The Host Unknown Podcast - Episode 83 - The Super Spreader Amateur Hour

Episode Date: November 26, 2021

This Week in InfoSec (11:00)

With content liberated from the "today in infosec" Twitter account:

23rd November 2011: It was reported that Apple took over 3 years to fix the iTunes installer vulnerability which the FinFisher remote spying Trojan exploited.
Apple Took 3+ Years to Fix FinFisher Trojan Hole
https://twitter.com/todayininfosec/status/1331028461612392448

20th November 2000: eBay cancelled a listing for Kevin Mitnick's Bureau of Prisons inmate ID card due to uncertainty about his right to sell it. This was after an initial claim it was a prohibition from committing a "violent felony" and profiting from it.
eBay pulls Kevin Mitnick trinkets: Taking a firm stand against "violent felons"
https://twitter.com/todayininfosec/status/1329940298399703042

Rant of the Week (18:50)

SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using 'compromised password'

GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.

In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an "unauthorized third-party" had been roaming around part of its Managed WordPress service, which essentially stores and hosts people's websites.

GoDaddy's chief information security officer Demetrius Comes said his company "immediately began an investigation with the help of an IT forensics firm and contacted law enforcement."

Those infosec sleuths, we're told, found evidence that an intruder had been inside part of GoDaddy's website provisioning system, described by Comes as a "legacy code base," since September 6, gaining access using a "compromised password."

GoDaddy's latest rebranding is a break from its sexist past

Billy Big Balls of the Week (28:36)

Huge fines and a ban on default passwords in new UK law

The government has introduced new legislation to protect smart devices in people's homes from being hacked.

Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week.

Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines.

Industry News (34:36)

Sky Slow to Fix Bug in Routers
GoDaddy Announces Data Breach
Teen Accused of Stealing Bitcoin Worth $36.5M
Multiple Bugs Enable Eavesdropping on 37% of Android Phones
Apple Sues "State-Sponsored" Spyware Firm NSO Group
Malicious JavaScript Loader is a Multi-RAT Dispenser
YouTube Live Crypto Scams Made Nearly $9m in October
UK Introduces New Cybersecurity Legislation for IoT Devices
Ukrainian Cops Bust Mobile Device Hacking Group

Tweet of the Week (43:09)

https://twitter.com/sociosploit/status/1462440968658079763
https://twitter.com/Raspberry_Pi/status/1463803587180511233?s=20

