The Host Unknown Podcast - Episode 76 - Our Best Episode Ever
Episode Date: October 8, 2021

This Week in InfoSec (08:01)
With content liberated from the "today in infosec" Twitter account
8th September 2009: FBI director Robert Mueller disclosed that his wife banned him from banking online... after he nearly fell for an email phishing scam.
Wife bans FBI head from online banking
https://twitter.com/todayininfosec/status/1314002293226905600
3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault.
Equifax Breach Caused by Lone Employee's Error, Former C.E.O. Says
How the Equifax hack happened, and what still needs to be done
https://twitter.com/todayininfosec/status/1312589059559170050

Rant of the Week (16:35)
IKEA: Cameras were hidden in the ceiling above warehouse toilets for 'health and safety'
IKEA has removed hidden security cameras from its warehouse in Peterborough, England, after an employee spotted one in the ceiling void while using the toilet.

As Seen on TikTok (24:59)
Facebook rendered spineless by buggy audit code that missed catastrophic network config error
Facebook has admitted buggy auditing code was at the core of Tuesday's six-hour outage – and revealed a little more about its infrastructure to explain how it vanished from the internet.
As described by rey.nbows on TikTok

Industry News (34:18)
Facebook Whistleblower to Testify Before Senate
Pandora Spills Secrets of Super Rich
DeepMind Technologies Sued Over Data Sharing
Facebook Blames Global Outage on Configuration Error
Text Message Giant Reveals Five-Year Breach
Squid Game Scenes Cut Over Data Exposure
NCSC: Revoke Admin Access for BYOD Users Immediately
Infosec Experts: Twitch Breach "As Bad as it Gets"
US Creates National Cryptocurrency Enforcement Team

Tweet of the Week (42:42)
https://twitter.com/cybersecstu/status/1446104732578328583
https://twitter.com/SmashinSecurity/status/1445520598017314826

The Box © Charlie Langford
Come on!
Like and bloody well subscribe!
Transcript
But at least you've got to be happy it's Friday though, right?
Oh, man.
Oh, yes.
But even better than that, I've got something for that.
Mufasa, you know we're finally here, right?
Well, we...
It's Friday then.
It's Saturday, Sunday, what?
It's Friday then.
It's Saturday, Sunday, what?
It's Friday.
It's Friday.
It's Friday.
Andy, from Hanksport, you shall be known as Mufasa.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us and welcome to episode 76 of the Host Unknown podcast.
Even though you've tried to call it episode 75 for the third week running.
I know, I know, right?
Well, I've got a problem with renaming things, so, you know, like I said, you should now henceforth be known as Mufasa, since we only ever speak on Fridays anyway, right? And you're my hype man, right?
Yeah, yeah, woo, yeah.
Mufasa. Everyone needs a hype man like that.
Oh, brilliant, brilliant. We'll put the link to that little video in the show notes, I think. It's well worth it.
It's well worth it.
If it's high energy just listening to it, wait until you watch it.
Oh, dear.
Sandy, how have you been this week?
Not too bad.
I think, you know, the end of Q2 was last week,
so this week is, you know, the sort of calm after the storm.
Is that a saying?
The wreckage after the storm, the clean-up operation, something about the eye of the needle, or storm, or something.
Yeah, yeah, exactly. Although I will say, I didn't mention this before, obviously you had your mic on when you went to go make yourself a cup of tea.
Yeah.
Did you say, Siri, turn off the bedroom lights?
Yes, of course.
You're such an Apple fanboy.
Well, otherwise I have to... the bedside light, I have to go into the bedroom and press a button. But as I'm walking past to make a cup of tea, I notice the lights are on, you know. I mean, I use it to switch the lights off at night, I open my blinds, you know, all that sort of stuff. It's easy.
I just feel sorry that you made the housekeeper change their name to Siri.
No, no, I put an advert in specifically for someone called Siri.
You're not an oppressive employer.
Absolutely.
Actually, do you know what?
I realise I use it an awful lot, I have to say,
and I really like it.
But the problem is that it's like this morning,
I asked Siri what time it was.
And I think because it was...
Because you couldn't turn your wrist. No, my watch was on charge, so I'm just lying in bed thinking,
you know, should I get up?
And I often say, so I wake up in the middle of the night
and I just say, you know, what time is it?
But I think because I hadn't spoken overnight
and because I'm sort of...
You sometimes get a bit complacent.
It just sort of came out as, as I was in and wondered
why I wasn't being told the time, you know.
And did it say, Tom, have you been drinking again?
Yeah, that's right.
Anyway, it doesn't say Tom, it says sir.
