The Host Unknown Podcast - Episode 44 - Fly My Pretties, Fly!
Episode Date: February 26, 2021

This week in Infosec
Liberated from the "today in infosec" twitter account:
25th February 1989: Knight Lightning published an Enhanced 911 technical doc (it had been stolen from a BellSouth computer...) to Phrack under the pseudonym "The Eavesdropper".
http://phrack.org/issues/24/5.html#article
https://en.wikipedia.org/wiki/United_States_v._Riggs
On This Day: Feb. 25, 2005, authorities arrested Dennis Rader, a municipal employee and church leader, for the so-called BTK (blind, torture, kill) serial killings that terrorized Wichita, Kan. Rader was convicted and sentenced to 10 consecutive life terms. Between 1974 and 1991, he murdered at least 10 people in Wichita, Kansas. He apparently got away with it for over a decade. In 2004 an article was published suggesting that nobody remembered him. Desperate for notoriety, he began to write to the police and media gloating and showboating. In 2005 he sent a floppy disk with some bragging. When police examined the disk, they found metadata of an old Word document on it which revealed the name of the church where he worked and his surname.
https://www.abajournal.com/magazine/article/how_the_cops_caught_btk

Billy Big Balls of the Week
I use an email tracker to spy on people I work with. This is why
https://www.independent.co.uk/life-style/email-trackers-how-to-work-b1806723.html

Rant of the Week
Apple has long held its position on iCloud backups. It has focused on usability rather than total security. If a user changes iPhone and wants all their old iMessages, the easiest way to retrieve them is by getting Apple to store and send them from the iCloud to the new device. It's the same for other messaging apps like WhatsApp, which offers backups. But Apple has reportedly considered making iClouds much more difficult for police to access. A Reuters report last year suggested that Apple did have plans to fully encrypt iCloud accounts too, so only users had the key, but backed down. Though the report claimed the decision was made after the FBI asked for iClouds to remain accessible, Reuters found no evidence of Apple's motivation for ditching the plans.
https://www.forbes.com/sites/thomasbrewster/2021/02/15/when-imessages-arent-private-government-raids-apple-icloud-in-a-dark-web-drug-investigation/

Industry News
Internet Registry RIPE NCC Warns of Credential Stuffing Attack
Concern as Attacker "Breakout" Time Halves in 2020
US Retailer Kroger Admits Accellion Breach
Aircraft-Maker Bombardier Breached by Accellion FTA Hackers
Legal Firm Leaks 15,000 Cases Via the Cloud
Kia Denies Ransomware Attack
Aston Martin Partners with SentinelOne
CrowdStrike Slams Microsoft Over SolarWinds Hack
Educational Adaptation Required to Close the Cyber-Skills Gap

Javvad's Weekly Stories
6000 vmware vcentre devices vulnerable to remote attacks
Is Clubhouse safe, and should CISOs stop its use?
Google Alerts used to launch fake Adobe Flash Player updater
Hackers are using Google Alerts to help spread malware
Javvad wins 2021 Cybersecurity Professional Awards – Winners

Tweet of the Week (not aired)
https://twitter.com/HackingDave/status/1364945642599182344?s=20

The Little People
Yousef Syed and security architects

Come on! Like and bloody well subscribe!
Transcript
But now it's recording. You don't want to tell us about those habits, do you?
No, I don't. Those are strictly off the record for my OnlyFans.
My mother was very disappointed after she heard that pre-roll from a couple of weeks back.
you're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening,
and welcome from wherever you are joining us.
And this is the Host Unknown Podcast.
Hello, Andy.
Hello. How are you doing?
I'm very good. I'm very good. Thank you.
Have you had an awesome week this week, or are you just thank crunchy it's Friday?
Thank crunchy it's Friday, this week has been the longest year so far.
No, I thought April last year was the longest year last year.
No, it's just been an extremely long week. You know, when everything just... when you lose more than you win, I think, if you're keeping tally on how the week's going. So, yeah, definitely, like work, everything. My fridge freezer broke down, I'll tell you guys that.
What, you're heating your fridge freezer? Did you buy everything on the same day and it's all breaking down?
Roughly, yeah, not far off that. So, you know, I'm sure, like, you do it, like you've got kids, or you know you've had younger kids, where you walk in and you open the fridge and it's like, hmm, it's not as cold as it should be, and you're like, did you leave this fridge door open? Straight away.
And then, you know, you look at the freezer part and it's like, the ice... there's not any ice, it's sort of getting a bit warmer, and it's like, did you leave the freezer door open?
But no, it's just knackered. It's had its time. I mean, I thought it was, you know, maybe six years old, and my wife informed me we had it in our previous house.
And then she informed me that we didn't even buy it.
It was actually a hand-me-down.
Ah, yeah.
Yeah, that one.
But, I mean, luckily it's not.
We've got two fridge freezers.
So this is the second one.
But it is my favorite one.
So, much like your internet connections, where you have two internet connections
and one doesn't like doing podcasts on it.
Do you have a favorite?
Does it... does a fridge freezer have a favorite kind of food that, you know, only freezes one?
And lots of drinks and flavored waters are in the fridge freezer part, in the fridge. Flavored waters, in inverted commas, is that wine and vodka?
No, definitely. But it used to be. Do you know, that's a funny thing. Before I had a kid it was my vodka freezer. I would store all my vodkas in it.
And all your vodkas in my freezer. Dear, dear me. How life changes.
Anyway, I'm getting depressed just thinking about that.
How are you doing this week?
Talking of depression, yeah.
How are you, Jeff?
You know, Tom, you'll remember this.
It's been a year to the date.
We were in San Francisco last year.
We were.
Oh, my God.
We were shopping in,
was it,
I can't remember the name of the shop now,
one of those big departments.
Target.
Was it Target?
I'm pretty sure.
It's the one with the cinemas.
