The Host Unknown Podcast - Episode 34 - Black Friday Special

Episode Date: November 27, 2020

Trigger warning, this episode is over an hour long; do not time anything with the length of this episode.

This Week in InfoSec

21st November 2008: The Conficker worm was first discovered. It spread quickly by exploiting a vulnerability that was addressed via the patch described in Microsoft's out-of-band bulletin MS08-067 four weeks prior. It infected millions of computers, at the time more than any worm since 2003.
https://twitter.com/todayininfosec/status/1330292959766573056?s=20

22nd November 1987: Chicago TV stations WGN and WTTW had their signals overridden in 2 separate incidents by a man in a Max Headroom mask. To this day, the perpetrator is unknown. The second incident was...uh...wow...just wow. It's a must-watch.
Video: https://youtu.be/tWdgAMYjYSs
https://allthatsinteresting.com/max-headroom-hack
https://twitter.com/todayininfosec/status/1330512600539521027?s=20

24th November 2014: The Washington Post published an article which included a picture of TSA master keys. As a result, a short time later functional keys were 3-d printed using the [unblurred] key patterns displayed in the picture.
https://www.washingtonpost.com/local/trafficandcommuting/where-oh-where-did-my-luggage-go/2014/11/24/16d168c6-69da-11e4-a31c-77759fc1eacc_story.html
https://twitter.com/todayininfosec/status/1331385955916402690?s=20

Tweet of the Week

https://twitter.com/geoffbelknap/status/1331690657170157568?s=20
An outage with Amazon's web infrastructure left smart-home enthusiasts unable to use basic household items. Amazon Web Services is a huge part of the company's business and the backbone of the internet's most popular sites and services. A widespread US outage late on Wednesday disrupted many of those services. Robot vacuums and smart doorbells suddenly stopped working in people's homes.
https://www.bbc.co.uk/news/technology-55087054
I Cut the 'Big Five' Tech Giants From My Life. It Was Hell
https://gizmodo.com/i-cut-the-big-five-tech-giants-from-my-life-it-was-hel-1831304194

Billy Big Balls

A Hacker Nearly Stole $8 Million From An Aussie Hedge Fund Using A Fake Zoom Invite
A fake Zoom invite has led to the demise of a successful Sydney-based hedge fund and nearly cost it $8.7million after a hacker was able to send off fake invoices on behalf of the firm. On Monday, the AFR reported that Levitas Capital was forced to close after its major client Australian Catholic Super withdrew its funds in the wake of the September cyber attack. The hedge fund's cyber investigators have pinpointed a fake Zoom invite opened by one of the fund's cofounders Michael Fagan or Michael Brookes.
https://www.gizmodo.com.au/2020/11/a-hacker-nearly-stole-8-million-from-an-aussie-hedge-fund-using-a-fake-zoom-invite/
Lost All The Money!

Industry News

Microsoft Announces Pluton Processor for Better Hardware Security
#ISSE2020: Focus on 2020's Crypto Successes Rather than Efforts to Break it
NCSC Issues Warning About Expected #BlackFriday Scams
#COVID19 Drives Massive Multi-Cloud Adoption
Fines Less of a Concern than Reputational Damage for Public Sector Security
Home Depot Settles with US States Over 2014 Data Breach
DDoS Attacks Against Online Retailers Increase Four-Fold During Pandemic
Defining Codes of Conduct to Enable Post Brexit GDPR Compliance
GDPR Has Had Successes, Requires Public Knowledge of Data Spread

Javvad's Weekly News

Up to 350,000 Spotify Users Targeted by Credential Stuffers
Beware of Black Friday Deals That Are Too Good To Be True
Data Breach of Online Kids’ Game Exposed Personal Data of 46 Million Parents and Children
Spotify Hit by Credential Stuffing Attack, 300K+ Accounts Vulnerable
Fraud Operation Targets Spotify Users With Leaked Database

Thom calling it:
Manchester United Investigating Cybersecurity Incident
UK Football Club Says No Evidence of Fan Data Being Breached
https://www.databreachtoday.eu/manchester-united-investigating-cybersecurity-incident-a-15438

Rant of the Week

Leaked docs from inside Amazon’s Global Security Operations Center reveal company’s use of Pinkerton operatives—private intel—to spy on workers and the extensive monitoring of labor unions, environmental activists, and other social movements
https://www.vice.com/en/article/5dp3yn/amazon-leaked-reports-expose-spying-warehouse-workers-labor-union-environmental-groups-social-movements
https://twitter.com/josephfcox/status/1330924178875109376?s=20

The Little People

This week we are joined by the opinionated but equally correct Tricia Howard @TriciaKicksSaaS