Of course.
How are you doing anyway?
I'm all right, I'm all right. But, somewhat surprising, I am on a downer with Apple this week. Absolute downer.
Yeah?
So a friend of mine bought a new MacBook. My photographer friend bought an M1 MacBook and she's having problems with Lightroom Classic on it, which in theory should work fine. And Apple have been awful.
I actually think she's got a faulty machine because, you know,
to be blunt, it's working fine everywhere else.
You know, so I lent her an Apple Silicon Mac Mini, working fine on there.
Does not work fine on her laptop.
She's been given the run around so much. She's gone beyond the, you know, the distance sale return time, because they say, oh, try this, leave it for a few days and then call us back. And then so she calls them back and they go, well, we haven't got any notes on that, so try this. And so she's been playing again and constantly being sort of jerked around, basically.
Then somebody says, oh.
Buy a new one.
Well, somebody said, somebody did say, well,
why don't you just use a different computer?
Brilliant.
And then they say, okay, well, what we'll do is we will ship you a brand
new one in a box that you can then take to an Apple store
and swap for an Intel one.
Goes to the Apple store, the business team.
They say, no, not a chance, you're smoking pot.
She phones them back, asks for this individual by name
because they said, just ask me by name.
The person they speak to says, no, we don't do that,
and there's no notes on here anyway, and I don't believe that anybody would have said that.
Classic. Awful.
Went to another shop just trying to sort it out. And this is the best part, I'm going to tweet this later. One of the Apple, inverted commas, geniuses said, well, the reason people pay a lot more money for Apple is because they don't have to spend 50 quid a year on antivirus, because Macs don't get viruses.
You know, and she had someone else with her who witnessed this.
It's not like just getting a bit wound up about them.
I mean, like Jesus Christ, you know,
the 1990s called and want their education
So, yeah, Tim, I know you're listening, I know you're a fan of the show. Sort it out.
Jeez, it's getting to the point where we're going to go legal, I think.
Yeah, we're gonna have to drop them as a sponsor as well, I think.
We are. We don't want your sponsorship if you behave like this.
No, no, we'll take the financial hit.
So that's been my week, trying to help her get through this. It's been a nightmare.
No, I can't defend that.
No, I can't. Well, I can't, obviously. That's why I said it.
So appalling. It's literally just running through a script and no end-to-end process.
Just you have to do this, then you do this, and, oh, we haven't got any notes,
therefore we start again.
We're not going to listen to what you've said.
So, ugh, annoying.
Annoying.
Anyway, so, yes, I think we should find out what we've got coming up today in non-Apple news.
Well, This Week in InfoSec asks us who amongst us can say we have never been fooled before? As a famous person once said, fool me once, shame on me, you. Fool me again, shame on something, something, something.
Rant of the Week has some serious questions about the people who installed security cameras in a particular shop.
As Seen on TikTok breaks down the Facebook outage for us far quicker and far better than Graham did on Smashing Security.
industry news brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week asks a question,
although we haven't decided if it's a would-you-rather or a whodunit.
Excellent.
So let's move swiftly on to our favourite part of the show and...
This week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account.
So, Tom, a quick question for you.
Have you ever been fooled by a phishing attempt?
No, I haven't.
But I am still waiting for that lovely chap from Nigeria to deposit that money in my account.
Yeah. Although, to be fair, I think a few of your friends almost got scammed by a Facebook profile that's set up in your name.
Yes, yeah, yeah, that's true. They're asking me why I haven't accepted their friend request. I'm like, who, what? Or the invites to the various events that were going on.
Yeah. Anyway, so this is a tongue-in-cheek story, really,
that a mere 12 years ago, on the 8th of September 2009,
FBI Director Robert Mueller disclosed that his wife had banned him
from online banking after he nearly fell for an email phishing scam.
Which, I mean, crazy to think it. But it was... so the same day, you know, he announced this, the FBI in Los Angeles had announced the indictments of like 100 people across the US and Egypt. They'd arrested 30 people in California, Nevada, North Carolina as part of Operation Phish Phry, obviously with a PH on those, which at the time was the largest cyber crime investigation to have taken place in the US. And so what was happening, like, Egyptian hackers were accused of targeting two particular US financial institutions and phishing the... tanks. Phishing attack. Phishing tanks. Phishing attacks. And then tanks, phishing attacks.
He's thinking of that Vegas thing.
Yeah, exactly.
And then they're using those sort of stolen bank credentials to get unauthorized access to accounts.
And then obviously they coordinated with people in the U.S.
to transfer the money out.