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Have I told you about my new motorbike? Yes. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 83-ish of the Host Unknown Podcast. Welcome one and all. Jav, how are we? I can, I'm pretty sure this is midlife crisis 2.0. No, you're already... Must be on about version 9, come on.
Starting point is 00:00:39 You were on 2.0 a few years ago, even your Twitter handle testifies to that. Oh yes, oh yes. No, that's the AI 2.0. Okay, we'll call it version X then. Why? What's happened? Oh, nothing. I got a new motorbike. A Rolex and a convertible.
Starting point is 00:01:00 And a mistress. Yeah. Wow. You know, baby steps, baby steps. A short mistress. Or she's pregnant. Yeah. You guys are too much.
Starting point is 00:01:14 Yes, we are. You can't afford us at all. Yeah. I was talking to somebody about this, about the midlife crisis and how, you know, these sort of like olden, balding fat men seem to just buy, you know, sports cars and motorbikes and all that sort of thing. And how sad it is. And they're trying to recover their lost youth.
Starting point is 00:01:31 And the fact is, in many cases, you know, their kids have left home. They've paid off their mortgages. They're at their highest earning potential. They have a whole crapload of, um, disposable income. And so they go and buy the car, the bike, the house, the boat, the whatever that they've always wanted their entire lives, and they can only just now afford it. So midlife crisis, I think, is a little bit, um, uh, over-egged, in my opinion. So just to clarify, in order to get the, uh, you know, the sports car and, you know, all the stuff you want to do, um, get your kids to leave home.
Starting point is 00:02:06 Prerequisites are you need to be fat and balding. I just want to judge my journey here. Well, exactly. I mean, of a poll of three of us, I think that works. Yes, yes. You know what? There's this book that was being recommended to me, and I just read a bit of it.
Starting point is 00:02:23 It's called Die With Zero. I thought you were going to say the Bible. I've been recommended that a few times. Our savior Lord Jesus. Yeah. The premise is that you should aim to have zero in your bank account when you die, but give or take, because, you know, what's the point in leaving inheritance to your kid when you die if they're like 50 or 60 at that time, you know, given how long people live these days or whatever? The thing is, like, at that time, after 40 or 50, they don't really need your money. They need it in their 20s and 30s, probably more. Um, yeah, Mom, if you're listening, don't listen to Jav. Yeah. Tom doesn't need money. No, no, no, no, no.
Starting point is 00:03:06 Tom does. Save for your toy boy. Tom has credit cards. So is that book, is it similar to The Monk Who Sold His Ferrari? I have not read that one, and I've only been recommended this one. So based on that limited information as an advocate, I can say absolutely it is just like that book. Based on the title alone?
Starting point is 00:03:29 Yeah. Okay. All right. I see we're going as detailed as ever. No, no, no. So think of this formula, yeah? We have this useful bit of life in between childhood and retirement. Where we work and we make money
Starting point is 00:03:49 but what a lot of us forget to do is to use that money to have a fulfilling life, or to buy fulfilling experiences. Steady, Andy. But, uh, because it's very easy to get caught up in the work, money, work, money and not take time out to say, well, what am I actually working for? It's not just for the money, it's what that money can actually get me in life. We're going far too deep. Far too... Yeah, that's what she said. So how's it... Oh, anyway, how is your new motorbike, Jav, anyway? Oh, it is... I'm still running it in because it's only got, like, literally, it's only got 50 miles on the clock. But surely engines don't need running in anymore? That was not... These days... That was from a time when, you know, the gears and stuff were hand cut and stuff like that. No, apparently it still needs running in. 800 miles, I
Starting point is 00:04:44 need to take it back in and they'll tighten everything up and, um, make sure it's all lubricated and good to go. You're sure you're not... We're still talking about a bike? Yeah. You're not going to... Then I can... Once that's done, then I can properly thrash it. So we are talking about your proctologist, right? Yeah. Anyway, anyway, talking of ourselves, Andy, how are you? What's going on this week with you? I feel violated today. I've literally, before the show, like, I logged on, get abuse from Jav. We start the show, I'm getting abuse again. It's a happy Thanksgiving, everyone. Yeah, happy... Yeah, I've walked into the, uh, the Black Friday where everyone just beats the shit out of each other.
Starting point is 00:05:28 He's a bald fat man. I'm going to eat some Haribos and cry in the corner. We are recording this on Thursday, which is, um, Thanksgiving. Yeah.
Starting point is 00:05:39 So, although we will only release it once I've edited it on, on a black Friday. So why not just release it later today? Because I'm not going to get around to it. I'm busy. I've got an AGM to run tonight and stuff like that. I've got a job and stuff and things.
Starting point is 00:05:56 Really? Could afford us. No, I've got photographic evidence of me doing my job last night. Yeah, looking at slides like everyone else. Yeah, I know, I know. Talk about bad timing. Well, that's just the epitome of any of your presentations. Yeah, common feedback. So what have you been up to this week, Andy? Not too much.
Starting point is 00:06:27 I just got pinged on the, as I was telling you, I just got pinged on the COVID app saying that I've been in contact with someone who's tested positive. And I am perplexed because it said I came in contact with someone yesterday. And bar taking my dog for a walk, I have not been near anyone. Did you get it from your dog? I don't think he took a test.
Starting point is 00:06:48 He certainly didn't notify anyone. Maybe he ate one. Yeah. I had one of those the other day. Thankfully, because double shot and a booster. Had mine on Saturday. I don't have to. You don't have to isolate? Yeah. I answered the
