The Host Unknown Podcast - Episode 226: The Prime Episode
Episode Date: July 18, 2025

8th July 2008: Several DNS vendors released patches to mitigate an attack method discovered by Dan Kaminsky which could be used to cause DNS cache poisoning. Kaminsky had discovered the vulnerability ...6 months prior and reported it to vendors privately so they could address it. RIP, Dan.
https://x.com/todayininfosec/status/1942695691270193211

10th July 1999: Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America".
https://x.com/todayininfosec/status/1943440335608385876

Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center
The GPS Leak No One Talked About: Uffizio's Silent Exposure
Hundreds of Malicious Domains Registered Ahead of Prime Day
M&S Chair Details Ransomware Attack, Declines to Confirm if Payment Was Made
Chinese State-Sponsored Hacker Charged Over COVID-19 Research Theft
Qantas Confirms 5.7 Million Customers Hit by Data Breach
Tribunal Ruling Brings ICO's £12.7m TikTok Fine Closer
Four Arrested in Connection with April UK Retail Attacks
TikTok's Handling of EU User Data in China Comes Under Scrutiny Again
LLMs Fall Short in Vulnerability Discovery and Exploitation
MPs Warn of "Significant" Iranian Cyber-Threat to UK

https://x.com/krezae/status/1943463109173338558

Come on! Like and bloody well subscribe!
Transcript
We're going to have to get cracking at some point, aren't we?
How's he still got control of the record and the jingles and everything when he doesn't do anything else?
What do you mean? This is what I do now!
He's literally the podcast equivalent of that person that sits in the elevator and presses the buttons for you when you get in.
And look, I don't wear this uniform for nothing.
No, no. Or maybe even better, the person in the bathroom when you go to those fancy places that opens the cap for you and all.
Oh, that's great. And still expects to get paid for it. Jesus, man.
That stuff costs money, you know. Gotta make some coin back. Anyway.
Hello, hello, hello. Good morning, good afternoon, good evening. And welcome from wherever you are joining us.
It's episode...
226! I don't care anymore. I really don't. I mean, Jav's just started to re- just started the renumbering all over. If you look down at your podcast
listening device it will clearly say episode 226 in the title.
Exactly.
Yes, but if you look at the actual way you publish the podcast...
La la la la la la la la la la la la la la la la la la la la la la la la la la la la
And how many weeks has it been since you've now looked up and seen the number?
Have you even listened to any of the previous, these recent podcasts?
I don't need to listen to them, I'm in them.
So you admit you're nothing but a glorified guest, so act like one. What? Hang on, hang on. Be humble. A glorified guest who's appeared in 99% of
the episodes. Mmm, citation needed. Okay, fine. Fine. I might go down to 98%. Wow. Oh,
which reminds me, I can't make it next week.
You can't make it?
And then I can't make it the week off. No, I can make it the week after, it's the week after that that I'm on holiday, so I can't make it.
Okay, yeah, next week I'm going to an air
show. The end of the month I'm not gonna be here. So if we just continue like the
number it may actually sort itself out if we just don't publish anything
but still claim that something went out there.
Well, actually, since Jav's taken over, things are actually being published and going out.
They're not! They're wrong!
A month and a half ago you still got an episode that you haven't edited and published.
Yeah, we're not going to do that one. It's pointless now.
See, and this is why your number rings off,
because there's about eight unpublished episodes
in your drafts.
No, there's only two.
Number two.
Yeah, the others haven't yet made it to his drafts.
Oh, god.
I don't know.
Talking about unfinished business, Jav, how are you?
I don't know where to go with that now.
Yes, I'm good, I'm great.
Yeah, a couple of my kids' birthdays all around these 10 day periods,
so it's an expensive month for me.
Oh, roughly nine months after your birthday?
Yes, yes, conveniently.
Weird. It's funny how that happens.
We'll never find the connection between the two
and then summer holidays. Why do you get so excited for your birthday?
