The Host Unknown Podcast - Episode 74 - Was it me or was it a long week?
Episode Date: September 24, 2021This Week in InfoSec (04:56)With content liberated from the “today in infosec” Twitter account18th September 2015: Google notified Symantec that the latter issued 23 test certificates for five org...anizations, including Google and Opera, without the domain owners' knowledge. Symantec performed an audit and announced that an additional 2,622 test certificates were mis-issued.Sustaining Digital Certificate Securityhttps://twitter.com/todayininfosec/status/143938865326496563820th September 1996: An email began spreading about a destructive virus named Irina. Some virus nerd called Graham Cluley discovered it was a hoax "marketing ploy" from Penguin Books.Computer Viruses and Hoaxeshttps://twitter.com/todayininfosec/status/1307862674387144705 The Box © Charlie Langford Rant of the Week (12:55)Investigation launched after MoD email blunder Billy Big Balls of the Week (20:55)Tick, tick, tick … TikTok China just limited kids to 40 minutes' use each day Industry News (34:17)Experts Concerned Over New Digital Secretary's Lack of Cyber KnowledgeRomance Scammers Make $133m in First Half of 2021Former IT Exec Pleads Guilty to Insider Trading ConspiracyData of 106 Million Visitors to Thailand BreachedEuropean Police Bust €10m Mafia Fraud RingPrison for AT&T Phone-Unlocking FraudsterAfghan Interpreters' Data Exposed in MoD BreachHalf of Web Owners Don't Know if Their Site Has Been AttackedUS Eye-Care Providers Report Data Breaches Tweet of the Week (41:43)https://twitter.com/aprivateguy/status/1441091095471874053?s=20https://twitter.com/ReverseICS/status/1441048111292506112And just for Andy...https://twitter.com/AlyssaM_InfoSec/status/1441135546961563649?s=20 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Yeah, so when I was up at, uh,
came to the aerodrome, right, I was walking the dog,
and up there they've got, like, a lot of the livestock,
so we went through and there was a, um,
a flock of cows.
Heard of cows.
They were cutting through.
Of course I've heard of cows, I saw a flock of them yesterday.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us and welcome to episode 75. Is it 75? I think it's 75 of the Host Unknown podcast.
And Andy, we're going to have to improve your grammar, you know.
There's nothing wrong with my grammar.
your grammar you know there's nothing wrong with my grammar i was thinking more about your grammar school that you went to that obviously didn't teach you anything i'd speak proper oh okay
in it yeah well i did it was about uh 20 years ago i went to school to get educated and today i is it
dear me how are you andy uh good it's that uh end of uh q2 end of the you know sales half year so yeah very busy which i know not many infosec people appreciate but you can be uh infosec
busy at the end of a sales quarter yeah yeah well working for vendors we know that don't we jav yep work yes
i can see you're fully committed today to this podcast you know we're stuck with monosyllabic
answers i i wake up in the morning and piss excellence just like ricky bobby so you know
so basically all your excellence has now gone and,
and,
you know,
maybe a fuller bladder would have helped today.
So,
so busy week,
Andy,
because I felt like a really long week for me.
I have to say.
It has been.
Yeah,
it's absolutely a long week and it is not over yet.
So I think we've still got the whole of Friday to get through.
And then maybe a bit on Saturday.
And then, you know, squeeze in a bit more work on the Sunday.
Absolutely.
Until we get through the end of the month, it's going to continue to be busy.
And then it's straight back on to, right, let's start the next quarter with a bang.
Exactly.
Doesn't help.
Doesn't help.
Jav, how are you?
Apart from empty bladders empty bladder that's good so
i don't have to ask you for a convenience break during recording what can i say jav you know age
takes its toll on all of us yeah so i'm waiting till i get to your age so i can get one of those
bags pop in so that i don't need to go anywhere I can just uh relieve myself on the move or not so to speak
you're such a horrible person to work with I don't know how you could I feel sorry for your
colleagues I mean you say it's been a long week I'm gonna ask your colleagues they're gonna say
man it's been a doubly long week long yeah I I'm I'm just amazed that you consider this work because you certainly don't put the effort in.
Oh.
See, that's a secret.
I make it look effortless.
