The Host Unknown Podcast - Episode 70 - Two is the Magic number
Episode Date: August 27, 2021This week in Infosec (13:24)With content liberated from the “today in infosec” Twitter account25th August 1991: Linux completes 30 years.It was on this date in 1991 that Linus Torvalds announced t...he first version. He actually wanted to call it as Freax, but his friend Ari Lemmke named it as Linux, which he accepted. Version 1.0 would later be released in March 1994.https://twitter.com/SadaaShree/status/14304157238562037772004: (a mere 17 years ago) The US Department of Justice (DOJ) announced the results of Operation Web Snare - the arrest or conviction of over 150 individuals involved in cybercrime.https://www.justice.gov/archive/opa/pr/2004/August/04_crm_583.htm Rant of the Week (29:03)https://www.ncsc.gov.uk/blog-post/10-years-of-10-steps-to-cyber-security Billy Big Balls of the Week (36:40)Iran official acknowledges videos of Evin prison abuse realThis clip of a security control room at Iran's most notorious prison being shut down by hackers is straight out of a movie.Hackers are now leaking stolen CCTV from across the Evin prison to highlight the abuse of inmates Industry News (45:35)Crunch Time for Liquid as Crypto Exchange Loses $97m to HackersMan Gets Three Years for Stealing Nude Photos from College VictimsHackers Leak Footage of Iranian PrisonPoly Network Hacker Returns Remaining FundsAT&T Denies Data BreachTime to Fix High Severity Apps Increases by Ten DaysDrug Dealers Get 27 Years After Police Crack EncroChat Comms70% of Cyber Pros Believe Cyber Insurance is Exacerbating RansomwareAngry Birds Developer Accused of Illegal Data Collection Tweet of the Week (51:42)Charlatan - Frank W. Abagnale Jr.https://twitter.com/securityerrata/status/1429225280997142530 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Good morning, good afternoon, good evening from wherever you are.
So with me being unexpectedly away today, I'm hoping you clowns don't lose both of our listeners in my absence.
Up until now, I have been the only ever present and the listener numbers have been trending upwards,
which is pretty conclusive statistics if you ask me.
So if people are tuning in today just to hear me uh they are going to be disappointed with you
guys rehashing fat jokes uh i know there won't be any height jokes owing to mr platform shoes
himself being back this week so i'm pretty sure it's just gonna be limited to the fat jokes
anyway i digress i can't be there in real time today so i don't know if you're butchering this
week in infosec or not but i do know that the average age of presenters on this show has just increased to 70 uh that's without my youthful presence which
shows now basically become infosec's radio 5 um so i will leave you a fact on this an age-based one
the year 1980 and the year 2021 are as far apart as 1980 and 1939 are to each other.
So you guys were obviously born closer to one of those extremes than the other.
And just if that didn't make you think about your own mortality enough
to show time in another perspective,
if they remade Austin Powers powers for today he would have
been born in 1991 groovy and with that thought i bid our listeners a good day and for my two
employees at host unknown may your pillow be warm on both sides stay secure my friends
you're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 70 of the Host Unknown Podcast.
to episode 70 of the host unknown podcast we are sleeker faster more streamlines than ever before uh and as you probably gathered there's just the two of us jav how are you sir i feel like anthony
mackie uh from eight mile when in the final rap battle against Eminem.
Is Anthony Mackie in that film?
Yeah, he's the guy he's rapping against.
I've never seen that yet anyway.
You've not seen the movie?
So basically the Falcon is a rapper.
He's a bad rapper who got destroyed by Eminem in the end.
Ah, right.
Anyway, so do go on. he's a bad rapper who got destroyed by Eminem in the end. But the way Eminem approached his rap battle was he started in his rap.
He said everything that Anthony would have been able to think about to diss him with.
So he's like, yeah, I am white. I am poor. I am this.
He basically took all of his lines that he had nothing left to cuss him with.
And that's how I feel right now after Andy just went on about saying,
yeah, you just got to make fun of my weight and how fat I am and how this.
And now I've got nothing to come back.
He's a sly git.
Well, quick fact check. I mean, in reality, I think pretty sure Andy was the first one to take a day off from the podcast.
We're going back a few, well, probably about a year or so, but he was the first one to take the day off, as I recall.
So, I mean, you've taken, well, loads. There's no question about that.
But I've taken one and he's taken now two, at least two so i you know i think he's trying
to rewrite history what's really fun is how last week he was adamant about he'd never take a day
off even if he was on his deathbed i'd never take a day off i know i know the unfortunate thing is
somebody had to die for him to take a day off it doesn't matter regardless of
what it doesn't matter what the reasons are he was so adamant he'd never take a day off i know
i know and yet and yet he'd already taken a day off i'm sure we need to go through back through
the archives um or even if one of our maybe maybe q maybe Q could QA us on this.
Because he knows.
I mean, he's got the memory of a memorable thing.
But, yeah, I'm sure Andy's taken time off,
and he's just trying to rewrite history.
He is.
He's always trying to rewrite history. Well, yes.
Yeah, exactly.
The sugar addles his brain, to say the least.
It does.
