The Host Unknown Podcast - Episode 49 - Have Your Bunnies at the Ready
Episode Date: April 1, 2021

April 1st!
https://www.facebook.com/burgerking/posts/4438200159526619
https://twitter.com/VW/status/1376868756782219266
https://www.animationmagazine.net/tv/the-cats-out-of-the-bag-cn-rebrands-as-cat-too...n-network/

This Week in InfoSec
Liberated from the "today in infosec" Twitter account:
27th March 1979: 33-year-old computer consultant Stanley Mark Rifkin was sentenced to 8 years in prison for stealing $10.2 million from a bank via computer. Federal District Judge Matthew Byrne Jr. rejected an appeal from Mr. Rifkin that he be placed on probation.
https://twitter.com/todayininfosec/status/1243427187165814785
https://www.social-engineer.org/wiki/archives/Hackers/hackers-Mark-Rifkin-Social-Engineer-furtherInfo.htm

Rant of the Week
Whistleblower: Ubiquiti Breach "Catastrophic"
https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/
https://community.ui.com/questions/Update-to-January-2021-Account-Notification/3813e6f4-b023-4d62-9e10-1035dc51ad2e

Billy Big Balls
Thoughts on Selling to Security Leaders
Jason Chan - VP Security, Netflix
If I ask to not be contacted by your company, ensure that fulfilling my request covers all channels (phone, LinkedIn, email, snail mail, etc.) and extends to your colleagues.
Don't sell based on FUD (Fear, Uncertainty, and Doubt). Security is a tough field to work in, and bad things happen. I don't need scare tactics from sales folks.
It's fine to follow up to an unanswered message - once. And give it at least a week between messages. If someone doesn't respond after the second reachout, it's likely they are not interested. I'd not have time to do my job if I replied or unsubscribed to every reach out I receive.
Don't assume you understand the problems I'm facing or that you know what should be at the top of my priority list. Every organization has a different threat model, culture, and risk tolerance.
If you're selling something, don't ask to "pick my brain" or for "feedback on your approach."
DO NOT CALL ME ON THE PHONE. There is no situation where I'm looking to have this conversation. Email or LinkedIn is fine.
If you're working with someone on my team, don't escalate to me if things don't go your way. I trust my team to make good decisions.
Your solution or product doesn't solve every security problem. That's okay, I don't expect it to. Just be clear about the value you believe your solution brings.
Your solution won't save me from the next [INSERT BREACH/EXPLOIT/VULNERABILITY] here. Don't say it will. Perhaps it's additive or helpful, but operating a security program successfully is complex and involves people and technology working together. Again, just be clear about your product's value.
Don't offer me a gift card, gift, or cash in exchange for a meeting. Just no.
Keep your word, and follow up on time if and when asked. I appreciate folks who meet their commitments and respect my time.
If I'm a customer, think long term partnership vs. transactional sale. There is a lot of overhead to switching vendors and I appreciate folks that I can build a long term, mutually beneficial relationship with.

Industry News
FBI Issues Mamba Alert
Burned Out Employees Put Corporate Security at Risk
Aussie TV Network Taken Off Air by Ransomware
German MPs Hit by Russian-Backed Phishing Attacks
Cyberbullying Linked to Social Media Addiction
UK Cyber Security Council Officially Launches as Independent Body
CISA and RH-ISAC to Run Cybersecurity Drill
Three-Quarters of Legal Breaches Caused by Insiders
Most Global Chip Companies Show Signs of Compromise

Tweet of the Week
https://twitter.com/0x26d/status/1377415060759269377

Come on! Like and bloody well subscribe!
Transcript
Yeah, do you know what? It can be shorter this week. Let's not.
Well, let's face it. Between the three of us, you two are definitely happy with shorter.
But I'm...
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
Welcome to Host Unknown, episode 49, our April Fool's and Easter episode.
So have your bunnies at the ready, won't you?
Why are you two sniggering like little girls in the background there?
Because when we talk about bunnies, we're thinking about the Lord and Saviour Hugh Hefner.
Do you know what? I hadn't even thought of that one. I was thinking of the other one.
Anyway, how are you this morning? Jeff, how are you, sir?
Actually, don't answer because you're going to infect all of our listeners if you answer.
Because you're as rough as a bag of badges, aren't you, at the moment?
I am, yeah. I don't know. I went out cycling one day and then I've been laid up in bed with a cold, a flu, a chest infection.
That's what exercise will do to you. That's what I'm seeing there. I'm seeing a dangerous link there.
There is definitely correlation.
Yes. So we won't be hearing too much of your dulcet tones, just a bit of, well, more Lily Savage than Javad Malik this week, I think. So Andy, how are you?
Not too bad. Can't complain. I got my COVID jab this week. Yay.
Yeah, I figured that I want to see you two old guys at some point.
Yeah.
And so, you know, I'm not due to my age.
I wouldn't be due to get it until like November time or so.
So I figured I'd come and see you over the summer sometime.
So I put myself forward, got the jab.
That'll be nice.
Excellent.
Excellent. So I hear you got about three hours' sleep again last night.
