The Host Unknown Podcast

This Week in InfoSec (06:23)With content liberated from the “Today in InfoSec” twitter account and further afield19th January 1999: The Happy99 worm first appeared. It invisibly attached itself to emails, displayed fireworks to hide the changes being made, and wished the user a happy New Year. It was the first of a wave of malware that struck Microsoft Windows computers over the next several years, costing businesses and individuals untold amounts of money to resolve. 19th January 1999: RIM introduces the BlackBerry. The original BlackBerry devices were not phones, but instead were the first mobile devices that could do real-time e-mail. They looked like big pagers.  It is alleged the name “BlackBerry” came from the similarity that the buttons on the original device had to the surface of a blackberry fruit.London riots: how BlackBerry Messenger played a key role Rant of the Week (18:01)Singapore gives banks two-week deadline to fix SMS securityA widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry.Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling off period, customers must be notified of any request to change their contact details, and fund transfer threshold will by default be set to SG$100 ($74) or lower.MAS has also offered a vague directive requiring banks to issue more scam education alerts, and to do so more often. Billy Big Balls of the Week  (25:49)Train Robberies Are BackFreight trains loaded with valuable merchandise sitting on apparently unguarded tracks make for awfully inviting targets.For months, Union Pacific freight trains have been getting systematically robbed in the Los Angeles area, according to local news reports, as thieves target valuable merchandise and online orders from retailers like Amazon sitting on delayed trains.Superyacht Security: The 10 Best Ways To Protect From Pirates And Paparazzi Industry News (33:12)European Regulators Hand Out €1.1bn in GDPR FinesNCA: Kids as Young as Nine Have Launched DDoS AttacksGovernment to Regulate Crypto Advertising in New Crack DownMan Charged with Smuggling Tech Exports to IranResearchers Hack Olympic Games AppRed Cross: Supply Chain Data Breach Hit 500K PeopleEleven Arrested in Bust of Prolific Nigerian BEC GangTwitter Mentions More Effective Than CVSS at Reducing ExploitabilityBiden Signs Memo to Boost National Cybersecurity Tweet of the Week (42:00)https://twitter.com/blkcybersources/status/1483826713561862159?s=21https://twitter.com/BLKCybersources/status/1483826713561862159/photo/1 Come on! Like and bloody well subscribe!

This week in Infosec (06:30)With content liberated from the “today in infosec” twitter account12th January 1981: Time Magazine published "Superzapping in Computer Land". Its primary focus was four 13-year-olds from New York City who broke into 2 computer networks and destroyed 1 million bits of data. Yes, a whopping 0.125 MB. Have a read of the article.Superzapping in Computer Land - The ride of the "Dalton Gang"https://twitter.com/todayininfosec/status/148135276347683225613th January 1989: The “Friday the 13th” virus strikes hundreds of IBM computers in Britain. This is one of the most famous early examples of a computer virus making headlines.THE EXECUTIVE COMPUTER; Friday the 13th: A Virus Is Lurking Rant of the Week (13:43)Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of appsUsers of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking.Some surmised if the NPM libraries had been compromised, but it turns out there's much more to the story.The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.'  Billy Big Balls of the Week (23:18)Info-saturated techie builds bug alert service that phones you to warn of new vulnsAn infosec pro fed up of having to follow tedious Twitter accounts to stay on top of cybersecurity developments has set up a website that phones you if there's a new vuln you really need to know about. Industry News (30:37)FlexBooker Reveals Major Customer Data BreachForensics Expert Kept Murder Snaps on PCRomance Scammers Stole £92m From Victims Last YearEuropean Union to Launch Supply Chain Attack SimulationEuropol Ordered to Delete Vast Trove of Personal InformationTeen Makes Tesla Hacking ClaimTwo Years for Man Who Used RATs to Spy on Women and ChildrenFCC Proposes Stricter Data Breach Reporting RequirementsNew "Undetected" Backdoor Runs Across Three OS Platforms Tweet of the Week (38:32)https://twitter.com/dominotree/status/1481646565869584385?s=21 Come on! Like and bloody well subscribe!