So the U.S. defendants were allegedly recruiting runners to set up bank accounts that, you know, funds from the compromised accounts were then transferred into, and then people had to withdraw. And in the FBI estimate there were thousands of bank customer victims that were impacted by this. But despite being the person who oversaw, you know, this whole operation, Director Mueller actually received an email purporting to be from his bank, which he said was perfectly legitimate, and then prompted him to verify his personal information,
which obviously he started to follow.
And it was just at the last minute he sort of hesitated
and had this sudden realisation that it may not be such a good idea.
I can just imagine his wife running up behind him going,
no, and slapping the mouse out of his hand, pretty much.
So, yeah, he's probably just, you know, mentioning it in the background. Hey, that's funny, honey, the, you know, the bank's just asked us to verify our dates of birth, our social security numbers. What was the name of your first dog?
Yeah. But he said that, you know, although being a few clicks away from this classic scam, he did immediately change his passwords,
and he tried to pass the incident off to his wife as a teachable moment,
but she certainly wasn't having any of it.
And she said, you know, this isn't just your money.
This is our money, and there's no more internet banking for you.
It's interesting, because one, he's in a position where obviously he can get away with not having to do internet banking. He's probably got people to do that for him, right? But I mean, even today, let alone 2009, the US is not known for its very modern banking practices, right?
Yeah. Today it's very difficult to not have internet banking because the branches just aren't there, and they're closing at alarming rates.
Yeah. And which is fine, you know, they're changing the face of the high street and, you know, things evolve and all that sort of thing. And anyway, most banks would be better off as a cafe anyway. But, yeah, nowadays, if you don't feel confident enough
to use online banking or whatever, then you're stuck.
You get left behind.
You don't get to pay bills.
You don't get to do anything.
Yeah.
No, shocking.
But, yeah, our second story is one that is ingrained in InfoSec history for many reasons,
and not least because it's about one of the most significant data breaches of all time.
However, it is only from four years ago on the 3rd of October 2017, a week after he retired as the result of Equifax's data breach, former Chief
Executive Officer Richard F. Smith told members of Congress that one person in the IT department
was at fault.
Now, this is the whole...
It was the intern!
It was pretty much the intern defense, right?
So while testifying before Congress in Washington,
the credit reporting company's former chief executive told members that the Equifax data breach, which exposed the sensitive personal information
of nearly 148 million Americans,
and as we later found out, millions more people from around the world,
was the result of a mistake by one single employee. And that single employee was not himself.
You know, it wasn't the CISO or any other member of the OpCo. No, the designated scapegoat for this event was someone in the IT department who was supposed to confirm that an email to patch systems went to the right person. And it was on, you know, multiple occasions during this testimony that Smith referred to an individual in Equifax's technology department who had failed to heed security warnings and did not ensure the implementation of software fixes that would have prevented the breach.
Now, that's just lawyers protecting the company,
the company's reputation over an individual's reputation.
Yeah.
I mean, yeah, obviously, I'm just giving the cliff notes,
but it was later reported as, you know,
a combination of technical and human errors.
But there's no doubt that, or at least the security industry
will never forget that, you know that the awfulness of this data breach is only matched
by the shithousery of the execs who attempted to scapegoat that one IT person.
Yeah.
So, I mean, one person may be the root cause as such,
but the actual fault lies with the environments in which they're operating and the culture in which they're operating.
Yeah. I mean, obviously, you know, you don't just have, okay, one person. So essentially, right, they're told, you know, a particular vulnerability existed, and so someone said, hey, this vulnerability exists, you need to go and patch it within 48 hours.
Yeah.
And apparently that communication didn't go to the right people.
Okay.
And so it was actually three months later that the vulnerability was exploited. So, you know, there's a three-month period where no one was checking whether it was patched or not, right? It wasn't showing up on any scans that it needs to be patched. It wasn't detected that, hey, you know, we've exceeded the SLA for this patch, you know, we wanted it done in 48 hours, nothing's happening. So, I mean, there's multiple failings that occurred in this one. Very difficult to blame one particular person.
Yeah. I just, as you say, shithousery of the highest order, blaming the most junior person possible. I think it was done recently with the interns.
In fact, I'm waiting for Facebook...
Yeah, and I'm waiting for Facebook to blame an intern for their BGP error, which I still don't understand. So I'm looking forward to that particular story. So, yes, absolutely shocking.
This Week in InfoSec.
You're listening to the award-winning host unknown podcast.
Officially more entertaining than Smashing Security.
In your face!
All right, let's move straight on to what appears to be my regular spot here.
Listen up!
Rant of the week.
It sounds like mother f***ing rage.