It's near.
Yeah, near the Apple store.
That's it.
Oh, Apple store, yeah.
Obviously, we went to the Apple store,
but yeah, we were shopping in Target.
You bought a tie, didn't you?
Or a jacket or so?
I can't remember. I can't remember. Yeah, you were trying to smarten yourself up for the booth babes, as I recall.
But no, no, no. What I do is, when I fly to the States, I go with very few clothing and then I stock up on clothes over there because, as I've been bulking up in my age, I find that their clothes fit me a lot...
As my clothes have shrunk.
Yeah, their clothes fit me a lot better, and they're a lot more affordable than the clothes over here.
Yeah, the ones with three Xs in front of them,
they're quite expensive over here.
They are, they are.
And over there, it's the same ones,
but they don't even have an X in front of them.
It's just an L.
Yeah, that's right.
So how was your week?
Yeah, great. It's been, you know, the weeks end like every Friday, and it's like every night I'm like, next week's going to be different. I'm going to be more organized.
Oh my God. Yes. Oh my, I... you should have heard me last Sunday night.
Yes, I'm going to get so much done this week.
But still, payday came around a little quicker, which is always nice.
It is.
It is indeed.
Yeah.
So it was less than four weeks this time,
and now it's five weeks for the next one.
So it's a bit of a problem.
But there you go.
But there you go.
Yes.
So how was your week anyway?
Yeah, it's been okay.
You're adapting to corporate life again?
Oh, my goodness.
What do you mean I have to write another presentation?
What's wrong with the last one I wrote?
So, yeah, I've been given a – well, I did have two presentations I had to write over the next couple of weeks,
and I got another one landed on my desk yesterday.
It's like, what?
Do you think you even pay me for that?
Oh, yeah, you do, don't you?
Yeah, I am going to have to do this.
So, yeah. It's been good, it's been good. I'll be working this weekend, but hey, it's all good. I'm actually enjoying corporate life. I had some lovely conversations with some of the C-levels this week, and really lovely people, really lovely people. So it's been good, it's been good.
And do you miss not being a C-level, Tom?
Yes, I miss the expense account and the privileges that go with it.
Yeah, and the privileges that go... It's bizarre, isn't it? Because, you know, as a C-level there are certain things that you do.
You beg forgiveness, not permission.
It's my budget.
I can spend it how I want and all that sort of thing.
And now I'm, well, even more than halfway down.
Justifying spend.
Halfway down, I'm thinking, well, I only want to spend three grand or so on some camera equipment and a few bits and bobs, thinking, you know, I should just go out and buy it. Maybe not, maybe I should tell them that I want this, you know what I mean? So I love it, I love it, you know. It's like, you know, when I was a C-level it's all about begging for forgiveness, not permission.
And ladies and gentlemen, this is why Tom is an ex-C-level.
I'd like to think that that was the reason for it, but it's not.
It's not.
It was pure incompetence.
But no, I am enjoying it.
I am enjoying it. I am enjoying it.
And I'm enjoying it especially every last working day of the month.
That's probably my favorite point of working for someone else,
to be honest with you.
So, yeah, let's move on, shall we?
Let's see what we've got.
So we do have our favorite this week in InfoSec,
Tweet of the Week with the best jingle ever for it,
Billy Big Ball's Rant of the Week, Industry News.
Will we have a little people today, Jav?
Maybe, maybe.
You know how unreliable and flaky these people are,
but I have it on good authority.
Dreadful.
Yeah, exactly.
And given that we probably maybe won't maybe do have a little people today,
will we have a sticky pickle of the week?
Potentially.
Potentially.
Yeah.
The tension is palpable.
Stay tuned and find out.
Stay tuned for the next 50 minutes.
That's all it costs you to find out.
Or read the show notes.
Yeah, or read the show notes.
Yeah, exactly.
Oh, dear.
So I guess, yeah, we should move on to this week in InfoSec.
If I could just find the jingle.
I've not got used to this at all.
Where the hell is it?
Oh, well, who knows?
Oh, I'm on the wrong page.
That's why.
Here we go.
Let's go on to this one.
This week in InfoSec.
And in fact, Andy, you reminded me that I played the wrong jingle last week.
Yeah, but it's okay. I don't think anyone noticed.
No, no, I think we got away with it.
But you know, this one, it's just such a catchy tune.
Love the tune.
Yeah, it just sticks in my head. That's why I miss it when... Unknown, though. Exactly, yes.
So this is the part of the show where we take a little stroll down memory lane, usually with content liberated from the today in infosec twitter account. And this week we've got two great stories, one which I absolutely love.
Don't care whether anyone else does. And the second one, which Jav sent through to help beef up the content as, you know, we are running low.
And let's face it, it's going to be a bit of a letdown after yours.
Exactly. Yeah. This is the first part. We will take you back a mere 32 years to the 25th of February, 1989.
And this story is the nostalgia that I love to see in the This Week in InfoSex segment.
And it's what we aim to bring to the youngsters breaking into the industry. So, years ago today... that's the little people.
Yeah, well, the little people, but just think how many people weren't even born when this was happening. And this is like the equivalent of the "when I was a child I had to walk 30 miles to school in the snow" type story that we go through. But, you know, I was an adult in 1989.
This is true.
Yeah, you'd probably... well, you just had your 50th birthday, I think.
Yeah. Oh, in the run-up to your 50th.
Yeah, so, yeah. Anyway, this has some history to it, and this is why I love it.
So, 32 years ago, Craig Neidorf, also a hacker that goes by the name of Knight Lightning, he was one of the two founding editors of Phrack magazine, and he had basically published the materials that he had liberated from BellSouth, the telephone company. And this material that he had, he was essentially facing 31 years in prison for distributing these materials, which BellSouth described as the inner workings of the Enhanced 911 system, which obviously, you know, the emergency services use in the US. And, you know, as part of the court case they stated that this material is worth eighty thousand dollars. You know, it's confidential, he'd published it to everyone. And, you know, that eighty thousand dollar cost, they had basically derived that from, you know, amongst other things, the value of the VAX system that the document had been written on.