I did, so, yeah, it's a good night for me last night.
But I do have a question, though, which I hope you can help with. Why have we received three pairs of Sticky Pickles branded nipple clamps?
Oh, yeah. If you could just forward a pair to me, that would be lovely.
Thank you.
But you were aware these were coming, right?
Yes.
Yeah.
Did you mean you don't listen to the Sticky Pickles podcast?
Of course. The podcast that I've been invited on, I hasten to add.
It's interesting.
So they named it after our feature Sticky Pickle of the Week,
I understand.
Yeah, that's right.
That's right.
And I think they stole our tagline, you know, the one you used.
I know there's definitely a tender link there, but I think we might have to ditch it.
Yeah, yeah. They claimed it was theirs, and bizarrely they said, well, in which case we're going to have to send them some Sticky Pickle nipple clamps.
So, hey, I asked for three.
Did you say you're going on the Sticky Pickles podcast?
Yes, I am.
So you're going on there? You've been on Smashing Security like three, four times in the last year.
Four times.
Which tells... yeah. And speaking of causation and correlations, the government has said there's no evidence of institutional racism in Britain.
Yes, but Smashing Security and Sticky Pickles are a nation unto themselves. So I guess we have to wait for their report.
You've been on Smashing Security at least once.
That was ages ago, years ago. Yeah, yeah.
What more do you want than a token appearance?
Come on.
I see, I see.
I see how it is.
I can imagine them with a board on, a calendar on the wall
and like every three weeks, oh, we need to have a token,
token representation.
All it tells me is that I've been on that show four times, and as I said the other day on the show, you know, when I was chatting with Graham and Carole, all I said was that it tells me that they've had four people drop out last minute, hence why I'm on the show, you know, because I'll go to the opening of an envelope, let alone being invited onto a podcast.
As long as it doesn't cost you anything, right?
Absolutely. And if there are sandwiches and free nipple clamps, I'm there. I also... it may have helped that I also became a Patreon of Smashing Security.
Oh, is that what it takes? You've got to pay.
Yeah.
So we got an issue this week that we are recording earlier than usual because of the Good Friday.
Yeah, a day earlier.
It's completely screwing everything up.
I'm really busy today.
I don't know what time I'm going to get this podcast out.
So essentially the stories are going to be as old as Smashing Security stories.
They are, they are, yeah. And in fact, up to about an hour ago, they were the Smashing Security stories.
You know, I think we're missing something here, that there's some pay-to-play going on right here, that, you know, I became a patron, this is like...
You know, you're not letting go of this, are you, Jav? It's the government PPE scandal all over, isn't it?
Exactly.
This is how it starts and this is how it goes.
Next mayor election,
I expect to see Tom and Graham standing for London mayor.
What can I say?
They just choose the brightest and the best.
And when they don't turn up, they ask me on.
Isn't that how Boris got into power?
Yeah, exactly.
Oh, God, don't even get me started.
Oh, dear.
So, chums, chums, chums, what have we got for you this week?
We will have this week in InfoSec.
That's Andy's favourite part.
I think we've got a tweet of the week, have we?
We've definitely got a Billy Big Balls and a rant. We're a bit thin on stories, if we're perfectly honest with you. Industry news.
So, did you know, also, funnily enough, that six out of seven dwarves are not happy? That's all we've got to say about the little people this week.
And will we have a sticky pickle of the week?
Although going by what we've talked about so far,
we're more likely to have a sticky nipple of the week this week.
So, yes, it should be an interesting show, if nothing else.
So shall we get cracking? Let's try it, let's see where we go. It's the only way is down from here, folks.
This Week in InfoSec.
So this is the part of the show where we take a stroll down memory lane, liberating content from the Today in InfoSec Twitter account. So, you know, this genuinely is content inspired by the Today in InfoSec Twitter account and embellished by us.
A mere 42 years ago, before I was born, around about the 27th of March 1979, a then 33-year-old computer consultant called Stanley Mark Rifkin was sentenced to eight years in prison for stealing $10.2 million from a bank. The federal judge in that case, a judge, Matthew Byrne Jr., rejected an appeal from Mr. Rifkin that he be placed on probation. So he asked to be placed on probation after stealing $10.2 million so that he could teach bank officials how to prevent computer fraud.
Oh, so he stole it through computer?
Yes. So, yeah, he did steal it through computer fraud. So, yeah, he did this via computer.
And I'll get to a bit more detail about what he did there.
I think I've seen this film because he got his name wrong.
I think it was Richard Pryor.
And it was Superman 2, 3?
I can't remember.
Well, these things were all inspired, right?
Yeah, that's right.
They all come from somewhere. So Stanley Mark Rifkin, a.k.a. The Artful Schmoozer, was ... of 1978 when he committed this crime. It was at the time the largest bank theft in US history.
So he was actually a contractor working for this bank, Security Pacific National Bank, to develop a backup system for them, and during his time there he learned the transfer procedures that they used, and then he found that the bank agents would actually write down the daily transfer code and just sort of leave it on their desk. So he's there, he goes into the transfer room one day, like as part of his normal work, he saw the code, memorized it, walked out, and then basically impersonated, you know, another person in the bank, made a few phone calls, and then just had the 10.2 million wired to this trust in New York, which then forwarded it to this bank in Switzerland where he'd already set up an account.