Okay, this one is particularly shocking.
It uses, it's obviously a technology thing.
There's a security and a privacy element here. But what it comes down to is just plain old human nastiness.
So the headline is in the register, IKEA, cameras were hidden in the ceiling above warehouse
toilets for health and safety.
So, yes, Peterborough, one specific warehouse, interestingly,
not across the board, not a company decision, it seems,
or a corporate decision, but, yes, a discovery end of September
was made when the lights were switched off and somebody noticed
what appeared to be a small red light between the panels
of a suspended ceiling in the bathroom, toilets in the UK, bathroom in America.
When they investigated, they found the hidden camera.
And then also when they stuck their head up further,
they found a number of other cameras above both the men's
and the women's toilets.
IKEA have admitted that they had been in place since 2015,
although the company did not say when they were last used.
So apparently IKEA said they were placed there for another purpose,
which is possible.
I mean, you know, what purpose?
No, no, as in, as in before. Maybe the toilets were there... you know, because these environments can be quite modular, right? You know, you can throw up a wall, et cetera. Although with toilets they tend to be quite static because of the plumbing.
Yeah. Not quite sure what other purpose there are.
They have, in support of our health and safety policy, we have a drug testing policy in place as per industry standards. So that other purpose, it would transpire, is to make sure that people are, I don't know, using their own urine in a paper cup. Who knows.
Well, so I guess throwing in that statement about drugs testing, is it that they're making sure that people aren't swapping out urine, or are they looking to see if people are doing some coke in the toilet?
Yeah, exactly. Who knows, who knows. Serious questions, IKEA.
I know, I know. And, you know, are they then washing their hands and drying them on some of their new IKEA Higner towels and, you know, all that sort of stuff. The fact is, you don't put cameras in toilets.
Full stop.
Well, the exceptions may be in certain institutions,
and I'm thinking of like, you know.
Prisons.
Prisons, people who are vulnerable and need to, you know,
are on some kind of self-harm and suicide watch.
You know, people who may have been arrested on suspicion of trafficking drugs,
you know, that sort of thing, and waiting for the drugs to pass through their body,
all that sort of stuff.
But, you know, in 99.99999% of the rest of the world,
you just don't do it.
I'd love to see their risk assessment on who gets to see the footage
and where that footage goes and, you know, all that sort of stuff.
Well, do you know what?
I think the key thing here
is, right, as I read the story, they're saying that they've now confirmed that the cameras have been removed.
Yes.
You know, which is... so they're not even doubling down and saying, no, we're doing this for a valid reason. They're saying, oh shit, we got caught. Which, given that this is just in Peterborough,
and given that IKEA and the Swedes generally are lovely people
and just all round, I can't help but think this was a local management decision.
Do you know what I mean?
Yeah, but I don't know.
As soon as anybody in an IKEA warehouse reads this,
they're going to be going into the toilet, standing on the pan
and sticking their head up in the ceiling void straight away, right?
Or wondering why there's yellow tape around the toilets, you know,
the day that the story breaks whilst people are, you know,
going in there decommissioning things.
But, yeah, I don't know.
I, this smacks to me of a local management either very badly advised decision, or just local management being horrible pervs. And I mean that in a, yeah, not in a let's-not-kink-shame-here way, but in a you-need-help kind of way.
Yeah.
So this is, I mean, we're talking about 2015, right?
This is only six years ago where privacy has been a topic for a while.
Do you know what?
I think 1915 it was understood that you tend not to watch people taking shits
in their own, you know, in some kind of private space.
Even the Victorians understood that.
In fact, they probably understood it more than anyone.
You know, jeez.
Shocking.
Absolutely shocking.
So it will be very interesting to see what comes out of this.
Just watch the CCTV. Well, and see, you know, see what comes out of this and see the look of relief on the people concerned's faces. But, yeah, I will also be interested to see what the ICO does about this.
Probably nothing from what we can say,
but we have to be careful about slagging off the ICO now because friends of the show, Mr Bonner works for them.
Oh, really?
Yeah.
I've been getting threatening letters from the ICO recently.
Oh, is that because you've cancelled your data protection registration
with your company?
Yeah, I had a letter. I had the same letter from them, and they keep saying, you know, you've got 14 days to tell us why you don't need this. And I've just filed it with, you know, the rest of my letters that I get about my company, the rest of the letters that come in brown envelopes.
Yeah, exactly.
Best thing is they don't even come to me direct here. They go to the accountant, to the registered office.
Yeah, a registered office, yeah, rather than direct to me. So you get them like at least three weeks later.
I do. I get the PDF copy of them like a couple of days later.
