The Host Unknown Podcast

Episode 110 - Andy is Hot Hot Hot

Episode Summary

This week in InfoSec talks about the phone that changed everything. Rant of the Week brings us the latest on remote working. Billy Big Balls talks of a group of people playing fast and loose with company assets. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week reminisces about Groundhog Day.

Episode Notes

This week in InfoSec

With content liberated from the “today in infosec” Twitter account and further afield

28th June 2000: The Pikachu virus began spreading. It is believed to be the first virus targeting children, incorporating Pikachu from the Pokémon series.

29th June 2007: Nearly 6 months after it was introduced, Apple’s highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.

26th June 1997: The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution. 


Rant of the Week

Quick mention just to get the blood boiling: India extends deadline for compliance with infosec logging rules by 90 days

India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

FBI warning: Crooks are using deepfake videos in interviews for remote gigs

Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions

The US FBI issued a warning on Tuesday that it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the "applicant" for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, "database, and software-related job functions". Some of the targeted jobs required access to customers' personal information, financial data, large databases and/or proprietary information.

"In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," said the FBI in a public service announcement.


Billy Big Balls of the Week

Trio accused of selling $88m of pirated Avaya licenses

Rogue insider generated keys, resold them to blow the cash on gold, crypto, and more, prosecutors say

Three people accused of selling pirate software licenses worth more than $88 million have been charged with fraud.

The software in question is built and sold by US-based Avaya, which provides, among other things, a telephone system called IP Office to small and medium-sized businesses. To add phones and enable features such as voicemail, customers buy the necessary software licenses from an Avaya reseller or distributor. These licenses are generated by the vendor, and once installed, the features are activated.

In charges unsealed on Tuesday, it is alleged Brad Pearce, a 46-year-old long-time Avaya customer service worker, used his system administrator access to generate license keys worth tens of millions of dollars without permission. Each license could sell for $100 to thousands of dollars.

Pearce, of Oklahoma, then sold those licenses to Jason Hines, 42, of New Jersey, and others who sold them on to resellers and customers worldwide, prosecutors claimed. Pearce's wife, Dusti, 44, is accused of handling the finances and accounting in this alleged criminal caper.

On top of this, Pearce is accused of using his admin privileges to get into internal accounts of former Avaya workers to generate more software keys. He allegedly covered up his tracks by altering information in the accounts over many years.

Great balls but the bigger balls was from this article on the World Economic Forum:

How aligning cybersecurity with strategic objectives can protect your business

All filler with no thriller!

Cybersecurity is not a technical problem, it’s a business problem

Bridge the communications divide

Relationships may be damaged, not broken

Culture of Cybersecurity!


Industry News

Snoopers’ Charter Ruled Partially Unlawful

Ransomware Suspected in Wiltshire Farm Foods Attack

FBI: Beware Deepfakes Used to Apply for Remote Jobs

Amazon Fixes High Severity Vulnerability in Amazon Photos Android App

Ukrainian Cops Bust Multimillion-Dollar Phishing Gang

Nevadan Arrested for Alleged $45m Metaverse Investment Fraud

Info-Stealing Campaign Targeted Home Workers for Two Years

North Korea's Lazarus Group Suspected of $100m Harmony Hack

Former Canadian Government IT Worker Pleads Guilty Over NetWalker Ransomware Attacks


Tweet of the Week