So knowing the procedures, you know, nothing was unusual about this process because, you know, it's normal for that person to authorize a transfer. He had the transfer code. So everything seemed OK. The bank were completely unaware that this had happened.
And where it sort of all fell down for him was that, you know, in order to fence, you know, this 10.2 million, he basically bought nearly nine kilos' worth of diamonds so that he could then resell them.
I know, it's a strange show. I mean, there's a link in the show notes to the full story, definitely worth going through. So I wasn't actually aware of this at the time, but it's absolutely brilliant that the bank were completely unaware of this, and the first thing they knew of where this money came from was when the FBI actually intercepted him on a separate stream. And that separate stream was set up because the first lawyer he used to deal with this issue of being caught with so many diamonds was not under attorney-client privilege for whatever reason, so that lawyer then went to the FBI and, yeah, he got caught.
It all went back and the officials at the bank had no idea that this money
was gone until after the FBI arrested him for the diamond heist
and then traced the money back.
I think the attorney-client privilege thing, don't you have to be paying
for the services or something like that, don't you?
Yeah, I'm not quite sure.
Yeah, I'll be honest.
We use it a lot, you know, corporate.
I don't really understand it.
Better call Saul.
He regularly asks if he's about to get shot.
He regularly asks the other person, give me a dollar.
And then he's under client attorney privilege or attorney client privilege.
And that may be simplifying it somewhat, but I'm assuming it's because maybe he just said, I'll pay you afterwards, or something like that.
There is so much to unpack here, but what I'm thinking is, had the judge said go and teach the banks, we might not have business email compromise today, because it works in pretty much exactly the same way, and it could have been dealt with, you know, in the early days.
Yeah, we may not even be sat here doing this podcast, because the industry is not as big and expensive as it, you know, as it would be, because frankly they're, oh, so we've got to do this, and then they've got 40-odd years to get it right.
Yeah, so the judge actually said, you know, at his request to be put on probation to educate, the judge actually said prison is a far more effective deterrent than all the lectures he could give.
America!
Yeah, exactly.
Yeah, but I think there was someone else who stood up for him at his trial.
It's a professor of management science at the California State University, so CSU.
So he actually said, you know, the guy's not a bank robber, he's a problem solver.
He said, I have a feeling Stan viewed the entire thing as an incredible problem.
He's always five years ahead of anything else that's going on.
Five years and $10.2 million ahead.
Yeah, but, you know, again, how much has changed in terms of, you know, people get social engineered to transfer funds? You know, nowadays it's via email, you still get the odd phone call, but, yeah, man, been there before. This was done, big whaling was done back in, you know, 42 years ago.
Yeah, blimey, 42.
I didn't even think computers were invented then.
So what does he do now?
He's now just an entry on Wikipedia, according to my very quick research.
I don't know what he's doing.
So he must be in his late 70s by now.
Hmm.
Okay, interesting. So he's kind of like the version 0.1 of Frank Abagnale.
Yeah, the one that, you know, there's always the ones that, you know, get the big gigs, you know, like your colleague, Mr. Kevin Mitnick, you know, he gets all the big gigs and all the plaudits, but, you know, there's plenty of people who got arrested before him that didn't quite make it big.
Nice one.
Thank you, Andy.
Thank you very much for this week's.
This Week in InfoSec.
Nice, like that one, like that one. I think we should put one of these on now.
Recording from the UK, you're listening to the Host Unknown Podcast.
Not that we're trying to pad the show out at all. I do like that one, though, because it's got the, yeah, makes you proud to be British.
Well, as we're talking about, you know, the Smashing Security podcast and institutionalised racism.
Yeah, I managed to chuck in a bit of Rule Britannia, remind people of the colonies, right?
Yeah, absolutely, absolutely. Would Sticky Pickles be considered a colony of Smashing Security?
I don't know, it's interesting. Oh, well, anyway, shall we move on?
Yes, we will. Since I've got the jingles, let's move on to...
Listen up! Rant of the Week. It's time for Mother F***ing Rage.
So, Rant of the Week.
This is on friend of the show, Krebs on Security, Brian Krebs.
And I've got a wonderful story about Brian Krebs, which I won't tell in public.
But nonetheless, it involves me and Brian Honan, and it's hilarious.
But I shall maybe tell that another time.
But so Krebs broke a story this week on the Ubiquiti breach.
Now, Ubiquiti Networks, they produce high-end networking equipment, primarily Wi-Fi, but certainly not enterprise level, but eye-wateringly expensive.
Eye-wateringly, really, expensive.
Yeah, that's right. Eye-wateringly and unpronounceably expensive.
So other good friend of the show, Troy Hunt,
he has plenty of this equipment in his house and he often tweets about the installation or whatever.
And if Troy says it's good, then it's probably very, very good.
I looked at getting it and couldn't afford it, even on my salary.
So, Andy, on your minimum wage job, you've got no chance.
But at least, you know, good news, minimum wage does go up today in the UK.