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Hey, Andy's not here. It's Black Friday, everybody. 33% off. Hey, yeah, very good. Yeah, I think we should start with that because then what that will do is make him look like an idiot. Yeah, because he's going to come in trying to be funny with that joke. You know, he's not. Yeah, exactly. And frankly, with the size of him, it's more like 50% off. Yeah, but if you think about actual contribution to the show, it's more like 5%. Yeah, true, so not such a good deal after all. No, no, it's like most of these deals: they look good on paper, but in reality not all what it's cracked up to be.
Starting point is 00:00:38 You're listening to the Host Unknown Podcast. Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are. And welcome to this special Black Friday episode of Host Unknown with, well, either 5%, 50% or 33% off. Whichever way you look at it. Oh, is this Andy? We can hear now. Yeah, right.
Starting point is 00:01:10 It's like that, is it? I see the red lights already on. Yeah. Did you at least do a gag about it being Black Friday and how you're doing 33% off? We actually said 50% off. Jav reckoned it was five. Because I'm the sole founder, right? Yes, something like that. Anyway, now we've got Andy here with a cup of tea in his hand. Andy, how the devil are you? Not too bad. I was just, well, prior to getting my tea,
Starting point is 00:01:40 I was bemoaning the lack of Black Friday bargains that are out there today. Yeah, that's true. Not much Apple kit is on Black Friday in the UK anyway. No, nothing worth it. The best I've seen is £20 off an iPad, but that's not via Apple. Obviously, that's via someone else. I got a free MacBook Pro delivered to me this morning. You and your freebies. Yeah.
Starting point is 00:02:09 Yeah. Hey, Jav, how are you, sir? Not – I feel angry this morning. Yes. You know, I went for a walk. You look in the mirror and just get angry, right? Yeah. That's right.
Starting point is 00:02:26 So what's causing said anger, Jav? I felt I was verbally attacked by a lady in the park this morning. What? Are you serious? Yeah, yeah. So I went for a walk in the morning. What did you do? It was cold.
Starting point is 00:02:43 So what I do, I do a loop around the park, so people that are doing a loop the opposite way, you pass them twice: once when you're going there and then when on the way back. Um, so I was walking and there's a lady, she might have been in her 40s, and she was jogging the opposite direction. So we just pass each other and, you know, just sort of like, you know, like in the morning people are a bit more friendly. You sort of like give a little nod or what have you. But, you know, we just made eye contact. Anyway, she ran on. I went round the loop and I was at the top end and my right knee started giving up
Starting point is 00:03:14 and I was just walking. This is just one of those issues. You're not going to say you were walking around following her whilst rubbing the top of your. No, no, no, nothing like that. Nothing inappropriate, nothing inappropriate, nothing inappropriate. And, you know, when it just feels like it's about to, it needs a click, but the click is stuck. And are you hearing a joke on its way? There's a long setup. There is a long setup. This is a long set, but do go on, Jav. No, this is dead straight. So I got to the top, and then I stop on the side.
Starting point is 00:03:46 There's grass verge, and there's a bench there. So I'm holding on to the bench, working my knee gently, just hoping that I don't hurt myself more because it's happened in the past where, you know, Paulton. And anyway, I'm there trying to, like, do my knee, and she comes running past again. So she comes running past, and we make eye contact, and she sort of, like, half smiles, and she says, morning. And to you it might seem like she was just saying
Starting point is 00:04:12 good morning, but I know exactly what she was saying. She was saying, look at you, you look like you might be younger than me and you got like old man knee, you can't run, you're fucked up. And I got so offended by that, if I could, I would have kicked her dog. You know, my leg was messed up. But, yeah, so I'm really upset this morning. That's a terrible joke. It's not a joke. It's reality. It's reality what happened.
Starting point is 00:04:35 It just, you know, when you see people who are older than you that are still running around, hopping around like, you know. Hold on, Jav. Hold on a minute here because you clearly said that she looked like she was in her 40s. Late 40s. Late 40s. Okay, so someone in your age group. Did you get her number?
Starting point is 00:04:52 I'm asking for a friend. Tom likes them younger. Tom, I said she was in her 40s. She's way too young for you. Half your age plus seven, that's four. Like I said, she's way too young for you. Oh, dear.
Starting point is 00:05:12 How's other than a free MacBook, Tom, anything else happening this week? Any news? Well, not news. Been doing client work. I had a long week of client work, which was very, very good, actually. I had the sort of penultimate client call this morning, very happy client, and presenting to their leadership this afternoon, which is good, but they're happy with it.
Starting point is 00:05:36 So, yes, lots of late nights this week. Diet went for a burton as I snaffled chocolate and biscuits at sort of like half past 11 midnight for the last three nights to try and keep myself going. But yeah, that's it really. Pretty normal week at TL2 Towers. Awesome. Yes. Yes. Right. Well, on with the show. Hey, what have we got for you this week? This week in InfoSec the not so new feature Tweets of the Week, Billy Big Balls, Rant
Starting point is 00:06:09 of the Week, and will we have a little people today? Oh, and also industry news, of course. Huge if true. Will we have a little people today, Jav?
Starting point is 00:06:24 Maybe, maybe not. If we have time. Wow, maybe, that's the most committed you've been about the little people for a long, long time. Excellent, excellent. Well, Andy, if you are ready, I think we should move
Starting point is 00:06:41 on to this week's This Week in InfoSec. So this is a stroll down memory lane, liberating content from the Today in InfoSec Twitter account. Good recovery. Yeah, I lost my thought. I looked out the window and I got very thoughtful and just lost myself there. Was there a squirrel? Did you see a squirrel?
Starting point is 00:07:11 So first we're going to go back 12 years, and this is the story of the Conficker worm when it was first discovered, and it quickly spread by exploiting a vulnerability, which, as with most vulnerabilities, was patched approximately a month prior to that. Now, at the time, this was the biggest worm that we had seen. And there's a lot of great stuff with Conficker in terms of it was planning to do something. It was going to get new instructions on 1st of April, and everyone was sort of waiting, like, what's this going to do? What, all these millions of
Starting point is 00:07:50 machines have been infected, what instructions are they going to receive on the 1st of April? Um, and it, to be honest, it was a complete anti-climax, um, because nothing, nothing actually happened. Um, but, uh, yeah, this was a worm that I remember personally in the office I was working at the time. You know, our patch management was, you know, meh. I'll say ad hoc was probably the best way of stating it. You know, we'd have a process and sort of push out the Windows updates once a month.
Starting point is 00:08:23 But, you know, we thought we were pretty sick, you know, pretty safe from this type of thing. Everyone had their AV installed. Um, and it actually got us via a third party that we used, a third-party development house who had access to our instant messaging systems. Um, and all of a sudden, yeah, we just had these links pop up. Everyone sort of received these links at the same time, and straight away, you know, you could see it, and it was like, oh, because, you know, it's got PHP ending on it as well, and it was like, don't click that link, but it's too late. I mean, you know, half the company had already clicked it. Um, but a good lesson in