It must be one of those missing podcasts that conveniently disappear from history.
Yeah.
Yeah, that's right.
That's right.
We're going to go back.
We're going to go.
Funnily enough, I watched Tinker Tailor Soldier Spy last night,
and they go and steal a day book, you know, a log book,
and they find that the crucial two pages have been removed we're going to go back and we're going to find that there's a big gap in our uh
or a gap of an episode in in our in our archives yeah i saw a movie based on you last night
oh yeah what was that it was called i boy
isn't that where um his phone explodes in and into his face or something and so he's embedded
with electronics it is it is it's so rubbish don't watch it no no don't watch it don't watch it
i i only saw the trailer and i thought oh my god no what made you watch that or was that with the
kids no i was just i I couldn't sleep last night.
So I just thought, oh, it's only a 90-minute movie.
How bad can it be?
Yeah.
Really bad.
I highly recommend Tinker Tailor Soldier Spy, the new one.
Well, a new one.
It was filmed in 2010, I think, something like that, 2011.
It's incredible.
It's set in the very early 70s in london and obviously europe etc but
you know primarily in london it feels like it really was filmed in the 70s in london you know
you know because a lot of films go back in time you know you set set in different times and all
that and you can kind of tell they're sort of staged and they're um you know everything's a
prop this really does look like it was actually filmed in london it's almost like they used old
film stock or something like that as well uh but yeah really good film really good film very little
happens in it and it's gripping absolutely gripping i don't think there was even a single
exploding helicopter and that's that's the thing about some great films you see and very little happens
yeah um the one i i remember which is really great it's um when i saw it the first time it
was death trap i think it's the one with christopher reeves and michael cain in it
oh yeah christopher reeves is in a wheelchair isn isn't he? No, that's in real life.
No, no, no, I thought there was one where he was in a wheelchair.
No.
Anyway, it doesn't matter.
This is like, I don't know, 70s or 80s,
but I think it's based on a stage play.
So the entire film is set just in one room pretty much.
Yeah.
And I think Michael Caine is an author,
and he's a very published,
very, very famous author.
And Christopher Reeve is a young writer up and coming and he comes
and he gives his manuscript to him to look over or whatever.
And it's a really, really good piece.
And Michael Caine hasn't had a hit in many years and then he wants
to try and steal it from him or kill him.
Oh, that's right, yeah.
It's a really, really good story.
It's almost Hitchcockian in its sort of nature.
That's right, that's right.
Yeah, yeah, yeah.
Well, much like this, you know, not a lot happens in these podcasts,
but really we know you're just gripped to the very, very end.
We really do.
We really do.
So what else have you been up to, Jav, apart from not sleeping at night?
So I am now a certified security awareness and culture professional, or SACP.
SACP.
Let's just say SAC.
SACP.
I don't know. I'm trying to think of how we're going to make a
song about that but yes sack p really i mean i'm sorry i'm uh but yeah no it's it's uh there's a
organization called h layer credentialing and they've um uh H layer dot com. And yeah, it's it's actually a really good sort of knowledge building and knowledge test process.
It goes through a lot about how to like it goes through the basics of like what is security awareness and what is security culture, how to build it, some of the psychology behind it, what makes a good program and campaign and how to build it some of the psychology behind it what makes a good program
and campaign and you know how to build one yourself so it it was it was it was quite a good
good uh well put together cert so i i uh i being the good person i am there's that service i can't
remember what it's called but you know you you link to it and it and it pulls your certs and
it publishes them the badges to linkedin i did wonder why you suddenly announced the fact that you have a c i
double sp on linkedin this morning for some i'm like really jab you know you're kind of like
well as you said to me you're a week late and a dollar short yeah yeah so um so yeah this was it also published my cissp sir and now people
people are now congratulating me on linkedin for having having winning i suppose it's it's
nice of them but goes to show how much attention people pay yeah all six of them yeah yes so uh well that's true yeah what about me
what have i been doing well i was um i decided to get me soldier in iron and move my bits out
again last night and have a go at replacing the battery in an old iphone managed to sever a cable
as i took it apart so ebay is delivering another replacement cable to me.
So there's that.
And I've ordered some more Lego, and that's coming soon.
What else have I done, really?
I mean, obviously, huge amounts of work, if my boss is listening.
Vast amounts of work.
But, yeah, not a huge amount, actually, not a huge amount.
I've been cooking proper food because I'm now a subscriber to HelloFresh,
which means I actually get to eat more than just toast and marmalade.
Wow.
It all sounds riveting.
I don't know.
Between the two of us, I tell you what,
you're putting up credentials that are like a decade out of date
onto LinkedIn, and I'm sort of fanboying over HelloFresh.
I know.
What next?
You're going to say that, oh, I listened to the Smashing Security podcast.
I mean, like, how low can you go?
Well, I mean, I do listen. Well what i listen to half of the podcast obviously um the uh but uh yeah i i was i was i went around to see caroli the other
day actually and um my podcast was on in the background i say my pod our podcast i said mine
because it was andy last week but um um you know podcast she was listening to our podcast. I said mine because it was Andy last week. But she was listening to our podcast
in the background as I walked in, which I thought was rather cool. So yeah, it was quite refreshing.