Yes, it does.
It does.
What does it go up to?
£10 something.
Not bad.
So about two euros then.
Yeah, a huge amount.
An hour, that is, yeah.
Yeah, that's right.
Well, certainly on a British workday anyway.
So there was a breach and it was through a third party.
There was disclosure that a breach involving a third party cloud provider had exposed customer account credentials.
They had reported this on January 11th that, you know, this breach had happened.
It happened through a third party. However, recently, as reported yesterday, a source who actually participated in the response to that breach has alleged that Ubiquiti massively downplayed what was considered to be a catastrophic incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication. I think that means lie. I could be wrong.
Economical with the truth.
Economical with the truth. That's right.
So this security professional helped the company respond to the two-month-long breach that started in December 2020, actually contacted Krebs on Security directly after raising his concerns, get this, with both Ubiquiti's whistleblower hotline and the European data protection authorities, and obviously nothing happened. And this person contacted Krebs, obviously, on the condition of anonymity for fear of retribution.
I'm presuming he's fine.
This guy sounds like a serial snitcher.
Well, snitches get stitches, right?
I can imagine that, can't you?
Mr. Snitch, please come to the boardroom for your stitches.
So this person said it was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers, he wrote. This chap wrote, in a letter to the European Data Protection Supervisor, the breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk. That's pretty fucking awful, really.
So not only to create or to lie about the source of the breach, i.e. it wasn't us,
it was a third party, but to then actually have legal stop any kind of open and transparent dialogue with customers.
And those customers were only informed of it two months after the investigation. So not
something has happened, we're looking into it, we'll keep you informed on a regular basis. But
oh, this happened, we've dealt with it, and it was nothing to do with us.
It's awful, absolutely awful.
And basically all their letter says is just that, this happened,
we think you should change your password and enable 2FA.
Oh, wow.
Yeah.
This is right up there with FatFace's, the response that we covered last week.
And also, not to recycle old content from other podcasts,
which obviously they normally do to us anyway,
but I talked on Tuesday about MobiKwik, an Indian company
that did basically the same.
A researcher said, all your customer records are up on the dark web.
And they publicly said, no, they aren't, it's nothing to do with us, we haven't had a breach, and we've got a third party to prove it, and anyway, our customers probably put it there.
Wow.
It isn't us, but if it is, we didn't do it.
Yeah, we didn't do it.
Our customers did.
They brought it on themselves.
Yeah.
And then called the researcher that raised it a media-crazed researcher
wasting our time.
Got to destroy the character.
You know, that sounds like a very Indian response.
Actually, it kind of loses its meaning when I think you say it out loud in English,
but I'm imagining someone in Hindi saying it and then it being translated
like that, and it is so on brand.
It is totally appropriate for a model.
Well, they were apparently, allegedly, pre-IPO.
So I think there's a whole bunch of firefighting, ass covering going on. But the fact is that this data that they allege their customers have probably copied up there contains password hashes and know-your-customer information.
Yeah, because we often upload our data, including usernames and passwords and password hashes, to websites, don't we, as consumers? And also salts in some cases as well.
So, yeah, how else are you meant to back stuff up?
I know, I know, right? But this kind of, this, we seem to have come out of a renaissance of responsible disclosure and people, you know, companies saying, hey, we got hacked, this is what we're doing about it, sorry, customer, we'll keep you informed, and actually being responsible about it. And we seem to be going back into this thing of, as you say, Jav, it wasn't us, and even if it was, it wasn't our fault, you know.
Yeah.
I think what it is is, like, the companies that we've been praising in the last few years, they're, like, just ahead of the curve, and then there's just so many organizations, like, they're collecting data, they have no idea why they're collecting the data, but it's just data, so they might as well collect it anyway. There's no purpose even, but they just think they might be able to monetize it in the future, or it might just come in handy, and I think those are the ones where, like, they have really bad breaches.
Yeah, yeah. You know, and the thing is, you know, many of these companies, like Ubiquiti, is right at the source of your organization. It quite literally is the transport layer of all of your communications, right? And if that's breached, that level of trust is breached, then you can assume that anybody with the right technical know-how, knowledge, et cetera, and intent and motivation could actually fundamentally expose your network, right?
Yeah.
You know, this isn't just, you know, I don't know,
losing the account to your Sunday newspaper digital download.
This is significantly more fundamental than that,
and yet they're treating it like it's nothing and lying through it as well, so allegedly.
Yeah.
Their share price has dropped in the last couple of days, actually, Ubiquiti's.
Funny that.
Yeah, I know.
Funny.
But, you know, it's only been a couple of days.
I'm sure it will bounce back stronger than ever.
And it's not actually the first time Ubiquiti have had security issues.
Oh, interesting, really.
Back in 2015, Krebs reported something about the Apart Trojan being on some of their products.
2015, did you say?
Yeah, yeah.
All right.
And before that, in 2013, there was a U-Boot configuration extraction, where it was possible to extract plain-text configuration from the device without leaving a trace, using Trivial File Transfer Protocol and an Ethernet cable, revealing information such as passwords.
Right.
But you know, technologically bleeding-edge environment, these issues happen.