This Week in InfoSec (6:20)With content liberated from the “today in infosec” twitter account1st January 1997: The Cult of the Dead Cow admitted it was responsible for the Good Times virus hoax of 1994.Good times virushttps://twitter.com/todayininfosec/status/1212558619205607426[Covered this story last month so will axe it]2nd January 1975: Gates and Allen Name "Micro-Soft".  Microsoft founders Bill Gates and Paul Allen write a letter to MITS, the Albuquerque, New Mexico, company that manufactured the Altair computer, offering a version of BASIC for MITS's "Altair 8800" computer. The contract for BASIC reflected the first time Gates and Allen referred to themselves as the company Microsoft, spelled in the document as "Micro-Soft."Gates and Allen name Micro-SoftMicrosoft v. MikeRoweSoft3rd January 1977: Apple Computer, Inc. is IncorporatedApple Computer, Inc. is incorporated by Steven Jobs and Stephen Wozniak. Its IPO, which took place three years later, was the largest one since the Ford Motor Company went public in 1956. The stock rose almost 32% that day giving the company a market valuation of $1.778 billion. Seven years later, on January 24, 1984, the company revealed the Macintosh personal computer in a publicity campaign that compared IBM with Big Brother and Apple as the savior of the masses.Apple becomes first company to hit $3 trillion market value, then slips Rant of the Week (17:22)Remember Norton 360's bundled cryptominer? Irritated folk realise Ethereum crafter is tricky to deleteBack in June, NortonLifeLock, owner of the unloved PC antivirus product, declared it was offering Ethereum mining as part of its antivirus suite. NortonLifeLock's pitch, was that people dabbling in cryptocurrency mining probably weren't paying attention to security – so what better way than to take up a cryptocurrency miner than installing one from a trusted consumer security brand?In return for you installing their cryptominer on your home PC, NortonLifeLock skims off a mere 15 per cent of whatever digital currency you generate. https://twitter.com/jwz/status/1478022085737803776?s=20 Billy Big Balls (25:18)A set of balls to bring us back Former CEO of Theranos Elizabeth Holmes convicted on 4 countsUS clothing supplier Pro Wrestling Tees hit by data breachA quick story that is near and dear to mine and Andy’s heart - which Thom will have absolutely no idea about. But Pro wrestling Tee’s - which sells t-shirts designed by professional wrestlers, has discovered that some customers’ credit card numbers have been compromised in a data breach. a small portion of our customers’ credit card numbers had been compromised,” reads a breach notification letter signed by Pro Wrestling Tees owner Ryan Barkan“We immediately conducted a thorough investigation of our system and concluded that a malicious virus was the source of the breach.”A cybersecurity firm has since helped to remove the malware.Barkan added that they had found “no evidence that current individual personal information has been compromised”, or evidence “of any current misuse of your information” – despite admitting that the payment details were accessed.You may be thinking that this isn’t a big deal. But what kind of Jabroni thinks it’s a good idea to attack a wrestling store. It’s almost like they’re looking for a smack down. I get it, they may have thought - oooh what a rush, but whatcha gonna do? Whatcha gonna do when the feds come looking for you brother? Criminals can rest in peace - and that’s the bottom line, cos the host unknown podcast said so. [That was this weeks BILLY BIG BALLS] Jav: Industry News (39:53)Microsoft Fixes New Year's Day Exchange Server BugUK Defence Academy Attack Forced IT RebuildInvestigation Launched into App “Selling” WomenFTC: Patch Log4j Now or Risk Major FinesUK's Information Commissioner Starts New Role Amid Major ChangesMorgan Stanley Agrees to Data Breach SettlementCredential Stuffers Compromised 1.1 Million AccountsCrypto Firm Pulls the Rug from Under Investors with $10m ScamMan Pleads Guilty to $50m Investment Fraud Scheme Tweet of the Week (43:15)https://twitter.com/avrovulcanxh607/status/1445102818348699746Ceefax replica goes TITSUP* as folk pine for simpler timesBut creator runs server from home – we can forgive himA young man who would have been around 10 when the plug was pulled on Ceefax has recreated the BBC's teletext information service online, replete with a digital remote control to punch in the number of your choice.NMS Ceefax The joke that Jav didn't understand: Come on! Like and bloody well subscribe!