She was making sure that we didn't diss her after inviting her on and her having to decline. So she wasn't disappointed because we did diss her, you know,
but, you know, such is life.
Not listening to us for the content or anything,
but just like, what did they say about me?
Yeah, that's right.
I mean, who would do that anyway, right?
But then again, you know, if it was anyone other than Carole,
I would have my suspicions.
But no, I'm sure she wasn't listening to it just for that.
No, she's a good person.
Absolutely.
Anyway, let's move on, shall we?
Let's see, what have we got coming up today?
Well, this week in InfoSec, a penguin was born.
You're going to have to carry on listening to work out what that is.
Rant of the week gives us 10 easy steps to cyber security and let me tell you number five will amaze you
billy big balls of the week is all about a prison break but maybe not quite how you imagined it
interesting news brings us the latest and greatest security news stories from around the world. And finally, tweet of the week shows us another charlatan has been added to the errata
list. And we'll tell you more about that at the time. But perhaps that's why Andy's missing this
week. Don't know. We shall see. We shall see. Let us move on, shall we, to this week's...
Well, it's going to be odd.
It's going to be odd.
I'm going to say it's going to be odd because it's this week's...
This week in InfoSec. you see we're still both waiting for andy to jump in we are we're just waiting for him to jump in
with his monotone voice to read a wikipedia article out to us well that's true yeah that's
right that's right you know we might as well, like the Smashing Security robot voice.
Yes.
I mean, even that's got more charisma.
Yeah, yeah.
The one that edits the first half.
But, yeah.
I'll do the first one.
I'll do the first one.
You do the first one.
On this day, on the 25th of August, 1991, Linux completes 30 years.
How's that?
Perfect, perfect.
I almost thought you were Andy there.
It's like he's in the room, isn't it? It is.
Anyway, so yes, 25th of August, 1991, Linux completes 30 years.
It's an interesting way of putting it.
How about Linux is 30 years old?
I don't know.
But yes, this week in 1991,
Linus Torvalds announced the first version of Linux.
He actually wanted to call it Freaks,
but his friend Ari Linke named it as Linux.
At least that's how the story goes.
Because as I understand about Linus Torvalds,
he's not a shy man, as I understand it.
So it wouldn't surprise me if it was him that actually named it Linux
or Linux or whatever you want to call it.
Version 1 would later be released in march 1994 now
there's a there's a twitter link there it's worth going to reading the thread etc um but what's
fascinating was he just announced this on like a bulletin board and it was hey i'm doing this it's
a hobby um not going to be able to support this this and this because I don't have the hardware.
Let me know what you think and blah, blah, blah. And then fast forward 30 years,
and it's still the third most popular operating system.
But actually from those very humble beginnings, it has become a powerhouse. I mean, huge numbers of data centers are run using Linux.
There's obviously the free open source community-driven Linux projects,
but there's also ones that are actually run by some of the big boys,
IBM, for instance.
Doesn't IBM own Red Hat?
Is that right?
Yeah, that's right.
And so full-on support for it and things like that.
So it is a very, very serious operating system,
normally liked by people with beards, sandals,
and pens in their top pocket. But I use it on Raspberry Pi.
So I have four Raspberry Pis running in my house at the moment. They're all running a version of Linux of some description and some flavor. So yeah, it's extremely popular. It's a fascinating story and i i read a book years
ago about it and it really was you know a labor of love and a part-time project coding most of
it in his bedroom as i recall yeah as most of these uh stories from back in the day are
before the days of um you know shared office space everyone was coding out of their bedrooms
that's right yeah yeah it kind of tells you something doesn't it you know that's probably because they're too busy
taking advantage of the free tea and coffee and beer and snacks in these office spaces that not
a lot happens that's right that's right no i think what what's really cool about linux though on a
serious note is they've not tried to be another Microsoft or,
um,
Apple or anything like that.
They stayed very true to their,
to their core,
which,
which is what,
what gives it the,
the,
the sort of the,
uh,
the,
the,
the stereotype of being liked by old,
old men with beards and sandals and pens in the top pockets.
But,
you know,
it stayed true to what it is.
It's still a very quick, um, you But, you know, it stayed true to what it is. It's still a very quick, you know,
they don't focus so much on building a GUI or anything.
It's just like, here it is, get it to work.
And, you know, all the open source nature of it
has really helped it grow.
So I hope it remains true to its core for many years to come.
Well, we love Linux,
even though we don't understand it particularly well.
Yes, that's a good way of putting it.
I think that's pretty much where it is.
Yeah, yeah.
A bit like Andy.
Yeah, we love Andy.
We don't particularly understand him.
Exactly.
Why don't you take the second one, Jeff?
Okay.
So in this story, it takes us back to 2004, a mere 17 years.
Yes.
Get the calculator out.
Get the calculator out.
The U.S. Department of Justice announced the results of Operation Web Snare.
And for those not familiar, Operation Web Snare resulted in the arrest or conviction of over 150 individuals involved in cybercrime.
Sounds thrilling. It was. It was a massive cross-agency investigation.
