The Host Unknown Podcast - Episode 30 - The Magic Number
Episode Date: October 30, 2020Our presenters delve into their darkest secrets from the past, the internet is rebooted, the logs cleared, and cats play havoc with your home security (according to your training programme).This wee...k in Infosec24th October 2010: 2010: Eric Butler announced Firefox extension Firesheep's release at Toorcon, making HTTP session hijacking on open Wi-Fi trivial.Today, by far, high traffic sites redirect HTTP requests by default - so 90% of Internet web traffic is encrypted. That long tail though? Sad face. https://twitter.com/todayininfosec/status/1320095119857561603?s=2027th October 1980: ARPANET ground to a halt because a bad status message propagated, causing all IMPs (routers) to exhaust memory. The solution? Reboot all IMPs! Yep, a reboot.This incident was such a big deal that the case study of it was published as RFC 789.https://twitter.com/todayininfosec/status/1321054719863828481?s=20 Tweet of the Weekhttps://twitter.com/KathsBurgess/status/1321509257431449600?s=20Very good awareness video: Billy Big Ballshttps://www.huffingtonpost.co.uk/entry/no-woolworths-is-not-returning-to-the-uks-high-streets_uk_5f97f50ec5b6b74d85f459ccHere to save 2020! Woolworths is coming back to your high street, as a physical store!A couple of legal things to get sorted, but we’re full steam ahead at Woolworths HQ.We want to get this right, so we need your help. What do you want at your UK #YourWoolworths?https://www.standard.co.uk/news/uk/woolworths-reopening-prank-student-a4573379.html Industry NewsUS and UK Issue Sanctions to Iran and RussiaAmazon Warns Users of Insider Disclosing Details to Third PartyReport: Application Flaws Being Fixed Faster Although Bugs PersistAkamai Boosts Mobile Security Offering with Asavie Acqusition Rant of the weekhttps://www.theregister.com/2020/10/26/finland_psychotherapy_clinic_ransom_attack/A Finnish psychotherapy centre was hit by hackers who stole therapy session notes – before threatening patients of the clinic with ransom demands amid selective dark web leaks of stolen material."Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail," said the Helsinki-based clinical chain late last week (in Finnish), adding: "In recent days, the blackmailer has published sections of the information he obtained during the hacking. Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom." The Little PeopleMadelaine Howard of Cygenta and the NCSC Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Could we perhaps take the piss out of Graeme trying to pronounce the Wu-Tang Clan?
Yeah, that's right.
So something about they got the G because Smashing Security doesn't have the G.
Well, surely they must have done that one themselves.
No.
What?
Or is it because Graeme couldn't find the G?
You're listening to the Host Unknown Podcast.
I didn't realise we started recording, though.
Hello, hello, hello.
Good morning, good afternoon, good evening,
wherever you are. And Jav, you know, you always say the funniest stuff when we're not recording.
But yes, welcome to episode 30. Talk about the magic number of the Host Unknown podcast. Jav,
hello. We're recording, by the way. Hello, yes. I kind of gathered that now that I see the red blinking light on my screen.
But yes, hello. Nice to be back. Good to speak to both of you, I suppose.
Indeed, as usual. And Andy, how are you?
Not too bad. Not too bad in interior decorating hell.
This is self-imposed interior decorating hell but um this is self-imposed interior decorating hell it's self-imposed yeah i will just say so before you uh join this morning uh tom i was chatting with jeff um it's just sort
of how this has kind of spiraled out of control so half term week i've taken the week off work
uh the original plan was just to repaint my office um and then when i kind of looked at it i thought
you know what i'm not a painter
um so i will get a professional in because i am a big fan of getting professionals to do what
professionals do yeah um and that kind of spiraled into yeah do you know what i need to take the desk
out um but i actually i love the desk but it's just too big so i need you to take two inches off
the desk all the way around and then um yeah then, then there's a case of, you know what, the shelves,
they're really nice, they're custom fitted, but I don't want them anymore.
I'm going to get rid of them.
And then, you know, it's like while the desk is out,
you might as well put down the carpet.
Yeah, and then the finest rule is probably this fan,
which I'm getting attached to the ceiling.
You know those proper big-on ceiling fans?
And he did actually say to me, the room's too small for it.
But I measured it myself, and the fan will fit.
The fan will fit, but the wind produced by the fan will probably, well,
do more than just shuffle a few papers on your desk.
So I am actually not bothered about that.
So I love the cold.
I've got my fan on at the moment in the background,
keeping the room nice and cool.
But summertime, this office is just too hot for me.
So the big question is, when is the house going on the market
so you can get a larger room?
Well, there was a big debate as to whether or not I actually sacrificed this room
and just got a garden office built instead.
Yeah, I think most people call those sheds.
Why don't you just swap your bedroom for this room?
Put your bed in it.
I mean, you're only sleeping in it at night.
Nothing happens in the bedroom for you anymore mate let's face it you've been married for 20 years yeah it's just this uh this room's too small for a bedroom it is it's perfect
office size but uh obviously not if you're taking up shaving off your desk from all sides, ripping off the cupboards.
The fan barely fits.
Oh, it's perfect size.
Perfect size, Governor.
One of these days,
we will get the host of Noam podcast
recorded from the broom cupboard.
I'll bring Gordon the gopher.
Hey, just watch where you put in that hand.
Yeah, exactly.
Exactly.
For our American viewers,
look it up.
And listeners as well. Ah, good. How. For our American viewers, look it up. And listeners as well.
Good.
How's your week been?
Yeah, very busy.
Been doing a lot of writing.
