The Host Unknown Podcast - Episode 71 - Thank You For the Music
Episode Date: September 3, 2021This Week in InfoSecWith content liberated from the “today in infosec” twitter account1st September 1997: Nmap was first released as a simple port scanner via an article in issue 51 of Phrack maga...zine which included the source code.http://phrack.org/issues/51/11.htmlhttps://twitter.com/todayininfosec/status/130086427849755852831st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities.https://mashable.com/archive/celebrity-nude-photo-hackhttps://twitter.com/todayininfosec/status/1300537361676283905 Rant of the WeekGuntrader site hacked and plotted onto Google Maps Billy Big Balls of the WeekScam artists are recruiting English speakers for business email campaignsAccording to Intel 471, forums are now being used to seek out English speakers, in particular, to bring together teams able to manage both the technical aspects and social engineering elements of a BEC scam. If a scam is to succeed, the target employee must believe communication comes from a legitimate source -- and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn't right, in the same way that run-of-the-mill spam often contains issues that alert recipients to attempted fraud. "Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams," the researchers say.In addition, threat actors are also trying to recruit launderers to clean up the proceeds from BEC schemes, often achieved through cryptocurrency mixer and tumbler platforms. One advert spotted by the team asked for a service able to launder up to $250,000. "The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers," Intel 471 says. "[...] Criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money." Industry NewsBangkok Airways Admits Attackers Stole Passenger DataMicrosoft Cloud Databases ExposedUK Government Considers New Regulations for Video Streaming PlatformsIndonesians Told to Delete Unsecured Tracing AppVictim of Cyber-Theft Sues Parents of Alleged CulpritsAustralian Couple Admits “Serious Cyber Hacking Offenses”WhatsApp Fined a Record €225m for GDPR ViolationsSacked Employee Deletes 21GB of Credit Union FilesUK Researchers Invent Device to Thwart USB Malware Tweet of the Weekhttps://twitter.com/JackRhysider/status/1433097343692324864https://cybarrior.com/blog/2019/04/05/eagle-eye-reverse-lookup-tool-for-social-media-accounts/ "The Box" © Charlie Langford Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
have you donated to your mate matt hancock who's running the uh london marathon this year
yeah i donated the minimum amount just so i could tell him what i thought of him
just like half the country yeah yeah it's probably in the process raised so much money
well i mean it is for a good cause but a cause that you know he could have it's just like the
cyber equivalent of um you know old uh
school fates where you could pay to throw throw something in your teacher's face yeah yeah that's
exactly it you pay a small amount just so you can call matt hancock yeah
you're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 71 of the Host Unknown Podcast. the host unknown podcast an auspicious day it would seem because uh well today there was an
announcement that abba have just dropped two singles and will be releasing a new album uh
we might as well just play the outro music now because nothing could top that i'll let you i'm
gonna let you finish but first i gotta say kanye west also dropped a new
album i thought you said you were gonna let me finish yeah but first i gotta say it's wasted man
it's honestly all the culture oh is that a cultural reference oh my god you tell me you
you haven't seen the memes i mean the one of the billion billion memes of kanye getting up on
stage and interrupting taylor swift saying i'm gonna let you finish but first oh well i remember
him doing that and just thinking he's a bit of a cock so uh so that works and with what you just
did last week you you did not get the reference to the eight mile rap and today you don't get the reference to Kanye West how old are you Tom
he was the oldest person at ABBA's last concert in the crowd I believe they last performed 40
years ago their new concerts that they're going to be doing them sort of virtually not like through
a zoom call or something but they're gonna they're gonna have sort of like virtual representations of them on the screen on the on the stage and they've called
them avatars come on that's brilliant that's brilliant okay we can insert some tumbleweed
music so i mean tupac did this at coachella, like, years ago. Oh, yeah.
Yeah, that's right.
But, you know, technology will be much, much better now.
So rather than sort of like just some, you know,
old Victorian smoke and mirrors thing, it'll actually look quite good.
And the music will be better.
Debatable.
Come on, it's ABBA. It's ABBA.
I've got a lot of love for ABBA, but you can't go off to park like that.
You can't do dirty.
Oh dear, Jav, how are you, sir?
Very good, very good, thanks.
I went to the cinema last night for the first time in like two years or so so so when when are you doing your pcr testing yeah exactly yeah no i done one this
morning and my daughter was off this morning to get hers for school as well but yeah we saw free
guy with ryan reynolds it was amazing i really want to see that film. It was really good fun.
Highly enjoyable.
Anything with Ryan Reynolds in it?
Yeah.
Except maybe Green Lantern.
Yeah.
Yeah.
I mean, he's good in it.
The film's pretty rough.
Yeah.
Anyway, yeah.
So that was the highlight of your week?
Of yesterday, yes. So that was the highlight of your week? Of yesterday, yes.
Of highlights of yesterday?
Get you with your I've had a good time.
Yeah, it was a good day.
I bet you don't know who said that either.
You did just then.
Oh, man, there's so much to teach
there's just not enough time
I just don't know
where to
well
maybe this will be
proof of
that you can teach
an old dog new tricks
on the weekend
watch the movie
8 Mile
and then watch the movie
Straight Outta Compton
ah
yes yes
that's about that
popular skiffle beat combo
from New York, wasn't it?