Starting point is 00:07:06 question. You take an LFT and if it's negative, you're fine. But, uh, yeah, but I said these NFTs are unstable, right? You know, it's just a big pipe. There's no point in getting into that. I'm just not prepared to take the risk. So, yeah, and I don't want another picture of an angry duck. Yeah, or whatever it is. Yeah, that's LFT, for those of us who are wondering. Oh, dear. Well, yeah, as I said, I did a talk at Rant last night, which was really good.
Starting point is 00:07:38 It was good. Well, those of you who don't know about Rant, it's a pretty raw sort of forum and gathering of InfoSec folks, and there's lots of talking and how can I put it? Checking and challenging. Yeah, and live challenging and live feedback from the audience whilst you're delivering your letter. Constructive heckling. Constructive heckling, yeah.
Starting point is 00:08:05 And they ply everyone with alcohol. Yeah. What could possibly go wrong? But, no, it was really good. I had an absolute blast. It's kind of like Twitter, but in real life. Yeah, it is actually. It is actually.
Starting point is 00:08:16 And the whole, I don't have a question, but I do have a cormorant. Yeah. Sorry, comment. Sorry, I always confuse seagoing birds and, you know, comments from the audience. Uh, but, uh, but yeah, it was really good. It was really nice to be out and, uh, see a whole bunch of folks, some old team members and, you know, people from all around. And basically the phrase of the night was, it's been years since I've seen you. Oh yeah, of course it has. Uh, so yeah, it was great. It was really nice. Excellent. You know, it is a great event. The format I absolutely love. And it's not for the uninitiated
Starting point is 00:08:52 though. No. And I think you were there with me, Tom, one year we went there and there was a guy from, I can't read, I'm thinking IBM, but it was like one of the big companies. I think it was IBM because I think we mentioned him last night. Oh, did we? He did not make it past slide two or three or something. Yeah, that's right. And that was exactly the story that I said. Yeah, that's right. I think he started to sell, didn't he, as well?
Starting point is 00:09:17 I know that might have been a different one, but apparently there was one where a guy started to sort of just talk about his product and he just got eviscerated. Yeah. Absolutely eviscerated. Yeah, I think this one, he was setting up for the product. So he was talking about the need, the market, this, that. Oh, because so-and-so is the biggest threat vector.
Starting point is 00:09:37 And they're like, well, who says it's the biggest threat vector? Well, we have this research. Show us the research. And it was just like, went downhill. Yeah, that's right. Yeah. He looked like he was in trouble quite quickly. Yeah, quite quickly. Man overboard. Yeah, that's right. Man down, man down. He's already dead. Stop. Uh, right. Well, let's see what we've got coming up for you today. This Week in InfoSec takes us back to a
Starting point is 00:10:09 time a vendor took three years to fix a reported vulnerability. Uh, and of course we question ourselves, is this an old story or a new one? Uh, Rant of the Week is dedicated to password security 101 and how even telling Daddy to fix it just doesn't always work. Billy Big Balls is a shifting mindset for the industry, backed up with teeth and endorsed by at least two industry heavy hitters. Industry news brings us the latest and greatest security news stories from around the world, and Tweet of the Week reminisces of the times when we would happily raw dog the... Who wrote this?
Starting point is 00:10:48 Raw dog the internet and then make useless things to do useful tasks. Yes, indeed. So let's go on to our favourite part of the show, the part of the show we like to call... This Week in InfoSec. It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account. And we are in danger of rehashing stories if our man doesn't start updating that account. But our first story will take us back a whole decade to the 23rd of November 2011, when it was reported that Apple
Starting point is 00:11:40 took over three years to fix the iTunes installer vulnerability, which the FinFisher remote spying Trojan exploited. So do you remember when iTunes controlled everything and you had to have it installed on a separate device and sort of sync up with a cable? God, those were good times. So if you think that Equifax was hacked because it didn't install a patch for the Apache web server
Starting point is 00:12:04 that had been available for two months previously, um, you know, WannaCry malware that spread worldwide because of, um, you know,
Starting point is 00:12:14 a patch that had been available for a couple of months, um, to think that three years is an acceptable time for patching just seems absolutely ludicrous these days. Yeah. Um, but no, no, a big company like Apple, you know, I won't focus on that. It'll be really fascinating to understand or to sort of lift the veil behind... Ah, no, let's leave it till next week. Ah, maybe next month. Maybe next year. It's in the backlog. Yeah, exactly. I mean, was it just not seen as critical or what? I mean, maybe it wasn't. I mean, in all fairness, Mac malware was not huge, even as recently as 2011. It still wasn't huge, but nonetheless, Steve Jobs had the reality distortion field, as they would call it.
Starting point is 00:13:05 Yeah. He probably just applied it to that. And he said, it does not exist. This is not the vulnerability you're looking for. And everyone's like, yes, it's good. And ironically, he died in 2011. And then it was fixed. And then it was fixed.
Starting point is 00:13:20 Yeah. Or maybe it was in his queue. It was in his backlog that he was going to address it. And then when they migrated it after, you know, his accounts were. Someone else picked up all his Jira tickets. Yeah, exactly. There we go. Man, this SLA is screwed.