Sometimes less is more.
This is not going anywhere.
I don't care what you were doing.
Let's move on to the show.
Right, what have we got coming up for you today well this week in infosec relives a semantic screw-up and celebrates nerds of the world billy big balls something something jaina
as seen on reddit emails us a little bit more than we needed to know that's a rant of the week
oh is it a rant of That's a rant of the week. Oh, is it a rant of the week?
Geez.
A rant of the week.
Shut up.
You don't have to talk
while you're tight.
No, I'm saying this is
why you need stuff
written down because
you're just making
stuff up.
Well, it was going to
be a Reddit as seen
on Reddit, wasn't it?
That was for about a long time ago.
We work in an agile format here.
We're all about making, you know, scripting fast.
By agile, you mean deleting stuff.
And breaking the script while we go along.
What have we got coming up today?
Well, this week in InfoSec relives a semantic screw-up
and celebrates nerds of the world.
Billy Big Ball's something, something, something,
Diana, rant of the week,
emails us a little bit more than we really needed to know.
Industry news brings us the latest and greatest security news stories
from around the world.
And finally, tweet of the week is a work in progress at the moment.
Let's see what Andy can pull out of the bag.
Moving swiftly on, let's get on to one of our favourite parts of the show.
This week in infosec
is that part of the show where we take a stroll down infosec memory lane with content liberated
from the today in infosec twitter account so our first story takes us back six years to a different era
when on or around the 18th of September 2015,
Google notified Symantec that the latter issued 23 test certificates
for five organizations, including Google itself and Opera,
without the domain owner's knowledge.
And then as a result of this, Symantec performed an audit and then later announced that an additional
2,622 test certificates were missing. Now, so back in, according to the NetCraft survey from 2015,
Symantec was responsible for about one in every three SSL certificates used on the web globally,
which made it the largest commercial certificate issuer in the world.
And obviously SSL certificates or TLS certificates are used to encrypt those connections between browsers
and HTTPS-enabled websites, which is pretty much all of them these days.
And the idea is that they verify that users are actually visiting the websites they're intended to and not spoof versions and obviously people issue these
certificates are supposed to be you know organizations known by the certificate authorities
and you know they are trusted by default in the browsers and operating systems so back at a time
when infosec advice was to check that little padlock in the browser uh it turns out you can't
even trust that padlock um and google really went to town on semantic after this one i think you
know they sort of berated them for the next year um you know and demanded that semantic uh you know
evidence how they um rightly so you know i mean it's one of the fundamental parts of trust in the internet right
yeah yeah and so yeah i mean google really took them to town publicly as well um you know there's
a whole blog where they're just posting updates about how they're you know verifying um semantics
you know claims that no private keys were exposed um you know how employees actually use the tool
um you know they want to see the audit logging mechanism, you know,
to show that it couldn't be modified or, you know, tampered with.
And so, yeah, very early, almost six years ago,
was it early sort of supply chain management,
but really sort of done publicly as well.
So hadn't Symantec fairly recently taken over from someone else is it
verisign or something like that yeah so semantic actually acquired uh quite a few companies um so
that they acquired verisign uh geotrust thought and rapid ssl as well um you know so they had a
lot of control uh over the web.
Because it used to be secured by VeriSign,
and then it suddenly changed to secured by Symantec.
And it's like, what?
That seems odd.
That seems like a sideways step in the business model.
And now no one really cares.
I mean, wasn't Chrome the first to stop showing the padlock or something?
They stopped having it go green.
Yeah.
They were like, yeah, it doesn't add anything.
Yeah.
It just confuses people.
And friends of the show, Troy Hunt, has a real thing about it as well, doesn't he?
Well, so does Scott Helm. He blogs a lot about SSL certs and how the internet works.
Well, if Troy does, then Scott definitely, you know, obviously does.