Because you've got to inflate these costs somehow, right?
So everything was looking bad.
He was looking at 31 years in prison.
And this is a major case known as United States versus Riggs.
And so you must be wondering, how did he Houdini his way out of it?
Because, you know, he would just be getting out of prison now.
Spoiler, he didn't. He's still in prison.
No, but this is just one of the greatest stories.
So the charges were actually dropped when they discovered the document
was not, you know, as they described it in court, but rather more detailed documents could have actually been ordered directly from Bell South for $13.
For enthusiasts who wanted to understand more about the system and stuff like that.
But it's just amazing.
I mean, this whole case, you imagine the stresses they were going through at the time,
and it's not like information is as freely available as it is today
because of the internet.
And Wikipedia actually lists this case as the catalyst for the founding
of the Electronic Frontier Foundation,
the EFF who represent many people in courts,
particularly from the security industry. But yeah, I mean, like I said, this story is just so many levels, you know. We've got Phrack magazine, you know, landmark court cases, the government trumping up charges, and the foundation of the EFF, which is what made this something I was very happy to share.
Yeah, I like that one, especially the $13 reveal.
Yeah, so there's a great book called The Hacker Crackdown, which Bruce Sterling wrote, I think in the early 90s, but it covers a lot of, you know, similar stories like this, you know, Operation Sundevil and the raid on Steve Jackson Games back in the late 80s, early 90s.
Steve Jackson Games, really?
Yeah, but you see how close companies were to, so close to going bust because they got raided and the feds just held on to all of their equipment.
You know, in the early days, without charging them with anything, because they had that power. But so many great stories from back then. Well, really abuse of power by federal authorities. But yeah, fantastic, I love those type of things. Definitely worth, you know, exploring, getting that book. You can get it for free, I think, via audiobooks on Apple, but also it's not that expensive to purchase it. In fact, remember we went to SteelCon a couple of years ago and I took up, you know, a load of stuff to donate to the table that was giving stuff away.
Oh, yeah.
And I took up pretty much most of my book collection
with the exception of The Hacker Crackdown.
That's one book I will not give up because I love it so much.
That's high praise, high praise.
Yeah, indeed.
And the fact that I read it as well.
I mean, I'm not big on reading.
Anyway, best move swiftly on. And this is a story that Jav, you know, shared round with us, and it is a fantastic story. So, this week in infosec, but I think some of the undertones for it we can cover off at the end. So anyway, on this day, 25th of February 2005, so only a mere 16 years ago, the authorities arrested a guy called Dennis Rader, who is an employee and church leader, for the so-called BTK, which stood for Blind Torture Kill. And these were a load of serial killings that terrorized the state of Wichita in Kansas.
Why were they always church leaders?
Yeah, it's just... yeah, it just goes with the territory, I guess. But so, I mean, this guy Dennis Rader was convicted, sentenced to 10 consecutive life terms, so, you know, he's still in prison.
And this is because between 1974 and 1991,
he murdered at least 10 people in Kansas that he had gotten away with for over a decade.
So if you think, you know, over the span of 10 years, you kill at least 10 people.
Oh, 15 years.
Could be more. Yeah.
Yeah. And no one knows about it.
You're going to feel pretty good about it, right?
So in 2004, an article was published,
and it kind of had the undertones that no one remembered him.
And so he saw this article, and desperate for notoriety,
he began to write to the police and the media,
and he was sort of gloating that it was him, they couldn't catch him. And in 2005 he sent a floppy disk to the police, you know, to brag, and that's how he communicated, via floppy disk. And obviously when the police examined the disk they found metadata on it. It had an old Word document, which revealed the name of the church where he worked, and it had his surname. And so, knock knock, the police came knocking and they picked him up.
I've got some questions here. Initially, just, it's 2005 and he sent a floppy disc?
Yeah, but I mean, if you think, he's an old school killer, right? The 70s were his era, the late 70s, and, you know, was it like one of the eight-inch floppy discs?
Who knows, who knows. We don't go into that level of detail. There's other shows that go into that level of detail, but not...
Yeah, that's right. But I mean, this comes back to, this is something that I noted
it's funny it came from Jav
people that need that notoriety
and I don't know whether Jav
subconsciously could relate to it
this guy did all these great things
not great as in
fantastic but great as in
huge events
that deserved more media recognition.
And just couldn't wait to tell people about it.
Spoiler alert, Jav's Weekly News.
I hate you guys.
You guys are the worst.
But yeah, no, it's always those different personalities.
The ones that never brag, the ones that never gloat, they're the ones you want to worry about.
Yeah, because that's where those unsolved crimes are.
That's right. I mean, Jav's always talking about being the, you know, the sole founder of Host Unknown, bragging, gloating, and we all know it's not him, right?
Absolutely. And I'm so glad that Mo Amin, friend of the show on LinkedIn,
actually called out the true founder of Host Unknown.
Did he?
I didn't get a Google alert for that.
And you know what?
He said that, and then he immediately asked you for a bribe, Andy.
What did he ask Andy for?
I didn't see that. Some haribos,
of course.
Oh, dear.
He's gone very quiet now.
He has.
In fact, he's gone on
mute, so I've got a suspicion
he might be coughing or something like that.
I'm just checking the track and trace for the postal delivery which I sent to Mo's house, just to make sure he's okay with it. So, yeah, should be with you today, Mo, don't worry about it.
Honestly, corruption of the highest order. This week in InfoSec.
Oh dear, I tell you what, the criminal mind,
if we ever do come across a criminal mastermind, we're screwed.
In reality, aren't we?