Starting point is 00:13:37 Yeah. And from the grave, you know, Stevie's saying, no, it isn't. But, yeah, no, naturally there's a, uh, link in the show notes where, um, obviously Brian Krebs was on this like white on rice and he's done a nice little write-up. Um, you know, he doesn't let anyone slide on these sort of things. So anyway, our second story is taking us back 21 years to the 20th of November 2000, when eBay cancelled a listing for one of Jav's colleagues, Mr Kevin Mitnick. They cancelled listing for his Bureau of Prisons inmate ID card due to the uncertainty about his right to sell it. Can you believe that on the eBay they actually check
Starting point is 00:14:21 whether someone's allowed to sell? Wow. But that shows how small they were back then. They had the time to do that. But this is after an initial claim that it was prohibited. It's prohibited from selling basically because he committed a violent felony. And so the online auction house, you know, just a week earlier, 21 years ago. It was an authentic Mitnick merchandise put up by his father on behalf of Kevin,
Starting point is 00:14:55 who himself was barred from using computers at the time. And of course, barred from accessing the web under the terms of his supervised release. So this laminated plastic card was apparently carried by Kevin during his stint in, uh, federal correctional Institute in California. Um, you know, it was used for ID and as a, basically a debit card for prison vending machines and, um, yeah,
Starting point is 00:15:15 exactly. Uh, so it had his, uh, name on it, his mugshot and obviously his federal prison number. And before they canceled the auction, the bid for the card was over a thousand dollars in less than 48 hours. And apparently it came with... Other items were available, but it also came with
Starting point is 00:15:34 a certificate of authenticity and an autographed Free Kevin bumper sticker, which, um, yeah, were big back then, right? They were sort of pieces of history. But eBay customer service representative claimed that the company stopped the auction under its policy, which prohibits sellers convicted of a violent felony from profiteering from their misdeeds. Didn't they look it up and realize that it wasn't violent? Well, do you know what? I don't know. It was just such a great time back then, right? So this was 2000. If you think, we're probably just getting to the stage where you could,
Starting point is 00:16:10 you know, you could still email abuse at, yes, you know, the domain name and get through to someone. You know, someone would actually respond. That would go into someone's mailbox. Uh, and likewise, I think eBay, you know, you could say, call them up and say, look, you know, this item is copyright or, you know, this is stolen, and eBay, oh, we'll get right on that. Um, but nowadays, you go for, yeah, automated systems and, like, you know, thanks for your message, you know, please follow this automated workflow. It's only if it's the front page of the papers that they actually take notice of. Yeah, exactly. So different times.
Starting point is 00:16:48 Exactly. I mean, just to put it in perspective, I think in 2000, Amazon was only selling books online. Yeah. And Google didn't buy YouTube until 2006. Do you remember the old Google videos? What? Oh, they were horrible. No. Google videos.
Starting point is 00:17:05 Yeah, it was competitor to YouTube. Did not come... What, do you remember... What was it? Google Plus? Yes. Oh, yeah, I had that. Yeah, I had a platform on there.
Starting point is 00:17:15 Yeah, yeah. Dreadful platform. It was. Awful. So bad. Google Wave, anyone? What the hell is Google Wave? That was...
Starting point is 00:17:24 What was the IM that switched to email if the person went offline? G Chat, was it? No, no, I think it was called G Stalker, wasn't it? No, it's like you could literally be talking to someone in real time. If they went offline, the client would switch to email. Oh, was this a Google product? Yeah. Oh, I don't know. It's hard to tell because they'll release something one week and then, you know, make a big deal about it, get tens and hundreds of thousands of people onto it, and then say, no, I don't like it. Fail fast, fail often. Yeah, yeah, yeah. Well, 2000, I think Andy was still using ICQ. Yeah, I was. I'm, uh, 1792009 if anyone wants to look me up. Does it still exist?
Starting point is 00:18:08 I guess it does. You need to speak Russian to use it there. And if you've got a problem, you need to phone that hotline that's underneath a whole bunch of papers and stuff on somebody's desk. That's a reference to last week's show, folks, so if you haven't listened to it,
Starting point is 00:18:24 go listen to it. Anyway, thank you, Andy, to last week's show folks so if you haven't listened to it go listen to it anyway thank you andy for uh this week's sketchy presenters weak analysis of content and consistently average delivery but they still won an award. Like and subscribe now. Yeah, so we shall now be moving on to this week's... Listen up! Rant of the Week. It's time for Mother F***ing Rage. And as millennia of tradition dictate,
Starting point is 00:19:03 I shall be taking the rant of the week. Surprise. Yes, I know. And we're going to be talking about that web hosting provider, GoDaddy. GoDaddy. One, what a really weird name in the first place anyway. But two, they've been a little bit shoddy again. So there's, you know, many, many companies will suffer from breaches and things like that, right?
Starting point is 00:19:29 But some of the, you know, and we all accept that it's going to happen. And if you're, you know, if you're on the end of a targeted and sophisticated attack, et cetera, you know, we see it as an inevitability. But many companies out there, some of the largest ones and the ones that run sort of like core infrastructure, et cetera, we kind of think they've got their shit together, to be honest with you. If we think about Amazon maybe or Microsoft, et cetera, whilst they may get hit, they tend not to drop the pool dramatically. Now, GoDaddy, they run hundreds of thousands of websites globally for many corporate customers. They've got a bit of a checkered history anyway.
Starting point is 00:20:14 They used to do some sort of pretty sexy but slightly inappropriate adverts aimed at nerds who didn't have lady life partners, let's say. And some of their other business techniques and business approaches are not really that great, but hugely popular, probably because they're fairly cheap, etc. Well, this year, it turns out that they announced to the SEC in America that on November 17th, just a few days ago, it discovered that an unauthorized third party had been roaming around part of its managed WordPress service, which essentially stores and hosts people's websites.