Starting point is 00:09:01 management, and this is, uh, you know, only 12 years ago. So it probably should have been a bit more mature at that time. 12 years ago? But, yeah, we were very agile. So, you know, patching sort of took a backseat to delivery. 12 years ago, agile meant you had no policies, procedures, documents, anything like that. You just did what was required.
Starting point is 00:09:23 And a lot of the time today, that still means the same thing. Exactly. Okay, so second story, and this is one that I recall from my childhood. This was about, this one, yeah, it was really sort of, uh, popular. So this is taking us back to 1987, 22nd of November 1987. Um, Chicago TV stations had their signals overridden in two separate incidents by a man in a Max Headroom mask. And what I absolutely love about this, and there is a link in the show notes to this, do you know what actually happened? Uh, just in the middle of Doctor Who in 1987. Imagine you're watching TV and all of a sudden, Sylvester McCoy, uh, if it was, it was probably a welcome break. Yeah, I don't know it was McCoy in '87. I don't know, I was still a youngster at this time, Tom, so, you know, I'll have to defer to your superior knowledge, watching it in real time. I've been William Hartnell, I don't know. Right, but, uh, I mean, it's just the craziest thing. Um, this, this person just came online, um, you know, talked garbage, um, pulled his trousers down and got
Starting point is 00:10:37 spanked by a woman and then just disappeared so they had literally intercepted the TV signals, you know, broadcast this stuff. And what I absolutely love about this story is the fact that no one was ever caught for it. Yeah. And, you know, to me, this is the ultimate. You see some really intelligent people. They pull off some amazing hacks. But because they are so arrogant and they want the kudos and you know it's so ego driven that they have to tell people what they've done whereas this person has pulled off the ultimate and only he knows about it you know and to me that is just all she obviously but i think it definitely uh sounded like uh uh you know a male voice and the backside certainly resembled that of a 1987 male.
Starting point is 00:11:28 I'm sorry, what? I refer to your expertise on backsides. Male backside, specifically. Was that the second incident, then? So, have you watched this video? Have you seen what actually happened at the time? I watched it years ago, years ago, but it was almost unwatchable in a sense. Yeah, I mean, it was pretty painful to watch
Starting point is 00:11:50 because it was so unstructured. And I think this is the greatest thing, is what it was sort of like, you know, pre-recorded. And if you think back in 1987, it's not like you had everything on your PC and you sort of cut, oh, let's take two seconds off the beginning. Let's drop this part, you know, splice.
Starting point is 00:12:06 This was probably videotape, right? Yeah, this would have been like, you know, camcorder at best. You know, and if you wanted to do fancy editing, you sort of had to rewind and pause really skillfully to get the part that you want to record over. So definitely a great trip down memory lane on that MacTec phone line.
Starting point is 00:12:24 And the final story I was going to talk about, I know we only do two normally, but I've been sort of slipping in a third. And this was a mere six years ago, 24th November 2014, where the Washington Post published an article which included a picture of TSA master keys. And this is the US TSA. And the reason I just want to remind us about this is, you know, this is, for in the world of 3D printing, you know, sort of six years ago, what are the possibilities for us? To me this is almost as like the, you know, what the TJ Maxx breach was to the PCI industry. You know, this was a real warning up front
Starting point is 00:13:06 for the misuse of 3D printers. And I know we covered a story last week about a guy making, you know, hooks, uh, disguised, or items disguised as hooks, that can turn semi-automatic guns into fully automatic. Um, but, you know, just that mere six years ago, I remember someone just paused that or took that photo and then just used it to create their own master keys. Uh, absolutely fantastic. So there's a service, um, I've not seen them in real life, but I know they exist, where you can take a photo of your house key and upload it and it will cut the key in the machine. Basically it will cut the key and drop it out to you. Yeah, yeah, there is a service that does that. Yeah, and actually I went to B&Q the
Starting point is 00:13:55 other day, they've got these, uh, vending machines that do the same as well. They just, well, you actually put your key in there, but it just scans it and it, and it's. All right. Yeah, but actually on this same one, this was in 2014, I'm sure it was around the same time or maybe a year later, there was also the master keys for New York's, uh, the fireman keys were also. Yes, they were being sold online. But that was, wasn't that taken from a TV image or something? That wasn't an article. I thought that someone was on TV. I can't remember. I know that I think someone found that they were being sold on eBay for like a tenner or something,
Starting point is 00:14:33 and they got you into every single, you know, elevators in New York, basically. Handy. Yeah. Handy. If you ever want to stop a lift halfway between floors like you're doing films, which you can't do at all. Yeah, just so you can have that really important conversation with your co-worker before the dramatic part where you restart it. And yeah, and there's
Starting point is 00:14:59 no one waiting for the lift either when you get to your destination. Yeah, it's fun. Well, I think it'll be really interesting to, like, start up like that, because, you know, the elevator pitch, that it doesn't have to be 30 seconds. You just pop the key in as long as you want. That's how they should have marketed that key. Can't cut down your elevator pitch? For just $10 you can buy. Buy more time. You can buy more time. Boom. It ties in nicely with Doctor Who, the time key.
Starting point is 00:15:33 Excellent. Thank you very much. That was really interesting and, yeah, blimey. I'd forgotten about a couple of those things. Thanks, Andy. This week in InfoSec. Oh, dear. All right.
Starting point is 00:15:54 So why don't we move straight on? I think we should because I think we've got quite a doozy here for Tweet of the Week, and it's me, even better. So let's move straight on to Tweet of the Week. So this week's Tweet of the Week came from Geoff Belknap, actor Geoff Belknap. Thank you, Geoff. Don't know if this is actually an original or ripped off from somebody.
Starting point is 00:16:23 You never know these days. Uh, it's so harsh that that suspicion is out there. I know, and you know there's one person we blame for this, don't you? Uh, but, uh, which we, who we may mention later on. In fact, why don't we get one of his as a tweet of the week later? Uh, so his tweet was, I can't vacuum because US East 1 is down. And for those that don't know, US East 1 is the AWS Amazon Web Servers East Coast site. So yes, they had an outage. Amazon's web infrastructure had an outage in their East Coast area, which left smart home enthusiasts unable to use basic household items. So like, for instance, doorbells. And in this case, not a handheld vacuum cleaner, as many of you might be thinking,
Starting point is 00:17:23 but a Roomba, a Roomba robot vacuum. And that's the problem. You know, if you're going to get a robot vacuum, get a dumb one like mine, because, you know, mine just bumps into everything and is, you know, just gets in the way every single time. that map their way around, they rely on a connection back home to where the servers are, in this case, US East 1, in order to process the map they hold internally. And without that, they don't work. So poor old Geoff was knee-deep in dust in his, uh, New York apartment, um, completely unable to crack out a handheld vacuum cleaner, which, to be frank, was my initial response to this