There were like 36 U.S. attorney's offices involved,
the criminal division of the Department of Justice,
37 of the FBI's 56 field divisions, 13 of the Postal Inspection Service's 18 field divisions,
the FTC, together with a variety of other federal, state, local and foreign law enforcement agencies.
So at that point, Attorney General Ashcroft, John Ashcroft,
At that point, Attorney General Ashcroft, John Ashcroft,
he was sort of like the head honcho, I suppose, at the time. He directed it to make, and they made full use of the Identity Theft Penalty Enhancement Act
signed into law by President Bush earlier that year.
It did do something right then.
Yeah.
I'm not even going to go there.
So, you know, the Act itself prescribes stiff prison terms
for those who use identity theft to commit crimes
and bloody, bloody, blah.
The web snare, operational web web snare targeted just basically online economic
crimes so identity theft counterfeit software computer intrusions other intellectual property
crimes and um you know as uh you know they they more than 160 investigations were opened and they identified more than 150 000 victims with
estimated loss of more than 215 million something that these days uh ransomware operators call a
slow week yes that's right yeah that's exactly right i was just thinking that
but uh but yeah no i think it just goes to show that, you know,
there have been these big efforts time and time again throughout history.
And, you know, I don't think we can underestimate how much effort
that was put into this.
But it just goes to show that once Pandora's box opened,
no matter how much effort you put into trying to arrest these people, the payoff just gets bigger and bigger.
So, you know, they for to coin a phrase, they just accept the risk the criminals do and they they go for it or they find find people they can recruit.
find people they can recruit actually um another reason is um there was a job posted for by the sas that's right i saw that and they it was accidentally leaked that it was for the sas
and they had all sort of confidential information in there but it was for like a reverse engineer
like nation state hacking like kind of of like for the good guys.
But they were paying them £33,000 a year.
I mean, that's not a lot more than your average squaddy.
It's not, no.
But then when you have such a massive private industry
that is willing to pay a lot more,
and then you have a criminal syndicates that
are willing to pay way way more than that yeah you know you're really competing against um you know
you want people who really want to do it for the for for the honor of doing it as opposed to
trying to make a living out of it i reckon they didn't accidentally leak the fact that it was for the SAS. Oh, okay.
I don't.
The British Army's marketing is actually pretty strong on the whole.
Yeah, it's made a few screw-ups like most marketing groups,
but they're pretty good because why would you want to do that job for 33K?
Oh, hang on.
I get to hang out with the SAS. that's pretty cool that is pretty cool that's
pretty cool you know um it's a bit like they um they did a thing i know it wasn't the british army
but it was a similar concept for the royal marines and it said basically if you want to join the royal
marines call this number and then it looked like the poster had been ripped off.
And you had to work out how to get hold of the number.
And the bottom line was, if you can work out where to call us,
you can join us.
Ah, very interesting.
But it's that kind of psychology of trying to get people
to aspire to something.
Do you know what I mean?
So, yeah, I'm not convinced that it was a mistake.
I reckon it was completely on purpose.
But we'll find out soon enough, I'm sure.
You know what?
I don't care.
That is such a good story.
I'm sticking with it.
I think that's the way to go.
Wasn't it also the anniversary of the Iranian embassy siege?
It was, yes.
Or was it the anniversary?
Yes.
It was either the Iranian embassy or the unveiling of,
or the death anniversary of one of the big Scottish guy
with the big handlebar.
Oh, yes.
The first guy in basically yeah
yeah yeah that's right they unveiled a statue to him and didn't they in scotland that's right
that's not it was of him but it was for a larger cause a greater cause but that's right yeah that's
right yeah because that that was um up until that point nobody really knew what the sas was
nobody actually understood who they were, what they did,
or anything like that.
And then they went very, very public.
Because I was looking into this the other day because I saw that news thing
as well, and I realized that they actually broadcast that live
to the nation as as it happened which of
course you could not do now because the people on the inside will be able to see what's going on
yes um but of course back then all they had to do was just cut the aerial you know
you know that's it you ain't getting anything you know um and um you know i don't even think
well you could get portable tvs because my dad had one in
his car at the time uh no in the early 70s but it was a pretty much a one-off uh made by apple
no no no and um um but yes so that was broadcast live and it was i think it was was it thatcher at
the time i think it was and she was basically sending a really clear message about
you know basically don't fuck with with us and otherwise you get these boys in black coming in
but yeah it was a very interesting operation and then and the thing that really interested me was
it nearly um failed horribly because there were two teams one going in the back back of the
building and one going in at the front of the building. And the people in the front, as they rappelled down, one guy got caught in his ropes just as
the flashbang was thrown into one of the windows, which set the curtains alight,
and then set this guy alight who suffered burns and was actually basically blocking the way into
the windows. And so every operation depends on having you know all
the parts working so if they weren't able to get into the front of the building quickly enough it
could have entirely uh caused the mission to fail so even with all of the careful planning and all
of the training stuff always goes wrong which is something that we could probably learn in infosec
very very good point no you were saying that and that's immediately where my mind was racing i was
like we have all these incident response plans and and what have you and business continuity plans
but it is actually in the in the heat of the moment that you actually get to see what works
what doesn't work and sometimes it's just blind bad luck.