They wanted to... see if you guys had been better friends back in the day and given me my fidgety
presents on time, maybe. Maybe your kids would be spread out a little bit more.
Yeah, maybe my summer holidays would be cheaper.
Oh dear. Mine are all nine months after Pancake Day.
When's yours, Andy?
Uh, just randomly. Randomly in the year. Could be any time, who knows. Random number generator.
That's right. Here's a present random child.
September. September, yeah, exactly. Exactly.
Talking of random gifts, Andy, how are you?
I am a gift to you guys, aren't I?
You are. I keep Toph feeling young.
I introduce him to the natural.
You do? I look at you and I think I feel so much younger.
Yeah. No, I've been good. It's been a long week.
But the sun's coming back.
Today's going to be a scorcher, from what I understand.
And I did, you know what? I actually purchased one of those shark fans.
The silent ones
You told us about it last week. Do I tell you about the fan?
Had it arrived by then? The mist one? The mist one? The mista? Where the mist doesn't land. Do you call it Mr. Shark?
Yeah, yeah, so I brought a second one which is arriving today
You didn't tell us about the second one in fact. Well I only ordered that on the 9th
Yeah, was it was this a Prime deal? No it was
a TikTok purchase. So the thing is, with Prime, and this is factual, you know they always
sort of inflate their prices in the run up to Prime Day and then they say oh 33% off
and then it goes down to the price that you would pay elsewhere. So if you use TikTok
shop, which isn't available in all
regions by the way, so you know if you're looking from somewhere else and you say there's no such
thing. Just southeast London basically. Yeah pretty much but certainly yeah they don't bother up north
because you know they're worried about stuff. They can't afford TikTok. Yeah so you can get
vouchers and stuff like you just click claim here.
So it's typically, it's always on for £99 is the price.
Amazon put it down as £129.99 and then say that they do specials 33% off and they drop
it to 99%.
But on TikTok, you know, you had the vouchers, seller's voucher plus another random voucher
they'll give you every couple of weeks.
£79.99.
But pretty much anything that is available on TikTok is available on Amazon.
It does cost more with Amazon, but to be fair, Amazon will generally deliver it next day, whereas TikTok, there is always a two to five
day delivery time regardless.
But even like random things, like one of these handheld fans,
like I get one of those for traveling, and on Amazon they're 15 quid,
TikTok shop 392 9, so I mean it just took five days to arrive, whereas...
Do you know it's the same thing though? Have you done a... Maybe it is, I... Not with
the product, but the entire promotional stuff is identical. The same images, the same text, the same company.
I mean, it's very easy to use the same images and stuff or, you know,
sell cheaper products. But I'm not saying, I'm just saying, you know.
Oh yeah, no, they are identical products.
And certainly the one I got for trainer washers.
This is really boring stuff. Please stay with me.
Trainer washers.
You stick your trainers in them, stick them in the washing machine.
Oh in the bag, yeah I got those, they're really good. Yeah so 11.99 on Amazon, 99p on TikTok.
No way. The exact same thing. Yeah. They're very good for your middle-aged white man white trainers, aren't they?
I've got blue trainers.
Your pub shoe.
Yeah, I don't have white trainers. I don't have white... oh, because you haven't reached the age yet, have you?
I'm not yet middle aged and
Run DMC is still playing
Playing in my head
I'm not going back to the box white adidas
of the 80s
But talking about old man Tom
How are you doing?
Well that was pretty lackluster wasn't it?
It was, let's just go crash it into it
It even says in my thing old man Langford
I know you're owning it. I appreciate that you're owning it now.
No, I just couldn't change the text. It seemed to be hard coded in now. I don't know what technology, I don't know what you did with it, Andy, given it's your account.
Yeah, exactly.
Very good. I've got an amazing Prime Day deal, which is obviously sounding a lot less amazing. No, I did buy a couple of things on Prime, but I bought a new robot vacuum.
Nice.
Which mops as well. It's brilliant.