Starting point is 00:18:16 uh, because, uh, the Amazon Web Services were offline. But it does give a, it is an interesting thing in that, you know, we talk about, I've just been with a client this week and we've had to, you know, look at things like incident management and business continuity processes and procedures. We're going to have to start drawing some up for a home, aren't we? You know, so next AWS goes down and we can't vacuum, we can't brush our teeth, we can't. What are your contingency plans? What are your contingency plans? Yeah, now most people's are go to Starbucks and use the Wi-Fi there, but you can't exactly vacuum your living room from Starbucks, can you? So, um, but yeah, it's, uh, it really does give rise to the thought of, you know, where is the redundancy? Because those sites, US East 1, for instance, is hugely redundant,
Starting point is 00:19:12 except, I presume, for the pipes that go in and out of it, which must have been the thing that went wrong at the end of the day. So, yeah, fascinating stuff. So what I didn't realise was that these things were so dependent on that constant connectivity. I don't think they all are, in fact. No, so the ones with iRobot and there was something else. You know, I mean, someone else did a similar tweet at the time.
Starting point is 00:19:37 It says, you know, my effing doorbell doesn't work because AWS is having issues. But, you know, with that vacuum cleaner, so that's literally mapping out your house and sending those details back to Amazon, right? Yeah. Yeah, I guess. Sorry, not Amazon directly, the company that is hosted out there. Either that or it's using it as the brain, for want of a better term,
Starting point is 00:20:04 to work out where to go. I don't know, but it seems weird. I mean, my vacuum cleaner just basically goes around in random like a dog on steroids. Yeah. You know, and eventually through a process of elimination over a couple of weeks, it's pretty much covered the entire flat, you know. But, um, others are a bit more intelligent. Uh, so for instance, I know you can say, uh, hey Google, tell my vacuum to sweep under my kitchen table, and it will know where your
Starting point is 00:20:32 kitchen table is, you know, that sort of thing. You know, but, um, but yeah, it's the amount of data, and again, I think it's only through things like this that you realize quite how much data is going backwards and forwards, right? Yeah, and I believe Downdetector was an impacted website as well. So, yeah, you're going to really struggle. You know, the first you realize that there's problems, uh, is because your doorbell doesn't work, not because, uh, you can look it up and hear about it. But a terrible failover, right? There should be a fail functionally concept. Do you know what I mean? If you can't get connection, then fail to dumb mode.
Starting point is 00:21:16 Fail to press a button and make a noise. It's the old failover, isn't it, in security terms? Yeah. If someone's trapped in a room, uh, so, you know, when the argonite gas is going off, which you're not allowed to use anymore, you know, make sure the doors fail open. Yeah, but you know what, what's really interesting, so about a year ago there's a journalist called Kashmir Hill. She, I think it was, it might have been one of those websites, not Vice or something, Gizmodo or something, but she'd done a five-week experiment or six-week experiment
Starting point is 00:21:53 where every week she would block one of the big five. So she had a custom sinkhole made. So it was basically Amazon, Facebook, Google, Microsoft, and Apple. So she couldn't use, so for one week at a time, she would not use any product made by those companies, a physical product, and she would not use any service. And the services one was so difficult. And I think at the end of it,
Starting point is 00:22:22 she spent a week not using any of them all at the same time. Holy crap. And she said it was nearly impossible. She goes, everything, it gets, she goes, like, basically between those five, um, your life is unusable if you turn them off, because your phone, you can't use iMessages, you can't download stuff from GitHub, you can't, there's basically nothing you can do. And I think when you put it in context like that, it makes it really clear, like, you know, it's not just your vacuum cleaners that are at risk, it's basically your entire life. Your existence is dependent on the services provided by literally like half a dozen companies. But the only people that are sort of pointing and saying,
Starting point is 00:23:07 see, see, are those with beards and sandals that use Linux. Run their own server farms in the... Yeah, exactly. Yeah, well... In the middle of nowhere. On their homebrew laptops. Yeah. No, I think the point is that...
Starting point is 00:23:24 I know. You know, it's in the same context: what is the fail, fail open concept here? So if, uh, Amazon Web Services go down on the broader content, uh, delivery platform or what have you, um, what's the alternative? And, you know, where can people go? What can people do? And I think the other, sorry, go. Now go. I was gonna say, the other thing is, it's a bit like the banks, you know. If Microsoft was to file for bankruptcy or get ready to, you know, to go bust, would governments globally bail out Microsoft because it's too big to fail? Probably. Because, you know, as you say, it would be nearly impossible.
Starting point is 00:24:16 Governments themselves rely on services from Microsoft, let alone everybody else. Yeah. They probably classify them as a critical national infrastructure. Yeah. I'm surprised if they don't. They should. Those five, those big five, probably are. Although Facebook should be struck from the face of the earth.
Starting point is 00:24:33 I think those guys, they could afford to sort of buy each other out. Well, Apple could probably afford to buy all of them. Yeah. In cash, you know, in briefcases of cash taken by their head of security. Is that because they don't offer any Black Friday discounts? No, that's right. Buy one Microsoft, get a Facebook free.
Starting point is 00:25:00 Oh, dear. So, yes, US East 1 is down. Developers around the world took an extra day's holiday as a result. Tweet of the Week. Interesting. Yes, interesting. And I think it's time for one of these. You're listening to the Host Unknown Podcast.
Starting point is 00:25:29 More fun than a security vendor's briefing. It's all very serious at the moment, isn't it? Have you got something a bit more lighthearted for us, Jav? I do, if you play the jingle. I'll play the jingle. Billy Big Balls of the Week. So before I go into the story, like, um, I've been getting, like, loads of tweets. What did I play the jingle for then, if you're not going to go into the story? It's related, it's related to the jingle.
Starting point is 00:26:10 Okay. We've got tons of, uh, like, from our fans we get lots of feedback every week, and one of the questions they often ask is, what qualifies as a Billy Big Balls? Look down, and if you've got them, you'll know. And, uh, and yeah, it's normally someone. What does qualify indeed? It's not an exact science. It's a bit like trying to figure out who the pound-for-pound best fighter is. You know, it's just an arbitrary thing, but it's normally someone that's done something quite outrageous. And we say, like, that's a Billy Big Balls move. So it could be a good thing or a bad thing.
Starting point is 00:26:51 It's just one of those things. But let's face it, we've even done tweets of the week which haven't been a tweet. So, frankly, it's whatever we want it to be. Well, we know that someone has tweeted that story. Yes. Yes. Someone, somewhere at some point.
Starting point is 00:27:08 Absolutely. Exactly. Yeah. Anyway, do go on, sir. So Aussies, what are they?