Yeah, just watch it.
It'll be good.
Andy, what about you?
What have you been up to?
It's been all right.
I was listening to
last week's show
to hear you two
come to talk about
Oh my God.
One of our best, I think.
One of our best.
You guys literally dissed the NCSE top 10 cybersecurity tips.
Well, yes.
Because it wasn't detailed enough.
No, that's not.
Because we all know that one size fits all.
That's not what we dissed it for.
That's not what we dissed it for.
And we didn't really diss it.
Like, have an asset register.
Oh, my God, what crazy.
What a crazy recommendation. Hatch asset register. Oh, my God, what crazy... What a crazy recommendation.
Patch your systems.
Oh, my God, what a crazy thought.
That wasn't the...
That's exactly what happened.
This is you rewriting history again,
like you saying that you've never been off on a show.
So we can come on to that one afterwards, right?
When you guys tell me which episode I was off, right? show so we can come on to that one afterwards right when you guys tell me which episode i was off right and then we can come back to this one but as i
was listening to that look i'm gonna let you finish but let me just first say it means i'm
gonna have to listen to all the old episodes and i'm not doing that so it actually reminded me of
a time i used to have a friend that worked on a cruise ship and he told this story of like an
onboard guest an american uh who like chewed him out one day because of lack of information about how to get around the boat
right and the cruise ship obviously had maps and signposts all over and you know guests were
actually given a map as well how to get around and where to go and this guest actually came
up to him complained that her portable map didn't have a you are here icon on it so she said it was
impossible to figure out where she was in order to navigate around the boat this is a paper map
a paper map right and so what i'm saying is sometimes you have to stop spoon feeding people
in order to make the world a better place and uh you know ncse can make recommendations but they can't do it for you
no absolutely absolutely but what ncse normally get hands out really sensible down to earth
advice and this just seemed to be really sort of up in the air well kind of obvious stuff rather
than sort of say of course it's obvious because people still aren't doing it this is the problem
it's not like you know the whole thing was that
it would have been really useful to just say to caveat something in the document or whatever you're
saying these are not easy to do you know don't think of this as a as a top 10 checklist that
you can just sit down one afternoon and go through i think we said that didn't we i think that's
exactly what i said that's exactly if and Andy had been paying attention rather than trying to work out
how he's going to be outraged at us, then maybe we would have heard it.
I had to come back to save my show.
So that was your highlight of the week,
was listening to how good a show we did.
Actually, upon listening to the show,
the funeral was actually the highlight of the week.
Let's put it that way.
Anyway.
I thought you were going to say something worse,
like smashing security was the highlight of the week.
Oh, come on, let's not go that low.
Come on, Carole does a brilliant job on there.
She does.
It's just...
Anyway, Tom, what have you been up to?
I repaired two iPhones.
Because I can.
You're putting kids in third world countries out of a job now.
Still on brand then, I see.
Yeah.
Yeah, right.
A couple of old iPhone SEs. I got some specific jobs, right. A couple of old iPhone SEs.
I got some specific jobs for them.
A couple of old iPhone 11X.
11X Maxes you no longer use.
No, these are the original iPhone SEs.
And one had a cracked screen, and both of them had really bad batteries in them,
obviously given their age.
So I opened up the first one which i just needed
to replace the battery on and then immediately snapped the cable to the touch id so had to
order up a new touch id button um so yeah got um the battery and button replaced on one and the
battery and the the screen replaced on the other it was it was quite interesting it was it was quite fascinating literally by the end of the um end of the the um repair i didn't even need the instructions i knew
my way around it completely wow see your small hands have come in handy it wasn't my hands that I sent you a picture of the other week. Well, that wasn't your finger.
I thought you just had a little stubby thumb.
Sorry, Mum.
So, yeah, that was the highlight of my week, really.
Oh, and we had a little sort of off-site with the UK team of the company yesterday.
That was good fun.
Good to see everybody, as always.
So, yeah, it was nice.
It was all very good.
Well, speaking of your company,
I saw that you are launching a new some sort of cyber chat or podcast.
That's right, a new podcast.
Well, I wouldn't say it's a rival podcast.
I mean, that one's professionally produced and has some real guests on it.
But, yes, it's coming out.
It starts on Tuesday, and of which I believe you two
are the guests in the final episode, episode number six.
In about six weeks' time, it'll be worth listening to.
Yeah.
Well, the fact is
it's taken about four months to even get this far so uh and didn't we also like record it like fourth
in like fourth in line or something yeah yeah that's right so why is it taking so long how
much editing did you put into it that it took you four months to get everything i said yeah that's
right that's right do you know how difficult it is to find a voice actor who can actually say things that
make sense um you know this sounds like andy that isn't 12 years old
but uh yeah we had a we had a few technical challenges and a few um production issues and uh some uh sorry more fundamental
things like we changed the name which meant uh the teaser that went out um was dubbed over
by me with the name uh so that was quite funny it's it does sound a little bit like a
a badly dubbed indian film um at one point but i think we got away with it because
nobody said anything yet everyone's gonna go back into watch it again i know i know well if you spot
it well especially after we've said the name change i mean i think it's quite straight quite
easy now but uh yeah yeah you know right into the show we'll read it out we'll read out your
incredulous remarks uh but uh yeah
yeah yeah but it's good i'm looking forward to it because it's it's it's a bit of a labor of love
and i we've got some great guests on there apart from the last episode but we've got some really
good episode really good guests and um there was a point where we thought it wasn't going to be
released at all which was really just was really disappointing because I had some great conversations with the guests,
really, really interesting.