Yeah, yeah. So shocking behaviour. So, yeah, I mean a second story of shithousery, it would seem, quite literally. We're really going down the pan in the shithouse.
Yeah, exactly, exactly. So, yes, not very clever, not very smart. IKEA, you need to sort this out.
We don't want to be making any links between the meatballs.
I was just about to say that!
How Ikea can afford to sell those meatballs so cheaply.
Oh my God, I was just about to say that.
Oh dear.
Anyway, that was this week's Rant of the Week. I think we can move on, and we're using one of our new segments right now.
Yeah, we've had it for a while, we've just not... yeah, yeah, exactly, we're just not quite used to it.
It's not just for kids, celebrities, twerkers and people showing off their cars. No.
As seen on TikTok.
Indeed.
So, an event which has annoyed consumers and non-consumers of Facebook alike, I guess for reasons on the opposite end of the spectrum, earlier this week. So I know another podcast did try and cover this one, but it was deemed, I guess, it wasn't funny, it wasn't informative. It just, in my opinion, you know, I've tried giving it a try, multiple times, it just didn't really get anything out of it. So it may sound like a little people, but what we have here is that a TikTok user called rey.nbows has summed up in two minutes what other people have tried to explain in a much longer period of time. So I shall... there's a link in the show notes, there's some great visuals that go with this, but otherwise I suggest we play the audio.
What caused the Facebook outage? Bibliography: I started with this thread by Guardian technology editor Alex Hern, as well as Facebook Engineering's own response.
Basically Facebook and its channel platforms like Instagram and Whatsapp
were all inaccessible for the better part of the day.
In a lot of countries Facebook is basically the internet,
so it caused a lot of confusion and stress.
I was surprised given how massive Facebook is, like what could have caused this?
Did they have a hack? Was it a cyber attack? How'd they go down for this long?
Turns out, no, it was hilariously more simple than
that. So picture you're an employee at Facebook and you're responsible for updating the quote
backbone routers that coordinate network traffic between Facebook's data centers. This means telling
the internet where Facebook is, but also, and this is key, telling Facebook where Facebook is. So
you're the Facebook employee, you send this update, but it turns out the update is bad. And suddenly
the routers basically are broadcasting like, hey, we don't know where we are.
So when the internet reaches for Facebook, it can't find it.
The internet can't see Facebook anymore, which sounds bad, but actually is totally fixable.
You just need to send another update being like, no, no, I'm over here.
Try it. You go to send the fix it message from the same portal that you used to send the break it message.
And you get booted off.
So you start to get kind of nervous, like what is going on here?
Basically, Facebook is essentially made out of itself. The business infrastructure runs on the same pathway that the
social media platforms do. So when those pathways get shut down it's not just the social media
platforms that get shut down, it's the entire business. That portal you just got kicked off of
is also made out of Facebook so it needs to connect to those routers that you just knocked
down in order to fix the routers that you just knocked down. You go to log into the portal again, but that would also require Facebook infrastructure.
Okay, so we need a physical hardware override. You go to the building where the physical servers are,
except you can't get in because guess what the smart card reading system on the doors uses to
authenticate users? You can't even message the head of physical security and get him to come
down with the key because your corporate messaging app also runs on Facebook. What is the lesson?
When you're building your gigantic tech infrastructure,
don't build all the systems you would need to fix it out of the same systems
that would be being fixed.
But that's it.
Our social media overlords are now embarrassed,
but fully functional.
And we,
well,
we have these great memes.
I love the fact that God didn't get into the physical environment.
The old Facebook authentication.
Oh, man.
Just the hubris of that company.
I laughed and laughed and laughed when I heard about them being offline.
Best day of the week.
Best day of the week.
Man, that was a really good explanation, actually. The fact that it was, you know, built on its own infrastructure, if you see what I mean. And, yeah, you know, there's no sort of separation of, inverted commas, church and state, as it were.
Yeah. Well, that's one of the key things, right, in business continuity, is, yeah, you know, you don't store your BC plans on your own infrastructure, right? You put them in a cloud environment or something.
Well, the old adage is you don't keep your backup tapes
in a safe in the building.
Yeah.
Because when the building burns down, you can't get to your backup tapes.
I mean, I know I'm going back a bit.
Fireproof safe, right?
Yeah, fireproof.
Obviously, we're not idiots.
Although it does remind me of the story I was told at a training I did many,
many years ago about a guy who's a fairly large-ish company,
but his job was running backups overnight.