I've got a report I'm trying to finish, and it's like pulling teeth.
You know what it's like when technically you could write about a thousand words
in an hour really easily, right, if you know what you're writing.
This feels like pulling teeth out.
Every single word is just not wanting to come out onto the document at all.
So really painful.
So lots of late nights.
But I think I've broken the back of it now.
Is the topic just InfoSec?
No, it's not even InfoSec. That's the best part of it now um is that the topic just infosec uh no it's not even infosec that's the
best part of it it's like it's another topic um which i'm i won't talk about in case somebody
so i noticed a uh payment which you made me this week uh under the description of anal re-bleaching
well that's that's that's more that's more about finally being able to get my own back
on your, what, two, three times that you've transferred money
into my account, of which every time I tweet,
never, never, ever have Andy owe you money
because of what's going to come up in your bank account.
So when are the bank going to be looking at your account details
for mortgage renewal time?
Is that any time soon?
It is actually May time, so I've got six months or seven months.
Okay, we're going to have to work out how you owe me some more money
in the next few months.
Just send them a fiver anyway, Tom.
It'll be worth it.
Yeah, exactly.
Actually, yeah, now I've got his bank account details i could tell a whole story you know what i've got so a friend of mine
is actually i'd say he's actually that dummy actually accidentally transfers me money on a
regular basis and he just sends me a text saying sorry i've done it again can you send me the money back please well i don't
know just say no uh well i did uh start deducting five pound admin fee um so this is this is this
is a story i've i've seen this film before at the end and he gets done for being a money mule. Yeah,
that's right.
How can somebody send you money accidentally so often?
So he's,
uh,
his brother's called,
uh,
Andrew.
And,
um,
so he's got my bank deal and like him and his brother,
they're always exchanging money.
It's his brother rents out his house or something.
And,
you know,
it's,
uh,
they regularly transfer money between each other.
This is what he told the judge, yeah?
Yeah, yeah, absolutely.
It makes sense when you hear it, you know?
It's when you actually look at it and pick it apart that it does it.
But, yeah, no, every couple of months now I'll probably just get a text saying,
sorry, I've done it again, can you send it back, please?
New number, who gives yeah yeah yeah you gotta try that one next time oh anyway anyway let's see what we got on the show for you this week uh our usual suspects of
this week in infosec tweet of the week Billy Big Ball's Rant of the Week, and the ever
regular question of, will we have a little people today?
Time will tell.
Stay tuned.
Stay tuned, indeed.
So why don't we just jump straight into it?
Let's see, oh, we've got our new one, This Week in InfoSec.
This Week in InfoSec.
so this week in infosec is uh we or curated content liberated from the today in infosec twitter account i highly recommend you follow it if you are not already um however it's a nice
little stroll down memory lane and there are many stories i could have gone on about this week
this week has been a very busy week in the infosec era we could have gone on about this week. This week has been a very busy week in the InfoSec era. We could have gone back to 1952, 68 years ago,
when Harry Truman signed a memorandum revising the National Security Council
Intelligence Directive, thus officially creating the NSA,
who I think have been regular topics of conversation in the InfoSec modern era,
for reasons unknown.
I don't know.
But that's where they first started having those generations of agents
just watching you through your webcam.
And they'll continue to be with us side by side until the end of days.
We could have also gone back 18 years to 2002 when a worm-like
virus which went by the name friend greet propagated by emailing all Outlook recipients
in your mailbox. But the genius of this worm was that it actually launched an install shield wizard
and the EULA literally told you it was going to access your
contact list and email all your contacts um alas i did miss out on those fun things because uh
during 2002 i was a lotus notes administrator um so we didn't get um we didn't get i thought
you're going to say during 2002 i was off my tits on drugs and don't remember much about it. I was absolutely off my tits on drugs.
However, I did remember.
I'll tell you one time.
I did actually miss work for three days where I went on a massive bender.
Oh, my God.
Yeah, just completely lost track of time.
It was crazy.
What time is it?
What year is it?
The first I knew, I got a phone call from my boss at the time uh and i was like oh i'm so sorry i'm just really not well and um it's like
we're just really worried about you because it's thursday i'm like what so it went out on tuesday
what the hell happened but uh yeah you tiger in the bathroom and Mike Tyson.
Yeah.
No, I wish.
Oh, man, I'd love to have those things.
Anyway, so what we are doing,
we're actually only going back 10 years on this story.
And this is a story when Eric Butler announced Firefox extension FireSheep,
which was released at Torkon,
extension fire sheet um which was released at torcon which then made hacking http sessions um on open wi-fi just a merely a click of a button um and i think as a result you know today by far
all high traffic sites uh redirect to https by default um you know so as of now, I believe 90% of internet web traffic
is encrypted.
But back then, I don't know if you recall
this FireSheep plugin for your
Mozilla browser, or Firefox
browser, but
I think this one, like to me
this is such a great turning point in
security education
or security awareness, because
you could just show people how easy it was
to access their facebook um you know just by hijacking their their sessions uh you know on
the starbucks wi-fi um it was so funny there was so there was a a spate of blogs cropping up under
the guise of research here i went to my local mcdonald's or
starbucks and look what people need i need to be stop being so stupid and like yeah you just wanted
to perv on everyone's facebook that's all it was i recall watching a video about somebody who tried
to get a um a pwn apple to work um oh it's you jav Jav. That's right. Yes.
I think you... Didn't you smoke the mirrors the entire thing?
You mean the
pineapple? Yeah.
Which one? The Wi-Fi pineapple.
When you were demonstrating how it worked.