I was just setting it off and it maps the house and then it knows what's got a hard floor and what's carpet.
That's what I was going to say, does it like mop the carpet?
Yeah, that's right. No, it's really good, it's really smart like that.
And then it gets back and then it empties the vacuum, all the bits into the main unit
and cleans the water through and then dries the...
So it empties itself... Empties itself?
Empties itself, yeah.
Into a bigger rubbish container.
So you don't have to empty it every two or three days.
And what happens to your previous robot vacuum?
I'm saving that, unless you're angling for it,
but I'm saving that for when I move house
into a bigger house and on a different floor. OK.
Then you have two robots.
Exactly.
Deploy the drones.
One at the bottom of the stairs and one at the top of the stairs looking at each other.
I have the superior position.
Yeah, I have the high ground.
I have the high ground Anakin.
God, yeah, that would be quite cool.
I'll call the top one Obi-Wan and the
bottom one Anakin. So you think that they're not gonna get on but they're
actually gonna say look he's not telling me what's downstairs and the other one's
like yeah he's not telling me what's upstairs. How about we map this place out
and sell it online and kill him in his sleep. That's right. Wake up with a...
...over my face. Your head's looking extra shiny today.
Yes. It was the washing angle.
Are you actually looking to move soon?
I mean it sounds like you've got a place in mind or not. No I don't have a place in
mind but I'm assuming it will have two floors rather than this one one floor flat
You know, but too much Lego to
Yes, I need a dedicated room. There's no doubt about that
I may I may sort of concede and put a sofa bed in there and make it a spare bedroom
But yeah, it's too much. I've had to actually take stuff out and put it into my container, which is now full mostly of
Lego. But yeah, it's far too much stuff, far too much stuff. More stuff... If I was
not single I wouldn't have half as much of this, because there'd be
someone saying, what are you buying that for?
So you're saying you have no willpower of your own?
No, none at all.
Anyway, shall we see what we've got coming up for you this week?
This Week in InfoSec proves it's never DNS.
Spoiler alert, it is always DNS.
Rant of the week tells us how the tables have turned.
Billy Big Balls is big brother always watching you. Industry News is the latest and
greatest security news stories from around the world and Tweet of the Week is a non-info sec
tip on staying in your family's life forever. Okay let's move on shall we to our favorite part of the show? It's the part of the show that we like to call...
It is that part of the show where we take a trip down Infosec memory lane with content liberated from the TodayInInfosec Twitter account and further afield. And today our first story takes us back a mere 17 years to the 8th of July 2008
several DNS vendors released patches to mitigate an attack method discovered by
Dan Kaminsky which could be used to cause DNS cache poisoning and Kaminsky had discovered
the vulnerability six months prior and reported it to vendors privately so they
could address it and RIP Dan. So if you cast your mind back to 8th of July 2008
the day every DNS administrator on the planet swept through an emergency patch cycle.
And why was this? Because obviously, Dan Kaminsky had quietly warned them six months earlier
that DNS, like essentially the internet's phone book, could be rewritten by anyone,
you know, with a packet blaster and a bit of luck. But the trick was so elegant and
scary. Essentially, you flood a DNS resolver with forged replies
until one slips through, poisoning its cache.
And then from there you could send, say like Google.com to your phishing server, or Barclays
Bank to a clone, or every corporate VPN to a malware farm, all invisible to the end user.
And he kept the full details under wraps, you know, speaking with Microsoft, Cisco,
ISC, BIND, and others in secret conference calls and synchronized patch drops.
He wasn't chasing fame. He wasn't doing it for the ego.
He wasn't creating, you know, websites with these great names on it and then dropping it on the unsuspecting public.
Yeah. And that day in July, all these vendors shipped updates that added source
port randomization which is a simple change that multiplied the attacker's workload from
milliseconds to near impossible. And obviously I did say RIP Dan, he did pass away in 2021
but obviously every time your browser hits a website without being silently hijacked, you know,
raise a glass to Dan.