So our second story takes us back a mere 25 years,
just almost yesterday, to the 20th of September 1996,
when an email began spreading about a destructive virus named irena and then some
virus nerd called graham clully graham clully uh discovered it was a hoax marketing ploy from
penguin books of all people what so what on earth were they thinking well i guess it was still kind of the early days
but really yeah it was uh i guess still obviously early days but there's a great link via web
archive you know just to show how long ago this was this is almost the before times of the internet
um you know it's practically on a uh you know bbs uh where they pulled the information from
um but there's a great write-up uh from this guy was it graham clully i'm not sure i've never heard
of him i don't know but it just some as you say just some nerd from the 90s right yeah so there's
a nice list of virus hoaxes like the good times virus and you know irena's in there um authored
by this graham clully um and you know he talks about how he is at the the virus bulletin conference
uh in brighton england uh when he first received this message so obviously you think back then
like is someone got a virus alert is he american if he says brighton, England? Because that's kind of like the common thing.
Is Graham and Carly?
Yeah, I am assuming gender here,
so I don't know whether Graham is.
Okay, so is this individual,
I mean, I'm assuming American as well,
because that's quite a common thing,
you know, Brighton, England, you know.
Yeah.
Yeah, I mean, this person obviously knew about viruses
back in the day, you know, because they... Probably doesn't now. They went on to say that, yeah, well. I mean, this person obviously knew about viruses back in the day, because they went on to say that, yeah, well, I mean, it's old hat, right?
If you can make a career out of something.
I doubt it.
I doubt it.
But, yeah, it goes on to say that, you know,
when they heard the content of the email,
they could spot it as a hoax straight away.
But just think, 25 years ago,
you would actually contact someone
and ask whether they thought this was a virus or not.
Well, how times have changed.
And they could just hear about it
and tell you whether it's...
It's almost like there's a virus whisperer.
Is that what this Graham was?
Graham Clully is a virus whisperer.
That's a cool title.
That is.
Graham Clully, virus whisperer.
Yeah.
You should make a film about that.
I know.
I know.
Maybe we could find him in whichever old folks' home he is in,
probably in Florida somewhere.
Yeah.
Or Texas, maybe.
Mind you, if he's in Texas, he's probably dead.
Yeah.
From the Rona.
You just don't know.
But if anyone knows, send us an anonymous tip.
Indeed.
On our Secured by Semantic hotline.
Which is theveryfinechaps
at
hostunknown.tv
.google.com
thank you
very much
Andy
this week
in
InfoSoul
this
is
the podcast
the queen
listens to although she won't admit it
talking of royalty i've spent a week this week at uh uh a house in dartmoor that used to be owned
by james hewitt he of um the princess diana uh allegations allegations of an affair.
And apparently she was there.
She frequented that place quite often.
Lovely, Andy.
Thank you.
Let's move right on to...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
And this week, the rant falls to me, surprisingly.
I've taken over from Tom.
Yeah.
He's normally the angry, ranty one,
but the doctor has advised him to keep his blood pressure under control
lest he suffers a stroke and his face balances out.
Anyway, do you remember a few weeks ago, we discussed a story
about the SAS putting some details in a job advert and how it was a blunder. And then Tom,
you said that, oh, I think the SAS are so clever, they've done it on purpose to see how many people would actually pick up on it
and yeah you know the we discuss yes the the British military very good SAS obviously special
forces but you know one of the best armies in the world and what have you and um now I think after
reading this story I think it's not a mistake that the SAS made because there are some
very dumb people within the MOD. And an investigation has been launched after the MOD
sent an email to 250, well, more than 250 Afghan interpreters waiting relocation to the UK
by copying name, email addresses and other information into the body of an email.
Sorry, so email addresses went into the body of the email?
No, no, the email address went into the to field
and then other information was put into the body of the email
so it wasn't even just a slip of oh this should have gone bcc not not cc or two it was a slip of
that and also putting stuff in the main body it appears that way it appears oh my host unknown
has not seen the email yet but um the email is understood to have originated,
and I love this acronym, the Afghan Relocations and Assistance Policy, ARAP or ARAP.
ARAP. No, that's the American version.
I was going to say someone's mispronounce that. So all I can imagine is that there was like these,
you know,
over 250 interpreters getting this email,
hiding out in somewhere in Afghanistan.
And they're like,
oh my God,
what is this?
They reply,
you're all saying Habibi,
Habibi,
remove me,
unsubscribe.
And then someone else replying like,
can you stop hitting reply all?
And for three days, it's just going on.
Who dished new computer?
Yeah.