You know, I can't
remember. And then
you got annoyed and basically sent it to me in a box and said,
you fix it or something like that.
I get annoyed and send it.
I do get annoyed with tech very quickly.
And I do pick it up very quickly.
Um,
you did it.
You did a video about the wifi pineapple.
I must've done a video.
Yeah.
I,
it's,
you know,
it sounds like something popular
he would have jumped on yeah yeah exactly yeah it's not about making the videos that you want
it's about making the videos that they want what were you going to complain about next
really doesn't fly to him like you know superman doesn't really have laser eyes
um but anyway so i am uh going on to our second story uh of the day this day in infosec
um and we're gonna go back to 40 years so i just quickly 40 years there was no info check well so arpanet uh do you recall uh
arpanet um indeed back in the day the predecessor to the internet right correct yeah the first wide
area packet switching network so let me ask you guys a question um how bad have you messed up in your job uh you know what is the
has anything ever come of you know like what warning labels were created because of you guys
i didn't get where i am today without really screwing up yeah i'm getting on a podcast with two people
go on jab you go first because i know you've you've screwed up
it's like which time yeah yeah and which version of the story did i say to not make it uh
you try and protect the victims in the story i don't want to get sued like you know
five years later or 10 years later or like a week later after didn't you take down a cash
machine network once well actually it was but that was just uh asking for his balance though
wasn't it so i worked at a bank and they had a precursor to internet banking.
And it was only available to high net value customers.
And basically, it allowed them to log on from home and check different account balances they had in different currencies.
And they could do some very basic things like transfer funds between currencies to take advice.
But it's just something for rich people.
And I was asked to make some permission changes to a couple of folders.
And this was all, the back end was all on NT4.
And being the NT4 expert back in the day,
because I had been on the administering Windows NT4 course and
course. I decided why go into file manager and manually change it when I can just write
myself a quick cackle script and execute it on the server in production as you do.
You wanted to write a script to change some permissions on some folders.
Yes, exactly. Because there was a whole long list
of them and I couldn't be bothered doing it.
Oh, right. Okay.
And, you know, because of the stupid way
that these scripts are actually designed
through no fault of my own...
LAUGHTER
Oh, the hubris
is oozing!
Oozing!
It's not like now, kids, where you can just download one off the internet.
You have to write it yourself back then.
Yeah, exactly.
You had to plug it up yourself.
There was no GitHub.
They were just gits.
So spread all over the place.
And so, you know, if you missed a switch,
apparently it would just replicate the top-level permissions all the way down to all of the sub directory.
And it so happened all those sub directories, each one was for a different customer.
So there's about four or five hundred of them, I think.
And all of them got overwritten.
And, you know, within like 15 minutes, there was a p1 incident on our queue
and uh my boss who's like a couple of seats down oh jay his name was andy but as well um
and uh he's just like you white people you only have like three or four names it's like andy steve
dave and that's about it but but uh he goes oh like you know this is dan and i was like i completely
bricked it i was like oh leave it with me i'll go and to the meeting first thing i do go onto
the server and flip the logs and uh delete you seriously cleared out the logs? I did, yeah.
The fact that you're even able to do that is even better.
I know.
So this taught me that, look, you should have centralized logging,
a SIM or something like that, and you should not give admins the right to go anyway.
It didn't teach you about actually writing shitty scripts.
No, I learned I should outsource the writing of scripts to someone else.
So I go to the incident recovery meeting and everyone's there.
And I'm like, I have no idea what's going on here.
It looks like some permissions are wrong.
And they're like, yes, we've seen it.
And then one of the guys like
but there's nothing in the logs
and at which point you you thumped the table and said god damn it i've been talking about
these logs for we need to see you're not too far off you're not too
so i'm like look i can see where the problems lie let me go let give me half hour
give me some space and you try and fix it and they're like let me work my magic as you click
it you know click your knuckles yeah yeah so so we all reconvened after an hour during which time
i was sweating buckets fr frantically going through the original
project handover documentation and manually this time going through file manager permission here,
click and read, write, whatever permissions were, went back in and lo and behold, you know,
everyone's like, yeah, it's all working now. It's been restored record turnaround time.
hey, it's all working now.
It's been restored.
Record turnaround time.
And, you know, but that wasn't the end of it.
I thought I dodged the bullet, but a week later,
the guy who was the head of the project that handed it over to Light,
you didn't get like an employee of the month or something, did you?
He said, oh, the head of IT for retail banking is uh has called us into it has called us basically so you know what you know it's just like yeah you're gonna go there you're gonna by the time
you're back your desk is all going to be packed up and you're going to be taking car keys with you
frog marched off the building and uh went there and he was like, you guys were involved in the incident.
Yeah.
And he pulls out a certificate for your contributions to the bank.
Thank you so much.
We need more people like you.
People who recognise the fuck-ups I've made and know how to fix them.
Oh, my God.
That's proper PR, that. that is turning a negative into a
positive that's true it's very true i mean no doubt as you as you no doubt uh just uh covered
that point there that uh you know you need seams and uh admin rights privileged access shouldn't
be given out like that so you know the the second story which I had was about ARPANET grinding to a halt 40 years ago today, purely because a bad status message propagated, which caused all the routers to exhaust their memory.
But I think, you know, the thing about this was that the incident was such a big deal that a case study of it was published as RFC 789.
that a case study of it was published as RFC 789.
So, I mean, I'm not sure whether you have an RFC number yet, Jeff, but I definitely think you're worthy of one.
So, yeah, I don't think I'm going to top that one.
No, no.
It had everything, even the log deletion, which is...