And they didn't want to spend money on a third-party storage
facility. So the guy would just take it home and put it in a fire safe that the company provided
at his house. We're talking late nineties here, obviously. As a creature of habit, he'd leave work
and he'd get on one of the first tubes home and he'd always sit in the same spot towards the front,
a particular seat, et cetera, drop his bag on the floor.
What he didn't realise was that tube trains generally run on electricity
and have massive magnetic motors underneath where you're sitting.
And where he dropped his bag every morning was where one of these massive
magnets was, which basically degaussed all of the tapes every time
he took them home to keep them safe.
Oh, brilliant.
The old school stories, I remember we had one where,
I won't say the company, but their requirements for us to have backup were so ancient, like they had to be the physical sort of tapes that, you know, you took out and stored in a fireproof safe. And although we had a fireproof safe, I used to store Haribo in it, right? Because I said, like, if there's ever a disaster, like, we need Haribo. Exactly, right? Those things, that's what's going to get us through it, not tapes that are probably going to melt with the heat around it anyway.
No, I think that's the point of a fireproof safe.
It is, but they're only resistant for a certain amount of time.
Yeah.
And also...
Especially the cheap ones you bought.
Yeah, it's going to weld shut over time.
Actually, they're really heavy.
We couldn't even move it.
We had to get a third party to come with specialist equipment.
Yeah, yeah. But we got audited one time, and I remember having to... you know, all of our tapes were just complete utter lies, right? They said Monday, Tuesday, Wednesday, Thursday, Friday, you know, week one, week two, but they were just labels we stuck on these tapes. None of them actually did, because we used disk-to-disk backup at the time, right? So we were actually storing off-site, but it's just disk-to-disk, which was not allowed by this particular company's, you know, terms of use. And I remember the auditor came in, so I text messaged one of the guys to get the Haribo out of the safe and replace it with tapes before we got there.
And it was so funny walking in.
I was like, you know, can someone open the safe?
And, you know, they all sort of pulled stuff out and just,
we made it like, oh, you know, here we go.
It's like April, May, June, July.
You know what we do?
We rotate on a weekly basis.
Different pens, different handwriting.
Yeah, exactly.
And I'll tell you, if he had asked us to restore something,
we would have been screwed because I don't think the DLT drive
actually connected to anything.
Well, no, you just slap the tape in and go, right,
let's grab a coffee while that restores.
And in the meantime, you do a restore from your disc.
Give the guys the signal.
Yeah, that's right.
Little does he know, he hasn't spotted the fact
that the DLT SCSI cable is hanging loose out the back of it, you know.
Yeah. And we're restoring from something called Symantec Backup. Meanwhile, the tape drive is something completely different. And for the young kids out there, SCSI, it's like USB, but much more expensive and much slower.
Yes, and much more unforgiving when it was disconnected.
Oh, my God.
Oh, my God.
I mean, things would just fall over at the drop of a hat
if you pulled out SCSI.
Yeah.
Wasn't Apple's solution to that was FireWire, wasn't it?
It was.
Was that an Apple thing, FireWire?
Yeah, I think it was.
Well, I think it was an international thing, but Apple adopted it
and made it their own, as it were.
But FireWire was good, I think.
I like FireWire because it took all the load off the CPU.
But low adoption.
But very low adoption, yeah, exactly.
But, yeah, you were saying about this particular vendor requiring tapes,
right?
The fact is ransomware now, tapes are actually quite a good way of ensuring that your backups don't get encrypted.
True.
But, you know, this was, well, about 2006.
Yeah. And at the time, you know, this was about 2006.
And at the time, you know, the thought wasn't.
Yeah. No, no, absolutely.
Well, the fact that it was so rigid just goes to show that the person in charge of security there was probably about, well, 60 to say the least.
This is how we've done it since Bletchley Bloody Park.
You know, I don't know. I don't know. Excellent.
Excellent. Excellent.
That was a really good explanation
and a nice little trip down memory lane.
Thank you.
It's not all twerking in booty shorts.
As Seen on TikTok.
Andy, what time
is it?
It's that part of the show where we take a stroll down... No, it's not that part of the show where we take a stroll down infosec memory. You've got two jobs, Andy, two jobs.
It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Facebook blames global outage on configuration error.
Industry News.
Text message giant reveals five-year breach.
Industry News.
Squid game scenes cut over data exposure.
Industry News.
NCSC revoke admin access for BYOD users immediately.
Industry News.
InfoSec experts, Twitch breach as bad as it gets.
Industry News.
US creates national cryptocurrency enforcement team.
Industry News.
And that was this week's...
Huge if true.
Huge if true.
I love the Netflix squid game scenes cut because they used actual phone numbers.
Oh, no.