They're only barely half an hour long, to be honest with you,
so easily digestible and probably a whole lot more educational
than this podcast, to be honest with you.
Lies.
Okay.
Well done.
What have we got coming up for you today well this week in infosec we revisit theodore's gift to the infosec community i thought this was i thought this
was infosec not sort of tolkien um rant of the week is bad for the UK, but it would, however, be a welcome excuse in the USA to exercise your freedoms.
Billy Big Balls is written in perfect English this week.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week is about stalkerware, which refreshingly does not pretend to be anything else.
So let's move swiftly on to Andy and...
This week in InfoSec.
And I'm going to let you finish, Andy, but just before you... I was going to just before you did a great job last week yeah i was gonna say
i'm gonna let you finish but let me just first say we i think we we nailed it last week didn't
we jeff i actually thought it was me talking it was uncanny wasn't it i literally pre-recorded
it and sent it in for you guys. Yeah, yeah, exactly.
That's why we nailed it.
So to take our loyal listeners back to what they all tune in for,
this is that part of the show where we take a stroll down the InfoSec memory lane with content liberated from the Today in InfoSec Twitter account.
So our first story takes us back a mere, click on the calculator, 24 years ago to the
1st of September 1997, when Nmap was first released as a simple port scanner via an article
in issue 51 of Frack magazine, which actually also included the source code at the time.
So if you do not work in cyber
sec there is a free and open source network scanner created by gordon lyon aka fire door
which is called nmap and it's extremely popular and when it was first released it didn't even
have a version number because there were no new releases planned. But it got so popular that less than a week after it was released,
it got an improved version.
And then three months later, he actually registered in secure.org,
and the rest has become history.
Wow.
And it's a tool so popular, it was even used by Trinity
in the 2003 film Matrix Reload.
Right.
Oh, that's right.
Yes.
Yeah, still very much part of any
cyber security swiss army knife but it was spawned 24 years ago this week
wow yeah what whenever i whenever i hear about nmap it always reminds me of the thing, what was it, nine years ago, 2012,
when the slightly dodgy online magazine, Hacking Nine,
and they were known for sort of publishing stuff without any kind of editorial overview, blah, blah, blah.
And so to highlight this, a bunch of people, and in fact,
I think I've got their names here.
Where is it?
David Harrison, Sherry Davidoff, Avery Buffington, Sahil Khan, blah, blah, blah.
They created a document called The Guide to NMAP.
Chapter one was about the internet considered harmful,
otherwise known as DARPA-influenced checking
kludge scanning, or DICS.
And that was actually the entire, basically,
how the rest of the document went.
It was completely made up, filled with little sort of things like that.
So they even sort of say to enable the Dix plugin,
we also specify the dash SC, dash SV parameters, blah, blah, blah.
Dix will trigger a remote pool overflow, blah, blah, blah.
So it's filled with stuff like this
it's utter rubbish and hacking nine just published it without even understanding it in the slightest
um and i'm not sure if hacking nine is still around now but they did seem to be um very
prevalent around then and they were often continually asking for people to to publish in fact i even
think they published something written by me once which just goes to show you absolutely no editorial
oversight yeah exactly exactly so yeah that's what i think of whenever i hear about nmap
yeah interesting our second story will take us back a mere seven years ago to the 31st of August 2014
when a user of the message board 4chan so you already know uh you know which direction this
is going um a user of the message board 4chan posted leaked photos of actress Jennifer Lawrence
and numerous other celebrities wow so it's that long? It just feels like yesterday.
No, it was just yesterday when you last looked at them, Jeff.
No.
This is, I mean, this was an event that got, you know, various names.
And obviously, it actually had a massive impact in various online communities.
And it still occasionally trends.
It was Fapgate, wasn't it?
The Fapening.
Oh, and the Fapening, yeah.
Yeah, so it's known as the Fappening or Celebgate.
Yeah, that's right.
And obviously it's referred to the hacking and leaking
of hundreds of nude photos of over 100 celebrities.
I think the poster children for that were, at the time,
Jennifer Lawrence and Rihanna.
Yeah.
Just because, you know, their status at the time.
But all these pictures were leaked, obviously,
on the now closed image sharing forum.
But they're still available, I believe.
Yeah, as well as Reddit.
And obviously, this is once they're published, that's it.
It's difficult to get them down.
I know that even now, every month, there's people that go out,
trace and try and delete these images from the web um and it's just a messy legally challenging just damn near impossible task to keep up with
it's one of those things that the the more effort you put into deleting them the more likely they
are to stay around and if you were harder it gets yeah yeah if you were just to leave it alone they
would just you know before you know it they they'd um they just end up being on on the
dark web otherwise known as page two and three of the google search yeah well i mean yeah i mean it's
a tricky one um so i mean the guy that leaked all of this back he was 36 years old at the time ryan
collins um he essentially hacked into these icCloud accounts by sending phishing emails to all
of these celebrities. Probably spear phished them. Targum
explicitly said that I think the account was something like Apple Privacy Security
or Apple Security Privacy at iCloud.com or something like that.