Frankly, Jeff, you should put that story on this week in InfoSec.
Yeah.
Rather than... I mean, ARPANET, it was old.
It was creaky.
It's expected.
Yeah, it's expected.
Just bounce the internet or the ARPANET.
It'll be fine.
You? No, I'll fuck it up.
I'll flip the logs.
I'll take all the credit and then get a certificate at the end of it.
Lovely.
Thank you, Andy.
This week in InfoSword.
In fact, any listeners out there, you've got to tweet us
or send us your royal screw-ups.
I think we could put a little section on the website, don't you,
of screw-ups we have made.
I think that would be a good one.
Don't get me wrong.
I've screwed up, but not to the point where I've had to delete a lot.
No, no, not to a whole financial system.
I'll tell you what, Jeff.
When you tell us a story about the mortgage market collapse in 2008,
the subprime collapse, that'll be an entertaining one.
Absolutely.
He didn't just flip the logs.
He actually spoofed them.
No, it wasn't that technical back then.
What do you mean, back then? As to now you're uh yeah that's right when you're in your prime i at least know
the terms exist and i can find someone and find that they do it for me that's the difference
you're a subject matter googler right yeah exactly you you know you're not technical
jav when you keep asking me my opinion on certain technical subjects
on our WhatsApp chat.
That's just to keep the conversation.
You know it's wintertime, the nights are long.
What else is there to do?
You mean you're being quoted in a story somewhere
and you're trying to figure out what they're talking about.
Right.
Are we going to see a story about a raspberry pie hole
in the next few weeks then?
Because you seem very interested in, you know, have you built a Raspberry Pi hole?
You know, the thing that, you know, the thing that sweeps up all of the ad traffic from your network before it gets to you.
You mean like a sinkhole made by a Raspberry Pi? Is that what you're trying to say?
Yeah, yeah, that's right. That's right. But you just called it a pie hole, which is what it is.
Speaking of pie holes, shut yours and move on.
Yes, I think Jav might be a little bit quieter for the rest of the show.
Right, in which case, yes, let's move on to
this week's, and I can't find it.
Where's the bloody button?
I can't
find it. Ah, there we go.
Yes, to this week's
Tweet of the Week.
This is why Tom is single.
Oh dear.
So this week's Tweet of the Week comes courtesy of Catherine Burgess
at Caths Burgess.
She has a little blue checkmark, but I'm sorry, Catherine,
I don't know who you are.
But not that that means anything.
Because you know everyone who has a blue tick.
Tom is actually the person who hands out the blue ticks.
Yeah, exactly.
Exactly.
There's a photo of me shaking Graham Cooley's hand
while I'm giving him his blue tick mark.
Anyway, so it normally means that somebody's reasonably well-known, right?
You know, in our field, you would tend to know.
Anyway, so Catherineatherine it's not
you it's me um so katherine posted a a photo from what i uh what we can only assume to be
is her um uh some information security training from somewhere her organization or whatever
uh and she's quoted saying, doing cybersecurity,
et cetera, training. Gannett, I have a question. Gannett, I'm assuming, is someone she knows.
Now, in the picture, which is in the show notes, folks, it says, so under home life,
first bullet point, do not allow children, yes, your spouse, yes, or even your cat to touch your work devices.
Now, I'm not sure what kind of cats Catherine might have, but if it's anything like mine,
then, well, actually, that's a fair point.
My cat will probably try and stitch me up by browsing to, I don't know, cat porn sites or something like that.
But your cat to touch your work devices.
I think this is possibly one of those statements that goes into the training
to see if actually, you know, people are actually reading it.
Yeah, this is the brown M&M story, you know,
just to make sure that actually you're reading it.
But that is brilliant.
I do like that one immensely.
And, in fact, it reminds me of my last place we did,
we obviously did information security training,
and we did the obligatory questions at the end.
And we had one in there that talked about tailgating
and propping doors open and that sort of thing.
And it was something like, you notice somebody has tailgated behind you.
What do you do?
And you say, you know, talk to them, escort them to security, ignore them,
drop to the ground and growl at them like a dog.
them drop to the ground and growl at them like a dog so yeah that's um that was uh um again our way of just trying to make sure people were reading it yeah yeah very well done so i'm just
thinking there's a really funny video about security awareness training um which you can see on youtube it's uh really catchy it's to the tune
of um ride with me got a ride with me yeah so it's a song called uh lost all the money i highly
recommend you uh google um on on youtube lost all the money by a group called Host Unknown. Never heard of them. Maybe we could get them to sponsor the podcast.
I hear they're terrible with money.
I hear they're absolutely terrible with money.
They burn through it.
Host Unknown.
Sponsored by Host Unknown.
You say burn through all the money.
I've not seen any of it yet
well i question that because you're the one that's been receiving the last couple
well then again i saw i saw your company bank accounts
i swear my accountant thinks that i'm laundering money um i think your accountant just thinks
you're an idiot.
Yeah.
So last year I,
uh, borrowed two and a half grand from my company account with,
uh,
absolutely no reason whatsoever.
Um,
it's just,
it's called a what?
Dividend payment.
Uh,
yeah,
I'm pretty sure there's a formula behind that,
but,
um,
yeah,
I was like,
I'm just taking back cash that I'm owed.
Um, and he starts, yeah, he starts going on about receipts and shit like that it's like just give me a break it's my company
yeah you need you need to um at least put some false expenses in to get that money out
yeah it's been a...
Accounting's not for me, believe it or not.
Anyway, that was
this week's
Tweet of the Week.
Very good.