If it can go wrong, it will go wrong.
You cannot rely on everything working completely reliably.
So, yeah, and that's something, you know,
these are people who are extraordinarily highly trained.
You know, this is more than just a job and a nine to five for them. This is,
this is their way of life. And they've been doing it for, I think at the time, like 20 years,
you know, they were sort of, they'd been in the armed forces, which is a whole lot more than
most people in our industry, right? Yeah. Yeah. That's right. No, fascinating insight into that.
I'm sure some listeners will correct us on our,
or at least my lack of military knowledge,
but hey, I don't know much about this stuff.
Yeah, well, I mean, please do correct us.
Obviously, my memory's pretty poor.
I'm of that age now.
But there is a brilliant film on Netflix.
I'll just close on this.
It's called Six Days, I think.
A British film.
Jamie Bell, Mark Strong.
And it's all about just that, what happened.
It doesn't glorify it at all.
Slightly, it's not exactly a completely faithful retelling of it,
but it certainly gives you a look and feel of it.
Anyway, thank you, Chav.
That was this week's...
This week in InfoServe.
Sketchy presenters,
weak analysis of content,
and consistently average delivery.
Like and subscribe now.
Yes, please.
So, shall we move straight on?
Why not? Yes. Let's do it. Let we move straight on? Why not?
Yes.
Let's do it.
Let's get straight on to...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
I feel like I have to caveat this immensely before I start.
Because I'm not really ranting about it. I'm just kind of talking about it. Yeah'm I'm not really ranting about it I'm just kind of talking about it yeah
I'm not angry I'm just disappointed we had to fit it in somewhere and this was the only you know
so this is um so apparently this was a post published in May but i only just saw the tweet because it was retweeted by the social team just recently uh in in the last week but by our good friends uh off the show at ncse
who have updated the 10 steps to cyber security and this this was last updated. Sounds like Alcoholics Anonymous.
I can't remember when they last had it.
We can add into the show notes, but it's long overdue.
Yeah.
And there's an infographic they published along it.
It's 10 steps.
It's 10 years ago.
Okay.
So 10 steps to cybersecurity, and they've just revamped it for the modern era.
And there's a nice infographic there.
And it looks really good when you first look at it.
And then you start thinking about it. And this is guidance for, okay, they do say it's not for the average person.
This is for security people or people responsible for security within
their organization force,
uh,
medium and large enterprises.
And the large ones I get the medium ones,
I'm still a bit on the fence about,
but,
um,
what's the slightly ranty nature.
It's,
it's a bit like saying,
Oh,
why don't you just patch and think, that's great advice.
Why don't I just patch?
Why didn't I think of that before?
Yeah, exactly.
Do you want to lose weight?
Eat less and exercise more.
Exactly.
Or just have one of your trio not turn up.
Yes, exactly.
And that's how this feels.
So some of the 10 points on here are things like asset management.
Know what data and systems you have and what business need they support.
Because that's not difficult at all, is it, to go across your environment
and understand where all your data is and what it is and who owns it
and what classification it is. That's not difficult at all. Not in the slightest. Or the other one is
supply chain security. Collaborate with your suppliers and partners. Oh, that's just a couple
of, you know, evening sprints worth of work, that is.
Easy. I mean, I know all of my, everyone in my supply chain,
and they're happy to collaborate with me as well.
They don't just say pay me or find someone else.
Well, I don't even know who gives me my electricity and gas, for Christ's sake.
All I know is that my electricity and gas has gone up by about 50 in the last year oh i've got i've got a referral code for a good company you can use if you want brilliant okay
uh vulnerability management keep your systems protected throughout their life cycle
god it's genius why didn't i think of that here i am on windows 95 recording this i know i know i mean like my i mean like
my xp machine does such a good job of this xp was the best operating system ever it did it was
the power of nt and the friendliness of windows 95 loved it it was such a good platform i i um it was a sad day when i when i sold my last uh pc to on ebay
anyway i digress um other things uh identity and access management control who and what can access
your systems and data uh so i'm we're not saying we're being a bit post-unown about it all,
but this is a very good advice.
I'm not saying this is bad advice.
What I'm saying is that calling it 10 steps to cyber security
is a bit misleading.
These are like 10 skyscrapers to cyber security.
There's an awful lot of steps in the skyscraper
that you have to walk up and the lifts out of order yeah it's it's that kind of um you know you know how you can best avoid
being stabbed just don't be stabbed yes genius you know or how do you avoid getting stabbed in a pub? Don't go into the pub.
Yeah.
I have to go in there, you know.
Modern problems require modern solutions.
Exactly.
Exactly.
But, yeah, this is, I mean, that's the thing.
That's the only thing I take a bit of exception.
It's a nice infographic.
All the steps are absolutely needed.
But it doesn't actually fully convey the amount of effort
that is hidden within each of these steps,
or steps, they call it a step, it's not a step,
within each of these individual five-year,
multi-million pound projects that you'll need to kick off
to get anywhere near this level level so i you know i saw
an interesting tweet and um someone said why are why aren't there more talks about defeating
ransomware at security conferences and someone's response was that would be like the medical association getting together and
presenting a talk on preventing obesity by saying you need to eat healthier and work out more and do
this and do that yeah exactly there's a lot of truth to that yeah yeah so you know, NCSE, they do very good stuff, I have to say.