And he basically asked them to provide their usernames and
passwords and emails
that were crafted to look exactly like an official email from apple or google and then once in he
downloaded all these photos uh from the alkali the iCloud and then published them obviously I
think he started off selling them um before you know someone got just decided to dump the whole
lot um and he did go to trial in 2016.
So two years later, he was sentenced to 18 months in prison
on account of hacking into more than 600 people's iClouds.
Wow.
After pleading guilty on account of unauthorized access
to a protected computer to obtain information.
But as you say, like this, it does feel like yesterday because i guess the fallout
from this uh was huge across the industry it wasn't just it really highlighted so i guess
how women are targeted way more than men you know like yeah yeah definitely um you know in quite a
toxic way as well but it also highlighted other issues like apple's lack of um two-factor authentication or lack of enforcement of or
enforcement of yeah and how um reddit manages communities yeah um you know how how all of these
people sort of self-regulate themselves i mean even 4chan um you know came in for criticism
and you know they they kind of said yeah it's not great um but i know that you know reddit moved to
ban all of this stuff and they got a lot tighter on what was published and stuff.
And it turns out that I think two of the celebrities were under the age of 18 on some of the photos,
which obviously in the US is, you know, counts as like child porn.
Yeah.
You know, under their law.
So it's quite a like a massive event. And as you say, it's still going on now. You know, under their law. So it's quite a like a massive event.
And as you say, it's still going on now. You know, sites will occasionally pop up.
And then other people sort of added their I guess added photos to it, you know, sort of said, oh, I also have photos of this celebrity, you know, pay me X amount.
And, you know, I'll give you access to them. But, you know, they kind of mix and blend in the fakes with the real stuff.
And it's just it's just become a nightmare to kind of manage that information going on.
But, yeah, only seven years ago.
It's one of those things that I think you have to be quite binary about
in the sense that you either lock down everything,
you make sure you don't even, you know, the best,
just like the NCSE advice last week, you know,
if you don't want your photos being leaked on the internet,
don't take photos, you know, that might be leaked.
Or conversely, just, you know, if they're out there, forget it.
I don't care if there are photos out there of me, you know,
and the less interest I pay to them, probably the less interesting
they will be to other people as well.
I mean, that's difficult to say because you're not an attractive
young celebrity lady in her early 20s.
I'm certainly not a lady, no. But there are plenty of people out there. And I think it's
slightly more common amongst younger people uh that there is
no such thing as as real privacy and if if stuff gets out there then fine publish and be damned
well i mean it's different if you send it to someone versus if you're taking it for yourself
oh no absolutely it's automatically uploaded to icloud you know this is the problem that a lot
of these celebrities they weren't sending these to other people.
No, no.
You know, they were taking pictures of what they thought would be private.
Well, they were.
I think even Jennifer Lawrence said that she was sending it to her boyfriend at the time.
Oh, she did to her boyfriend, yeah.
But then there's plenty of others where, you know, they were just, you know, taking photos at home.
Yeah.
Yeah. Yeah, but, yeah, it's, well, I mean, anything,
sharing the unauthorised sharing of stuff like that anyway
is particularly heinous and upsetting and disgusting anyway.
And, you know, people should just learn not to be quite such horrific dicks
for a start.
And it's illegal in many cases.
I think it falls under revenge porn
now it does now it does yeah which is which is absolutely how it should be um and uh but yeah
i think you're right andy i think there was a huge amount of movement on the sort of the
two-factor authentication front uh as a direct result of this yeah i think jennifer lawrence came out with it with a few
statements then that were very very on the point because she she human she said look i'm a human
and deserve human rights and and what have you and um i think she said something that even some
of her friends or people that she she had a lot of respect for said that, oh, yeah, I saw the pictures.
Yeah.
And she said that, I respect them a lot.
I love them.
Some of them are very dear to me.
But I was thinking I didn't say,
I didn't give you permission to look at my naked body.
Yeah.
And, you know, it's like so.
And I think that's such a powerful statement because strip away all the 2FA or all the technical controls or the security and everything.
There's that certain common human decency there that is like, you know, you don't have permission, so don't do it.
Yeah. Yeah, that's right. That's right. And also, why would you say to somebody, oh, those photos, those naked photos of you that were leaked, I saw them.
You look great, honey.
I'm so sorry.
It's like, really?
A kind of vacuous kind of thought process is going on in your head
when you say that.
No idea.
Yeah.
But it is Hollywood, so I don't know.
Very true.
Very true.
So, Andy, thank you very much uh for
this week in infosu that almost turned into a rant of the week i have to say
uh which is good and quite uh quite coincidental actually because let's move straight on to...
Listen up!
Rent of the Week.
It's time for Mother F***ing Rage!
So a few months ago, there was a hack of a site called Gun Trader,
which is a UK site.