This Week in InfoSecWith content liberated from the “today in infosec” twitter account16th December 1988: 25-year-old computer hacker Kevin Mitnick was charged for crimes including theft of software from DEC (Digital Equipment Corporation), including VMS source code and allegedly causing $4 million in damages to DEC.Ex-Computer Whiz Kid Held on New Fraud Countshttps://twitter.com/todayininfosec/status/147163999100882534415th December 1994: Netscape Communications Corporation releases Netscape Navigator 1.0, the world’s first commercially developed web browser, although this particular version was free for non-commercial use.15th December 1995: Developed by researchers at Digital Equipment Research Laboratories, the AltaVista search engine is launched. It was the first worldwide    web search service to gain significant popularity. One of the most popular search engines in the early world wide web, Google didn’t overtake AltaVista until 2001. AltaVista was eventually purchased by Yahoo! in 2003. Rant of the Week (15:49)Thom starts but quickly hands the baton Jav who takes a clear lead on this weeks rant... about Andy. This is Andy's response:Songs that build up tension and stumble forward: Songs that skip a beat Billy Big Balls of the Week (21:34)National Lottery scratch card fraud: Men jailed over £4m jackpot claimI talk about the time Thom went solo with (TL)2 ventures and highlights how going solo is a brave move for someone in a cushy CISO job.  Industry News (28:23)Hackers Target India’s Prime Minister“Worst-Case Scenario” Log4j Exploits Travel the GlobeChristmas Payroll Fears After Ransomware Hits Software ProviderGrindr Fined €6.5m for Selling User Data Without Explicit ConsentLog4j Looms Large Over Patch TuesdayFrance Orders Clearview AI to Delete DataRegulator: Venues Must Protect User Privacy During #COVID19 ChecksAll Change at the Top as New Ransomware Groups EmergeUS and Australia Enter CLOUD Act Agreement Tweet of the Week ( 38:09)https://twitter.com/GeekChickUK/status/541242616407687168?s=20 Come on! Like and bloody well subscribe!

Andy’s mattressThis Week in InfoSec (11:46)With content liberated from the “today in infosec” Twitter account 7th December 1999: The Recording Industry Association of America sues the peer-to-peer file sharing service Napster alleging copyright infringement for allowing users to download copyrighted music for free. The RIAA would eventually win injunctions against Napster forcing the service to suspend operations and eventually file bankruptcy. In the end the RIAA and its members would settle with Napster’s financial backers for hundreds of millions of dollars.How The Founder of Napster Trolled Metallica at the VMAsShawn Fanning at the MTV Video Music Awards in 2000 December 2009, when Yahoo! Doesn't Want You To Know Its Spying Price List; Issues DMCA TakedownCompliance Guide for Law Enforcement Rant of the Week (22:37)The vice president should not be using Bluetooth headphonesThis week, Politico opened its newsletter with an article on Vice President Kamala Harris’ aversion to using Bluetooth headphones. The VP was “Bluetooth-phobic,” the story claimed, “wary” of her AirPods and cautious with her technology use to an extent former aides described as “a bit paranoid.” Proof could be seen in her televised appearances: wires dangling from her ears in an interview with MSNBC’s Joy Reid or clutched in her hand during the famous “We did it, Joe” call.But for a high-profile public official, this