Because something, it's a bit like, what was it, the big diamond heist that was planned on the Millennium Dome back in 2000.
Do you remember that one?
Yeah.
Was it he was bragging in the pub?
Yeah, he was bragging in a pub that he was going to do this,
which basically ended up tipping off the police,
and they swapped the diamond out for a fake one,
and had officers ready and waiting.
Because someone bragged in a pub.
I mean, jeez.
And was it the same story with the Hatton Garden diamond heist as well?
Yes.
Yeah, although they got away with it because they didn't brag before,
they bragged after.
Yes.
It's like, oh, my God, you know, at least find a trusted circle
in which you can sort of brag about this stuff.
You know, some criminal mastermind anonymous or something.
But it's like that couple from Dallas, was it, last year?
They were scamming.
They set up fake medical companies,
And they were scamming for care home services rendered to insurance companies.
And they were making like millions off it.
And they got caught because they couldn't resist posting tons of pictures off Instagram of them on private jets and eating lavish dinners and everything.
Didn't we cover that in one of our episodes?
We did, we did, yeah.
Yeah, absolutely.
That's just stunning, absolutely stunning.
Well, the ego that allows somebody to...
Mind you, it's the ego that thinks they can get away with it
in the first place, and then the ego that actually drops them in it
because they're telling people that they got away with it.
Amazing.
Keep your ego in check, kids.
That's the lesson.
Absolutely.
Don't be like Andy.
Don't get away with anything.
Indeed.
Anyway, let's move on, shall we?
Let's move straight on now to this week's...
Oh, that's me.
Yeah, that's you, mate.
That's you.
So this was a rather provocative, I say intentionally provocative, article published in The Independent quality newspaper by someone called Case Hassein, and the title is, I use an email tracker to spy on people I work with, this is why. So you can immediately see there that emotional response he's going for with the thing. But he's a journalist and a student. And you know how many times, if you're a journalist or whoever you are,
you send an email to someone and you're not sure,
did they actually get my email?
Was it good?
Was it not good?
You know, people are looking for jobs.
They're wondering whether anyone's opening their emails or what have you.
So most people, if their email client allows, they'll enable a read receipt.
And it sometimes works, it sometimes doesn't, because most recipient emails, they'll notify
them that, hey, there's a read receipt on here.
Do you want to send it or not?
Or they can just block it.
So what he'd done, he turned to using those spy pixels, where it's a tiny pixel you put in there and it tracks everything from location to how many times someone's opened it, to all this kind of thing. And you know what, it's not an unusual thing actually. If you look, there's an email service called Hey, H-E-Y, and it's a new one. It's set up by one of the founders at Basecamp, and basically it's all about a privacy-enabled email, and they will flag up any time there's tracking pixels in an email to you. So, and there was a whole piece on the BBC actually, last week or earlier this week, where they showed how nearly every single vendor out there, anyone who emails you, the BBC even, or British Airways, whoever, they all use these tracking pixels in there. And they were like, this is invasion of privacy or whatever. But that's at the big corporate level. But in this article, you know, so there's some quotes I pulled out from this article, where the author is, of course, it's incredibly unnerving when people accuse me of being invasive or breaking their trust for using spy pixels.
But that is not my intention.
For me, it seems like a smart way to do business.
And then he threw up in the face of one of his colleagues that he knows that she'd opened his email 14 times and hadn't responded. And she asked me, do you think it's incredibly invasive and encroaching for you to know how many times I read your emails? But I kept using it.
Then a former teacher accused me of intruding in her personal life
for using it.
Neither of these were enough to deter me.
Blimey.
So, I mean, I think the thing is that when a company uses them,
they're using it as part of a marketing campaign.
It's done en masse, and it's being tracked by mainly an automated system. This is individual spying. And the thing is, like, you know, you spy on someone.
Yeah, this is like being a Peeping Tom.
Yeah, you spy on someone, you get caught spying, the victim is then explaining to you why it's uncomfortable or hurtful or harmful to them, and you just carry on because that's what you want. That's like, I think that's some sociopathic behavior right there. And you're an expert in sociopathic behavior. What do you think of that? So you're a narcissistic sociopath, what's your view on this?
So I remember, back in, like, I mean, this started, you know, I think when you first get into corporate life you start seeing these "email receipt has been requested, do you wish to send it?" You know, I always said no. And then, you know, Lotus Notes came around and, you know, had to go into it, edit it, make sure, just don't even ask me, just never send one. And I've got the same setting now. It's like, if anyone asks me, just never send it, I don't care. And these tracking things, I'm curious, does this require... you know, most mail clients now will say images have been blocked, you know, do you wish to load them?
Yeah.
Do you want to download the HTML?
Yeah.
So, I mean, I never do that.
But also, like to me, email is just not really my main mode of communication.
So I would happily open someone's message a hundred times and not reply to it if I knew that they were getting those stats.
Just to wind them up.
So I'd love to know if people are doing that. And I can see, you know, sometimes you see messages and it says, do you wish to download stuff, and there's nothing else there to download, and I'm guessing people will hide them in their signatures and stuff like that.
Yeah, but, yeah, I mean, to me, I just don't use email that much, if I'm honest. I know that sounds a funny thing. So I receive probably, you know, anywhere between 400 and 600 emails a day. I generally just don't read half of them. I can get a gist just from the subject line whether or not it's of interest, or what the message is going to be about. So, yeah, I mean, if there's a way of me knowing that someone's tracking it, I would happily just keep opening it and not replying.
Maybe that's a service that should be developed. Like, you know, it's like, this person is deploying the spying tracker pixel, do you want to fuck with them? And you say yes, and then it's a sliding scale, how much do you want to mess with them? Open this message every 15 seconds.
Yeah, exactly.
In the deleted items, so I never see it.
Yeah, yeah. So here's the thing, just to challenge you slightly, is it really an invasion of privacy to know how often you've opened somebody's email?