It's been likened to Gumtree.
a uk site it's been likened to gum tree uh it's basically a an area where uh gunsmiths and private gun owners uh that's legally registered gun owners um can go and trade
uh the firearms that they have and what it does it's got a big sort of crm database and it it does a lot of the paperwork
for you because anybody who um who knows anything about owning firearms is that it's a paperwork
nightmare uh so i used to own shotguns i used to do clay pigeon shooting quite a lot uh i've
since sold them but every time you sell a seller a gun you have to um synchronize with
the person you're selling to uh you have to fill in each other's gun certificates you then have to
send a letter to the um your local constabulary or your your county constabulary confirming that
a trade has happened etc what gun trader does is selling a car with the
v5 logbook right yes but it's it's but but you like i say you have to actually write a letter
there's no form to fill in that you just sort of tick a box and off you go it's you know writing a
letter um etc it is that principle but it's it's just a little bit more old-fashioned but what gun trader would do is deal with all that for you in the background um as well as facilitate the uh selling of the
of uh selling and purchase of the weapons and um the the the key thing here as well is is if you are
a uh a gunsmith and you're buying and selling weapons a lot, it takes a huge amount of the paperwork away. All very good. Unfortunately, they were hacked a few months ago. 111,000
UK firearms owners' addresses and details, including longitude and latitude, as well as IP address, location of where the account was last used, etc.
That data, whilst it was breached, it was lost a few months ago,
somebody in their infinite wisdom, and I'm sure it's for malicious purposes, has plotted the list of those 111,000 details into a Google Earth file on a site for hunt saboteurs.
So as Gareth Caulfield tweets about, and he makes a very simple statement,
this is a worst-case scenario.
tweets about it and it makes a very simple statement this is a worst case scenario so for our non-uh uk listeners uh hunt saboteurs as you know we're in the uk or as you may know in the uk
uh there's a an old tradition of hunting foxes using horses and dogs and it's a very divisive
sport in adverted commas uh not something i partake in despite what uh andy and jav might say
um normally done by the uh slightly more sort of upper middle classes etc um because well for a
start cost a lot of money to own a horse um and um hunt saboteurs are people who are trying to
stop this uh from happening um without going into too much detail, there's various government legislation, blah, blah, blah, but hunt saboteurs go and literally saboteur the hunts.
By actually making these details available, these home addresses
of these people available to hunt saboteurs, you've quite literally
set up an environment where hunt saboteurs can go directly to gun owners,
to their homes, and actually either break in or cause extreme distress.
Not least because just because you own a gun doesn't mean that you agree with blood sports
and hunting, et cetera.
agree with blood sports and hunting, etc. It's going to lead to potential criminal acts which would be classed under the Terrorism Act of 2000. It's likely to cause,
to be used by criminals for targeted break-ins and the theft of said guns.
And worst case scenario, and thankfully I didn't use Gun Trader,
but people who have sold their guns, who have no firearms whatsoever on the premises, they may well be targeted as well for break-ins
as a result of this.
The other thing as well is since it also gives the physical location,
the longitude and latitude of where you last logged into this account,
various people have said that they've logged into this account
from their parents' house, from partners' houses,
from friends' houses or whatever.
So those people who have very little relation with the weapons themselves,
even if they exist, are also going to be targeted.
So this is a, well, quite literally, as Gareth Caulfield says,
this is the worst case scenario.
So this is just horrendous and just goes to show that, you know,
just a simple breach of your records, if a company says, ah, but no credit
cards were stolen, that means nothing.
Actually, people can use this data for various other reasons to target you for other criminal
acts as a result.
So yeah, this is really concerning and um very scary to be honest with you
it's a good rant and surprisingly i've got nothing to disagree with
other than the u.s would just be everyone's house right yeah exactly well this is it this is this is
why i said in the intro you know bad news for the uk UK. At least in the US they'd be able to say,
well, I can exercise my freedoms by shooting you.
It's easier to say who hasn't got a gun in the US.
Well, yeah, exactly.
But what I found really strange in that whole thing
is that you said that you've never been fox hunting.
Nope.
You don't have friends that, you know, been fox hunting and no you don't have friends
that you know go fox hunting lies i do know i didn't say that i do know people who go fox hunting
um and i can't like i said i don't agree with it it's not something i feel is needed um i think
it's a tradition that was based out of a need to uh reduce you know centuries ago out of a need to...
When you couldn't shoot peasants anymore, right?
Yeah, that's right.
Well, you used them to flush the foxes out.
But no, I mean, foxes are particularly vicious animals.
They have a very cutesy image.
They are particularly vicious animals.
If they're hungry, they'll break into a farmer's chicken coop.
They will kill all the chickens and take one away with them if he's you know so they they are very destructive animals but there are
far better ways of controlling the fox population than hunting them with horses and dogs and horns
and you know people wearing red jackets and white jodhpurs although frankly everybody looks good in
white jodhpurs but um it's i i don't know, you know, as an aside, I don't agree with it.
But whether you agree with it or not, publishing people's, you know,
home addresses on a site dedicated to violent acts, albeit in defence
of something they feel gives them the moral high grounds, but, you know,
that's a purely subjective viewpoint.
But publishing home addresses on a site that is known for carrying out violent acts against
people is not a good thing.
That is just particularly scary.
It is.