This was like, I remember it vaguely.
I mean, not vaguely, but it's a distant memory.
But it feels like one of the last era,
in the era of last great disclosures,
if you know what I mean, like real big, proper hackery stuff.
Yeah.
You know, you don't get as much of it.
It's not DNS, but it's always DNS.
Yeah.
And also, when the hell was 2008, 17 years ago?
Yeah, it's like the other day.
What?
Yeah.
That's outright, you're gonna tell me the 80s was only,
you know, was... 22 years ago. 45 years ago. 22 years ago. Alas, I'll take us on to our second story
which takes us back a mere
26 years to the 10th of July 1999, when Cult of the Dead Cow member DilDog debuted the program
Back Orifice 2000, aka BO2K, at DEF CON 7.
It was a successor to Back Orifice, released by cDc a year prior, and DilDog proclaimed
it a remote administration tool for corporate
America. So there we were in Las Vegas in that hot July of 1999. On stage strode DilDog
of the cDc holding this shiny CD labeled Back Orifice 2000, and with a straight face he called
it a remote administration tool for corporate America.
And so, you know, the Back Orifice tool, it had previously embarrassed Microsoft the,
you know, the prior year by letting any script kiddie, or essentially anyone who could open a CD tray,
just pop a Windows 95 box for fun or profit.
And BO2K was that sequel that made the original look
like a demo tape essentially. He'd added updated support for Windows NT, 2000, XP, shipped it
as open source and supported plugins for everything from encrypted comms to live desktop and video,
key logging. All in stealth mode as well.
So essentially it was this sort of admin Swiss army knife or a hacker's backdoor, depending on which hat you fancied wearing that day.
Obviously security vendors panicked, corporate firewalls lit up, and then the
industry finally admitted that remote management and malware could be the same
thing with different marketing.
And so yeah, the term RAT entered everyday jargon.
And you know, Microsoft's push towards host firewalls
and privilege separation suddenly looked urgent.
But you know, you have to admire the brazenness,
you know, rather than hunt for the vulnerability,
CDC just gift wrapped a fully featured stealth tool,
tossed it into the wild.
To find them all, and said, yeah,
let be down with it. Just do as...
Do as you want. Let's, you know, chuck it in the air. Let God sort it out, essentially. Yeah. Yeah.
I remember, like, ZoneAlarm getting downloaded on a million...
The other side, GRC ShieldsUP, right around the same time.
Shield up!
Yeah.
All these ports are open.
Great concept.
That was, that whole thing just...
Steve Gibson.
Steve, it just felt like CDC Lite, didn't it?
Good marketing though.
Yes, yeah, it did work.
Excellent, thank you Andy for... This Week in InfoSec.
If good security content were bottled like ketchup, this podcast would be the watery juice which comes out when you don't shake properly.
In a niche of our own, you're listening to the award-winning, Host Unknown podcast.
And talking of watery juice, it's my turn for...
So this is about how Coinbase's $400 million problem started in,
of all places, an Indian call center. Coinbase is no
stranger to limelight over a hundred million registered users it's the
polished face of the cryptocurrency world so if Binance is the wild west of
crypto Coinbase is the Wall Street but Binance is obviously, well, it's the one that the
criminals use, let's face it. So basically anybody who works in finance and trusts you
to buy Bitcoin go to Binance to buy it. It's publicly traded, it's based in San Francisco and it provides
a platform to people to buy, sell, store and even just learn about crypto. It allegedly
boasts industry-grade security, cutting edge cold storage for assets and a comprehensive
compliance playbook that exceeds those of most tech firms.
Which sounds like it comes straight from their website.
But it is discovered the hard way that no tech stack is stronger than its weakest human
link.
Especially when that link is being paid like four bucks an hour from overseas. So let's take a look at what happened and why this is so
outrageous and audacious. Back in early 2025, six or so months ago, a ragtag
Telegram crew knew that a chat app would have crews. I mean what's that all about?