Starting point is 00:27:15 They are. They're over here is what they are. No, they're, they're, they're just British Texans. They are. Yeah.
Starting point is 00:27:26 That's exactly what they are. Yeah. And we love you, British Texans. Yeah, yeah. So this story features an Aussie hedge fund. And I know it's really hard to feel sorry for Aussies and even harder to feel sorry for a hedge fund. But someone had the Billy Big Balls move to go in and fleece $8 million from them. And how did they do it?
Starting point is 00:27:50 Any guesses? Did they? Social engineering. No, no. It was something to do with fosters. Well, no. Did they sell them corks for hats? No.
Starting point is 00:28:00 They got them to invest in US East 1 alternative backup sites. Yeah. Sorry. Hang on. Hang on.
Starting point is 00:28:17 Hang on. There we go. No, no, no. So it wasn't social engineering. It was a phish. But what it was, it was a fake Zoom invite that was sent. Was it a fish that could kill you? Because that's pretty much what Australia is, is filled with animals that could kill you. Well, let's just see how this progresses. So it was a fake Zoom invite. And I thought this is like quite clever because, I mean, how many times a day do I suddenly get a notification
Starting point is 00:28:46 that I've got a meeting starting in five minutes and I have no idea what it's about. I'm there with you. I just hope it's not a presentation because I've got no slide deck to hand at the time. But, you know, it's – but, yes, one of the owners clicked on it and it gave the attacker access to their email account as one of the CEOs or founders. And they sent emails purporting to be from the CEO to finance and what have you saying, hey, make these payments to these new clients or what have you.
Starting point is 00:29:20 And so they sent out about $8 million. I assume the guy that's behind it, Mohamed Bati, he made, and this is good banking in operation here, he made 64 withdrawals from one bank where the money was transferred. And he went on a shopping spree as well. He basically spent about 800 grand off that money or withdrew it before leaving Australia. The other money was recalled back. And this happened about a week or 10 days after, uh, the original thing, because the
Starting point is 00:30:06 founder logged onto the bank account and saw some some new transactions going out like you know one million here two million there to do my raise an eyebrow yeah exactly exactly it's a bit like you know i can understand you're like oh i don't remember going to cost a coffee that day what it's like three pound fifty going out there and for them it's like £3.50 going out there. And for them, it's like 1.2 million. But it is a hedge fund, though, isn't it? It is. It is. But, you know, so they recovered most of that money.
Starting point is 00:30:34 They only lost 800 grand. So you're thinking, happy ending. But no, sometimes these poisonous fish bite you and you don't die immediately. I see what you did there. Nice one. Yeah. One of their biggest clients, Australian Catholic Super,
Starting point is 00:30:57 was one of their biggest clients. They withdrew their entire funds from it, and they forced the hedge fund to shut down. Wow, because one client withdrew their funds? Well, you know what it's like. I mean, like, you know, TL2, you know, I mean, like, some, a lot of businesses are structured in a way that most of their revenue comes from one client or what have you. But I think it's the reputation loss. And what that does also, it signals other funds to say, hey, let's withdraw money from here. They're no good. They can't protect your money. They can't protect themselves. How are they going to invest your money? All that kind of
Starting point is 00:31:35 stuff. So this is a case where reputation actually caused the loss. And for once, I think every risk professional that's ever wrote reputational risk feels vindicated that, yes, it's true. So, yes, it is true. You can keep on writing reputational risk. Point to this as your example for the next 20 years. And that was this week's Billy Big Balls. And you're welcome. Billy Big Balls of the Week. By which
Starting point is 00:32:08 I mean you're welcome for the example you can use in front of your board all the time. Right, yeah. You know, there's two things that strike me completely unrelated to that story. Firstly, there's a gardener that operates in my area called the
Starting point is 00:32:23 Hedge Fund Manager. Oh, nice. It's fantastic. It's hedgefundmanager.co.uk. I do love those puns because we used to use, when I used to live in South London, our gardeners were called Border Patrol, uh, which again, you know, and, um, it used to turn up the same time as our neighbors had the Lawn Ranger. All right, there's some fantastic, uh, puns going on
Starting point is 00:32:56 over in the gardening industry. Um, I, I always remember the, um, the builders, the Indian builders who had on their logo, or sorry, their tagline was, you've had the cowboys, now try the Indians. You've got to love that creativity. Yeah, it's so good. There's actually a shop not too far from me. It's a vape shop and it's called Puff Daddy. Oh, man.
Starting point is 00:33:21 So that appeals to the rappers and the kinksters. I'm surprised you actually know who Puff Daddy is, Tom. Only because he told me before the show. But the other thing that reminds me of is there's this great video I saw called Lost All The Money. And it actually starts off by someone transferring money to, you know, a fish like this. That's true.
Starting point is 00:33:52 Because the name was very, very similar. What was the name, Geoff? Ravi Pat Shanmugna Tiruchal Vam. And what should it have been? Ravi Pat Shanmugna Tiruchal Vim. Only an idiot couldn't tell the difference. Exactly. Clearly wasn't paying attention
Starting point is 00:34:11 at their security awareness course. No, they just went for the food. Oh, I tell you, this is like the host unknown players present. We're going to have to drop that in the show notes now, link to that video. Yeah, yeah, absolutely, absolutely. Oh, dear.
Starting point is 00:34:32 Is it that time yet, Andy? It is. So it's that time where our reliable sources over at the InfoSec PA Newswire have been very busy bringing us the latest and greatest security news from around the globe. It's this week's... Industry News. Microsoft announces Pluton Processor for Better Hardware Security.
Starting point is 00:34:57 Industry News. Hashtag ISSE2020. Focus on 2020's crypto successes rather than efforts to break it. NCSC issues warning about expected hashtag Black Friday scams. Hashtag COVID-19 drives massive multi-cloud adoption. Fines less of a concern than reputational damage for public sector security. Industry News. Home Depot settles with US states over 2014 data breach. Industry News. DDoS attacks against online retailers increased fourfold during pandemic. Industry news.
Starting point is 00:35:46 Defining codes of conduct to enable post-Brexit GDPR compliance. Industry news. GDPR has had successes. Requires public knowledge. Industry news. And that was this week's... Industry news. Huge if true.
Starting point is 00:36:09 Who was that? Javvad's weekly story. Dude, you've got stories this week. Jesus! Up to 350,000 Spotify users targeted by credential stuffers. Industry news.
Starting point is 00:36:26 Beware of Black Friday deals that are too good to be true. Industry news. Data breach of online kids' games exposed personal data of 46 million parents and children. Industry news. Spotify hit by credential stuffing attack. 300K plus accounts vulnerable. Industry news. Fraud operation targets Spotify users with leaked database.
Starting point is 00:36:48 And that was this week's... Jav, what's a K plus account? Javvad's weekly stories. There's 300,000. I think you meant... Okay, dude, you actually got stories this week. There was no need to do that. Yeah, what the hell. These are the quality stories. These are Glengarry stories. These are the ones that really will inform. So is it fair to say that you are quoted in all of those