And it's not the fact that they happen because, you know,
if you want old reliable, then, you know, go with some other product.
Tom, you're talking about bleeding-edge technical.
It's a router.
Yeah, but Ubiquiti was one of the first ones to be signed.
You're arguing with tea season.
Sorry, what?
Anyway, well, the cultural references are lost on Tom.
I know, I know. So, but what I'm saying is these things will happen, yes, but it's what you do about it that counts, and how you respond and how you manage it and how you treat your customers, and if you treat them with disdain, that really shows, and that really reflects you as a company in a very bad light.
Well, well said. Yeah. Right, okay. In the great words of Andrew, time to move on from this story.
So that was this week's...
Rant of the Week.
You're listening to the Host Unknown Podcast.
Bubblegum for the brain.
I know that's Andy's favourite, that one.
Yeah, that one is.
They're all my favourites.
They are.
Well, you created them, let's face it.
So, yeah.
I still like the intro music myself, you know.
So I think that's pretty much the only one that survived.
Survived the great culling by Andy.
Okay, let's move straight on to...
Do not assume gender.
This is not...
Colossal cojones.
No, Carol's colossal cojones, I think we decided.
Very good. Carol's colossal cojones, I think we decided. Very good.
So, actually, this probably isn't even a Billy Big Balls, more of a rant of the week, but it's a very good post by Jason Chan, who is the VP of Security at Netflix, and he wrote a post on LinkedIn saying, Thoughts on Selling to Security Leaders.
And it's a good post.
He puts down lots of bullet points as to how to not contact him
or security leaders broadly if you're a security vendor.
So I went through this and I thought, oh, those are good points. And then, I don't know if you remember, a few years ago there was a lady, she wrote a post about, if you want to talk to a girl somewhere, think of that person as The Rock, and is it something I would say to The Rock? And if it is, then it's cool, and if it's not, then don't say it. And I read this and I thought these bullet points actually apply perfectly in that same scenario as well. So, like, the first point is, if I ask not... okay, I'll embellish it slightly. If The Rock asks not to be contacted by your company, ensure that that covers all channels, phone, LinkedIn, email, and extends to your colleagues, or he will lay the smackdown on you.
Don't sell to the rock based on FUD, fear, uncertainty, and doubt.
Security is a tough field to work in and bad things happen.
The Rock doesn't need scare tactics from sales folks.
It's fine to follow up with the great one to an unanswered message once
and give it at least a week between messages.
If someone doesn't respond after the second reach out,
it's likely they're not interested.
I'd not have time to do my job if I replied or unsubscribed
to every reach out I receive.
The rock would not have time.
Yeah, I really relate to that one.
I think the best I've got is six in a week. In five days, six messages in five days, forwarded on every time saying, you know, sorry to keep, sorry for my persistence. Did you see my previous messages?
Yeah.
Don't assume that you understand The Rock's problems or you know what he should be at the top.
You are not on your game today, are you, Jav?
No, no.
Do not assume you understand the Rock's problems, Jabroni,
or that you know what should be at the top of his priority list.
Every wrestler has a different threat model, culture, and risk tolerance.
Very good. Very good.
If you're selling something, don't ask to pick The Rock's brain or for feedback on your approach from The Rock. Do not call The Rock on the phone. There is no situation where The Rock is looking to have this conversation. Email or LinkedIn is fine. If you're working with some second-tier person on my team, don't escalate to The Rock if things don't go your way. I trust the little rocks to make good decisions.
Did The Rock have a tag team?
He had many.
The Rock and Sock Connection is probably the greatest.
The Rock what?
The Rock and Sock Connection.
The Rock and Sock.
That was Mr. Socko.
That was played by Mick Foley, a.k.a. Mankind, a.k.a. Dude Love.
He was also in the, what was that?
It was in a film, right?
You could have just said Security Operations Center, you know.
Oh, I missed that one.
I'm not on my game at all.
Your product or solution doesn't solve every security problem.
That's okay.
The rock doesn't expect it to.
Just be clear about the value you believe your solution brings to the rock.
Your solution won't save The Rock from the next [insert breach/exploit/vulnerability here].
Don't say it will.
Perhaps it's additive or helpful, but operating a security program
successfully is complex and involves people and technology
working together.
Again, just be clear about your product value.
This is like an adult's, you know, reading 101 class.
I didn't realise that was such a long one.
I only had enough breath in my lungs for that first part.
This is a problem when you don't see the show notes.
Don't worry, folks, there's only three left. Do not offer The Rock a gift card, a gift, or cash in exchange for a meeting. Just no.
I'd say it depends on what the gift is. I did accept a pair of Beats Studio headphones for a meeting once.
Keep your word and follow up on time if and when asked by The Rock.
The Rock appreciates folks who meet their commitments and respect The Rock's time.
If The Rock is a customer, think long-term partnership versus transactional sale.
There is a lot of overhead to switching vendors,
and The Rock appreciates folks that can build long-term,
mutually beneficial relationships.
Do you know what, Mr. The Rock?
If you're listening, please let us know.
Do these resonate with you?
Do you often get sales pitches like this?