I haven't seen many
good security awareness training
recently. You haven't? No good security awareness training recently.
You haven't?
No.
I know content updated for the modern era,
and this kind of sounds like it's been updated,
children, spouse, even while we're all working from home these days.
Yeah, yeah, yeah.
It's a different kind of threat.
I mean, we always talked about, you know,
I guess because places I've worked at had a fairly significant work-from-home capability, so it was always recognised that it was there.
Many companies didn't, obviously, until recently.
So, you know, this may be a new setup.
But I think adding the cat in there is a stroke of genius.
That's brilliant.
Yeah, I like that. Alternate touch. You know what you overlooked, Tom, was that, new setup but i think adding the cat in there is a stroke of genius that's brilliant yeah i like
that you know what you overlooked tom was and this is something that i think would have impacted you
more than anyone else is the second bullet point on that which is slightly cut off at the end but
it says while working limit other devices such as various smart appliances or other computers
from connecting to your home network would you be able to disconnect everything else
from your home network while you're working from?
That's the question.
Says the man who came to my house
and immediately connected to my guest network.
Without even wanting to.
Yeah, that's the problem, Tom.
Well, if you didn't live in such a rural area
where I could get some decent 4G signal, I wouldn't have needed to.
4G?
We're lucky if we get 2G around here, or whatever that's called.
G.
G.
Oh, dear.
I think we found the G that Graham kept on adding to Wu-Tang Clan again.
Right.
So shall we move on?
Blimey, we're half an hour through already.
Yeah, let's move on to this week's...
Oops.
Oh, my God.
To this week's...
Billy Big Balls of the Week.
You really suck out all the energy from the podcast
when you don't hit the button.
Do you know what? I was going
to edit that out, but when
you crash the end of the jingle
with a comment like that, it's got to stay
in.
So, here's what we've got.
So, Billy Big Balls of the Week.
Here to save 2020.
Now, this is the opening line of a tweet which went out.
So, if I talk to you guys about your first shoplifting experiences,
is there a particular store that comes to mind?
Yeah.
No.
Woolies.
Exactly.
It's good old Woolworths.
And boots.
I remember boots in Dover. Oh, Woolies. Exactly. It's good old Woolworths. And Boots. I remember Boots in Dover.
Oh, Boots.
So home of the pick and mix at Woolworths.
Not to be confused with the Woolworths that they have in Australia
and that side of the world, which is completely different.
South Africa.
It's a holding company, isn't it, Woolworths, elsewhere?
Possibly.
But whatever you do, those places don't have pig and mix selections.
No.
Or the Top 40 singles or a selection of screwdrivers and screws.
Exactly.
A bit of everything.
A bit of a variety store.
So this tweet went out.
Here to save 2020, Woolworths is coming back to your high street
as a physical store
a couple of legal things to get sorted but we're full steam ahead at Woolworths HQ
you want to get oh we want to get this right so we need your help what do you want at your UK
your Woolworths um so this caused a lot of people to get excited, as you can imagine,
because, as I say, very fond memories of pick and mix.
I think we know where your focus is on this story, Andy.
Yeah.
So just for the avoidance of doubt, it's the pick and mix.
That's right.
However, so this went out and people replied and it went viral.
It started showing up in news outlets.
None of the reputable ones, I'll admit.
It's all the red tops.
So the sun, the mirror, et cetera.
It's like Woolies is coming back.
It's coming home.
It's coming home it's coming home
exactly so this store which
sold everything from
chocolate bars to toasters and televisions
you know
sewing kits
if you need it just pop down to Woolies
yeah
where can I get Woolies
that's where I can get it
and they have these uh
sort of free samples of sweets you can eat as you're walking around the store as well
no that's the pick and mix yeah they're not free mate they're not free well i never paid for them
that's all i'm saying i don't know what your local woolies was like um however this whole thing uh despite getting people elated and uh
you know sort of really um you know something good to look forward for a 17 year old student
has uh stepped forward um to claim responsibility he's entrepreneurial isn't he well indeed I'm sure
the uh the accounts would probably look the same as they did uh when the
shot went into administration first time around if he did run it uh so he basically um you know
said that you know the 17 year old from york um he's a marketing student and he he sort of posted
this uh as part of his digital marketing course in his business a level um just to show um how people
will believe anything uh you know and fake news is so easy to spread if they want to believe if
they want to believe it yeah so it took twitter maybe i think 12 hours to shut down the account
and he deliberately put spelling mistakes in as well uh so he didn't include a website uh and he spelled it uh
walworths instead of walworths as well uh when when talking about it um so he sort of well he's
saying he deliberately put in these uh little gotchas to sort of give give people the red flags
um but then there was one actual journalist who just contacted the very PR department
who owned the Woolworths brand, and they said,
is this a real thing?
And they said no.
And so there it was.
They didn't run with the story.
But all it takes is just someone's little bit of background.
I'm surprised Brian Krebs wasn't on it.
Well, yeah, unfortunately, I think this popped up and, you know,
disappeared before Krebs woke up.
That time difference.
Krebs doesn't even get out of bed for a storyline.
There's an article on it, which is on Russian underground forum.
Naturally, Jav was quoted in five of these stories that were published.
Mostly about
the opening of Woolworths,
not about the fact
that it was a fan.
If I was quite,
if I had been approached,
my quote would have been...
If it's true.
If true,
you're just true.
If everyone had a pie hole, this wouldn't have happened.
Oh, man.
I tell you, I was getting excited about Woolies coming back
because Wilco's, which is kind of like the replacement.
They tried.
They tried.
But it's not quite the same.
It's good.