Especially as your address may be in there just because someone happened
to log into this website from your address.
Yeah, yeah.
So you used to own a shotgun for clay pigeon shooting?
Maidstone 3.
Yeah.
So why was it then when we in Vegas a few years ago went down to the gun range, were you so bad?
I wasn't bad. And anyway, it's a different type of shooting.
OK.
He was holding it side on.
It's because I wasn't allowed to shout, pull.
it's because I wasn't allowed to shout,
Paul!
That was this week's... Rant of the Week.
You're listening to the award-winning
Host Unknown podcast,
the show which Smashing Security
sets their out-of-office to.
Right, Jav
I think we should move on to you
actually for well
we all know which one it is because
we're all doing the same ones every week but it's
this week's
Billy Big Balls
of the Week
yes
Billy Big Balls this week
are our friendly neighbourhood cyber criminal gangs and we know
that over the years criminals they try to adapt their techniques and processes they try to get
better and better try to increase their chances of success and one on one side they they improve their technical abilities soft skills are just
as important in the criminal world as they are in the real world so when you receive a phishing email
what's one of the biggest red flags on it language language yeah definitely language exactly exactly sense of urgency all that stuff yeah
yeah so it's it's a lot of it is grammar spelling and my favorite is when they the
at the end of the uh email they they use the word kindly so so thank you for your cooperation
kindly tim cook apple you know that that kind of but anyway it's it's
language and so scammers are getting a bit fed up of their their perfect plans being foiled by some
pesky kid who doesn't know how to speak english properly or type it properly so according to
intel 471 forums are now being used to seek out English speakers, in particular to bring
together teams able to manage both the technical aspects and social engineering elements of a BEC
scam. BEC stands for business email compromise. It's one of those nasty ones where they, it's also
known as CEO fraud, where they will claim to be someone within your
organization or a trusted partner or vendor. And the thing that's tricky about these ones is that
there's usually no malicious link or attachment in there. So there's nothing you can scan.
It just comes through and it's like, hey, I'm the CEO, this invoice needs to be paid now.
Or it'll come from your partner and say,
we're updating our bank account details.
Please, can you make future payments to this bank account
in the Cayman Islands or wherever?
Thank you kindly.
Yeah, thank you kindly, John Walsh.
Sure.
But, you know, so grammar and all these things are a problem.
So these actors are now using native English speakers to draft more convincing or more accurate BEC scams.
And what this research has found that in addition, they're also trying to recruit launderers to clean up the proceeds.
Is that North launderers or South launderers?
I'm not from Bolton. I've never been to Bolton. So they're also looking for money launderers who can set up their cryptocurrency mixers, which is basically how they launder stolen bitcoins or cryptocurrencies.
And one advert asked for a service that could launder up to $250,000.
That's not a lot.
It's not a lot, but, you know, if that's like one pop at a time or something,
I think, you know.
Oh, I see.
I see.
Not here's a whole stack of cash, go do it, but up to $250,000 each time
we drop you the cash, as it were.
Yeah, something like that.
Gotcha.
we drop you the cash as it were yeah something like that gotcha um so i i think it's it's quite a a big billy big ball move on their part well a advertising on these forums which they know are
being monitored by researchers and law enforcement all the time but they just don't care and you know
really upping their game in in that. I think that's the key thing.
They're just doing product improvement, right?
They are.
It's just weird.
How can they improve the quality of their leads?
It's obvious, right?
Improve the language.
But how has it taken them so long to get to this point?
It is something I think they've been doing for a while.
It's just... Really?
Not from what I've been receiving.
Well, there is that other aspect, isn't it,
where they deliberately misspell things to get the sort of people
who are more susceptible to scams.
Exactly.
This is true, yeah.
It's almost like a reverse psychology, isn't it?
Yeah.
It's just trying to find the more gullible people.
The other reason, I think, is also that maybe in a sort of scam,
the scammer kind of way, they've advertised for the last decade
for native English speakers, and they've had lots of people saying,
oh, I'm definitely a native English speaker.
He says desperately trying not to do a foreign accent.
But, you know, and so and a great he's a he's
a proper english speaker and then they come up with something that says you know please do the
needful thank you kindly yes yes i mean like google translate only goes so far yes
but it is an interesting thing um and like to Andy's point, it is product improvement.
Yeah.
Because I have also read reports about how some of these actually do like A-B testing on their emails, just like our marketing department.
So they send two variations of them out and they'll see which one gets a better response.
And then they'll go with that to their main customer list,
or hit list, whatever.
It would be fascinating to see if they send out the perfectly spelt one
versus their traditionally misspelt, which one really does get the more hits.
If their original idea of weeding out the fools, as it were,
or weeding out so that they do just get the fools,
whether that is actually going to net them more people.
Wouldn't you love to see – they should publish research papers on this.
They should.
They should go speak at conferences and all that.
Yeah, yeah, absolutely.
Virtually, of course, because otherwise there would just be people
waiting in the wings with a
set of handcuffs yeah spot the fed becomes a very real game that's right
but yeah no i think you know this this will carry on improving you'll get better
i think along with advancements in spearfishing or or like um more oscent to facilitate better spearfishing um i think this will just get
worse and worse in in fact i've i've heard of some use cases of um uh some of this deep fake
type of ai type of technology to send uh to automatically put together a spearfish email based on social media data that it goes out and collects.