Starting point is 00:21:16 So it lost SSL keys, SFTP passwords, and more as a result of this. Now, the fact that even the phrasing of roaming around makes you wonder, oh, my God, how much access did this person have? Obviously, their CISO, Demetrius Comes, said his company was immediately beginning an investigation with the help of an IT forensics firm and contacted law enforcement. I'm sure that was Mandiant. But it'd be, again, very interesting to see who else that might be. So, yeah.
Starting point is 00:21:48 But to have their environment so heavily, heavily compromised is really... By a single password. By a single password, yeah, by a single account, really quite scary. They were able to view up to 1.2 million customer email addresses and customer ID numbers. The SFTP and database of usernames and passwords of active user accounts were accessible. For a subset of active customers, the SSL private key was exposed. These are core parts of ensuring the internet remains safe. Not good either because the report actually goes on and says GoDaddy is not exactly earning an A plus grade so far. Last year, it admitted to losing, not just having compromised, but losing the SSH usernames and passwords
Starting point is 00:22:45 for around 28,000 users. How do you lose them? I mean, it makes me think they were hit by ransomware. They had their backups encrypted and they refused to pay it, which may or may not have been a good strategy. But the fact that we don't know tells you something about the transparency of their internal system. So, yeah, GoDaddy can go F itself, it seems, when it comes to managing your services.
Starting point is 00:23:15 Personally, I wouldn't recommend using them. You say that. I did. Did you not hear me? No, no. You say that. It's a statement. I'm not saying you can say that.
Starting point is 00:23:25 I'm saying you say that. I think you're right. It's a big loss, obviously. And all this data that has been stolen on customers, even if it doesn't impact their systems, it makes it ripe for phishing attacks and all that kind of stuff. But I do think, like, reading the responses that they're taking, I think that, giving the devil its due, it's, um, they have taken a lot of the right steps. They contacted law enforcement, they contacted regulators, they contacted a forensic investigation, they've reset passwords that were affected, they're reissuing SSH keys. So they are going through... Obviously, you could say this is the least you'd expect anyone to do. I think it's the legal minimum,
Starting point is 00:24:10 isn't it? It's the least you expect anyone to do. Yeah, they are being transparent about it, so it does seem as if they've got an incident response plan in place and a communications plan in place, which is the sliver of a silver lining. Yes, you're right. But also, as part of that IR plan, they have to accept that people will just slag them off regardless, and that is what we're doing. We're fulfilling our obligations as part of this process and picking holes in everything they do from our armchairs. Do they take security seriously, is what I want to know. Yeah. I mean, that phrasing is very clearly missing.
Starting point is 00:24:48 Yeah. As Tom alluded to, if you've seen their adverts, you know they're a brand that doesn't care about people slagging them off. Yeah, this is true. And I think this is it. I think when you have a certain reputation in the market, let's look at Ryanair, for instance, right? If Ryanair was to suffer a ransomware attack or something, you know, or the business was attacked through not necessarily no fault of its own, but, you know, was genuinely suffered some kind of, you know, criminal malfeasance. Most people would just point and laugh
Starting point is 00:25:25 because they're not a very nice company. They're not nice people to do business with. They're constantly looking to rip their customers off. Their CEO is a bit of an arse. So I think part of it is, if you run with this kind of, um, perception of you, and if you, if you know, if you run with it and say, yeah, you know, we're the slightly edgier, you know, Virgin on assholes, you know, whatever, but we don't care, you know, we know you hate us and we don't care, you're going to get a much more negative response when you are genuinely attacked than if you are actually,
Starting point is 00:26:07 you know, good people to do business with. So I will say that for balance, they have rebranded in recent years. So the whole sort of bikini marketing. Are they called Go Father now? Well, funny enough that they want to be known as the Go,
Starting point is 00:26:24 but they realized that didn't work, so they are still Go Daddy. Go Mummy? But they actually switched to Go Mummy temporarily. What? In 2015. I do not remember that at all. Yeah, and they were actually voted or rated as one of the top workplaces for women technologists to work, alongside Apple and
Starting point is 00:26:47 Google. Um, good. That's interesting. That is very... Yes, I think the problem is that, uh, you know, this perception of them is, uh, it's going to take them a lot longer. But I believe it. Yeah, it's been the last few years that, since that previous CEO, um, Blake Irving, left. Yeah. Um, you know, that's when they dropped all the sort of bikini marketing. Um, and they've actually championed, you know, sort of mentorship programs and, you know, equal pay and all that. Um, you know, stuff that should be happening, but yeah, yeah, yeah, really gone to the forefront of it. Absolutely. And for a bit of additional balance, I think if you take pride in someone getting breached because they're not very nice people, I think the problem is with you, Tom, and not with them. It's a bit like, oh, did you hear number 37 down the road