I like Wilco's.
The Picker Mix is pretty good.
I presume you've tried it, Andy.
I have.
I don't know whether it's that nostalgic thing
or whether it's just more chemicals back then,
but I still think the Woolies Pick'em Mix was better.
Yeah, I think it's probably a combination of the both.
The fact that the chemicals probably came out of an industrial waste
somewhere back in the 70s and a bit of nostalgia.
So, yeah. So 17 year old teaching people you shouldn't be believing everything you see online.
And he even threw in some red flags to highlight the errors.
But unfortunately, our trigger happy press was all too keen to get this story out there
and didn't do any checking.
So a 17-year-old teaching people what they should be doing.
What a Billy Big Balls.
Billy Big Balls of the Week.
Although the T on the picking mix is like a Blue Balls.
A Blue Balls.
Is that like a gobstopper?
Oh, dear.
Oh, so I think we move on.
And I think it's that time of the week, Andy, isn't it?
It is that time of the week.
We're now reliable.
Are you trying to read this off the show notes by any chance?
No, normally I usually just reel this out.
I just had a look at our show notes and I can see that it's been edited quite heavily and it made me lose my train of thought as to what I should be saying. You are like Anchorman.
You'll read anything that's put onto the autocue.
So I normally say our reliable sources over at the InfoSec PA Newswire
have been very busy bringing us the latest and greatest security news
from around the globe.
Very good.
Time for...
Yeah, that's not what's written in the show notes let me put it that way that's
industry news us and uk issue sanctions to iran and russia industry news amazon warns users of
insider disclosing details to third party. Industry News.
Report. Application flaws
being fixed faster, although
bugs persist.
Industry News.
Akamai boosts mobile security offerings
with... Industry News.
They'll put it together.
And that was
this week's...
Industry News. Slow week. and that was this week's industry news slow week
huge if true
I mean after last week's
you know absolute
feast mother load
yeah this feels like a little bit of a famine
yeah exactly
but also isn't there
spelling mistakes as well isn't there
second time I've noticed a stick has has misspelled acquisition, you know, in a title.
That's, I mean, yeah, run a spell check.
Yeah, come on, Mr. or Mrs. Stig.
You know, you're letting down the side.
I don't know.
You know, there's certain words that you know how to type them or spell them,
but every time you type them, the muscle memory in the typing always gets it wrong for some reason.
Yes.
And, you know, funnily enough, acquisition is one of those words
I frequently misspell, which is a bit of a problem.
That's a bit of a problem.
Yeah, exactly.
But, you know, I use a spell check, so I always sit and I'm like,
how do I – it's just one of those words.
You need to do – like whenever you type M& i just it's just one of those words that i need to do like whenever you
type m and a it should just put acquisition or do you know do a little code word because you can do
those replace things in in work yes i don't do that after i've got a couple of things where uh
where i do that maybe you should if you can't spell yeah i guess that's what it's for yeah
one thing i've started doing and tom this might help you with the problem you
discussed right at the beginning where you're saying you're really struggling with writing is
i found that the the voice dictation on the phone is is so much superior than any other voice
dictation there is out there so i i tend to nowadays open up google docs on my phone
and just hit the dictate one and i just just start talking for like five, 10 minutes.
And it doesn't make any spelling mistakes at all.
Well, I say it doesn't, but unless it mishears you,
but you get this nice stream of conscious that you then just have to sit down
and edit.
And I actually find you can get like a 500 word blog post written really
quickly that way.
Yeah. It might not be a
very good one but but didn't um i mean it just probably goes on about some really hard stretched
analogies to a an old 80s film but you know aside from that um so i thought didn't you earlier this
year accuse um a mutual friend of ours of being you know an old man for dictating into his phone whilst
you know to do texts and stuff you know it's it's funny you say that and i wrote a blog
about a week or so ago on my on my site it's called the future often looks silly
and in that true story i was this was in the early 2000s before the iphone came out
and only a few people had blackberrieserrys. You had to get approved.
So just so you could see emails and what have you.
And I was in one of these project meetings,
like security meetings and like, you know,
where I'm the designated security consultant there.
And there's like someone from every department
and you sit around for like five hours of the day,
and everyone only gets like half hour to speak or 10 minutes.
And this was one where we had a whiteboarding session to
to draw it out and normally you at the end of it someone would just jot it down but the project
manager he was this young guy who was new new in the company he whips out his blackberry and takes
a photo of the whiteboard and today that seems perfectly normal back in that day we were all looking at each other
around the table and one guy was like wanker he was like you'd have made the hand gesture he was
like what is this guy doing what why would you be so stupid who the hell takes out their phone
which is crappy resolution blackberry just to take a photo just to save you writing it down
and everyone in that room was like like, shocked and mortified.
And it was almost like he sort of, like, walked on someone's grave.
But today it's perfectly normal.
And not only that, the cameras are set up to even adjust
for taking the photo at an angle, to straighten it up,
to convert it into, you know,
just a colour-based, you know, image, you know, like a flat file,
not a full colour file, if you see what I mean.
Yeah, absolutely.
It's completely changed.
And I think that's the thing.
When you first see something, it's like, where are you from, future boy?
What kind of
is this but only after a while when you catch up with the lag you think you know what this is
actually genius that person's ahead of their time if only i bought bitcoins back then like they did
instead of making fun of them so like i tell you the future is asking your bedroom window blinds to open twice before they do.
That is the future, I'm telling you.
No, see, see, I came to your house.
You just look silly doing that, Tom.
Yeah, fair enough, but, you know,
the wanker sign was a little bit hurtful, I have to say.