is a lot more reasonable than you might think. As security researchers were quick to point out, Bluetooth has a number of well-documented vulnerabilities that could be exploited if a bad actor wanted to hack, say, the second most powerful person in the US government. Billy Big Balls of the WeekFeds charge two men with claiming ownership of others' songs to steal YouTube royalty paymentsAlleged scheme said to have netted $20m since 2017"Batista and Teran perpetrated their fraud by falsely representing to Y.T. [YouTube] and to A.R., an intermediate company responsible for enforcing their music library, that they were the owners of a wide swath of music and that they were entitled to collect any resulting royalty payments."The government claims that around April, 2017, two men, through their company MediaMuv, LLC, entered into a contract with A.R., which administers and distributes YouTube royalty payments, claiming to control a 50,000 song catalog of music.They subsequently sent the corresponding song files to A.R., which in turn uploaded the files to YouTube, the indictment claims. The court filing cites as an example the song "Viernes Sin Tu Amor," which A.R. is said to have uploaded to YouTube in 2017 and has earned around $24,000 in royalty payments since then.This was allegedly done for numerous songs, with A.R. eventually, at the direction of the MediaMuv, writing to YouTube "to bulk clear potential copyright conflicts from MediaMuv's entire music catalog." Industry News (36:28) Nine State Department Phones Hijacked by SpywareCyber-attack Closes UK Convenience StoresFrench Transport Giant Exposes 57,000 Employees and Source CodeHotel Guests Locked Out of Rooms After Ransomware AttackPassports Now Most Attacked Form of IDAWS Outage Hits Eastern USIT Execs Half as Likely to Face the Axe After BreachesMost Phishing Pages are Short-livedHalf of Websites Still Using Legacy Crypto Keys Tweet of the Week (44:08)https://twitter.com/TJ_Null/status/1469006847449440262https://twitter.com/johnjhacking/status/1468860997272174594 Come on! Like and bloody well subscribe!

This Week in InfoSec (06:57)With content liberated from the “today in infosec” twitter account4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed.  https://twitter.com/todayininfosec/status/13350202387657441291st December 1996: America Online launches a new subscription plan offering their subscribers unlimited dial-up Internet access for $19.95/month. Previously, AOL charged $9.95/month for 5 hours of usage. The new plan brought in over one million new customers to AOL within weeks and daily usage doubled among subscribers (to a whole 32 minutes per day!). AOL goes unlimited Billy Big Balls of the Week (16:06)https://www.bleepingcomputer.com/news/security/former-ubiquiti-dev-charged-for-trying-to-extort-his-employer/ Industry News (21:15)Clearview AI to be Fined $22.6m for Breaching UK Data Protection LawsCyber Essentials Set for Major Update in 2022Texas School District to Scan Children's DevicesMI6 Boss: Digital Attack Surface Growing "Exponentially"Organizations Now Have 76 Security Tools to ManageTwitter to Remove Private MediaRussian Bulletproof Hosting Kingpin Gets Five YearsPolice Arrest 1800 in Major Money Laundering CrackdownPhishing Scam Targets Military Families Tweets of the Week (29:50)https://twitter.com/j_opdenakker/status/1466380453036838913https://twitter.com/bettersafetynet/status/1466460853105053699  Come on! Like and bloody well subscribe!