There's a whole bunch of phone numbers you can use. It's like the phone number equivalent of 127.0.0.1, you know, but there's numbers that they use.
I can't believe they did that. That sounds like filmmaking 101. You'd think that, yeah, should have dealt with that.
But I mean, there's a couple of things in there. So this major telecom service provider that was revealed as a victim of a five-year breach, Syniverse, they route text messages for hundreds of global telco customers, and they state they reach more people and devices than anyone on earth.
I definitely do now.
Well, they certainly do now.
So as they were going through a merger process with another company, they discovered, they identified an incident going back in May, where basically unauthorized access to its systems was found to have been ongoing since May 2016.
So yeah, 235 of their customers had their credentials, you know, sort of compromised.
So in terms of what it actually allowed them to do, it just allows them to take all the customer data and any sort of trade secrets, intellectual property, PII of employees, customers, suppliers, vendors, financial materials, anything in the company.
But it could also get the content of text messages, including one-time passcodes used for two-factor authentication.
Although having access to the one-time passwords is fine, but surely the act of synchronizing that with an actual attack would be very challenging.
Well, I guess, you know, who sort of hacks telco providers, right?
Well, hackers.
Yeah, yeah, but you also have those, you know, sort of nation states. You know, it's a good target for them if you've got companies that, you know, I'm not saying that intellectual property theft is rife, but...
No, IP theft is rife.
But it's there. It does exist.
Yeah.
So, I mean, it's a massive supply chain, you know, hack on this one, which is a big one.
But I guess the other big story this week is the Twitch data breach,
which took place.
I don't know if you've seen much about this.
Do you know what?
I saw it was Twitch and thought, not my problem.
You're not impacted by this.
As for the young kids and the gamers.
Yeah. So this is, well, you may like the fact that Bezos
obviously paid nearly a billion dollars for this product,
or this company.
And, you know, hackers have gone in and just taken everything,
like source code, clients, consoles, you know, personal data, user data,
and just distributed it for free.
125 gigs labeled as part one was posted to 4chan.
It's interesting, they're Robin Hood-ing it, as it were.
Yes.
Yeah, well, to be fair, I mean, 4chan's not known for its,
I guess the people that think long term.
I'll put it that way.
No.
You don't have strategists on 4chan.
No, you don't.
You just have people who like to share nudes.
Yeah, exactly.
So they probably downloaded all this stuff and looked out for the Twitch streamers that may have had a nip slip or something, kept that for themselves,
and then just posted everything else.
Yeah.
God.
Do you know the one story here that I think has just disappeared, and why there isn't more activity around it, is the Pandora breach?
It's just like the Panama Papers. Everybody's looking at it and going, well, yeah, we know they're all bastards, and we know they're ripping us off, and they're spending money where they shouldn't do, but what are we going to do about it?
And I think the same thing here. Pandora spills secrets. Oh, Vladimir Putin has channelled money into X, Y and Z properties. Who knew?
Yeah, you know, three terabytes of data is in there. I mean, I'm sure there's going to be some interesting stuff in there,
but the fact that it's barely made a ripple, really.
There should be global outrage at some of this,
and I think we're just tired of it,
and we know that these people are just bastards.
Yeah, I was going to say the people, as you mentioned, Putin,
the Czech Republic's prime minister, you know, he hit a $22 million chateau in the French Riviera.
King Abdullah of Jordan, you know, he's purchased 14 luxury homes in secret that no one knew about.
You know, and this is...
Does he rent them out as Airbnbs or something?
Probably, yeah. I mean, this is a country that has foreign aid to support its people.
You know, so the way all these... but like you say, we know that this is what the rich are doing. You know, we know this is what governments are doing, and they obviously have influence over the media, and, you know, sort of quell the storms on some of these, and they just ride it out until it becomes a non-story.
Yeah, it wouldn't surprise me if, you know, maybe that Facebook outage was a little smokescreen.
Yeah, or the Twitch thing, the Twitch hack, you know, was funded by the Jordanian government.
That's just a theory, by the way. It's allegedly, you know, my Siri lawyer is telling me
to backpedal dramatically on that.
However, Mr. King Abdullah II of Jordan,
if you wish to sponsor the show, we are open.
We are, absolutely, given we've just dropped Apple as a sponsor.
We have a slot just for you.
Yeah, exactly.
Hey, Siri, remind us to contact King Abdullah of Jordan
for host unknown sponsorship.
Before I can help with that, you'll need to turn on personal requests.
Check your iPhone for a notification or go to home settings in the home app.
Well, that's just frankly embarrassing.
Industry News.