Well, that's, I mean, that's the thing. I, you know, if someone says to me, oh, you haven't replied to my email, I'll say, okay, sorry.
Yeah, exactly.
You know, but if they said you've opened it 15 times and haven't replied to it, you know, so sorry, I just don't know how to drop to your level, you know, put things in a way you're going to understand.
Or even fill the gaps.
I've opened it 15 times and I either don't wish to or can't reply.
Do you know what I mean?
I'm not saying that this is how we should approach this
and I'm not saying that this particular journalist is doing the right thing
and not displaying slightly sociopathic
tendencies, as you said, Jeff, but it's like, is there a big deal in this? It depends, you know,
if it's able to get your physical location when you open it, if it's able to, you know,
switch on your camera when you open it and things like that.
Absolutely gross invasion of privacy.
But just knowing when an email has been opened or not,
I'm not sure.
I don't know.
I think a lot of it comes down to the context in which it's framed.
And I think that he's... Yes.
So both the examples I read out in here, they were females, number one.
They get a lot of harassment and stalkers compared to, like, you know, fat old men like you two, who've never been stalked or harassed.
Less of the old, thank you.
But, and of course, by females, Jav, I presume you mean women?
Yeah, okay, let's check him.
So you can take the man out of Ferengi, but...
And then to then throw the stats into someone's face, I think that's what makes it real for people. And then they think, well, yeah, wait, how do you know? And then the mind's now racing, what else do you know about me? Even though you can boil it down into a simple, like,
well, I only have this tracker that can open that,
but you start making all these other assumptions.
Is this what they know?
What else could they know about me?
So I don't know.
The insinuation is very creepy.
Yes.
Yeah, yeah, completely agree.
Is it a generational thing, do you think,
in terms of how much this would bother you?
Well, I don't think we had it around when Tom was a kid.
So, Tom, when the Roman messengers delivered you a letter,
they watched you open it.
No, no, no.
I asked them to stand outside the tent while I opened it.
Okay, right.
Gotcha.
Are you done with it, sir?
Go away.
Have you opened it, sir?
No.
Fourth time.
Yeah, I've read it four times.
Do you wish to reply, sir?
No.
Do I tell him that I've delivered it? No.
Yeah. It is an interesting one, again, using the technology. And I, you know, it's not cool. I always click no when it says, you know, there's a read receipt being attached to this.
And part of me thinks, I don't know why I click no.
And I think the reason, really, when I think about it, the real reason for clicking no is I have this image of them
waiting at their computer to find out if I've read their email.
And I enjoy that, which in itself is slightly sociopathic.
You can get delivery receipts as well, though, right?
Yeah.
And that's pretty – people just rely on that instead.
It's been delivered.
Whether they read it or not, that's –
For me, I turn off all the read receipts,
even on like whenever chat platforms can allow you to turn it off or whatever, because I feel like it sets
an unrealistic expectation of there's a response coming
within a certain SLA.
And like most people, I mean, email.
You need to have a wife, Jeff, because really,
he's in a marriage, really, that should not be working.
No, no.
But email, it should be like an asynchronous form of communication.
It absolutely should.
You send it and then you give them three days a week, 10 years.
It doesn't matter.
But, you know, it's not.
But then again, so should Slack and instant messages and all that sort of thing.
Yeah.
They're all asynchronous.
Well, they are.
But, you know, the fact that they notify you when someone's read it.
And not only that, that horrible, the worst words ever, X is typing.
Oh my God. But do you remember when Google, was it Google Mail, when they first launched, or they had a change where if you were replying to your email it would sort of switch into Google Chat if the other person was also in their mailbox that you're communicating with?
Do you remember that?
No, I don't.
And it had that whole thing, you know, like X is typing.
You know, but, yeah, I don't know.
I guess to me, email's kind of – I'm not huge on email these days anymore.
I tend to get it more as a news blast rather than
you know, like a major way of communicating.
Well, I mean, I understand that, because even when we send meeting requests for the Host Unknown podcast, any time you reply is actually if I'm standing outside your house with a megaphone.
Yes, I'm coming.
Well, so you send it to my email.
It automatically goes into my calendar.
And then that's cool.
I know when it's there.
But you don't accept it.
No.
You're supposed to say, yes, I'm coming.
You know I'm going to be there.
I'll let you know if I'm not.
I'll tell you via WhatsApp if I'm coming or not, right?
That's what she said.
Yeah, that was the most disturbing evening ever.
Anyway, thank you so much for that, Jav, for this week's... Billy Big Balls of the Week.
More disturbing revelations this week.
Interesting one that one was.
I'm conscious we are rapidly burning through time, aren't we?
I know, as always.
It's almost like we enjoy the sound of our own voices.
So let's move straight on, shall we?
Listen up!
Rant of the week.
It's to mother rage. So this is a story from a week or so ago, and so Apple's iMessage service is probably one of the more secure on the market.
Why are you doing the Apple story?
Well, right, I'll tell you, and I'm going to get to it, okay? So there's some behaviors here that are just not good,
and I expect better from Apple, okay?
What? No! Outrageous! How dare you?
I'll start off as all good shit sandwiches do start.
You start with a positive.
That is, their iMessage service,
considered one of the more secure ones on the market,
provides end-to-end encryption,
which obviously means no one, apart from the sender or receiver, can unlock that text. So all good so far, right? So when are your messages not safe?
And that is if you have backups enabled on iMessage: all of your text is uploaded to iCloud.
And because Apple made the choice to make it possible for users to download those messages when they change phone,
rather than enforce encryption on those backups, they leave it all in plain text.
And this was detailed in a recent report from Johns Hopkins University.
So when those backups are turned on, Apple can unlock those iMessages,
and they have done so for government officials
should people come knocking with a valid warrant.
And so this is exactly what happened during the investigation
into a crew of alleged dark web drug dealers operating out of Virginia.