Because we know you're a fan of the show, so let us know.
If you smell.
Do you know, I think we're alienating more and more of our audience
every single week.
Join me and Jav for our weekly wrestling podcast.
That would be good.
Anyway, thank you, Jav, for this week's...
Billy Big Balls of the Week.
Oh, God. Andy, what time is it?
It's that time where we head over to our sources on probation over at the InfoSec PA Newswire, who have been busy this week bringing us the latest and greatest security news from around the globe.
Industry News
FBI issues Mamba alert.
Industry News
Burned out employees put corporate security at risk.
Aussie TV network taken off air by ransomware.
German MPs hit by Russian-backed phishing attacks.
Cyberbullying linked to social media addiction. Industry News.
UK Cyber Security Council officially launches as independent body.
Industry news.
CISA and RH-ISAC to run cyber security drill.
Industry news.
Three quarters of legal breaches caused by insiders.
Industry news.
Most global chip companies show signs of compromise.
Industry news.
And that was this week's...
Industry news.
Let's go straight on to...
I lost over a kilo and a half this week.
Damn it.
So I am the biggest loser between Tom and I.
I put on 300 grams.
Oh, well.
Javad's Weekly Stories.
Which the phrase huge if true now applies to me.
You realise that you guys are going on this health kick right before Easter Boxing Day.
Yes, I know.
I ate half an Easter egg yesterday.
I know.
Half.
Amateur.
Amateur hour.
You don't know how big the damn egg was.
It works out for me because Ramadan's just around the corner.
Yeah.
I call unfair advantage.
How dare you let your religion take advantage of this situation?
You're more than welcome to fast with me, Tom.
Fuck that.
Or how.
Yeah.
So what the hell is a Mamba alert anyway?
So I assume that we're talking about, have you seen the film Kill Bill?
Yeah.
Black Mamba.
I was wondering if she's back.
Yeah, the Mambas, yeah.
So Mamba ransomware, which has been deployed against local governments,
public transportation agencies, legal services, technology services,
industrial commercial manufacturing and construction businesses.
So pretty much targeting everyone.
Everything. Yeah.
Nothing like reading the first paragraph of an article.
No. Well, I'm trying to do it quickly to...
To keep us moving along.
Yeah. So, yeah, open source full disk encryption software called DiskCryptor.
I like that.
That's clever.
The other one that I thought was interesting,
three quarters of legal breaches caused by insiders.
That doesn't surprise me.
No.
When you see that barristers are still carrying all of their documents around
on paper just secured by a coloured bow, a coloured piece of ribbon.
You leave one of those on the train or something,
that's a massive data breach.
If you leave an iPad or something like that,
at least it's encrypted and secured.
So that doesn't surprise me at all.
If you consider how many small legal firms there are,
and it's not like that TV series Suits where they've got some expert IT guy.
Hey, someone's hacking our firewall.
They've dropped an encrypted Trojan on there.
They're stealing our data.
Damn, they got in.
I thought that was CSI.
Yeah, all of the above.
It's the same script, yeah.
Yeah, lots of personal data, lots of commercially sensitive data,
very little investment. You know, the thing I loved in Suits is how
there could be the most complex case in the world, and they go over with a binder in their hand,
and there's only a few pages in it. It says what's up, and he hands them the binder, and they
open the binder and skim read it, and within five seconds they get a complete grasp of everything that we want off the case. I'm like,
we need to have a security version of that, where, you know, when someone asks what's happened,
you can just give them, like, five bullet points and they completely understand
what's happened, right? And then just walk out and give an announcement to the press that they just...
Yeah, sophisticated attack. Yeah, but as I read a white paper or something like that, I think,
no, I'll have to leave it a day and read that again. Yeah, yeah. I'm sorry, I know that those
words were in English and I understood them all individually, but in context,
not a clue. So here's an actual useful tip, and I told
someone this the other day and they didn't realise, because I thought this was kind of like
common knowledge, but I suppose it's... When there's a white paper or research paper in particular,
you don't start at the beginning and read all the way through. Read the summary at the beginning
and read the conclusions at the end,
and that will give you the majority of what you need to know.
The middle should all be all the details that you're trying to fill in.
So if you're one of those people that gets stuck reading these papers,
read them.
So that's a bit like this show, right?
The intro and the outro, that's all you need.
But it's true, though, because a good document,
the executive summary tells you what's in the document.
The document just tells you how it's reached those conclusions.
Exactly.
UK Cyber Security Council, the self-regulatory organisation
responsible for boosting professional standards
and career prospects for those working in cybersecurity
has obviously now launched in the UK.
What will they bring us in the industry?
And I see that the chairman of ISC Squared
was very quick to put themselves out there and say that,
yeah, we definitely need more industry collaboration
to address the cyber skill shortage.
Oh, man.
Of course.
You know, I feel like a millennial because I get triggered every time I hear the phrase cyber security shortage.
Yeah.
Yeah.
It's ridiculous.
Ridiculous.
We should do a whole episode on that because we could do with culling a few of our listeners.
Yeah. It's going to be good overall. It's got to be good news. But yeah, it's...