So you put it in that this is the person, this is their profile, and it will find out keywords and everything.
It's still not very good at all, but it will try to figure out things like, oh, this person posts a lot about, know foxes so maybe if i send a send a phishing email claiming to be
from the you know fox hunting society of uh of um oxford or something then maybe they're more likely
to click on that link interesting god how dare they use this technology against us, eh? I know, I know. It's just not fair, is it?
No.
No, exactly.
Exactly.
Thank you very much, Jav, for this week's...
Billy Big Balls of the Week.
So when I ask you this next question, Andy,
don't take it literally like Jav did last week.
So, Andy, what time is it?
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
industry news bangkok airways admits attackers stole passenger data industry news microsoft cloud databases
exposed industry news uk government considers new regulation for video streaming platforms
industry news indonesians told to delete unsecured tracing app industry news
victim of cyber theft sues parents of alleged culprits industry news australian couple admits
serious cyber hacking offenses industry news whatsapp find a record 225 million euros for GDPR violations. Industry News.
Sacked employee deletes 21 gigabytes of credit union files. Industry News. UK researchers
invent device to thwart USB malware. Industry News. And that was this week's...
Industry News.
Huge, if true.
How do we find out if we were one of the people that was in that 21 gig of deleted files?
Are you a credit union customer?
I've never heard of credit union but it sounds
like i should be um yeah so uh yeah i don't think you're going to be um involved in this
is that like a credit card uh it's a credit union based in new york you just say the same words
again what's a credit union is a credit union yeah but in New York. So I'm just going to keep saying it as I click on the link and read the story, okay?
So I'm stalling here.
Yeah, now, I recognise that I could have done that, but this being an audio podcast.
Mortgage loan applications.
Ah, right, right, right, right, right, okay.
In New York.
Okay.
That wouldn't have benefited anybody, would it?
What, deleting the data so this is
an employee that uh uh before he actually left before they disabled his account he actually
just went in and destroyed all the data um so all of their customers uh 20 000 files 3 500
directories that's probably rather than sort of you know struck one against the big man has probably just fucked up a lot of people
trying to buy houses, right?
Well, and also people who have mortgage loans with these people as well.
Well, now that might be a good thing.
Oh, you no longer have a mortgage with us.
The house must be yours.
Yeah.
So the story actually says that although she may have thought she was getting
back at her employer by deleting files,
she's done just as much harm to customers.
Yeah, yeah, I can see that.
Yeah, not good.
Not good.
It's not like Fight Club where, you know, the end of it where you blow up buildings
and suddenly there's no credit cards.
Spoiler alert.
After she was terminated, after her employment was terminated it took them
40 minutes to disable her account
40 minutes now i would suggest that 40 minutes is probably not that bad on average yeah i wouldn't yeah that was bad either that's right but it does go to show how
important it really is to be better at that yeah wow frog march people out immediately
yeah well i mean the thing is what as they are in the meeting it should be suspending the account
right not deleting it but just suspending it so that they
can't log in because if for whatever reason at the end of that meeting they decide not to fire
that person will you just you know re-enable the account but during that meeting there should be a
coordination between hr and whoever and it that at this time their account will you know must be um
you know suspended yeah oh Hang on a second.
Do you know what?
So she is facing 10 years behind bars.
Whoa.
She's pleaded guilty.
No, she's submitted a plea.
No, yeah, admitting one count of computer intrusion.
But it says two days after she was fired,
but yet later on it says that the it the company didn't request termination
until you know two days later and then 40 minutes after they requested it was disabled
two days yeah oh well there you go there you go if and if i was a customer, I would be suing the company for incompetence.
Yeah, definitely one up there.
If you've lost my mortgage application and caused me untold pain and misery
as I'm about to buy my dream house, that's through your incompetence.
You should sue them anyway.
And if they say we don't have you as a customer,
say exactly because my records were deleted.
So what happens to my house?
Yeah.
Yeah.
Brilliant.
I think you should just pay me all the money.
Yeah.
Yeah.
Oh my God.
Um,
and also the other story about WhatsApp,
uh,
gents,
I think we need to find another place to, to have our, uh, my God. And also the other story about WhatsApp. Gents, I think we need to find another place to have our conversations on.
So what were they actually doing?
I saw that it was this record fine, but it's Facebook and I.
No idea, but it can't be good, and it can't be good for us
and our private conversations that must remain between us all at all times.
But if they've been fine, surely they've now learnt their lesson and now they're going to do things better isn't that the
whole i'm sorry who are we talking about here drop in the ocean 225 million euros learn their lesson
we're talking about facebook right because they're known they're known for actually
implementing changes as a result of fines and doing better, aren't they?
Lots of doing business, my friend.
Well, that's how they view it, exactly, because they're scumbags.
Hold on, this isn't rant of the week.
You know, if you want a rant, I want to see how, like, you know,
the airline, they really Bangkoked up with their breach.
Oh, I'll tell you what.
They're set up for that.
I mean, I'll tell you what, you could have seen that coming a mile away.
It doesn't matter.