And that wasn't it.
Apparently, just yesterday, a second breach has been found,
potentially compromising the safety of more Afghans who may be eligible to relocate to the UK.
Dozens of people were mistakenly copied into an email earlier this month, with their names,
email addresses visible to all recipients.
I think this is more of a BCC versus CC thing.
And the MOD has apologised,
but at least one of the recipients is from the Afghan National Army.
Ooh, dear.
So the MOD has apologised at what?
The funerals of these people?
Yeah, something like that.
I mean, Jesus, it's unforgivable when you, this kind of intelligence leak.
It is.
It is.
I mean,
having said that,
I suppose sending an email list out there isn't quite the same as a wayward
drone strike.
No,
no.
I mean,
on a scale of one to 10,
definitely.
But you know,
the implications could be pretty much the same.
And,
and this is why these guys need generic email addresses. Like, you know, The implications could be pretty much the same.
This is why these guys need generic email addresses,
like ilovetacos at hotmail.com.
Yes.
Because you can't trust people.
When you're dealing with the government,
you just can't use your full name.
The problem is, though,
they'll look at that when they're hiring interpreters in the first place and go, well, this person's not very professional.
There is that.
There is that.
So there is that dilemma.
But before everyone thinks I'm just picking on their MOD,
I did have a quick search for any other recent email breaches.
Other governments also mess up.
Yeah, I mean, governments, high-profile departments,
military, everyone messes up.
And just a couple of days ago,
over 1,000 Stoke-on-Trent Council tenants' data
was breached also in an email blunder.
The employee sent the email, placed the addresses of all 1043 recipients
in the two address box rather than the BCC, meaning that all of your council tenants now knew where
all of the other council tenants email addresses were. So maybe not quite the same impact but just to show that we are fair we are balanced we
are we aren't anti-mod we we are just anti-poor security we're anti-everybody we hate you all
we hate you all equally yes
uh yeah i just you know councils, I kind of get it.
I'm a little bit more accepting of that because these aren't, you know,
the best paid or even best motivated people.
Their working conditions aren't great.
And the MOD, I know, again, very, very similar kind of staffing.
But the actual implications of these kinds of leaks are so severe in that field
that you'd think there would be far stronger controls you know not just soft controls but
technical controls like you know if you're putting more than more than 20 people into a two field
there should be some kind of prompt that comes up and says are you sure you're sending this to the right place you know i guess it depends what they're using i don't think by default office
um you know actually says i mean i don't know about what uh google business is like or
but yeah office by default says you know this this is going to go to x many people
yeah yeah but it's easy to switch off but it's and it's not that prominent either is it it's
not like you know you in in the military for something quite so critical you need a big
flashing red screen basically yeah i mean it's it's it's easy to ignore people just get blind
to it after a while even if it is a big big flashing it's uh that sort of thing but but i
love how you said
that you know councils are forgiven because they're poorly paid working bad circumstances
and what have you because the mod definitely is uh very well paid and they work in luxury
air-conditioned offices around the world well i did i did say they're they're the same but the
implications are greater there so in my defense oh not in my mind like why why do you let
the truth get in the way of a good story that's uh because you don't what oh okay you know mr
integrity all of a sudden well somebody has to be on this show. Rant of the Week.
We are officially the most entertaining content
amongst our peers.
Yes, we are. Right,
shall we move
directly on to this week's
Bully Big Balls
of the Week. So, the Bully Big Balls of the Week.
So, the Bully Big Balls
falls to me this week.
Jav and I just swap in roles, it seems.
So,
I don't know if
either of you two have heard of this
newfangled
app that
the younger
generation and the feeble-minded adults get kind of
addicted to called TikTok.
Have you come across that?
What's it called?
TikTok.
TikTok.
Yeah.
Sounds familiar.
Yeah.
Well, it's well known for being extremely addictive the algorithms
uh basically they're little short videos and if if you're you know a kid it's basically dancing and
you know silly skits and short videos and little loops and voiceovers and stuff like that and if
you're a you know like i say a feeble-minded middle-aged man, it's mostly barely adult women jumping around and shaking jiggly things for them to ogle.