And all of this information is recently made public, according to a recently unsealed search warrant.
And within the document, it sort of details this investigation that started in 2020, where the Alexandria Police Department, through one of their confidential sources,
they went through that person's iPhone. And then that iPhone had messages with contacts with
members of this alleged conspiracy. So then police just served Apple with a warrant for all of these
iCloud accounts and then downloaded all the iMessages that were in there. And, you know, these messages detailed the manufacture of fentanyl and carfentanil opioids, heroin, you know, all these sorts of pills, and, you know, really sort of detailed information about the potency of those pills, as well as photos and recipes that they were using. And so all of this information was just put together from the messages that were uploaded to the iCloud.
So these people thought they were communicating securely,
and then it turns out that they were communicating securely,
but then all this stuff goes into the back end.
And obviously, Apple has long held its position on iCloud backups,
that they focus on usability rather than security.
So the whole point is, if you change your phone,
if you want to download all your old stuff, it's just there.
I'm kind of conflicted about this one, in all seriousness, because, one, I think if there's a valid legal basis for discovering someone's, you know, opening up someone's data, it should be observed. You know, you have to trust, to a certain extent, the legal framework of whatever country you're in.
And if there is a valid warrant or equivalent,
then if you have access to that data, you should turn it over,
be you an ISP, a banker, a technology company, whatever.
It doesn't matter.
So there's that side of things.
The flip side is Apple are very, as we know from my usual rantings on this, you know, Apple are very focused
on privacy, et cetera. But what they don't make very clear is that under certain circumstances,
i.e. you use iCloud to back up your iMessages, you lose that privilege almost of having a fully encrypted backup
of your data that you control the key to.
That's not actually made abundantly clear.
It's fair to assume that a company like Apple,
with all of their other security controls, would...
We regularly say it's one of these common controls.
Whenever you look at backups for a company,
those backups also have to be encrypted.
They also need security equal or greater than the original source.
Well, let's face it.
They probably are encrypted, but they're encrypted with keys
that Apple own rather than you as an individual own.
That's the difference.
Yeah, I guess there is that, yeah, which you wouldn't expect
if you've got this end-to-end encryption.
No, exactly.
Yeah, that's right.
So when somebody grabs my phone and tries to look at my messages,
they can't because it's my encryption key.
So therefore they go to the, you know, the organisation in the middle
that I've thought, you know, it's nice to have all those messages
with the recipes for Coke and meth and all that sort of thing
so I don't have to ask Jav for them again.
Especially since he switched on deleting messages on WhatsApp, right?
He did, yeah, exactly.
But it'd be nice to have those, so that when I change phone it's still there. And also, well, it's Apple, so it's encrypted, right?
Yeah, but it's not something I own. So I think if Apple had been clearer, they would come out of this looking a lot better.
If they'd been clearer, those criminals wouldn't have been caught.
And there's the source of the conflict, right?
Yeah, yeah. No, you make valid points, because I think you're right, Tom, because there are two
issues here. One is like, should a company cooperate with a valid legal request? I think absolutely yes.
And I don't think there's a ton of debate.
You'll always find people that will debate that point.
Yeah.
But then all these companies, they put out their transparency reports and they say how many legal requests they've received in the year,
how many they've complied with and all that kind of stuff.
There's many examples of when certain countries,
they're not looking at the legitimate interests of their citizens.
They're doing it in order for persecution, et cetera.
Not a lot we can do about that in this.
No, no, exactly.
And that's a different issue altogether.
So the real issue boils down to is, you know,
should Apple be doing better?
And I think, yes, they can be doing better.
And also the fact that if law enforcement can use anything,
and this is the whole argument around backdoors as a whole,
as a concept, is that if you enable something that law enforcement can
use, then a bad guy is going to create a tool, and they're going to use it as well and abuse it.
And also, yeah, I think there's also concerns around, you know, the level of proof, or the level of suspicion, that's needed to obtain a legal warrant as well.
Well, that's down to the legal system of whatever country.
Indeed, yeah.
But wasn't there, you know, in the UK where you only needed up to like an inspector's level in order to obtain a warrant?
You know, yeah, I mean, suspicions of the police, you know,
if they just want to go on a fishing exercise, you know,
it's difficult to say that that's a robust system that you could put a lot of trust in.
Yeah.
Yeah, absolutely.
But that's outside of the control of the companies in question, right?
For sure.
Yeah.
But then, you know, they put themselves in that position by holding those keys, or, you know, having that ability to decrypt.
But what's their alternative? To not comply with a legal, if by some people's standards unethical, request? But if they gave that option where, you know, the messages were encrypted, and it's very much like, you know, the authenticator app and stuff like that: if you lose your keys, you're screwed. You know, that's it, tough.
Or your history.
I think this is what we're saying: Apple should be clear that if you press this, if you click this, your messages will be backed up but unsecured.
Yeah, yeah, yeah.
If you want the no-snitch option, we encrypt it and you hold the keys. It's a bit more cumbersome, but, yeah, the feds can't access it.
Then it's another five dollars a month.
Well, no, not even that, not even another five dollars. It's just a case of then don't use this service.
I snitch.
Then don't back it up to iCloud.
Yes, I snitch. Exactly. I snitch. There we go. I grass.
Yeah, well, I'm gonna, after today's podcast, I'm gonna have to go and self-flagellate for disagreeing with Apple.
Yeah, somewhat of a sticky pickle as well.
Well, yes.
Sticky pickle of the week.
Yeah, trademark.
Sorry.
Sticky pickle of the week trademark.
Absolutely.
No, that was a good one.
That was a good one.
Thank you very much, Andy.
Rant of the week.
What time is it, Andy?
It's time to pick a sweeper.
But we don't have to.
Yeah, it is.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
Like and subscribe now.
That was the most appropriate one, I think, at this time.
So, Andy, what time is it?