We've got a chat channel on there. You can join the Host Unknown crew.
And we just, you know. Ha ha ha ha. Anyway, this Telegram crew calling itself COM, also known as Puff Party.
Do they get allocated these names randomly? I mean, come on.
proved that you don't need zero days to rob a crypto giant. So two TaskUs support agents in Indore, India, who are paid about
21,000 rupees a month, which works out just shy of $200 US a month, were slipped
what insiders described as a small cash offer.
Roughly a week's wages, not enough to buy a fancy car, but enough to suddenly slide out nearly 70,000 customer records.
Those records are comprised of names, addresses, phone numbers, the last four of each social security number, walked out without even triggering a single alarm because they probably either
wrote them down or copied them onto a USB or whatever. And then came the Hollywood moment.
The teens of this ragtag Telegram crew emailed a 20 million dollar ransom demanding silence
because we all know if you pay a ransom they'll definitely not
do the thing they're threatening to do. Coinbase's reply was complete swagger
and in fact there was that um crikey what's his name there was that film
Mel Gibson film yeah and you'll know what you know what you're going yeah you
know as soon as we get there instead paying, what Coinbase did was flip the script
into an equal $20 million public bounty.
Send tips to security at Coinbase.com with bounty,
if you can name and shame the attackers.
I mean, maybe they should have just gone on the dark web and put out
a hit on them as well. That would have been even better, I think. The wallet keys did stay
safe, but the stolen PII was phishing gold at the end of the day, and the investigators,
I'm sorry, and investigators already link roughly $65 million worth of follow-on scams
to addresses tied to the breach. So COM still pocketed a fair
amount of money. So whilst they did flip the script, Coinbase did suffer
something of a hangover. The SEC filing pegs legal, reimbursement and security costs between
180 to 400 million dollars, and
TaskUs, who subsequently axed
226 staff, faces a class-action lawsuit,
which is, well, just collateral damage at this, really, when the human firewall costs just £4 an hour.
So the rant here is that Coinbase seem to do everything right here except secure the human.
And I can see Jav perking up at the thought of that.
We've just dropped right into his wheelhouse here about securing the
human and also securing your supply chain, because you can have all the tech you want, but if somebody
just wants to walk the stuff out of the door with it written on a piece of paper or stuffed onto a USB key, then there's not a lot you can do about it. So I just...
It's a real... I think it's a bit of a salutary lesson. It's almost, I would suggest,
a Billy Big Balls if Jav were to do it. You know, like we keep on saying every week, the line between a rant...
It's a fine line! Yes, yes.
So was it uh Brian used to always uh, Brian Honan, friend of the show,
well he'd say why would you spend 10k on a zero day when you can give like the admin 2k
for direct access? Yeah, yeah that's right, yeah pay off his student loan. Or better still why don't you just apply for a job at the company and they pay you while you get access to all their systems?
Yeah, it does seem like a key and peel sketch about robbing a bank.
Oh yeah, yeah, that's right. But they're going to take sit in that bank every week, Monday to Friday, 9 to 5.
Genius.
But you're right, a company with a US$400 million turnover entrusting this
data to people being paid 190 quid a month.
Well it's fine to do that if you're also...
As long as you've got controls around it. Yeah, yeah, exactly.
You've got to understand that there's a temptation there that is... Of course and
it's not... and also it's it wasn't even a huge temptation either, it was a week's
worth of money. I mean you know even on Jav's inflated salary a week's worth of
money is not a vast amount. Well, steady on. Actually, I was reading somewhere.
I think it's the annual turnover of St Lucia from that.
I might be wrong, but I read somewhere that when they look at corporate fraud,
it's actually not the lowest paid people that engage in the most white collar crime. It's
actually middle management or senior management who are actually already on good money that will end up doing something.
And sometimes they do it for very nominal amounts of money.
Because they feel like they're owed. There must be a psychology of something behind that, right?
Yeah.