And the algorithm recognizes this, the backend algorithm recognizes this, and delivers more and more similar content to the point where people do get very addicted to it. It's very difficult.
TikTok have also now seeded their own videos into it, encouraging people to stop after a certain
time. I think one of them is a young lady brushing her teeth saying, hey, isn't it time to go to bed,
which in of itself is probably suggestive for some of these people uh but um so yes it's
known to be addictive uh etc the big move though and the story we're talking about today you're
very very judgmental of some people who are using an app do you have some bad memories or something
or is there some trauma associated with this because you've been bullied on this platform is it because you're too old to use it is this the problem probably probably yeah i think i
think after a certain age this sort of you know the maturity kicks in and the you know the um you
know we look for other you know more constructive avenues to to. Like moaning about those youngsters.
Well, I'd hardly call you two youngsters.
What are you listening to?
That's not music.
Well, I also say that about you two as well.
So, you know what?
It's really weird, Tom.
It's like you're this really weird generation.
You don't like the classic or you don't understand any older references like hip hop or wrestling.
Older references?
You don't understand anything new like TikTok.
And what do you actually like or what was that one year in history that you think, oh, that was good.
If only time had stood still then,
the world would have been perfect.
1973?
You know,
Bowie's... It starts with a 19.
Are you sure it starts with a 19?
Well, Bowie was riding on
the man who sold the world
and Ziggy Stardust and the Spiders from Mars.
What, that Nirvana song?
Oh, shut up.
I do know that Nevermind was released 31 years ago today.
So, yeah.
I know some stuff.
I know some stuff.
I read it in my broadsheet.
Back to your story, Tom.
Sorry.
Oh, back to my...
Okay, thank you.
Thank you.
So your little segue in there is over now, is it?
It's 30 years ago today as well.
Just seeking clarification.
Oh, that's right. 1991, wasn't it?
That's right.
Yeah.
So, but TikTok China has made a very bold move by limiting kids to just 40 minutes,
four zero minutes of use each day on their platform.
They also, their algorithm has been tweaked for these particular users
to deliver more wholesome content, whatever that might be.
Now, the caveat to this, of course, is you can
join this platform and be whoever you want. You either don't have to register or if you do
register, you don't have to necessarily tell the truth as to who you are and what age you are and
all that sort of thing. But if you have and you are under 14 years of age uh tiktok
will move into youth mode um like i say just restrict you to 40 minutes now i believe and
please gentlemen as i'm sure you will do anyway correct me wrong but i believe this follows on
the back of china's decision to restrict gaming uh to kids to to 40 minutes a day as well.
So it seems very, well, funny enough, very authoritarian of the Chinese government to do this,
which, you know, more than, but a very bold move nonetheless.
nonetheless. And especially as there is some really interesting research into the benefits that gaming and computers can bring to people. So I read one the other day, link is not in the
show notes because I can't remember where it was, but kids and young adults...
Sounds plausible.
It sounds plausible. Yeah, exactly. I'm taking a leaf out of Jad's book here.
So young adults, kids who play a lot of computer games,
are actually significantly better at recalling a series of events,
let's say a crime scene or a traffic accident or something like that,
because their visual acuity is so much higher
they're used to looking out for detail on screens and small movements and things like that and so
actually they can they are better at reporting um you know the incident as it actually happened
uh rather than the rest of us fuddy duddiesuddies that basically say, no, I didn't see a gorilla walk into a room of people dancing
and all that sort of thing.
But nonetheless, I digress.
No, no, no, don't digress.
This is brilliant.
This is like, Your Honour, I'd like to have his testimony thrown out
because he does not own the latest Xbox 360 or PlayStation 5.
That would mean visible convenience.
He only plays Call of Duty, not World of Warcraft.
Yeah.
And his highest kill streak has been 12,
so he clearly doesn't pay enough attention to detail.
Yeah.
Yeah.
So, interestingly, and some of the comments in this people there's a lot of capital
letters in this some people are you know should not strong-arm any form of parenting upon the
customers you know yeah and if i had a teenage kid it would be simple if you want to use something like tiktok buy your own phone and internet with money you
earn and things like that so there's a lot of people on here uh on the internet very uh very
angry about this even though they probably don't even live in china yeah and i think this is more
about the chinese government's control over people.