Starting point is 00:37:19 articles that you just read out, which you are now putting into the show notes? I see. You know what, these are just the best stories I read in the week. If I'm quoted in them, that's purely coincidence and not intentional. There's five coincidences in a row here. And the fact that, the other thing that also, uh, is a revelation to me is I really do need to read ahead in the show notes. I noticed as you were talking about being quoted, Tom, I noticed you were quoted in a story about Manchester United's cybersecurity incident. I was because I'm known for my football commentary. Well, that was the first thing. Obviously, I'm a football fan and we don't normally talk about it amongst ourselves, you know, our discussions focus elsewhere.
Starting point is 00:38:10 But I was surprised to see this article. And not just that, you know, you're crossing over into the football world, which is, you know, really the area for the Stig to, you know, our InfoSec Stig to do. I had to take a shower afterwards. I felt a little bit filthy. Well, it's not just that, it's more the fact that you actually, um, I believe, made a statement. So this was about the cyber incident. You're gonna hold me to what I said in it? Well, no, I thought it was a brave move. So this is about Manchester United, uh, investigating a cyber security incident.
Starting point is 00:38:45 Yeah. So they actually published it on, you know, via their PR sources as well. So, you know, Man United are a listed company and they put out a public statement. Yeah, well, they have to. Yeah, yeah, exactly. But if I find the article,
Starting point is 00:38:57 so Tom Langford, founder of the security consultancy TL2, says ransomware is a likely culprit. Uh, now what I notice is different here is that you've actually nailed your, uh, your flag to the mast. You've actually gone in a direction and made a statement as to what you think it is. Rookie move. Rookie... is that right? Well, I was just thinking, in contrast to Jeff, sort of say, well, you know, it could have been, or, you know, what's been popular elsewhere in the industry has been XYZ. And what I've offered is an opinion rather than some vacuous statement. Exactly. Yeah, yeah. Just, just checking. We know, but commentary, and it's meant to educate and inform.
Starting point is 00:39:46 You do none of those. Sorry, but you educate and inform by ultimately saying nothing. No, no, no, no. There's a lot of wisdom behind it, but obviously the audience knows. I mean, this is just brilliant. No one knows the details of this, and Tom's just like, yep, ransomware. Yeah, I'm calling it.
Starting point is 00:40:05 I'm calling it now. Call it early. I'm calling it now. Just like I called in another article, I called the fact that we're going to have our first proper video phishing attack next year using deepfakes. That is my prediction for next year. So it will look like somebody's boss on the screen telling them to
Starting point is 00:40:26 transfer money. Well, a prediction is different. Yeah, making a prediction is different. An actual... You, you like feeling like Columbo at that moment, like, you know, walk into the crime scene, immediately you know who's guilty, and then you're trying to... No, no, no, no. ...uh, websites, etc., etc., are unaffected by this attack. Um, however, you know, that there has been, there has been, something has happened, uh, and we're pretty sure that there's no, um, you know, effectively customer data. I can't remember the term they used on it. So that tells me that one part of the network was attacked whereas another part wasn't. Uh, the parts that weren't were probably run by someone else, completely separate from them, third parties, websites, media, all this stuff that is so often outsourced, right?
Starting point is 00:41:33 So chances are the attack was on their internal network, and the chances are that an internal network attack right now are ransomware or just some horrible malware going round. Reality, ransomware. There's lots of "chances are, chances are, chances are", which... Yeah, there are, absolutely. But, you know, the other thing I think is, uh, is where you played it safe, because you can't go wrong if you say ransomware, and the reason is that nearly everything these days from a criminal point of view is cybercrime, is ransomware. Because even if they're not deploying ransomware to,
Starting point is 00:42:16 because it's not like 10 years ago where it would just land on the endpoint and it would just encrypt it. They actually go into the organization, then they'll move laterally. They actually exfiltrate data beforehand. They'll try to figure out which ones... It is a complete command and control, uh, setup now. And when you look at it, ransomware is just a part of the entire, um... It's one, one element. It's one element. It's, it's a massive platform now, and ransomware is one of the features that is in there. So, um, you know, it's, it's interesting how, um, they've evolved now, and ransomware sometimes just the last calling card. It's like the Joker leaving his card at the end saying, I was here, pay attention to me. So I think that's what makes it interesting. So you're right. I think to say ransomware, you're probably 80% of the time,
Starting point is 00:43:09 you're right 100% of the time. Absolutely. And you know what? That's good enough for me. That is good enough for me. But I think what this does mean, though, is that we found a potential sponsor. Oh, it has to be.
Starting point is 00:43:20 And it's going to be football related. It is. I mean, I'll take that filthy money, but, you know, it'll be money nonetheless. So, yes, I think we have. Host Unknown. Sponsored by... Manchester United.
Starting point is 00:43:35 Manchester United. Stupid football club. I nearly said Manchester City then. You know what? There's a quicker way to get the money. So Andy's a big football fan. Ransomware. Andy's a big football fan.
Starting point is 00:43:49 He probably is a season ticket holder for Chelsea. So instead of buying that, why doesn't he just pay us directly? Then how do I get into the games? What do you want to watch those stupid things? They just fall over, clutch their legs like they're in pain, someone runs out, sprays their hair with hairspray and gives it a quick brush
Starting point is 00:44:13 and off they go again. I mean, come on. It's soccer, it's not football. Bloody game of hairdressers. Not that I've met any hairdressers recently because I don't go into the hairdressers. Bloody rich hairdressers, that's what I was going to say.
Starting point is 00:44:30 Yeah, that's right. Right, right, right, let's move on. Andy, I think it's you. Let's
Starting point is 00:44:39 let's go to... well, crikey, penultimate thing of the thing, feature, feature of the podcast. Rant of the Week. So this week's Rant of the Week has been one which I think everyone loves to pile onto. It's our favorite U.S. person, not the one with the big red button, but the one with all the money in the bank. And this story comes from a Vice article where leaked documents from inside Amazon's GSOC or
Starting point is 00:45:15 Global Security Operations Center reveal the company's use of Pinkerton operatives, who are, you know, anyone who knows anything about Pinkerton, they've got a history of being corporate goons for hire in America. They're sort of private intelligence. And the article goes on to say they were hired to spy on workers and the extensive monitoring of labor unions, environmental activists and other social movements. Yeah, I mean, this article was really, it's very sort of anti-union. I think, you know, it is one of the things that they go on.
Starting point is 00:45:57 Firstly, there's a whole issue about Amazon using intelligence analysts or sort of, you know, intelligence specialists to look for what they perceive to be environmental activists, you know, as a threat to their business operations. And other practices they've done is like, you know, accused of inserting spies into warehouses. And I mean, the more you read into this, the more there's like this whole history, and it's all very shaped towards Amazon's anti-union position and sort of just constant monitoring of workers. And I think everyone has been, you know,