You know, I've been very pleasantly surprised by them over the last few years.
And the quality of the stuff they put out there is good.
It's common sense. It's down to earth, all that sort of thing.
This feels, well, they've been doing this for years 10 years
so maybe this whole approach just needs to be re-looked at 10 years this is something you'd
expect to have seen 10 years ago well just do this just do the basics and the basics are hard
you know so maybe they'd need to you know maybe year 11, this will look like something slightly different.
Hope so.
Or maybe we're just reading it wrong.
We just saw the infographic and not understand the intent behind it
and everything.
But I'm just calling it like I see it.
So please don't put me on another list, NCSE.
I'm already on plenty.
You're already on a whole bunch.
Yeah.
Excellent. Thank you, Jav, for bunch. Yeah. Excellent.
Thank you, Jav, for this week's... Rant of the Week.
Jav, we're going to go straight on.
You're going to do the next one as well.
So with Andy not here,
I'm just going to be throwing things at you to do.
So let's just go straight on to...
Rant of the Week.
Wow, this just feels like an interview.
An interview.
Big Balls of the Week.
So if you run a notorious prison in Iran.
Iran. Yeah, Iran. run a notorious prison in iran iran yeah iran then they're just you're just making our podcast international so that i know i know so that
the uh our american listeners know what country we're talking about that's right
uh it's it's iran darling iran iran
and uh they they have this prison there called even evan isn't that a water
yes oh no that's evian sorry so the um there was. So there's been a hacker group that were able to hack into the prison CCTV system.
And who would have thunk it?
You buy some internet connected stuff.
You put it out there.
You probably don't have the skills to audit the code or to see what's exposed to the Internet.
And someone, you know, they say they hacked it.
I bet someone was just doing a sweep through Showdown or something.
I was going to say Showdown.
Yeah.
Oh, what's this?
Yeah.
Yeah.
Admin.
Admin.
What are they doing to that prisoner?
Yeah, exactly.
Admin, admin and i mean yeah and uh so they
they started um posting some of the videos um publicly and the uh the head of the prison system
actually in in iran actually acknowledged that um they were uh they were real and he took responsibility for the unacceptable
behaviors like so i'm not sure what the unacceptable behavior was that the i i think there's a man whose
family is going to be looked after very well for the rest of their lives but he may not be around
to witness it see i think think he means that it was unacceptable
for the prisoners to get their blood on the batons
or the uniform of the prison officers.
For their heads to hit the doorknob seven times as they fell.
Yeah.
But it's great fly-in-the-wall documentary stuff.
If you look on Twitter, we've got a link there.
There's some clips there.
And the best one is where they have the clip of the actual security guards.
The control room?
The control room where all the screens start going off.
It's so funny.
It's like this guy, he's sitting there, he's looking at it and and screens we're reading the paper at first yeah exactly then
he's looking at he doesn't get and then he gets up this is the funny part he gets up he moves
one step to his right and sits down in the chair next to him it's like why are you doing that i think his body's on sort of you know autopilot is like
i have to do something i don't know what to do sit down and think about it man
you get these other gods coming in and they're like take it they've got their phones out and
they're recording the screen with it all and it's uh it And it's like something out of a movie.
It's quite funny.
But then at the same time, I kind of felt for him
because this is probably how people feel in organisations.
You know, when you walk in and you see that ransomware screen
on your desktop or something, it just makes your heart sink
and think, oh, my God.
You do feel for him, yes.
And then the footage flicks to a prisoner literally being dragged
across the floor in front of multiple other guards.
And this prison, every prison is known for its abuses.
So you're kind of like, yes, you feel for him and then you think,
oh, my God, this is all part of a really quite an awful environment.
Whether that person is part of it or not, that whole complex is just,
it just leaves a really bad taste in your mouth.
Oh, you know, that's kind of like a lot of prisons around the world are like,
in many countries.
I'm sure.
Are similar.
So it's, I mean, it's.
That's not a great defence though, Jav.
Oh, well, I mean, it's, you know, it's just like this other prison.
They're just as bad as each other.
Well, look, look, look, look.
What they say, don't do the crime if you can't do the time.
So if you want to avoid prison abuses, just don't do anything illegal.
Don't get arrested.
Don't do anything illegal in Iran.
Iran.
Exactly.
Or America, as the Iranians would call it.
Yeah.
But yeah, this piece of advice, if the NCSE were to come up with advice,
it's like, listen to your government.
Don't do anything illegal.
Don't post anything illegal.
But fair play to the hacker group or Dave in his basement
who ran Showdown, one or the other.
Fair play to them for making it public and actually disrupting it and actually bringing it
into the public eye.
I mean, there's these kind of abuses going around the world,
and we know that, but every now and then having them sort
of brought into focus does kind of, you know,
it helps to educate people about the different environments
that and the different countries and uh different governments that there are around the world and
what we can um you know what we maybe should be either doing about them or be actually a bit more
reflective as to where we live and what happens in our country?