So again, like, a lot of this goes back to research and methodologies and what have you. Thing is, if you ask 10 of your best friends or 10 people you know, say, like, do you think you earn enough money, or could you do with more?
Yeah.
The majority are going to say, well, even if they're happy with what they earn, they say, well, I wouldn't say no to more.
Yeah.
Especially if you stay like that.
I get paid too much.
I get paid too much.
I don't need it.
Exactly.
So, you know, it's one of those things. If you ask security people or leaders, like, do you need more resources,
the majority are going to... Very few are going to say, no, I have the perfect team, I have enough people,
I have enough budget. And, you know, there's always going to be that case where
it will always be nice to have more, or you're always striving to grow your team
or your budget or what have you.
So I think there's a fundamental flaw in when you go
and ask someone that kind of question.
Yeah.
Yeah, that's right.
That's right.
Well, on that note.
This is the Host Unknown Podcast.
So, Andy, I think we're going to go over to you for this week's...
Tweet of the Week.
I always play that one again.
Tweet of the Week.
Once again, this is one of those could be a rant of the week.
Why not?
We're just shoving it in.
So the tweet is from Caitlin, at 0x26d on Twitter,
and she has posted a screenshot from a job application, and she's put the commentary:
Tech and infosec Twitter, please help me decipher why a job listing would have this. And within that job listing, it has an applicant screening
process, which asks to prove that you are human, qualified, and committed. All applicants must
calculate the sum of the following four values. Number one, maximum number of virtual processes per virtual machine in a Hyper-V hypervisor.
Two, number of host bits in a slash 21.
Three, the most recent DEF CON number.
Four, the lowest registered BGP ASN for University of Southern California.
Then create a H.265 slash Opus encoded video of yourself,
intro message optional, providing the answer.
Email it along with your resume or LinkedIn too.
And then it's got the IP address.
So this is one of those, if you want this job, you know.
Dance, monkey, dance. Exactly. I think the questions are like, why would a job listing have this? And some of the responses to this, you know, there's
very little support for it, as you can imagine. Yeah. You know, for someone who was declared
best nerd and promoted to manager of nerds, you know, this person enjoys being smarter than others,
has no clue how to recruit other people. You know, this is when I walk away and laugh. It's not even a fun or educational
challenge. Others say, no, the key of this is to get a video of you. This is to discriminate.
You know, I can already tell this is a shit company. Is it Facebook or Google? They haven't
named and shamed, unfortunately. Why?
I mean, these are public documents.
Do you know what I mean?
Yeah.
And then, you know, you've got someone else actually giving the answers.
Please, does the number add up to 421 or something like that? But, I mean, general feeling is that the hiring manager is incompetent
at being a hiring manager.
Yeah, some people are asking them to reach out, to name and shame, but no, she's not doing it.
But others are saying you can get it.
But yeah, this goes back to that hiring practice.
You know, it gets to the stage, you know, I think I'm at that stage in my career where,
you know,
if I look at a job and someone says,
I've got to dance,
I'm going to be like,
nah,
not for me.
You know,
like I,
I know what I can bring to the table.
You know,
this is a two way street.
I had to do four interviews for this current job.
And I thought that was pushing it a bit.
I mean,
God,
just,
just listen to the podcast.
That should be enough.
Not this episode, though.
Yeah, not this episode, no.
Episode 31, I think that's our highest-rated one.
Yeah, but, yeah, and this is the thing,
but you'll have people, certainly younger people, fresh out of university, et cetera, who will, you know,
dance to this because they won't have any other option.
And I think it just really does show quite how poor the culture
in that particular organisation is.
Yeah.
So one of the responses actually is like to hire the person
they already have.
And I think that's a very valid point.
To hire the what, sorry?
To hire the person they already have.
Oh, I see.
So sometimes, because of state or local laws or whatever, you have to publicise a job externally
before hiring from within, or whatever. So it could be that you might as well say, you know, like, tell
me the number I'm thinking of. Yeah. Applicant screening pros... Yes, yes. Well,
cry. I mean, Jesus, I'd much rather have a go for that. At least that's slightly funny, you know.
Tell me the number I'm thinking of and I'll guarantee you an interview,
CV or not. I think that there's... this is one end of the spectrum, and on the other end
you do have people like Tom who say,
I'm not even giving you a CV.
Here's my podcast.
Here's my website.
You put in the effort.
You spend hours researching me and every other applicant
and then decide on who's the right person.
It's about having self-worth.
I mean, let's face it, Jav.
When I first came up with the idea for Host Unknown,
the idea was... let me finish, let me finish,
the idea was that we would never have to ask to present at a conference ever again,
that we'd be invited, that we'd never have to justify ourselves,
that we'd be paid to travel around the world. I mean, obviously that's failed miserably,
and I blame you two as sole founders for that. That works, that works
for certain types of things. So if you're hiring an actor, you know, they put out their showreel. Yeah.
Or you can watch their movies or whatever. But when it's an internal role that, you know, you're not
creating something for public... Yeah. I go out of my way to suppress any association with this show. Yeah.
Oh, dear.
Yeah, don't like it myself.