I mean, I may not have told you previously, but I do use TikTok on occasion.
Do you?
Yeah.
But you know what?
In terms of all the platforms out there, they have like a wellness hub, you know, and they encourage positive behaviors and they've got an amazing support network for people um you know for various you know if you think like teenagers that go through
struggles mental health um you know self-harm those type of things which i don't think other
platforms sort of advertise a safe space to discuss you know but these um you know tiktok
has an entire hub dedicated to this um they've got their own psychologists as well who work for the
company that uh you know produce videos and talk through things um but they also have the own built
in stuff as well to encourage you to use it less uh you know so if you're scrolling through for
you know like 40 minutes at a time it'll say if it's late i'll say right you know go to bed tiktok
still going to be here tomorrow um you know if you're scrolling through it during the day it'll
say hey look you know why don't you get outside, get some fresh air,
go and get a drink or make TikToks outside.
So they actually, as immersed in the experience,
it's not like a little pop-up that comes up in the corner.
It's actually part of what you're scrolling through
that you have to go through.
And it's presented as a normal normal video
if if i understand it this is a bit like what you're saying is it's a bit like a drug dealer
selling drugs but also running a recovery clinic and yes telling you how to get hold of the nearest
ambulance yeah and also saying hey look you know what this is uh
this is your fourth fourth bag in a row why don't you uh take a break other drugs are available
well it'll be like look you know i'm still going to be here tomorrow man you don't need to be doing
this more tonight it's less like a drug dealer and sounds more like my GP. Well, you get smack off your GP.
Well,
illegal.
Through the pharmaceutical name, whatever it is,
I have no idea how to pronounce it.
But they're
always like, here's your medicine,
only take this many.
Your prescription will only work for like
three more times, then you have to come see me again.
The pharmacist is in on the deal.
So I think it's a good industry if you give it the veneer of legitimacy.
Of credibility, yeah.
Yeah, exactly.
I think it's more about the Chinese government controlling people
starting from a very young age now
rather than anything to be held accountable for.
How dare a communist and draconian government impose these measures on its people?
It's come as such a surprise to us all.
So, you know, I'm not entirely against the premise.
And let me just explain why.
the premise and and let me just explain why because very little is understood as to the long-term impact of uh being on a phone or device all day long and going through social media we're
only just scratching the surface as to what what some of the impact is we could do more we could
do more and while in principle, absolutely agree that,
you know,
people should be free to choose,
but we need to see what the pros and cons are.
And there is a lot of evidence showing the detrimental nature of a lot of
social media platforms like Facebook and Twitter,
Instagram,
even the other day,
Instagram,
there was something about Instagram and how,
how it impacts the,
the, the body images of, of, of teenage girls, day, Instagram, there was something about Instagram and how it impacts the body images of teenage girls from a very young age and what have you.
So I think in the absence of anything that, and I think everyone's trying to work it out as we go along.
we go along uh so i think something like that we should be really thankful it's the chinese government doing it because then we can view it almost like a a control sample and we see the
results in a few years time and if they're doing better then hey maybe they've done something right
and if they've gone completely crazy and they're they're hacking it and there's civil war then we
like hey that's a step we should avoid but again... No one's going to trust the research that comes out of China.
Exactly what I was going to say.
You think this is going to be a failed experiment,
according to the Chinese government?
We can observe, isn't it?
We can observe ourselves.
Through what?
We'll send in the UN.
Exactly.
Hans Blix can go in
and if he doesn't get
the results he wants, he can impose sanctions
and write
strongly worded letters to them.
Yes.
And what happens if they don't do
anything?
He'll send another follow-up
letter.
Exactly.
He'll start off with, as per my
previous email.
There was a...
When you're talking about, you know, we don't know the long-term effects,
wasn't there that comedian who said,
this is ages ago,
if Pac-Man had affected us as kids, we'd all be
running around in dark rooms,
munching pills and listening to repetitive music.
Billy Big Balls of the Week.
Andy, what time is it?
It's that time of the show where we head over to our news sources at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe
industry news
experts concerned over new digital secretary's leak of cyber One does never cease. Industry news. Romance scammers make $133 million in the first half of 2021.
Industry news.