This Week in InfoSec (11:00)With content liberated from the “today in infosec” Twitter account23rd November 2011: It was reported that Apple took over 3 years to fix the iTunes installer vulnerability which the FinFisher remote spying Trojan exploited.Apple Took 3+ Years to Fix FinFisher Trojan Holehttps://twitter.com/todayininfosec/status/133102846161239244820th November 2000: eBay cancelled a listing for Kevin Mitnick's Bureau of Prisons inmate ID card due to uncertainty about his right to sell it. This was after an initial claim it was a prohibition from committing a "violent felony" and profiting from it.eBay pulls Kevin Mitnick trinkets: Taking a firm stand against "violent felons"https://twitter.com/todayininfosec/status/1329940298399703042 Rant of the Week (18:50)SSL keys, sFTP passwords and more exposed after someone broke into GoDaddy Managed WordPress using 'compromised password'GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an "unauthorized third-party" had been roaming around part of its Managed WordPress service, which essentially stores and hosts people's websites.GoDaddy’s chief information security officer Demetrius Comes said his company "immediately began an investigation with the help of an IT forensics firm and contacted law enforcement."Those infosec sleuths, we're told, found evidence that an intruder had been inside part of GoDaddy's website provisioning system, described by Comes as a "legacy code base," since September 6, gaining access using a "compromised password."GoDaddy’s latest rebranding is a break from its sexist past Billy Big Balls of the Week (28:36)Huge fines and a ban on default passwords in new UK lawThe government has introduced new legislation to protect smart devices in people's homes from being hacked.Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week.Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines. Industry News (34:36)Sky Slow to Fix Bug in RoutersGoDaddy Announces Data BreachTeen Accused of Stealing Bitcoin Worth $36.5MMultiple Bugs Enable Eavesdropping on 37% of Android PhonesApple Sues “State-Sponsored” Spyware Firm NSO GroupMalicious JavaScript Loader is a Multi-RAT DispenserYouTube Live Crypto Scams Made Nearly $9m in OctoberUK Introduces New Cybersecurity Legislation for IoT DevicesUkrainian Cops Bust Mobile Device Hacking Group Tweet of the Week (43:09)https://twitter.com/sociosploit/status/1462440968658079763https://twitter.com/Raspberry_Pi/status/1463803587180511233?s=20 Come on! Like and bloody well subscribe!

IRISSCON - https://www.iriss.ie/ This week in Infosec (12:19)With content liberated from the “today in infosec” twitter account15th November 1994: The earliest known example of the Good Times email hoax virus was posted to the TECH-LAW mailing list. Variants of the hoax spread for several years. In 1997, Cult of the Dead Cow (cDc) claimed responsibility for initiating the hoax. Good Times Virus Hoaxhttps://twitter.com/todayininfosec/status/119535364385739162312th November 2012: John McAfee went into hiding because his neighbor Gregory Faull was found dead from a gunshot the day before. Belize police wanted McAfee to come in for questioning, but McAfee stated the police were “out to get him”. John McAfee hiding from police after businessman's murder in Belizehttps://twitter.com/todayininfosec/status/1326993312247656451 The Box © Charlie Langford Rant of the Week (18:52)Amazon tells folks it will stop accepting UK Visa credit cards via weird empty emailHow will you be able to buy things you can't afford now?Amazon has confirmed it will no longer accept payment via Visa credit cards issued in the United Kingdom after several Reg readers wrote in complaining of a cryptic message they'd been sent this morning.The online sales giant has indicated the move was "due to the high fees Visa charges for processing credit card transactions." Billy Big Balls of the Week (26:22)New Memento ransomware switches to WinRar after failing at encryption(The embodiment of: Improvise, adapt, overcome)A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software. Industry News (33:15)FBI Fixes Misconfigured Server After Hoax Email AlertCryptojackers Disable Alibaba Cloud Security AgentChina Telecom Appeals Against US BanEmotet is Rebuilding its BotnetGhostwriter Disinformation Operation Linked to BelarusUS to Sell $56m in Seized Crypto-CurrencyThreat Actors Discuss Leasing Zero-Day ExploitsChina's APT41 Manages Library of Breached CertificatesRussian Cybercrime Forums Open Doors to Chinese-Speakers Tweet of the Week (39:15)https://twitter.com/benawad/status/1460738174783791105 Come on! Like and bloody well subscribe!