In your face, yeah.
Yeah, exactly. And a bit too close to home anyway yeah well close to home you're in my damn home
right jav let's move on um you've got this week's rant of the week
if you're following the show notes there was actually a sponsor jingle before then
If you're following the show notes, there was actually a sponsor jingle before then.
Oh, whatever.
Look, we don't all follow the show notes.
I mean, Andy didn't just before on the industry news.
Amateur.
Because they've been edited literally as I'm talking.
Actually, there's only one edit done today.
One word was changed today. The rest has been slowly changing over a number of weeks.
Well, there's certainly more profanities in those,
in that extra long sentence than I originally.
Yeah.
And you know, just to keep you happy, Jav.
You're listening to the Host Unknown podcast. more fun than a security vendor's briefing
okay so this week's rant is uh i took one story but i think it's going to tie into
a couple of stories that have happened over the week or a couple of weeks and in finland a psychotherapy clinic was uh hacked uh data was exfiltrated
and there's about 300 patients uh personal records or maybe more were stolen so they were
exfiltrated and then they're the criminals instead of doing the traditional, let's just encrypt all the files of the clinic and try to extort money from them, they started getting in touch with all the patients and saying, we have all of your notes, pay us 200 euros or we're going to release them.
Game changer.
Game changer.
Salami slicing.
Bear in mind, this like this is psychotherapy
clinic i assume some of those people are already suffering from paranoia or delusion of some sort
yeah and to get this kind of thing is probably not helpful the the only time i've heard something
similar happening was last year in florida a cosmetic surgery clinic was hacked, ransomware.
And so they were also asked to pay ransom.
But then their customers were also targeted saying, hey, we have details of all of your procedures before and after photos, notes, pay us money or we're going to release those as well.
So it's it's it's one of those cases where you think how low can these um criminals go because
i mean everything is ransomware from a criminal perspective everything revolves around ransom
we call it ransomware but it's it's not just ransomware they go in they they they work out
what's the best files to uh encrypt, what files should we exfiltrate,
how much money should we actually demand from this organization, how much can they afford.
So there's many steps now involved in that, and it's just become quite bad.
Yes, so I guess the – sorry to interrupt.
So you're right in terms of what they're doing is bad,
but also probably more likely to pay out than your typical ransomware attack
because where you've got companies not willing to pay at all,
here you've got a high number of obviously vulnerable people
and an achievable € euro ransom fee per person.
Yeah.
So, you know, potentially this is going to pay higher rewards
than going for the big one.
It is.
Or rather they're getting, you know, a slice of the pie
rather than no pie at all.
Yeah.
Exactly.
Exactly.
And, you know, it um krebs actually posted yesterday or day before
that uh the department of home and security and whatever they've warmed off an imminent
credible ransomware threat against u.s hospitals that's right so not something that we're worried
about but um it's it's one of those things where well well, you know, you kind of like should always be aware that, you know, you might get attacked by some of these guys because, you know, it is such an easy way to make money.
And the Reval or the R-Eval ransomware gang, I don't know how to pronounce it, but R-Eval, they claimed a couple of days ago that in the last year they made over a hundred
million dollars in profit now this might be a bit of exaggeration so when you say profit you're
are you saying they're actually deducting costs and uh balancing their books properly
you know what yeah they're not criminals for god's's sake. No, you know what? A lot of these are, you know, they are run as legit companies.
And the thing is, the amount of profits they're making,
the problem is that they can now afford to hire really talented people.
They can pay off, like, officials in certain countries
where they might have their data centers or operations
or, you
know, local police force, all that kind of stuff. So this is really, really serious thing. And I
think I suppose where the rant part comes in is not that this is unexpected or not that, you know,
the criminals shouldn't be doing this because that's their game. They're there to make money
and do whatever it is. But this is a real failing on behalf of the security industry.
We often see things coming and we will, like,
use it as an ambulance chasing moment to say,
oh, this is great, let's now, like, point fingers at how, you know,
so-and-so's technical solutions are inferior and my ones are superior
or my approach is better than someone else's
or we now need to be adopting this model or that model and you know with this I think the industry's
really taken their eye off the ball and like it's it's now getting to a point where it's getting
highly toxic where every organization potentially could be a victim of something like this and
there's no real easy way or a consistent advice as to how
to defend or or respond or negotiate or or do any of those things it's it's pretty much every every
person for themselves so um just just to wrap it up um i think even the the the criminals are
feeling a bit bad for all their success they're like like, oh, my God, this is a bit too easy.
This is like a one-legged man in an arse-kicking competition,
as JR used to say.
That's quite difficult.
Yeah, exactly.
So a ransomware gang, the Darkside ransomware gang,
a few weeks ago, they donated 10K to charities the children international and the water project yeah
so it's tax deductible so so you think like what when you know when it's so easy that even they
feel bad about making so much money that they're giving money to charity i think you know the
industry needs to step up its game yeah yeah very true although i'm pretty sure you've got your analogies
mixed up with your one-legged man in an ass kicking contest but i do you know i often think
that what would you do in in this situation if you were the target of this so you know there was
that one recently that used old um email accounts and passwords that have been on Pastebin, et cetera,
and then emailed people saying,
I've watched you do filthy things in front of your webcam
and here's your password to prove it.
Send me money.
When you first get that, obviously you're filled with a little bit of dread.
And then the second part of you, if you haven't realised that actually
this is a scam, thinks, ah, screw it, publish and be damned.
I'm wondering how effective this tactic really would be in this instance.
Now, I know it's a psychotherapy centre of vulnerable people,
that sort of thing.