Former IT execs plead guilty to insider trading conspiracy.
Industry news.
Data of 106 million visitors to Thailand breached
Industry News
European police bust 10 million euro mafia fraud ring
Industry News
Prison for AT&T phone unlocking fraudster
Industry News
Afghan interpreters data exposed in MOD breach
Industry news
Half of web owners don't know if their site has been attacked
Industry news
US eye care providers report data breaches
Industry news
And that was this week's
Industry news
Huge if true
Well I was going to say huge
But 133 million
Doesn't sound like a lot
Well I was literally just going there
And I'm thinking now scammers are producing
Quarterly results right
In terms of how they're doing
As a company
We should see an uptick in the next few days
yeah exactly maybe confidence in their uh in their scam has dropped in the criminal underworld
um you know it's like well these are lower than expected earnings but you know we're doing a
course correction and we're going to reissue uh uh you know expected earnings uh over over the second half of 2021.
We can still turn this around.
We're hiring a new scam director,
global scam director to lead the team.
Oh, dear.
What's that interesting one?
Obviously, the experts being concerned
about the digital secretary's lack of cyber knowledge.
This is obviously about the appointment of Nadine Dorries.
Yes.
Nadine Dorries, who tweeted that she doesn't know her own password.
She tweeted it, and I actually replied to her on this,
but she said we can't all be expected to...
I'm sorry, say again?
Didn't she share it? She admitted to sharing it with her staff. Yes't she? I'm sorry, say again? Didn't she share it?
She admitted to sharing it with her staff?
Yes.
That's exactly what I was going to say.
Yeah.
So she said, you know,
ministers can't be expected to know their passwords for this.
Everybody knows that when I go into my office,
the first thing I shout is, what's my password?
That's appalling.
I actually replied to her and said, that is appalling.
That would be a fireable offense in most companies it would but i i i don't feel that bad about her because i think
this is more an indication as to how systems are not designed for a lot of use cases. And I think poor user design is one of the big problems
that leads to all of these things.
But then what are we going to do?
Go to, when we say passwordless, right?
So say, you know, she has a device where it's pushed to authenticate.
Yeah.
She'll walk in the room and say, right, who's got my phone?
Can they just press the little button that's come up?
Exactly. Exactly. You know, there's a physical amount of work. Yeah. yeah she'll walk in the room say right who's got my phone can they just press the little button that's come up exactly exactly you know yeah you hire someone and say right this is your job if you see an authenticate now button pop up just press yes yeah this is your sole job because i can't be
bothered to remember this stuff that's exactly it i think it's a really cavalier attitude to
this sort of thing and and i think uh yeah it's a really cavalier attitude to this sort of thing.
And I think, yeah, it's very concerning, to be honest with you.
But on brand for government, I guess, because if you think, you know, the amount of... Who's that director that sort of got cancelled for a tweet that he did 10 years ago?
Or something he said on an online platform 10 years ago?
And, you know, we've seen stories of people being penalised for stuff they said
when they were a lot younger.
And yet we've got a new digital,
you know, digital and culture secretary
who literally just the other day said,
no, this is security stupid.
And, yeah, no, no blowback whatsoever.
We should have got Dido Harding on.
Should have hired Dido Harding.
Maybe she's unavailable.
Well, we would have been protected against sequence attacks at least.
But I find it, well, mind you, it doesn't surprise me at all
because who in this current government is qualified anyway?
So, I mean, we've got a bloody journalist running the country.
Jennifer O'Curie, surely.
Do you know what?
She'd be a much better choice in the decimals.
Oh, she would.
That's what I'm saying.
Oh, yeah, yeah.
You're asking somebody who's qualified.
Yeah, absolutely.
Absolutely.
You know, whatever the reasons for why we might know Jennifer Okuri,
she's qualified in this field.
And she would do a far better job.
Oh, it makes me angry.
Calm down, Tom.
Calm down.
Remember your breathing exercises.
Exactly.
You know, just this morning, sitting in my armchair,
rustling my broadsheet in anger.
And that was this week's Rant of the Week.
Anything else in there pop out for you?
I was surprised that half of web owners do actually know
when their website is breached.
Yeah, that's true.