You're listening to the Host Unknown Podcast.
Bubblegum for the brain.
And now it's time for our favourite jingle.
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And today's Tweets of the Week, plural, fall to me.
We have two.
So the first one from CyberSecStu.
Okay, today's question.
What is the one tool you can't live without in InfoSec?
This can be a vendor tool, command line tool, or literally anything.
More creative, the better.
Let's go.
And the responses are fairly standard, mostly relating to Word, PowerPoint, or Excel, it would seem.
Well, as an InfoSec professional, what tool would you use more?
Excel, to be honest with you.
As a whole, Excel because it will do pretty much anything.
Yeah, see, I spend most of my time between PowerPoint and Word.
Oh, I agree.
I completely agree.
But Excel is the one that you can do the most with. You can run a program, you know, a security program with Excel. I probably use most of my time on PowerPoint, or I would have as a CISO. But Excel is the tool you need to get the job done.
Hmm.
We do have other replies here, like Python.
Like, what the hell are we going to do with Python?
I do like this one.
My desk. Need a solid surface to bang my head against,
which I thought was really good.
Lolcat, because everything is better with constant rainbows.
I love this one.
Greenshot.
I love Greenshot.
I wish they had a Windows release newer than 2017.
What's Greenshot?
Never heard of it.
No, I do see Johnny Walker as a favourite info sector.
Johnny.
Oh, dear.
The other one here was Rogaine.
Can't relate. Okay, I had to Google this. Looking at my hairline, I'm glad I did.
And also, the other one is Google.
Well, yeah, lots of people agree with that. Do you know what? It always amazes me when people ask me for a bit of, you know, tech support, you know, friends, etc., on computers. And my computer's doing this.
It's throwing me this command.
And so I'll take that command and I'll paste it into a Google search
and hit return and then find the answer.
And I go, wow, how did you do that?
That was amazing.
I said, you just saw me Google for the answer.
SMG.
Yeah.
Subject matter Googler.
Yeah.
Oh, dear.
So that was the first one.
And the second one, we could not let this pass because we need to find out who did this.
So from the Smashing Security podcast, and we were tagged in this.
So they said, hey, at Host Unknown TV, as well as a bunch of
others who I've never heard of, you know, Bittner, Risky Business, you know, don't know them. Anyway,
they said, own up, which one of you left us this review on Apple podcasts? And the review is brilliant. It says, not funny, not informative, one star.
I've given this podcast a try multiple times over the years,
hoping to both enjoy it and get something out of it.
Unfortunately, each time has been disappointing.
There are a plethora of other cybersecurity podcasts that are more,
well, with-while.
I think they mean worthwhile.
Yeah.
And then they say, like, the Host Unknown podcast.
I'm going to hazard a guess and say this person is English
because they use the word plethora.
So we'll see what happens there.
I'm impressed to see that you actually changed your location
to the U.S. as well.
I didn't think you knew how to use a VPN.
Oh, it is, actually. Do you know what? I've only just noticed that, guy. Helps if you read the show notes, doesn't it? United States of America. But it could still be an English person over there. You never know.
And that's your date of birth as well, isn't it? Third of the Third, 67. Where's Third of the Third, 67?
In the username.
A-N-G.
So, yes.
If that was you, please let us know.
Please.
I'm not a fan of one-star reviews.
I'll just say this.
If you've got nothing nice to say, don't say it.
Well, there's that. But also, is it really one star, or is it three stars and you're just pissed off? Do you mean it's like one star, like normally when you're looking, you've got to filter out the ones and the fives and just read what the actual, yeah, what the constructive criticism is in the others.
Just like Amazon reviews.
Yeah, exactly.
So this was left by AMG6733.
Yeah, if that's you, please let us know. Please comment on our review.
Blair, can you leave one on ours?
That would be awesome.
Then we could have a matching pair.
Look, because if Smashing Security can do something,
we want to do it better
So if you could leave a zero-star review for us, that would be great.
Oh dear. Anyway, that was this week's...
And that brings us to the close of the show. Andy, thank you so much for your time this week.
No, thank you.
It's been a pleasure.
Yeah, I hope you have a wonderful weekend.
Indeed, you too.
We will see you all next time.
Thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
That went really well.
It did.
I've got a nagging feeling.
Yes. I don't know. Did we forget something?
I don't know. I really... it's like when you leave home for a long holiday. You think there's that one thing you've forgotten, but, you know, you go on a long car journey and think, yeah, God, did I pack the dog?
Yeah, exactly.
But then you remember, actually, the thing you forgot, and it was just really not important anyway.
Yeah.
So I think we'll be all right.