Starting point is 00:46:34 quite annoyed with it, and rightfully so. You know, it sounds terrible, uh, you know, when you look at it like that. But very British: everybody's quite annoyed. Everyone's quite annoyed. Uh, gosh, you really are quite annoyed. Spat my tea out when I read about this. I run called my brown. Yeah, my Garibaldi was in the cup for too long because I was so stunned. Now, the problem is, I think when you actually look at this on its merits, it's right. Obviously, everyone wants, you know, fairness. Everyone wants to be treated humanely. Everyone wants this, you know, this utopia.
Starting point is 00:47:16 And everyone just assumes that because Bezos is, you know, the world's richest man and has, you know, 200 billion... Evil man. Yeah, just, like, you know, money in his back pocket that could, you know, basically fund a couple of nation states, uh, which Amazon is, you know, Amazon has been accused of being a nation state in itself, you know, just the sheer size and resource it's got. Um, but when you actually strip out the emotion, which I know it's a phrase I use a lot, and actually look at the, uh, you know, what they're doing. So how many big companies have intelligence analysts? Um, you know, would you say all of them? Exactly. So the fact that they're hiring intelligence isn't really an issue. Um, the fact they identify environmental activists as a threat to their business operations, um, would that not be a fair threat to their logistics and distribution network?
Starting point is 00:48:08 Yeah. I mean, it's like BP hiring people that work for Greenpeace. Exactly. Yeah. And if you consider when they're talking about inserting spies into warehouses to carry out investigative actions to prove or disprove collusion works, would you say they're actually looking for factual evidence to take action rather than trusting a supervisor's gut feel? You know, and your Jedi mind tricks and getting me to agree with you. So other things that, you know, they're accused of doing, stripping workers' rights, is workers have to surrender all their personal items before they go into a warehouse. Now, a warehouse where they're handling goods, which are going out to the public, what's to say that, you know, they take something,
Starting point is 00:48:56 you know, off the shelf, put it in their pocket and say, no, I came here with it. You know, we can have these arguments every day, is it's just easier to say, look, this is a high security area, no personal belongings come in or out. You've got a locker out here, keep your personal stuff in there. That way anything you have in your pocket, you know, as you... there's no discussion about it, you've taken it from inside. Oh yeah, I mean, I mean, I'm sure you've been to data centers that are similar as well. Yeah, absolutely. And so something they've really jumped on recently is some newly implemented procedures to keep workers six feet apart, which they're saying is to prevent potentially rebellious or labor-friendly workers from collaboration. Now, what else has occurred in recent months that might require people to keep six feet apart?
Starting point is 00:49:48 And what areas would be breeding grounds and have a massive detrimental impact if these rules were not, you know, followed? So, again, I think it's more the angle that, you know, people want to hate something. And it's true. Don't get me wrong. You know, Amazon, there's so much more they could do. But, you know, some of the other gripes they've got. OK, CCTV monitors everyone's movements. Well, duh. OK. Welcome to the real world. Giant televisions display people who have been caught stealing and fired, um, you know, constantly on loop around the buildings and stuff. Well, to me, that's, you know, preventative. Uh, you know, it's better to prevent, uh, you know, crime. That's a bit Chinese, that, though, isn't it? But yeah, but I'm pretty sure it's effective
Starting point is 00:50:36 or, you know, it does deter some people. Probably illegal in some countries as well. Well, I don't know. I mean, how many times have you been into your local news agent shops and they've printed out to yourself on TV? Yeah, yeah. Or like they said these people have shoplifted from these kids you're not allowed back in there again or stuff like that. So the other thing, uh, workers were to pair up... Were they found to be legally, uh, guilty or was it just as a result of an internal investigation? Well, funny you say, that's actually one of the other, um, issues people have, is that workers can be fired, um, purely by surveillance tech, uh, without a human manager actually dealing with it or having a discussion about it. Um, yeah, so I mean, to me, that, that's just efficiencies, you know, if it's that black and white.
Starting point is 00:51:23 You know, this is a business that thrives on efficiency. So others can say, you know, workers are individually tracked, you know, how many steps they do and how quickly they load stuff. And again, this is a job that depends on productivity. You know, how are you managing that? Are you going to get someone to manually complete a timesheet or are you just going to record that? Um, and I think, you know, people are instantly on Amazon on the back foot, you know, from the very beginning because they've got 200 billion. Um, is it Amazon's got 200 billion in the bank? Uh, you know, that's Apple. Oh, that's... okay, well, Amazon are up there, I think. Oh, yeah, we had this discussion. You know, Amazon are up there in the top four.
Starting point is 00:52:07 And, yes, they have done some practices that people find, you know, morally questionable. But there's no doubt they are efficient. Morally bankrupt. Morally bankrupt. They are efficient at what they do. You know, they're very data-driven. And they have boomed where other companies have gone bust, um, you know, providing similar sort of services. Um, right. And you know what they have done this week also, which wasn't
Starting point is 00:52:33 uh, sort of highlighted, is they are spending hundreds of millions of dollars on bonuses for Christmas stuff. Um, and it's going to be 300 pounds or $300, depending on where you are, for full-time staff and £150 and $150 for part-time staff for their workers. So, you know, I'm not going to get into the debates of, well, they can afford it and all that sort of crap, because I think that's just a silly argument. But so this week's rant of the week is, yes, Amazon are using intelligence operatives to monitor their workers and work behaviors. But my rant is don't automatically assume it's just to prevent unions. You know, there are very legitimate reasons for a lot of these practices. Should you strip out the emotion and look at the benefits of them? Right. I've kept my counsel so far.
Starting point is 00:53:24 I know. I knew that you were going to try. You're going to take down every point I've said. I'm happy. No, no, I'm not going to take down every point because a lot of what you said does make absolute sense. And, you know, I completely agree. It's a large business that thrives on efficiency and, you know, the tracking of people in warehouses and things like that, I think there are absolute valid business cases for that. Things like putting up pictures of people who have been fired, and not only that, but fired by computer, I think is morally bankrupt. I think that's completely ethically wrong and potentially illegal in some countries, so I'm sure they don't do that in those countries.
Starting point is 00:54:05 The thing that bugs me is any company that goes out to actively suppress the organization of unions has got a problem in its hiring and employment practices and its employees' rights. I do not believe in unions. I don't think unions are valid in today's society. They were built to protect people from bad and dangerous working practices and to ensure fair wages and all that sort of thing. Government and legislation has taken over that role in most cases.