Well, they should have seen it coming a mile away
because someone was able to exfiltrate, what is it,
200 gigs of data from their network,
and no alarm bells went off no nothing went off luckily
no nothing operational off the airline was impacted just passenger data yeah yeah and even
in passenger data the credit it's only partial credit card information i bet they focus on that
yeah that's what they say yeah there is no evidence that credit card data yeah exactly exactly but what was taken i'll tell you what was taken it was your name if you're
a passenger it's your name your passport number yeah your your address yeah your flying history
yeah your special meal requests um so someone could find out you're lactose intolerant and poison you you're you're you're no that what they could do is say you know um well say you're say you're
always um getting a halal meal or a uh i switch mine up every time i fly yeah
ain't no one building a profile on me that's it that's it again focus on
the on the on the on the piece of data that is the most easily replaceable of the lot the credit
card yeah exactly whereas your passport your your home address you know not easy to replace your home address is it no
especially if your data has been deleted by credit union exactly exactly
or if the data is uh if that home address is also a registered gun owner see what we did there folks see what we did there anyway i think we need uh to move on but um
yeah that was that was this week's industry news industry news andy over to you in the
dying embers of the show uh let's uh see what you've got for us for this week's
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
So this is a tweet from Jack Recider.
I don't know how to pronounce his surname.
I've never...
Recidor.
Recidor.
Recidor.
Yeah, Recidor.
So Jack is the host of the darknet diaries podcast um and he has surfaced this
tool brought it back to people's attention his tweet basically reads this is eagle eye it's a
tool used to find people's social media accounts you feed it the name of the person and an image
of them it does a reverse look up on the image uses facial recognition
and then tries to find any instagram facebook youtube twitter and other profiles of that person
um so it's actually been around for a few years there's a link in the show notes as to how this
tool works um and it as it says it uses facial recognition to try and get the right profile
because obviously there's a lot of people with certain names on there um and yeah it's i guess it what's really good is it does
that validation right it compares the photo you've given it with the other profiles and instagram
accounts and facebook and things like that and at the end you get a nice little pdf report uh so
it's open source you can modify it however you want.
It's very similar to Sherlock, which you may be familiar with,
but Sherlock can't do the reverse image searching.
But obviously, the great thing on this thread is that a lot of people
are kind of creeped out by it.
But there's nothing here, I think, that people don't do manually,
if you know what I mean.
It can do it at volume and speed. Yeah. I think that people don't do manually, if you know what I mean.
Yeah, it's just it can do it at volume and speed.
Yeah, and also you get a nice little presentable report at the end of it.
Oh, I could do a nice report.
I couldn't do the techie stuff, but I could do you a nice report.
Oh, you can reverse search someone's image, right?
Yeah.
It's just doing that matching, right, to figure out whether or not it's the same person. Yeah, but I just…
Rubbish with faces. That's what I got i got people for actually i don't have people now
those days are long gone those days are yeah well you're last at an abba concert right
and on a plane and on a plane but yeah just the fact that people are freaked out by it and i
i kind of get it but also and this is one of those things where you know we talked earlier
about how women are sort of more unfairly targeted by yeah um you know sort of men when it comes to
sort of leaks and you know those sort of creepy shots i actually think women do more of this
like osin research on guys they're dating or guys that their friends are dating well yeah kind of do it better than guys do yeah because
because dating a bloke sometimes you know results in very real physical danger if you're dating the
wrong guy yeah for sure but you don't need to go in and figure out that you know his this guy's
sister went on holiday to you know fileraki you know six years ago you know there's a level it gets to and sometimes
where she says oh my brother jack is back in prison again for hitting his missus that's that's
what they do it for yeah well i think that's where it starts off and then it becomes kind of like
entertainment as well so sometimes you know you know my wife does it all the time she'll like you know start looking at you know
she'll oh we know yeah yeah no no she'll she'll like you know be really interested and some of
it's just curiosity but i think there's a there's a very real reason why so many people do it and
and uh shockingly i'm i'm with tom on this one i think. I think it's really easy to say from a safe place that it's unneeded.
But I think anyone that's in that position...
I don't think anyone said it's unneeded.
I think this is more people are freaked out that it's automated,
I think is the point.
Whereas there's nothing here that you can't do yourself.
It's all about efficiency.
It is.
It is about efficiency
and and the thing is it just makes it more accessible to the more casual stalker
and yeah and on the bombshell of jav agreeing with me uh thank you andy you're gonna kill it here
yeah just just i'll quit while i'm ahead and andy thank you for this week's tweet of the week well folks we have sped around the
corner and we've just crossed the finishing line of this um of this week's podcast gentlemen thank
you so much for your time efforts contributions and love as. Jav, thank you very much, sir.
You're welcome.
And Andy, thank you very much.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
What do you want, Jav?
Because you agreeing with me makes me feel very uncomfortable.
I know.
It's awkward for me too.
Let's not speak about this to anyone.
You complimented me earlier this week on Twitter and now you're agreeing with
me.
I'm like,
yeah,
something's going on.
I'm bringing you up for the big four.
Yeah.
You know what?
You're going to see like in a few weeks,
the signs are all there.
Why don't we see?
Oh dear.
I'm just glad that you're not going to ask me for money.
I know you have got none