I wonder what kind of return
they would get based on really are people going to be that interested in my psychotherapy reports
well i guess that that's a thing it depends isn't it on what they're talking about um yeah i mean
you know if i was talking to a mental health professional um you know and unloading all my
deepest darkest secret i'll probably give them a bit extra as well so let's say you will actually A mental health professional. Yeah, and unloading all my deepest, darkest secrets.
I'll probably give them a bit extra as well.
So I'll tell you what, actually just destroy the files.
So no one's got a record.
You know, that password thing, I mean, I get that.
You know, my password's actually the subject of, you know,
I receive the emails.
But, you know, with that, it's like, well, that's just, you know, it the emails uh you know with um but you know with that it's like uh well that's
just you know it's just very generic i think with this one it's so specific that you know this place
has actually been hacked and it's a lot more it's not that scat gun approach it's a lot more personal
in terms of they can actually prove that they know um you know enough about you
it'd be interesting to see if in the coming months we find out exactly
how much they made from this or how many people paid.
Wait until they publish their accounts at the end of the financial year, right?
Yeah, that's right.
That's very true.
Unless they do a statement, you know, an earning statement.
A quarterly statement.
Quarterly statement, yeah.
Anyway, sorry, Jav, you were going to say something?
No, just to tie in, i think there's a book by
ron johnson called so you've been publicly shamed and oh that's right it's a few years old but it's
it's a really interesting book about how people's careers and lives have either been destroyed or
taken a very bad turn uh because of something they might have said or done online or have been exposed online and then
they just haven't been able to recover their reputation or their standing in society since
and I think it's it's a really good look at many case studies but it's it's it's a very real fear
that people have I mean but it's it's not a black and white situation though is it it's not like
if you if you are exposed your career will fail it depends well no it depends but it's the fear
that it puts into people's heads oh yeah yeah yeah yeah and that's and that's what criminals
are playing with it's not the the absolute certainty it's the fear if you can scare
someone into getting like oh you know what i like andy
said i'd rather pay that extra just delete the files that's what they're that they're relying
on and and i think you know we we all have so much of our digital lives online or we give so much up
online like andy uses tiktok without a vpn or anything and he you know it's like the joke about the being in court.
And I have your,
your Google browser history for the last week.
I'd rather confess to the murder,
your honor.
I think that's the fear that people have.
And that's where the criminals have so much leverage.
Yeah.
Yeah,
absolutely true.
Absolutely true.
Oh,
thank you,
Jeff,
for this week's rant of the week.
Now I know this is the moment everybody has been waiting for.
Do we have a little people?
We do indeed.
What?
What?
Incredible.
Yes.
Who've we got?
We have got an absolutely absolutely wonderful individual individual today
madeline howard she's the socio-technical engagement manager at friends of the show
sygenta who's run by jess barker and fc and um not only does she work there but she's also heavily
involved in ncse and getting kids involved in
cyber first and what have you so I thought well you know Madeline why is it important to get kids
involved in cyber and what role can the NCSE play in it? The little people.
Hi Javid that is a really good question and i think the ncsc have done an amazing job at
showcasing what can be done when you engage with young people through their cyber first program
and their cyber schools hub program but ultimately i do think that the responsibility comes down to
us as an industry we talk about how awesome the industry is and as a community we absolutely love
it but why aren't we going out and speaking to young
people, engaging with schools and inspiring them and telling them about all the awesome
opportunities? That's something we really need to do. And I think that's important for three reasons.
The first reason is that within school, computer science can typically be quite boring. And so we
need to get into the school, role models, inspirational
speakers, run workshops, and we need to show them how it applies to the real world. We need to give
them those opportunities to apply their learning and see the impact and the positive impact that
it can make to help secure individuals, organisations and businesses. The second is that as the industry
continues to grow and more threats emerge and cyber criminals get more savvy,
we need to make sure that we have the best people at our disposal.
And kids are so excited to be part of that.
But we have to show them.
And the third reason why it's so important, and this is a bit of a, you know, a bit of a secret, I'd say, is...
Wait, Javid, are you recording the little people
good points well made yeah i like the third point myself that was actually uh very professional um
i'm kind of uh i feel like i should sit up straight and um sort of behave a bit more now finally someone bring a bit of professionalism to this show yeah yeah very true we've had a few
people on here and uh yeah professionalism is not the word that springs to mind right
yeah so mads if you want to come on and replace andy
if you'd like to come on and replace Jav.
Mads, if you'd like to come on and replace Tom and Jav.
And Andy.
Yeah, this CV stain of a show will ensure you.
Oh, dear.
No, very good.
Very good.
Yes, I've heard of Madeline.
I've not heard her speak. I've never met her but um excellent stuff very very um very compelling yeah and madeline like these two
would get involved more but they're not allowed near school so on that lovely note thank you jav um much appreciated um i hope you have a lovely weekend
thank you and andy thank you very much sir stay secure my friends stay secure host unknown the podcast was written performed and produced by andrew agnes javad malik and
tom langford copyright 2015 or something like that insert legal agreements here
as applicable and binding in your country of residence. We thank you.
Cutting a bit fine there.
You're going to have to edit out about a minute's worth of work.
I don't think that's going to be a problem in the slightest. It's a bit random.
Just drag the slider across and just chunk out a minute of anywhere. It's not going to be a problem in the slightest. It's like a random sort of just drag the slider across
and just chunk out a minute of anywhere.
It's not going to make a difference.
You know that whole story that I told you about flipping the logs?
Just delete that whole section.
No, that's staying.
That's staying.