I definitely think this is Google or Facebook.
Prove me wrong.
And thank you very much, Jav, for this week's...
Tweet of the Week.
You're welcome, but it was Andy.
Yes, it was Andy, wasn't it? That's all right. It happened. You
know what? I create, Jav gets a credit. Why change? Well, this is true, the habit of a lifetime, right?
This is true, this is true. You know, everybody knows how much, um, you know, how much Jav had
to do with the CISSP video. Yeah,
we will.
Absolutely.
Absolutely.
Right.
I'm not even dead yet.
And you guys are already tarnishing my legacy.
We're proactive.
You know,
we're trying to get ahead of the game here.
We're busy people. Got a very long to-do list.
Yeah.
We're busy people.
Just be thankful we're giving you any attention at all.
What does constitute institutional racism?
I need to look that up this week.
Oh, man.
So do we have a sticky nipple of the week this week?
I don't think we do.
No, so obviously this is part of the show that we like to call
Kick of the Week.
I was going to say, we do have... no, we didn't do any mentions
of April Fool's pranks, and I didn't see any infosec-related ones, but there were a couple.
So this is like my favourite time of the year anyway, and it's a shame that we're not in the
office to see all those pranks that, you know, you used to go around, especially when you've got call centres and sort of, you know, ask people to call back Mr. Sea Lion at London Zoo.
You know, that sort of stuff.
Or, you know, call Buckingham Palace, ask for Liz.
You know, all that type of stuff.
But I saw a couple which did make me chuckle.
So I'll talk about the first one. Cartoon Network said they're rebranding
as Cat Too Network, and they're going to focus on a feline focus. On Twitter, Volkswagen
said they were rebranding to Voltswagen, as in, like, you know, to start with
all new electric stuff. Burger King announced that they say, do you think everything is better on
sourdough? So do we.
To celebrate, we're putting everything
on sourdough.
So that looks
good. And then just a couple of
other ones which
Pringles Lip Balm
coming soon. So salt and
vinegar and sour cream and onion flavour
to be released
That actually sounds quite nice, I must have it. Oh, I don't know about that. A meaty bath bomb.
So Frankie and Benny's, chain restaurant, thinks that, you know, meatballs are so good you'll
want to bathe in them, so they've got bath bombs. McCain Smiles, you know, the potato snacks, they have teamed up with Iceland to produce
upside down potato smiles.
Love it. Yeah, I like those. Falafel flavour ice cream coming from Good Life, not sure I'm a
fan of that. And I think the big one is Heinz have announced a collaboration with Innocent.
And they have created the Heinz cream of tomato soup and classic strawberry and banana smoothie.
They're calling it a schmoop.
A schmoop.
A schmoop.
I did see one on Twitter this morning from Lego called the smart brick.
And so it showed.
You'd already ordered it on Amazon before you read the story, right?
Yep.
I'm sorry.
It's coming tomorrow.
But so the actual little video was somebody walking across the living room
and then standing on bricks, you know, and obviously hurting their feet,
blah, blah, blah.
And then with the smart brick, as you walk towards them,
they all spread out of the way.
Excellent.
And then we had one this morning on our internal chat channels
that basically was saying that we'd been acquired by Cisco.
Oh, wow.
That's harsh. Yeah, that's a cold one. So if you want to know why my education
is so poor, this is a genuine story. My A-level business studies teacher actually came in one day
and barely, you know, this was a long time back, so it wasn't like she could just double check stuff
on her phone or look stuff up on the internet. And she basically presented how marketing market research is
really powerful and why you always make decisions based on numbers, and she had this article from
Mars, who had created a left-handed Mars bar, and she was 100% suckered in by this.
Where, yeah, no, I'm not even joking. Basically, you know, like Mars has the R for the registered trademark,
or it used to back then.
And they had produced images of that saying L,
and it just said look for the L if you want a left-handed one,
and it tears open easier if your dominant hand's on the left.
Oh, I see.
Yeah, and, you know, we were like, oh, my God,
this person's teaching us.
She is setting us up for the world.
So, yeah, if you want to know why my business sense is so screwed, it's...
Wow.
Thanks, Miss Jarrett.
Oh, dear.
Excellent.
Well, gentlemen, I think we're up against it at the moment.
Thank you very much
I can't believe we've even got
Stories in backup
Just in case we didn't have enough
Given this morning
But anyway yes thank you very much
For your time today
The April Fool's edition I think you can tell
But Jav thank you sir
Yeah thanks
You look after yourself.
Try not to die on us just yet because you've got to get our next video sorted out.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
You still alive, Jav?
Oh, barely.
What? What?
Oh, God.
Do you think they'll get that that was a joke episode?
That was a joke episode.
Well, you know what I forgot to mention,
and I apologise it's taken so long because it would have been a lot funnier,
but do you remember at Christmas how I got you guys some awesome presents?
I got you the Mac, Tom, and Jav, you got the brand new iPad Pro and the Pen.
Oh, that's right.
Yes, yes.
So what I didn't tell you at the time,
and it's probably not funny now because it's been so long,
I actually used the money from the Host Unknown bank account for that.
What?
You son of a bitch.