This Week in InfoSec (09:55)With content liberated from the “today in infosec” twitter account10th November 1983: At a security seminar, Len Adleman used "virus" in connection with self-replicating computer programs. Afterwards, use of the term took off. But it wasn't the first use of "virus" in this way - the 1973 movie "Westworld" used it to describe malfunctions spreading in robots.https://twitter.com/todayininfosec/status/1193706921733189632 Rant of the Week (14:24)EU pharmaceutical giants run old, vulnerable apps and fail to use encryption in login formsAccording to the report, Outpost24's "2021 Web Application Security for Healthcare," EU pharmaceutical businesses often run large numbers of web applications and 3.3% of those scanned by the firm are deemed "suspicious," including open test environments that should have been closed. In addition, 18% of organizations analyzed are using outdated, unpatched web components that contain known vulnerabilities. US healthcare organizations have roughly the same amount of suspicious apps in operation but tend to run far fewer apps on the whole -- however, 23.74% of them are outdated.Over 200 EU pharmaceutical application forms noted in the report are operating without encryption, which puts users at risk of both the interception and theft of their information online. Outpost24 said that basic SSL failures, privacy policy misconfigurations, and cookie settings also feature as common security and compliance problems. The damage a cyberattack can cause a healthcare or pharmaceutical company can be severe. The COVID-19 pandemic put a target on the back of many of these organizations, with an Oxford University lab with COVID-19 research links and the UK Research and Innovation organization being only two examples of recent victims of incidents leading to data theft and disruption.  Billy Big Balls of the Week (21:18)Hack leaves fertility clinic medical data at riskThe Lister Fertility Clinic said the firm, which it used for scanning medical records, had been "hacked" by a"cyber-gang", in a letter sent to about 1,700 patients. Industry News  (27:32)Ukraine Unmasks Armageddon Group as FSB OfficersFacial Recognition Firm Could Be Ordered to "Close" in UK, Warn ExpertsOne in Three Workers Monitored by Their EmployersRobinhood Data Breach Hits Seven Million CustomersUS to Charge Suspects Over Kaseya Ransomware AttackClass Action Against Google BlockedAnglers Redirected to PornhubScam PACs Allegedly Stole $3.5m from Trump VotersResearchers Uncover Prolific Hacker-for-Hire Group Tweet of the Week (35:44)https://twitter.com/bcmerchant/status/1457849195738451975https://twitter.com/sherrod_im/status/1458460638561382401 Come on! Like and bloody well subscribe!

This week in infosecWith content liberated from the “today in infosec” twitter accountHonourable mention for the Morris Worm3rd November 2000: A Dutch hacker gained access to Microsoft's network by exploiting a vulnerability Microsoft issued a patch for 10 weeks earlier. The Patch MS Forgot to Applyhttps://twitter.com/todayininfosec/status/132380788942589542425th October 2013: Adobe revealed that a breach of 2.9 million customer accounts made public 3 weeks earlier actually affected 38 million users.Adobe breach THIRTEEN times worse than thought, 38 million users affectedhttps://twitter.com/todayininfosec/status/1323807889425895424  Rant of the weekCisco fixes hard-coded credentials and default SSH key issuesBilly big balls These Parents Built a School App. Then the City Called the CopsStockholm’s official app was a disaster. So annoyed parents built their own open source version—ignoring warnings that it might be illegal.[INDUSTRY NEWS]Cops Receive Stalkerware TrainingConti Group Leak Celebs' Data After Ransom Attack on JewellerVenmo to Reimburse Hacking VictimsBlackMatter Group Speeds Up Data Theft with New Tool Student Loans Company Dismissals Highlight Insider Risk NSO Group Blacklisted by US for Trade in SpywareCyber-Incident Impacts UK Labour Party#SecTorCa: Jeff Moss Defines the Role of Hacking Threat Actor Claims 'Groove' Ransomware Gang Was HoaxTweet of the weekhttps://twitter.com/summer__heidi/status/1456099556622364672  Come on! Like and bloody well subscribe!