Because if it was randomly across the entire organisation, then obviously there's something else but if it's
just one particular group or predominantly one group what is pissing off that one group?
Anyway that was this week's Rant of the Week. This is the podcast the King listens to, although
he won't admit it. All right Jav, time for your rant of the week or as we like to call it.
You know, I tell you once, you know it's Billy Big Balls about this one, which I've been
sitting here trying to work out what the angle actually is that I'm gonna go for.
And you know, data is,
I'm trying to find an alternative, I don't wanna say it's a new oil,
but it's basically the lifeblood of organizations now.
Yeah.
So, you know, there's so many organizations
which like now the whole business model is just
dictated around moving around data or manipulating it. Information brokers.
Information brokers. Exactly. Even if you look at Coca-Cola, those fountain vending machines,
where you can choose, I want a diet Coke, but I want a diet coke but I want it
with cherry or I want it with lime and you can mix them and then it gives you
a mixture to your specifications I mean you can have a normal coke or you can
mix one up yourself. That's a bit fancy I'm not aware of that. You're not aware of that?
They've been around for a few years. I've just got a Nando's with an empty glass and do like, you know, half Fanta, half Diet Coke.
No, no, no. These are the machines. There's a screen on it and you can see.
It's like that but with data.
So literally with that machine, you can think of it.
They're not even producing the actual finished product in the factory.
They're shipping raw ingredients into this machine.
And getting you to do it yourself.
And getting you to do it yourself.
It's a data-driven company from that product is a data-driven product. It's not really a
something that they need to guard the recipe for everything in the factory and what have you. So
the point I'm getting at is that if you are a company that sells GPS trackers for fleet management. So imagine you provide these GPS
trackers that you sell to the police so they can keep track of all of their cars. You give
them to hospitals so they know where all their ambulances are, to big mini cab companies,
taxi companies, all these sorts of businesses. What's the one bit of data
that is critical? Or what's the real value of the business? It's not the actual physical device,
it's not the SIM card in it. It's the data of where those vehicles are and the movements and
the historical movements and all that kind of stuff. And also the type of company it is, right?
Because if it's delivering packages versus it's a cab,
actually it can be used a lot more nefariously.
What can be more nefarious?
If it's packages, it can be, you know,
we know where this van is going to be at any given time.
Therefore we can ambush it if we've got the data.
Yeah, but what if the cab is carrying your kids or someone of high value?
All I'm saying is I value human life more than your iPhone being delivered.
That's the only point I'm making.
You fool!
You fool!
Children can be replaced easily.
iPhones cost money.
So actually, Jeff can only replace children every
July. Once a year. Every June or July.
So DeepSpectre.com done a bit of investigation and they found a multi-year data exposure involving
Uffizio. It's a software provider which provides this white-labeled GPS fleet management platform. And Uffizio is claiming GDPR compliance and
its deployment by hundreds of global resellers, but for over five years it was leaking all of
its fleet data in at least 12 countries and this continued even after a public
CVE disclosure and an internal GDPR audit. So some of the information that
was leaked included SIM identifiers, license plates, company names,
tracker IMEIs and real-time activity. So these effectively mapped the movement of thousands of
vehicles including those operated by police, ambulances, municipal fleets and even nuclear energy programs.
Well, you can tell those because they glow in the dark.
Yeah.
Right.
Yeah.
But how brazen, how unbothered must you be
to be running a company like that
and then allowing just all that access out there?
I think it's just the height of either just like ignorance
or just absolutely massive balls that like,
let's just charge people service that,
okay, they're getting it.
They don't know, they don't care that anyone else
out there could be tracking this.
So what's the angle?
Just the brazenness.
Well, and the uselessness, and the fact that they passed audits somehow, and they've... doesn't understand all this newfangled technology and thinks they're just
selling widgets. Waiting for his pager to go off. Why in your opinion is it always...
me and technology... I don't know. I don't know. Opinions. So GDPR compliant covers tidy paperwork on audit day,
but it's not evidence of operational effectiveness.