Starting point is 00:27:38 got robbed last night? Well, I never liked Gary who lives there. I'm glad he got robbed. Yeah, well, you know what Gary's like. But I think, you know, reputation-wise, I think it does go to show that actually turning a reputation around is hard work, you know. And if it's, what is it they say, you know, it's easier to lose 10 customers than it is to gain one, or something like that. Yeah, it's very challenging. But we'll see. This is an unfolding story. And also, in the interest of balance, this is a rant, not something we want to look at in balance.
Starting point is 00:28:19 Yes. So, yes, yes. That was this week's Rant of the Week. This is the Host Unknown Podcast. The couch potato of InfoSec Broadcasting. Billy Big Balls of the Week. Yes, it is Billy Big Balls, and, uh, this is, uh, something that, it's not only a Billy Big Balls move by the UK government, it's something that two of the Billies on this, uh, podcast have had
Starting point is 00:28:57 something to do with. I think the word heavy was definitely used when, uh, referencing those heavy hitters. That's right. Yes, I only heard the heavy part. The heavy hitters. Look, I know the Christmas cardigan I wore last night at Rant had shrunk from last year, but blimey. Okay, so, um, the UK government has introduced new legislation to protect smart devices in people's homes. But I think this applies to smart devices or any IoT device that you could be using in your small business or even your large enterprise. So, you know, protecting IoT devices is a challenge.
Starting point is 00:29:38 We've just found ourselves swamped by all of these smart things over the last few years, and no one's really stopped to think, is this a good idea? Because a lot of these are severely vulnerable, you know, easy to exploit, no updates available, no patching, you know, patches don't... Or if they are available, then no one knows how to SSH to the box and update it. Not if they're on GoDaddy, because those credentials have been lost. Yes, yes, that's right. That's right. So there's all these issues.
Starting point is 00:30:15 So there was, over the last couple of years, there's been working groups between the government and industry and calling in notable experts such as Tom and myself to sit there and eat their free croissants. We took that free dinner. Yes, we did. Yeah, exactly, exactly. What's that sound in the background? That's Alexa sort of telling Tom to stop talking shite.
Starting point is 00:30:44 Apparently so. Well, it's Siri, but yeah. Master Tom, you told me to warn you when you are talking shite. Do you want to start that little bit again, Javan? I'll keep quiet and you carry on. What was I saying? I have no idea. Yeah, neither do I.
Starting point is 00:30:58 Anyway, so there are lots of these devices, and they're poorly secured. We saw with Mirai, the botnet that launched those devastatingly large DDoS attacks. And literally it had about 15 hard-coded passwords that it would try for all these CCTV cameras out there and what have you. And just in that, they recruited so many devices. So there's a few proposals that have been put out in this legislation, and, uh, one of the main ones is that, um, you know, easy-to-guess default passwords pre-loaded on devices are banned. So all products now need new unique passwords that can't be reset to factory
Starting point is 00:31:40 default. And I think this on its own is such a big, uh, big... I mean, it's a small thing, but it could have big, massive impact. It's gonna, yeah, it's gonna fix 90-plus percent of the problem. Yeah, exactly, exactly. Um, there are two other things that have been introduced in this. The second point is that customers, uh, must be told when they buy the device the minimum time it will receive vital security updates and patches. And if it doesn't get them or they can't, then that also must be told up front. Of course, I think this is one of those ones where a bit more customer education is needed. Because, you know, if you go to buy one of those, say, a camera that's connected to the internet and the vendor says, well, we don't provide updates and patches. Most people will say, I have no idea what that means, but it's...
Starting point is 00:32:31 But it's only 20 quid. Yeah, exactly. Exactly. And the third and final one is that security researchers will be given a public point of contact to point out flaws and bugs. So basically a vulnerability disclosure program. Like a bounty thing without the bounty. Yeah, I mean, they could have the bounty in there. I think that there's no thing, but there just needs to be a way
Starting point is 00:32:54 because that's been a big frustration of researchers. They just don't know who to report it to, or they report it and it goes ignored, or worse still, they report it and then they get threatened with legal action. More to the point. Yeah, exactly, yeah. So I think this is a really bold move, but it's an essential move. I think, at the rate at which technology changes, it's so difficult to keep up to date with stuff or whatever. So I think, from that scheme of things, these are very sensible fundamental steps, to just make sure at least the casual attacker can't willy-nilly just run a scan and try the default admin NIMDA password and try to get in. So, yeah, I think it's a fantastic move.
Starting point is 00:33:38 I hope we... hopefully this will put enough of an onus on the manufacturers to just think about security in a while. And maybe just as a result of this, there'll be a bit of a knock-on effect. We'll say, OK, what are the things we could potentially improve? Not that I'm holding my breath about that, but, you know, it should be a good thing. So, yeah, well done, UK Gov, on passing this legislation. Never thought I'd ever congratulate any government on passing legislation of any form, certainly not this one. No, but that's what your third midlife crisis does to you. Yeah, yeah, that's right, that's right. Well done, the DMCS. DCMS. Oh yeah, DCMS, the Department of Culture, Media...
Starting point is 00:34:21 Yes, that's right. Well done then. Billy Big Balls of the Week. This is the Host Unknown Podcast. Home of Billy Big Ball Energy. Sure is. Andy, what time do you think it is right now? Let me just check. It's... oh wow, it's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry news. Sky slow to fix bug in routers. Industry news.