Now it's time for us to head over to our sources on probation
over at the InfoSec PA Newswire,
where it has not been a particularly busy week,
but they have continued to bring us the latest
and just the latest, really, security news from around the globe.
Industry news.
Internet registry RIPE NCC warns of credential stuffing attack.
Industry news.
Concern as attacker breakout time halves in 2020.
Industry news.
US retailer Kroger admits Accellion breach.
Industry news.
Aircraft maker Bombardier breached by Accellion FTA hackers.
Industry news.
Legal firm leaks 15,000 cases via the cloud.
Industry news.
Kia denies ransomware attack.
Industry News
Aston Martin Formula One team partners with SentinelOne.
Industry News
CrowdStrike slams Microsoft over SolarWinds hack.
Industry news.
Educational adaption required to close the cyber skills.
Industry news.
That was this week's...
Industry news.
Huge if true.
Yeah.
You say they're a pretty boring week.
That's not a boring week.
That's got Formula One in it.
That's brilliant.
You know, I think I read somewhere Kia's denial was really weird, because they said that we haven't been hit by ransomware, but none of their systems are available and customers couldn't even collect their cars. They went there and there was, like, I think some customers even said, like, where is it?
I went to the Kia dealership and signed
a new lease yet the manager told me
your computers have been down for three days due to
ransomware and it's affected
Kia all over the USA.
And Kia's like, nothing to see here, nothing to see here.
It's like that.
It's like Comical Ali from San Jose.
He's the head of PR.
That's by no means the biggest story.
That's not the biggest story this week. The biggest story is definitely the Aston Martin F1 team.
So I'm looking forward to life after June 21st
when we can start getting to promotional events
sponsored by SentinelOne.
Yes. Absolutely. Absolutely.
If my SentinelOne paymasters are listening, then, you know, we are open for sponsorship, as you know.
Anyway, yeah, the old Aston Martin wouldn't go amiss either.
Yeah, because they throw those things around, you know, like confetti, obviously.
Yeah, obviously.
I mean, I'm just saying they're a bit better than, you know,
sort of like branded T-shirts.
I would drive an Aston Martin more than I would wear a SentinelOne T-shirt.
That's true.
I wouldn't even do the decorating in an Aston Martin either.
So, yes.
Anyway, let's see what our other colleague has.
Javad's Weekly Stories.
6,000 VMware vCenter devices vulnerable to remote attacks.
Industry news.
Is Clubhouse safe and should CISOs stop its use?
Industry news.
Google Alerts used to launch fake Adobe Player Updater Industry news
Hackers are using
Google Alerts to help spread
malware
Industry news and the most important
Javad Malik wins
2021 Cybersecurity Professional
Awards for European Blogger of
the Year Silver
And that was this week's
Badly Read
Javad's Weekly
Stories.
So tell me more about
this award which you've won.
Tell me more about this Adobe player.
I'm glad you asked, Andy.
This is something I
didn't even know I was up for, to be honest. A colleague of mine messaged me saying, congrats on the silver, and I was like, what's it? And I've never come second in my life. And so he sent me the link, cybersecurity-excellence-award.com
forward slash 2021-cybersecurity-
We'll put it in the show notes.
But they have a few categories on there.
I nominated you, Jav.
That's how I know.
I nominated you.
They have about like 50 categories.
Did you seriously, Andy?
Of course.
I always lift you guys up.
I always do this hard work behind the scenes.
And yeah, so there's a cybersecurity blogger of the year, Europe,
and I was given the silver award for it.
Who got gold?
Bernard Meyer.
No, never heard of him.
No, neither have I. He's apparently an editor or a security reporter at cybernews.com.
Okay, so I think it's unfair to compare bloggers to professional, like, people, journalists and what have you. But what was interesting, there's also cybersecurity blogger of the year for North America, and the silver in that was Joseph Carson, our friend from Lithuania.
The unknown state of North America?
Our Irish friend from Lithuania, yeah, exactly right.
Okay, just checking. Well, it's probably because he's Irish, he's probably got Boston on his birth certificate or something.
I'm surprised it wasn't Troy Hunt, if I'm honest.
Yeah.
It's always good to get some recognition, you know, let's be clear.
It is.
You don't want me to go all Sunday,
you floppy disk to tell you how great I am.
So I'm curious about another story that you contributed in for this one, and this is the one about Clubhouse. You know, is it safe and should CISOs stop its use?
Yeah, so I downloaded Clubhouse at the start of the year. Jav, you're not an iPhone user, so you can't have it.
Tom, I tried to invite you, and you said you have zero interest in coming along.
So, yeah, I guess what are you doing?
I've seen you outside schools handing out sweeties.
No, crack, whatever it is.
You know what I mean?
The first hit is always free, and then suddenly you're addicted.
I mean, look at Jav and TikTok.
Okay, for, you know, let's be clear, I'm not addicted.
Yes, you are.
Oh, no. Oh, no, no, no. Your last 20 posts to us on our WhatsApp group are TikTok videos.
that's only because that's where the good content is
it's better than you regurgitating Reddit's front page.
Yeah, so anyway, with this one, Jav,
what are you doing talking on this story
when you've probably never even seen Clubhouse?
I am fully aware of Clubhouse.
A social media elite like me,
it always rubs shoulders with the latest and greatest
social media platforms to see if I can monetize it as much as my OnlyFans.
You must spend a fortune on fishnets, Jav.
Yeah, it's really interesting though, because, hey, I'm like, why are you surprised that you're commenting
on a public social media platform and people are, you know,
and now it's being heard by other people, you know,
your audio recordings.
It's not really the place you want to go if you want
to be discreet about something.
Let's be honest.
It's an audio channel.
And then, you know, I mean, looking at the vulnerability, it's really like their API was just borked, wasn't it? The way they issue the session token. So when you log on you get a session token for your ID,
but then the server issues you a separate one depending on the room that you enter, and they're not linked in any way.