Starting point is 00:54:49 Not in every case, absolutely, and not in every country. However, so therefore, when people feel the need to organise a union, it's because they normally genuinely feel they're being targeted or being taken advantage of or being subject to poor working practices, in this case by a company that's big enough to take on governments in the law courts and to actually suppress workers' rights. And I think they should let these people organise unions, listen to the concerns, and perhaps even consider paying them a decent wage for what they do.
Starting point is 00:55:36 These people are on minimum wage, working stupid hours in very physical environments. I mean, it almost is the equivalent of, you know, modern coal mining, you know, without wishing to sort of give way to too much hyperbole. So I think, you know, a lot of what you said makes absolute sense, Andy. I think a lot of people's concerns would go away if they felt they were being fairly compensated for what they were doing, though. So, I mean, yeah, people have you ever asked people what they feel is fair compensation? I was going to say, yeah, this is all subjective. You know, it is a legal requirement to pay this amount. There's a legal requirement to pay this amount at a very minimum. Yeah, and that legal requirement, I mean, if we look in the US,
Starting point is 00:56:25 for instance, in the US, the minimum wage basically hasn't gone up since 1980, something like that. It's absurdly low, something like seven bucks. It clearly shows they were grossly overpaid in 1980. That's all I can say. But so, if, uh, so bear in mind minimum wage doesn't just impact, um, the big people like Amazon, right? So, or once you increase that minimum wage, then all these small, uh, sort of business owners that are already struggling to compete with the giants would also have to increase their staff costs. Yeah, this is a three-dimensional problem, don't get me wrong.
Starting point is 00:57:08 But I think in this instance, Amazon are doing themselves a massive disservice by trying to crack down on the organisation of labour unions. So again, I will just point out on this one. And this is where I was going with it. I've not read anything that specifically targets the organisation of unions. There's a lot of circumstantial evidence that can be put together. And, you know, maybe with all of these things combined, a byproduct of all of these together is an impact towards, you know, that organisation. Um, there's nothing here explicitly that prevents that. No, I, I get that, and I hear a lot of, you know, there's a lot of hearsay, etc. It's like when McDonald's cracking down on unions. There was, there was one, there was a union that was actually
Starting point is 00:57:57 successfully able to form in one McDonald's restaurant in one city. And so what happened was McDonald's closed down that restaurant, fired everybody, sorry, made them redundant, and then opened up another restaurant on the opposite side of the road. When was this? I can't remember. Because McDonald's don't own, they franchise out, and it's a very different. Not all of them.
Starting point is 00:58:21 Some of them are owned by... But also, in many cases, the franchisees are working on behalf of McDonald's, right? They go to McDonald's for their legal support. They pay for legal support, et cetera. So this was done effectively at the behest of McDonald's. Anyway, that got a bit serious, didn't it? It did. It always does at this stage.
Starting point is 00:58:47 Yeah, indeed. Well, excellent. Thank you very much for that rant of the week this week, Andy. Rant of the week. We are nudging right up to the hour. Are we going to do the little people or shall we leave that for next week? Let's do it. Let's do it. Let's do it. Blimey.
Starting point is 00:59:10 Okay, folks, beware. We don't know what happens when we tick over the hour. So Jav, let's see. I can't even find the little people at the moment. Ah, yes, here we go. So, Jav, let's see. Who have you got for this week's The Little People?
Starting point is 00:59:30 This week I have got a very, very interesting, perhaps one of the more interesting people in InfoSec. It's Tricia Howard, a.k.a. Tricia Kicksass on Twitter. And if you don't follow her on Twitter, you should do because she does these absolutely brilliant, dramatic readings of sales emails, cold sales emails. So people send her examples of sales emails they received, and she does them in character. She's got this theater background, and she's very, very good at it. Anyway, I got in touch with Tricia and I asked her, what kind of annoys her about the cybersecurity industry?
Starting point is 01:00:10 The little people. What you mean, other than everything? I will say, I think my least favorite part of this industry is just like the egos and security. Like you have the groups that are just super God complex-y about it. Like I own everything. And then you have like the super fragile ones that just can't deal with the fact that someone might actually do their job better than them. And especially like fringe groups, you know what I mean? I mean, the rest of the
Starting point is 01:00:41 community is awesome, but those groups just are crazy. And we have this insane exclusionary culture in security. Like we forget a lot of the time why we do what we do, which is to protect people and their data and systems that hold other people's data. I mean, we don't even call them people. We call them end users. Are you freaking kidding me? No wonder nobody cares about security outside of our community. So it's just amazing.
Starting point is 01:01:06 Like, we forget that not everybody lives this world every day, and it's really, really frustrating. Actually, I got into it on Twitter a while ago with, like, a pretty well-known account, and I was really, really disappointed by what they said. I don't know if I told you about this. Oh, wait. You're not recording me, you... The little people. Good points, well made. Very good. I like her. Yeah, yeah, that's good. I like, I like what
Starting point is 01:01:38 she said, even though she was, uh, talking about you in the beginning. Well, you know, I mean, we've had our differences, um, and that person she was referring to at the end, what can I say? You know, I apologize. It was, it was old Tom, as opposed to the older Tom that you are. Yes, something like that. Tom 2.1. Oh dear. No, that was good. I like that because there is a lot of crap that goes on in the industry and it's very rarely called out.
Starting point is 01:02:11 So it's good to see that it's not, you know, we're not the only ones who see it. Good. Excellent. Well, I think we have come to the end of the show. Gentlemen, thank you very much, as always, for your time. Javvad, thank you, sir. You're welcome. Yeah.
Starting point is 01:02:30 Sorry, you're about to say something. No, don't do it. I'm on. Yeah. You are on. No, that's fine. Let's move on. And Andy, thank you very much, sir. Stay secure, my friend.
Starting point is 01:02:45 Stay secure. You motherfucker. Host Unknown, the podcast, was written, performed, and produced by Andrew Agnes, Javvad Malik, and Tom Langford. Copyright 2015, Or something like that. Insert legal agreements here as applicable and binding in your country of residence. We thank you. You know, I have no idea how unions work and what their purpose are.
Starting point is 01:03:27 That's because you pay all of your house, uh, staff a fair wage. You know, when I was in, in banking, there was a union there and I wasn't a member of it. And one girl in our team, she was like, no, I've got to be part of the union, got to be part of the union. And she thought he gave her such backing, and she had a dispute and, uh, she called in the union, and even the union sided with the company. Oh my God. You know, you've really screwed up if that's the case. Oh my God.