Wake up, sheep, all seeds.
This is where I was just about to say, call me cynical,
but the timing's really convenient and it's a really good way to say,
oh, look at that, look at those countries are really bad.
We need to invade them and help liberate the people.
Yeah, well, we've got some troops hanging around in that area.
I mean, why don't we just, you know, drop them off on the way through?
Think of it like, you know, they're coming out of Afghanistan,
out of Kabul.
They're putting destination into their military tom-tom, you know,
U.S. of A, via Iran.
Yeah.
Avoid motorways and tolls. It's like Uber Pool, isn't it? Yeah, it's like motorways and tolls it's like uber pool isn't it you just
you know we got all this ammo we can't you know not use it exactly exactly so
oh dear me well it's a good one and uh it would be really interesting to see how they did it or
at least you know at a high
level because was it was it something so poorly configured that even i could have worked it out
with a bit of showdown or was it did it actually require some sort of um you know some real sort
of wizardry uh uh to to make that work you see now i think it's if it was just poorly configured
that would actually be the better outcome that would be the better it's if it was just poorly configured that would actually be the better
outcome that would be the better answer because if it was that it was configured and still someone
got in it just goes to show look don't get any of these interconnected devices because
no matter how good they say they are no matter how much effort you put into configuring them
and this was a prison but this could happen anywhere i mean just ask matt hancock i mean cctv is everywhere yeah that's right that's right what may be the
iranian ico should get involved yes i heard elizabeth dunham's stepping down isn't it
there's probably a role for her yeah yeah, yeah. Because she can go to Iran
and do nothing at the ICO there as well.
Exactly.
Anyway,
thank you,
Jeff.
That was this week's
Billy Big Balls
of the Week.
Are you not entertained?
What? To judge his work. You're listening to europe's most entertaining content bro what are you talking about man the host unknown podcast
jeff do you know what uh what time is it yes it's uh just five but no hold on
it's hold on let me get on my Andy voice.
It's that time of the show where we head to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest
and greatest security news from around the globe.
Industry News.
Crunch time for liquid as crypto exchange loses 97 million dollars to hackers industry news man gets three years for stealing nude photos from college victims
industry news that's not funny. Hackers leak footage of Iranian
prison. That sounds familiar.
Industry news.
Oli network hacker returns
remaining funds.
Industry news.
AT&T denies data
breach. Industry news.
Time to fix high severity apps
increases by 10 days.
Industry news.
Drug dealers get 27 years after police crack encrochat comms.
Industry news.
70% of cyber pros believe cyber insurance is exaberating ransomware.
Is what?
Making it worse.
Industry news.
Angry birds developer accused of illegal data collection.
Industry news.
And that was this week's... Industry news.
I hate you.
Hate me?
You should hate your English teacher.
Man, these words weren't around when I was in school.
I know what it means.
I know how to spell it.
Well, you obviously know what it means because you described it.
I mean, I'm impressed by the quick thinking, to be honest with you.
It also has a far greater comedic effect as well.
But, oh, dear me.
No, very good, very good.
So this AT&T story, they allegedly have a data breach and they're saying no we don't
yeah that that's you know what companies like AT&T they're so big I don't even think they know
all the time well actually listen to NCSE have an asset management policy AT&T and you would
have known whether this is yours or not um you know it's really weird because there's some researchers
at a place called restore privacy yeah and they analyze a sample that the threat actor shared
and they're saying well it seems to be authentic based on available public records uh and also the
user who posted it has a history of major data breaches and exploits and then um at&t uh corporate
comms uh say based on our investigation today the information appeared in the chat room does not
have appeared to come from our systems um well i i've read the first line in the last line of the
thing of of the article and the last time was
interested in a threat actor told researchers it doesn't surprise me i think they will keep denying
it until i leak everything which that's quite confident it is it is um so so the problem is
that there's so much data out there on everyone and there's been so many
breaches uh you just don't know where the data i mean this is the thing so so on one hand even if
it's a fake even if it's not from at&t this whole thing has got at&t tied up resources and trying to
prove that it wasn't them. Yeah.
Hitting their share price potentially, you know, all that.
I mean, it could just be a way of shorting their stock so their price dips whilst they, you know, refute all of this.
Somebody buys it and then once it's all proven as rubbish,
their stock goes up and somebody sells the stock.
So that has happened in the past where some criminals got access to someone's Twitter account.
And they said that we've been hacked and the price dropped and they said, oh, we've regained control.
The price went back up.
And all of that happened before the financial institution in question could actually respond themselves.
Yes. Yes.
Yeah.
Although I don't think that this is something that will
impact at&t share price you've seen how big they are yeah yeah the gains will be marginal to say
the least oh if if at all i think even if they didn't didn't do anything they they would have
made the same amount of money yeah but uh but it's interesting it's interesting about like you know
of money yeah but uh but it's interesting it's interesting about like you know you say they say and because if it is at&t if it has actually them then there's a whole thing about not only
investigating but notifying regulators customers and impacted people offering them a year three
credit monitoring yeah you know it becomes a real big big pain so um yeah, I really don't know.