Yeah, that's pretty much where it is, checkbox, right?
Yeah.
And also you can't be GDPR compliant.
There is no compliance element.
Oh, there's people that will happily sell you badges that say oh I know I know but
that's that's as soon as somebody says
GDPR compliant with a badge you know
they don't have a fucking clue about GDPR
I am GDPR compliant me personally
show us the tattoo we want to see it
yeah that's coming up I can't get my shirt off over my headphones.
Because it's round, it's on your left side, not your right side.
Yeah, exactly. You've got GDPR compliant and ISO there.
PCI. PCI.
No, surely that's, you know, because you need somewhere to swipe the credit card.
Oh dear. Okay, let's move swiftly on.
Yes. All right that was... Rant of the week. It actually was rant of the week. I think those
two stories were the wrong way around. Oh it was wasn't it? God I hate this bloody thing. Here we go.
Billy Big Balls of the Week.
People who rate other security podcasts better than the Host Unknown podcast
are statistically more likely to enjoy the Harry and Meghan documentaries.
Read into that what you will.
That's going to age quite quickly I think.
Right Andy, what time is it? It's that time of the show where we head over to our new
sources over at the InfoSecPA Newswire who have been very busy bringing us the
latest and greatest security news from around the globe.
Industry News
Hundreds of malicious domains registered ahead of Prime Day.
Industry News
M&S chair details ransomware attack. Declines to confirm if payment was made.
Industry News
Chinese state-sponsored hacker charged over Covid-19 research theft.
Industry News
Qantas confirms 5.7 million customers hit by data breach.
Industry News
Tribunal ruling brings ICO's £12.7 million TikTok fine closer.
Industry News
Four arrested in connection with April UK retail attacks.
Industry News
TikTok's handling of EU user data in China comes under scrutiny again.
Industry News
LLMs fall short in vulnerability discovery and exploitation.
Industry News
MPs warn of significant Iranian cyber threat to UK.
Industry News
And that was this week's
Industry News
Huge if true.
Huge if true.
I wonder if M&S paid for the ransomware attack using their sparks card.
Don't think, do they still do sparks cards?
Yeah, sure they do.
Do they?
I don't know, you're showing your age again there.
I see you've got the old St. Michael bags as well.
It says St. Michael, yeah.
Oh yes.
Well, it's St. Michael wife runs, you mean?
So I'm looking at this, so M&S chairman Archie Norman
confirmed the attack
on the retailer's systems in April was ransomware related but declined to say whether a payment was
made to the threat actors. This is in comments made during oral evidence to the Business and Trade
Subcommittee on the Economic Security Arms and Export Controls Committee hearing in Parliament on July 8th.
Why do people decline to state things like this when it's going to come out?
And because they declined, it's going to look bad.
Yeah, everyone knows they've paid it now.
Yeah, of course they did, but why do they decline when it's just going to become common knowledge anyway?
Yeah.
Makes no sense. Annoys me.
You saw the people that got arrested
were like teenagers, right?
Oh, the eldest was 20.
Yeah, two 17-year-olds, a 19-year-old and a 20-year-old.
Yeah.
The 20-year-old was a British woman in Staffordshire
and one of the 19-year-olds was a man from London.
So assuming the other two were men, that means that the women in cyber security percentage's
gone up to about 25 percent. We're making progress, folks. Revenue-generating cyber security
professionals as well.
Yes, revenue-generating. See, what we need... we've got some diversity, we need more diversity. Hopefully the next gang
they'll get, at least like three out of four of them will be women.
Yeah, it's going to be like a
Pussy Riot of cyber security. That's the name of a band, for anybody who doesn't know, not an activity.
I see there's two stories besmirching the good name of TikTok again.
I'm not even going to click on them and give them the traffic.
So the UK's privacy watchdog cleared its first major hurdle, alleging UK GDPR infringement,
after the First-tier Tribunal decision confirmed that the ICO did in fact have the power to
issue a monetary penalty notice to the Chinese social media giant.