Starting point is 00:35:06 GoDaddy announces data breach. Industry news. Teen accused of stealing Bitcoin worth $36.5 million. Industry news. Multiple bugs enable eavesdropping on 37% of Android phones. Industry news. Apple sues state-sponsored spyware firm NSO Group. Industry news.
Starting point is 00:35:31 Malicious JavaScript loader is a multi-RAT dispenser. Industry news. YouTube live crypto scams made nearly $9 million in October. Industry news. UK introduces new cybersecurity legislation for IoT devices. Industry news. Ukrainian cops bust mobile device hacking group.
Starting point is 00:35:54 Industry news. And that was this week's... Industry news. I'm surprised it's only 37% of Android phones. Well, I am the 63%. What, you own all of those other phones? I'm one of the 63%. Yeah, that's quite shocking.
Starting point is 00:36:21 That is a shocking number. That's like, well, that's two out of five phones, roughly. Yeah, but if you consider the markets where Android phones are dominant, you know, maybe not necessarily. You know, the sort of low-cost phones where people aren't necessarily using them for internet browsing and stuff, so they're not going to be updating them regularly and they're happy with older models. That's true.
Starting point is 00:36:43 Yeah, very true. And some of them you can't even update anyway. They're just stuck on Jelly Bean or whatever version it is. Yeah. Was it KitKat? Yeah, yeah. I mean, how do you do a partnership so old it's called Marathon? Yeah, that's right. But, um, you know, it reminds me that there's a tweet by Huawei the other day, and it said, like, Black Friday deals: 100% off all our phones sold in the US. Oh, well played, Huawei. Well played. Oh, dear. And I'm intrigued just to see or understand what a multi-RAT dispenser is,
Starting point is 00:37:25 because that sounds slightly horrific. This made me laugh a bit because for years, Word or AutoCorrect used to change my name to Java Malice. Java Malice. Yeah, yeah. Okay, so what is a multi-RAT dispenser? I have no idea. It's something.
Starting point is 00:37:53 It's a JavaScript loader that's distributing eight remote access Trojans at a time. Okay. That's kind of like taking an Uzi. Rather than using a sniper's rifle, it's like using an Uzi. You just aim it in the general direction. This is what they call the Gillette version model of thing. Add another blade to it and it'll be a better razor. Oh, dear.
Starting point is 00:38:21 Yeah. What I found interesting was the teen accused of stealing Bitcoin worth 36.5 million. Yeah. And what was interesting about it was they used a SIM swap attack to gain access. So SIM swapping is where you take the... you get the SIM number, the phone number, of the victim onto your own, you claim it basically, so that when you log on to their account, the text, the 2FA comes to them. The 2FA, well, yeah, the two-step, sorry, get it right.
Starting point is 00:38:57 So, yeah, it gets through to your phone. And I think this is really, really interesting, because I think this is something we've seen in the past, but I think we're only going to see more of this. As more and more companies roll out some form of multi-factor or two-step authentication, we're going to see more and more attacks against these kinds. So I think it's a worrying trend, but I think the use of SMS is probably the cheapest implementation of this two-step or MFA approach, right?
Starting point is 00:39:30 It is. And obviously it's the cheapest for a reason, and it means it's probably the most vulnerable, but also has the most people using it. And I think there's got to be a market there. Well, I'm sure there is a market there, but for companies to fill that gap and sort of show, actually, you don't have to spend a fortune to have a far more secure, you know, 2SA or MFA approach to this. Yeah. Although I do think, like, I don't know, you say it's the cheapest and easiest, and it might be,
Starting point is 00:40:06 but then you've got all these... Microsoft and Google have their authenticator apps. Yeah, yeah. I think they should be just as easy and cheaper to... but then you've got to ask, why are they still doing it through text? I mean, some of them are also through email as well. Yeah, yeah. I guess that's the even cheaper one. You know, it is. I think sometimes it's just about user experience. I think, as technologists, we sometimes forget that not everyone is familiar with downloading an authenticator app. Yeah. But they're more familiar with receiving a text message, so it could be just... yeah. And the other problem is, when you upgrade your phone, it doesn't automatically... you've got to reset up all your accounts again,
Starting point is 00:40:47 which is a real hassle. Use Authy, A-U-T-H-Y. Now, I don't know, I'm not going to get into the, well, if it saves it, then they can be cracked, et cetera, but you can transfer it from device to device. So you don't have to reset them up. I know. In fact, I only use the Microsoft one, and I think the other one I use is a Symantec one, just for an E-Trade account. But I only don't use Authy when I cannot use anything else. Right, okay. So, um, just, uh, you know, the way this works,
Starting point is 00:41:22 the first time I got an iPhone, it was micro SIM, I think it was, at the time. So I went into the shop in Clapham, like a Carphone Warehouse in Clapham, said, I need a micro SIM for my SIM. And they said, what's your number? What's your address? And then they just gave me a new SIM there and then. They said, you know, it'll be active in, like, 20 minutes. There was literally no ID taken. Wow. Nothing. And, yeah, what they... You can actually just cut a SIM card to become a micro one. Nano SIM. Yeah, yeah. I didn't want to do that. I know back then you could get those things to do it. Yeah. I actually just wanted one. Yeah. Didn't trust yourself with sharp objects? No, no, I'm not, I'm not
Starting point is 00:42:11 a DIY kind of person. It's, uh... Really? Yeah, I only feel satisfied when I pay someone to do it for me. Exactly. Yeah. Where else does that extend in your life? Yeah. Anyway, excellent. That was a good one. There are plenty of stories in there. Plenty of stories. And all of them huge if true. Huge if true.