Maybe if they had a supply chain management policy in place,
this wouldn't have happened.
Yeah, absolutely.
Actually, they need a copy of that infographic.
Yes, they do.
They do.
Yes, very good.
Very good.
Well, thank you for the industry news. I think it's time we swiftly moved on.
This is the Host Unknown Podcast, the couch potato of InfoSec Broadcasting.
Very true. Let's get on to this week's Tweet of the Week.
And we always play that one twice's Tweet of the Week. And we always play that one twice.
Tweet of the Week.
So I'll take this one.
I saw this in Twitter this week.
It's an actual story that I found and put into the show notes.
Incredible.
So this is by Security Errata.
errata uh now security errata they um is is a website um and one of the things they uh they do is they they highlight charlatans within the industry um so gregory evans for instance is in
there a bunch of a few others um and they I've been told, they offer the individuals that actually get put onto this
website, every opportunity to refute everything that's said about them.
And they only go on there literally after, you know, possibly a couple of years of communications
with them well the quote the uh tweet today says today we added frank w abagnale
jr to errata slash charlatans links in the show note folks worth taking a look so if you don't
know who frank abagnale is he uh was featured in the film uh is it Catch Me If You Can? Yeah, that's right.
With Leonardo DiCaprio.
And very entertaining film.
And if what you take from the film is, you know, if not verbatim,
then certainly take the essence of the film.
Frank Abagnale was a very talented forger who was able to avoid getting arrested multiple
times and outwitted the FBI throughout most of his career. And then eventually did get arrested
and went to work for the FBI to absolve himself almost and to sort of improve their ability to detect forgeries.
Turns out that's not actually true.
Turns out most of his claims are complete fabrications.
And if anything, that film was the ultimate in sort of forging
of his credentials and his lifetime because many people have an image
of Frank Abagnale as a result of that film, as a little bit of a criminal
but one of the good criminals who you know got turned around etc
he seems to have completely fooled everybody and actually not as good as he says he was uh has lied
repeatedly about his arrest record has lied about all of his exploits etc and therefore has been put into the errata slash charlatans list.
So this really surprised me, I have to say.
So it's definitely worth a look, to say the least.
So you're saying that a known, convicted, self-confessed Yes. Has conned us.
You're surprised.
I know, I know, right?
It all makes so much sense now.
Oh, dear.
So, yeah, fascinating.
But whatever the case, certainly an interesting individual,
to say the least.
Yeah, absolutely. And, and you know i think it's
it's it's probably one of those cases where you know a lot of people like to
exaggerate on their on their skills and what they've done and whatnot and i think sometimes
what happens is it gets to a point where you've, the lie has spread so much, it actually gets out of control.
Yeah, yeah, that's exactly what I was going to say, yeah.
And then you can't just turn around and say, oh, wait, it was just a prank, bro.
Yeah.
But, yeah.
I think you also get to the point where you start believing it yourself.
Exactly, exactly.
I think you're right.
It's like when you phone in sick when you're not
actually sick and then you know halfway through the day you think oh i've got been pretending to
feel sick all day and now i feel a bit sick yeah you know there's a there's a psychological thing
i might have mentioned this before where it says as humans we're really bad at lying to others
because other people could so what we but what we're really good at is lying
to ourselves so what we do is we actually lie to ourselves first to say oh i i actually scored four
goals in football last week and once you convince yourself then you can actually become a really efficient liar because you're not lying. Yes.
I love that.
Love that.
But, yeah, no, it's unfortunate because, you know,
if he has made millions throughout his career, it's not from the actual exploits.
It's probably from speaking fees that he's accumulated based on this book.
Sorry, movie.
Yeah. Yeah, that's right.
That's right.
But the weird thing is, in essence,
he's made his speaking fees by doing exactly what he said he was doing.
Exactly.
Which was fooling people.
So it's this weird kind of meta environment in which he's not lying,
in a sense, because he's lying.
Weird.
Anyway, I'm not going to get involved in that inception.
Mind blown.
But that was this week's...
Tweet of the Week.
Right.
We have come to time, I believe. We have we have jeff thank you so much it's it's it's flown by
today um it's it's been i feel just kind of lighter more more um easier less less sort of
weight on my shoulders it's it's been a joy, to be honest with you.
It has.
It's been absolutely a pleasure.
And it's been interesting.
I mean, I've really enjoyed the conversation today.
Yeah, yeah.
It's not hard work at all, is it?
No, not in the slightest.
No, no.
Well, thank you, Jav.
Appreciate your time as always.
And have yourself a lovely weekend. Yeah, you too, Jav. Appreciate your time as always and have yourself a lovely weekend.
Yeah, you too, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
I don't think I'll send Andy the invitation next week.
Don't bother.
Don't bother.
This is really good.
Yeah.
Yeah, exactly.
Nice and easy.
Nice and easy.
Let's have a look at the viewing figures as well.
You know, I'm pretty sure we'll refute those.
Yes.
What I can also do is I can laugh a few times for you now,
so you can add it in to the end of your gag, so it looks like we were having a really good time and perfect yeah right
uh still recording go okay
tom you're so funny