Well, why wouldn't they be able to? So this is about something that happened in 2020.
Yeah. So they're saying that they processed data on an estimated 1.4 million children under the
age of 13, contrary to the firm's rules. Dear me.
They say that TikTok didn't do enough to check who was using its platform or identify children.
Well, them and everyone else, right?
Well, exactly, yeah. They're only going after TikTok though, right?
Yeah.
It's such a witch hunt.
Yeah.
I love this Prime Day domain registration story.
It recorded more than a thousand domains with names resembling Amazon and Amazon Prime.
87% of which have been flagged as malicious or suspicious. Why would the other 13% not be suspicious?
Well, I told you the easy way to check if they're suspicious ones. So forget looking at the URL or the domain name.
Padlock?
No, not even the padlock. What you do is you check the prices, and if they're actually genuinely
reduced then it's a scam site.
Good. That was this week's...
Industry News
Are you not entertained?
What, the judges were...
You're listening to Europe's most entertaining content.
What are you talking about, man?
The Host Unknown Podcast.
All right, Andy, take us home with this week's Tweet of the Week.
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
This week's Tweet of the Week comes from Mr K,
aka Krezae, on X/Twitter. Is this Bluesky or Twitter?
Twitter. Okay, and he says: if you get cremated after you die, you can be put
into an hourglass and still participate in
family game nights which I think is quite nice that you know you're not
missing out on all that fun. It reminds me of that Monty Python sketch about the
film director who says his new film stars Marilyn Monroe or something
like that. He says, well, didn't Marilyn Monroe die like, you know,
15, 20 years ago?
Yeah, but wasn't she cremated?
Yes, that's why she appears in the ashtray,
in the open fire, in the vacuum cleaner.
Brilliant. Yeah, Monty Python's a bit before my time,
so I wouldn't know.
Yeah, yeah. I had to look that up while you were talking. What is Monty Python?
What is Monty Python, dear me?
I did have an alternative Tweet of the Week that I sent you. I don't know whether you...
Oh yeah, go on.
I can read it out. It's on Bluesky by Kevin Beaumont, who...
GossiTheDog?
He's not GossiTheDog on here; he is doublepulsar.com on here, and he says:
I'm in a WhatsApp group for Security Copilot with business execs, and a pattern for months
has been: exec joins during pilot kickoff, says Security Copilot is amazing, then comes
back a month later and asks if everyone knows how to optimise it, then reappears two months later asking how to justify it.
And I think that is just like so true
about so much of like the AI type capabilities and stuff,
like people get excited about it.
Then it's like, well, okay, beyond the novelty,
how do we actually use it?
And then it's like, okay, I've got a use case,
but I have no idea of how to sell this to the board. So it's like, just... tell me the trough of
despair.
Yeah. And I did like the, you know, the follow-up: we'll see
how it goes, but currently it looks like Darktrace as a service, e.g. you renew the
PO and hope somebody uses it one day.
One day.
This is what we call the Andy subscription model as well.
Yeah. Just keep paying it.
It'll be fine. We'll use it one of these days.
Definitely. Definitely one day.
Excellent. Thank you for this week's.
Well, we have stumbled into the end of the show would you believe.
Gentlemen thank you so much for your time. Jav thank you.
Greatly appreciated as ever. Wit, wisdom, charm, charisma and all-round
smiliness. I know, I know, it's weird, but it's in the script that he wrote for me.
So, Jav, thank you. You're welcome, and it's always a pleasure to be here with you, my friends, talking to you
and learning from you. Who wrote this script this week? And Andy, thank you, sir.
Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment
and subscribe. If you hated it, please leave your best insults on our Reddit channel.
I heard a really good one the other day. You know that phrase about, you know, opinions
are like arseholes?
Yeah. Everyone's got one.
And they stink. No, no... Worth investigating. Oh no. Oh no, this is