Yeah, I think it's very, very surprising.
Unless the website has been defaced or they've been ransomwared or something.
You're not going to know.
No, no, you're not going to know.
you're not gonna know no no you're not gonna know you know a website is is your um in my in most cases is just the the poster you've stuck up in the local bus shelter right
yeah stick it up there and you leave it and get on with it yeah in in the vast majority of cases
yeah i mean that that's where like you know i think companies like
wordpress and platforms like that are by helping quite a lot because they they offer some level of
scanning or whatever you built into the platform and as long as you stick to
you know not not using all these third-party untrusted plugins or extensions, you can be pretty safe.
But, yeah, I don't know.
See, I'm just happy.
If I get spammers coming to my website, I'm just happy.
Oh, look at the stats go up.
Yeah, still counting them.
Yeah, exactly.
A win is a win is a win.
Right, thank you very much, gents.
That was this week's...
Industry News.
Marvellous.
Let's move very swiftly on to Andy and...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
This is one that Jav pointed out earlier.
And it's from a private guy on twitter who basically posted
a link to a story about a major far-right platform that got hit by a data breach um
and so that data breach revealed the names and addresses of proud boys q anon and texas right
to life backers um and i think when i when i first saw it you know you're thinking oh
man this is funny like you know it's typical but then i thought the type of people that are part
of these groups anyway and register with their real names and you can pretty much tell who they
are anyway you know i don't actually think we're gonna gonna be surprised with this one anymore. Would they perchance have Trump flags
outside their house?
Yeah, Trump 2024,
you know, talking about Hillary, the crooked
Hillary, and stole
the election. And they drive cars
with 911
protect and serve written on the side.
Yeah.
Yeah.
But there was another one which I did see.'s um a guy called uh k reed whiteman
who said that he port scanned his new furnace uh it has ssh open uh on it and now he wants to try
and find out the password uh so this is just i guess you know as the ongoing uh iot uh rolls
out around the place this guy's got a new furnace in his house,
which can be connected to the internet.
I mean, what could go wrong with connecting a heating appliance
to the internet?
Has he tried admin-admin?
You'd hope so.
I mean, yeah, or maybe root-root or root-tor.
Yes, that's the one.
So if any of our American friends, American listeners are listening in,
so a furnace in the US is just a boiler in the UK, right?
I wouldn't be able to clarify that distinction.
Okay.
Well, Andy, I just saw this other tweet for you that you would appreciate it's by alissa miller
i i'm saying you can appreciate it because you have to click on the link and go through to it
because it's a picture and it is a three pound sour gummy worm it's huge it takes up like it's folded up and it goes up and around the entire
chopping board um it is like one serving of diabetes you know it looks obscene it looks so
for me i'm not a fan of the sours anyway but three pounds is actually uh less than one and a half kilos, which is rookie numbers, if I'm honest.
I think it sounds impressive because it's reported in pounds,
but in kilos, that's like 1.4 kilos?
Yeah, it's about one and a half kilos.
It's 2.4 pounds to a kilo?
It's no five kilo Toblerone, you know what I'm saying?
Ah, yes. yes oh yes you you
have that one yeah i've impressed people with the size of your toblerone andy
it's a good start but yeah it's yeah work to be done
lovely thank you andy for this week's Tweets of the Week.
Tweets of the Week.
We draw to a close.
As usual, we hope you've enjoyed this week's show.
I certainly did, apart from the contributions made by Jav and Andy.
But, you know, outside of that, wonderful, wonderful.
Jav, thank you very much for your time,
and I hope you have a lovely weekend.
Oh, thank you so much, my good friend.
I really appreciate our time we spend together on this show every day
and all of our friendly banter, which is completely not real at all.
So you have a good weekend too.
You have a good weekend too. You have a good weekend too.
Try to avoid those buses
and don't accidentally
dial into smashing security again.
And I would say
I'm so glad we don't do this every day.
Andy, thank you very much, sir.
Stay secure, my friend.
Stay secure, my friends. Stay secure. You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
r slash Smashing Security.
We done? We out? We out. Oh, thank God god couldn't happen quick enough like pulling teeth like pulling teeth
tom's about to take out his dentures and say what
what's that you say shoddy