So if you go into a room and you're given speaker privileges,
that is completely different from your login session token.
So you can then take that token and you can reuse it.
You can spread it around.
So basically you can then log out of that.
So even if the moderator revokes your access, that's a long-life token. You can then reuse it elsewhere and you can share it. And that's basically what the vulnerability was. It's just, like, poor token management, session management. And, you know, they could have integrated it just better, and that would have solved the issue.
But, well, I think this is the journey of every popular platform though, right?
Yeah.
You start off as you grow because, you know,
you don't know whether you can afford to build this thing first.
You know, you need people to come onto it.
You know, the cost of security is so high for something
you don't even know if it's going to grow.
And, you know, they got that sudden boost when Elon Musk came onto it. Mark Zuckerberg's a member of it. And so now they're sort of working backwards. You know, they've had GDPR concerns, you know, the ties to China, all of the things that all good social media platforms go through in their early stages.
Exactly, yeah. To me, this is just a funny story for everyone to get up in arms about. It's, you know, we see it every single time a platform gets popular, right?
Yeah, it's kind of like the standard playbook now, isn't it?
Yeah, is that what, keep your eye on startups, wait until they get mildly popular, be outraged at their lack of privacy policy.
You could pre-write your, you know, your breach comments or your privacy policy comments or your vulnerability comments up front, you know. I mean, in fact, pre-writing is a long time ago. I'm trying to get a developer, like an AI, that can just pluck out the relevant quotes and send them and randomize a few of the words.
Sounds like David Bowie's songwriting technique.
You're cutting up words and then rearranging them on, you know, on the table in front of you until you got a song.
I had no idea that's what he did.
That's fascinating that I shared that with David Bowie.
Yeah, one of the methods he used in the 70s.
That's great.
The one story that I really thought was very clever amongst these,
and I'm just conscious of time,
was the Google Alerts used to phish people.
And if you're a phisher, then you know that it's a,
normally it's a great return on investment
if you're sending phish emails.
But you have the thing that you might get stopped
by the email gateway, it might end up in the spam,
or even if it hits the user's inbox,
they're not going to click on the link.
So what these scammers were doing is they're looking
at what people have
set up as Google Alerts, or what are the most popular search terms, and they were creating fake news headlines with those search terms in it.
That's brilliant.
So that Google Alerts picks it up and sends it to your inbox, and then when people would click on it, it would redirect them to a malware page. So, I mean, that ingenuity there is there without a shadow of a doubt.
That's impressive.
It is very good. And now I'm going back, like, all the links I clicked on over the week, hoping that it wasn't one of those, because I've got a few Google Alerts set up, you know, not only with my name, but, yeah, but mostly. Mostly.
Anyway, that was this week's weekly stories. And lots of, so we're gonna rush on to the end here. Jav, do we have a little people?
Yes, we do.
What? Seriously?
We do, if you want to run the jingle
I can introduce it
Alright
So this week's little person is
someone who's a friend of the show, Yusuf Sayed
We've met him a few times, even though Tom doesn't remember meeting him.
We met him at the rant event, at some 451
round table event. I have
since remembered him, since you mentioned
him at the beginning.
Yusuf, my apologies. Since I described
him to you as the brown guy with the beard.
Yeah, yeah, exactly.
There's only like three people.
Yeah, exactly.
Just get over it.
He's a security architect, and I said,
what is it about security architecture that security people don't really get?
My big issue with architecture within IT domains?
My father, he studied architecture for eight years.
That's as long as it takes to become a doctor.
He does his Bachelor of Architecture, followed by a diploma in architecture,
and then usually becomes a member of the Royal Institute of British Architects.
To my knowledge, there's no comparable educational path within IT, digital, or cyber for architects.
Certain bodies provide certifications, but none of them come close to eight years of dedicated study. As such, there's a Wild West
aspect of being an IT architect. Anyone can call themselves an architect with next to no
qualifications or experience to back that up. There's no standardized definition for what an IT architect is or should be.
So this brings about a huge amount of confusion for recruiters,
and there's so much space for smooth-tongued scammers
and charlatans to operate.
I mean, some of the companies and people I could mention
are a right bunch of chancers.
Like, wait a minute, you're not recording any of this, are you?
I'm an architect.
Yeah.
An architect of your downfall.
Wow.
You need to add in the thunder and lightning sound effects in the background.
That's right.
I'll try and do that afterwards in post.
Anyway, it's interesting because architect with a capital A
versus architect with a lowercase a.
I don't know.
Do you feel seen?
Do I feel seen?
I never claimed to be a security architect.
Well, you just said I'm an architect.
Of downfall.
I'm not a security architect, just the architect of your downfall.
Fair enough, fair enough.
Well, I think you are an IKEA architect.
I'll put you down as that.
I'll endorse you for that on LinkedIn.
I'm an Apple architect.
Oh, dear.
No, very interesting, very interesting, very interesting.
It takes eight years to be an architect. That is quite a long time.
Maybe his dad was just a slow learner.
It's only a six-month course. It took him eight years.
Okay, yeah, I think we should end this.
Oh, I think on that note, absolutely, before we really put our foot in it.
Anyway, Jav, we are well over now, so we even had to miss out a section. But, Jav, thank you so much for this week. I do hope you have a lovely weekend.
Thank you so much. And Andy. And I hope you do too. And hopefully Monday is super productive.
Oh, it will be.
It will be.
It's going to be as productive as yours is.
Excellent.
So we're screwed.
And Andy, thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash smashing security.
I can't believe you called a contributor's father slow, Jav.
It's no surprise that people don't want to send you stuff.
Well, look, it takes five years' experience to do a CISSP. How does that compare to an architect's eight years? Tell me that. Tell me that.
I'm sorry, Yusuf.
Oh my God, he's never speaking to me again.