Starting point is 00:42:42 We are officially the most entertaining content amongst our peers. In your face. You don't have to talk over the jingle, you know. No, sorry. It was an inside thought that came out. I just thought of Graham and I thought, in your face. Never a show goes by without mentioning Smashing Security. Carole and Graham, I apologise for Jav.
Starting point is 00:43:04 No, not Carole, just Graham. Anyway, it's time for... Tweet of the Week. And we always play that one twice. Tweet of the Week. So I'm going to take this one, and then I'm going to hand over to my learned colleague, Jav. Although I see he's deleted the first one he had, and he's now got a second one, so I'll let him take that one.
Starting point is 00:43:24 So this tweet is one which made me chuckle. It's from Hutch, and it says, Ah, the good old days when you could measure someone's propensity for clicking on sketchy shit by the number of toolbars in their browser. And then they have a screenshot, and it has everything in it: the Dogpile toolbar, the Ask toolbar, Yahoo toolbar, AltaVista toolbar, AOL, everything. Google, Fox News. In this instance, there... it's just, I mean, it's so nostalgic when you look at this. It could genuinely be a Today in InfoSec all on its own, just in a visual. But remember, it wasn't even that long ago when, I'm sure, some software like Adobe used to come with some sort of bundled toolbar,
Starting point is 00:44:17 everything that you had to unclick. You know, yeah, it was absolutely shocking how we used to do this crap back then. And obviously it would slow down your machine, and it's like, what are we looking for? Yeah. Yeah. When your parents come to you and say, oh, my browser's not working.
Starting point is 00:44:34 And literally they've got like five or six lines of toolbars. It's like, oh my God. You've lost half your screen real estate. Yeah. Just to all of it. Oh, it's crazy.
Starting point is 00:44:43 I mean, this is back in the days when, you know, LimeWire was a good idea, right? You know, this is where we're saying, yeah, let's just open my machine to the world and see if I get any good stuff. And quite often you didn't. Yeah, well, sometimes you did. I mean, like, you know, what, like what? I can neither confirm nor deny, but I heard from others that you could sometimes get good, like, song albums and stuff like that. Well, the annoying thing about that was it was, you know,
Starting point is 00:45:15 the songs just weren't what they were labelled as. You know what I mean? Yeah, yeah. You think you're getting, like, the Avril Lavigne CD or something, and it would end up being some old version of, I don't know, Beach Boys, really bad analog rip that,
Starting point is 00:45:29 you know, had been circled. It would already be. It's almost like it was clickbait. Like they were trying to get you to download it. Yes. So that you wouldn't know what else was coming down with it. Yeah.
Starting point is 00:45:41 And the album covers were like, you know, album art.exe. It was, yeah. Yes, yes. Nice one, nice one. So there's another Tweet of the Week, because, you know, we play the jingle twice, why not have tweets twice? Why not? And this one is a tweet by Raspberry Pi, and it stated: a master class in over-engineering. And there's a GIF, and I encourage you to go to the link, because, as always, I choose the best things to explain over the media... yeah, over an audio medium. It's a broken clock. It doesn't work at all. So someone made a little robotic arm that goes
Starting point is 00:46:27 in and moves the needle forward a minute every minute. So this robot arm keeps a broken clock going. And I think that is so representative of so much of what goes on in security. It's scary. We could do a whole episode just on that. It's probably how half the internet actually still continues to work. Yeah, yeah, definitely. Some kid, some basement somewhere, yeah, made something, just for giggles. Yeah, we'll come back to it and fix it. And so we generally did... A previous company, we had a proof of concept, you know, and it was, like, built, and it's, like, you know, real sort of shaky infrastructure, really cheap parts. It's like, look, we're not going to invest in it now, but if it's successful, you know, we will come back to
Starting point is 00:47:16 it. Yeah. It's like, five years later, never went back to it. It became a core part of, like, this product offering. You couldn't even take it down for maintenance because it was so critical to the service. You know, it happened so much. And there's this company that I can't name at all. But it took data from one system and it did a conversion so that it met the right format and passed it on to another system. And so you're checking what this component
Starting point is 00:47:46 was, and literally a developer who no longer worked there had made it on their developer desktop. And so you go into the dev floor, and it was underneath their desk. It was, like, one of those massive beefed-up towers. There was a big sticker on it saying, do not power off. Oh, my God. I think we used to have a name for those kind of computers. They were called SUDs, so systems under desks. I thought it was funny. Yeah, yeah, whatever.
Starting point is 00:48:21 I thought it was funny. Anyway, thank you. We'll be there. Thank you very much, both of you. Tweet of the Week. And that brings us swinging wildly round into the end of the show. Gentlemen, thank you both so much for your time. Jav, thank you. I do hope you're going to remain under the speed limit this weekend on your bicycle. Always, always. I would never imagine, like, going speeding or anything. It's just a...
Starting point is 00:48:49 Not until you've run it in, anyway. And, Andy, I do hope you've got plenty of dog walking and quarantining lined up for the weekend. So I would just say, stay secure, my friend. Stay secure. You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity. Nobody's gonna know. Nobody's gonna know. They're gonna know. How would they know?
Starting point is 00:49:26 How would they know? This is Mikko. I'm an InfoSec rock star. And I listen to the Host Unknown podcast every time I go to a sauna. And I go to a sauna a lot.
Starting point is 00:49:47 Well, they can find me on Twitter as Mikko, that's M-I-K-K-O or on my website, which is
