After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign

Graham Cluley
Security researchers have confirmed that hackers are breaking into unpatched Windows computers using the BlueKeep vulnerability to install money-making cryptocurrency-mining code.

British researcher Kevin Beaumont raised the alarm this weekend, after discovering that BlueKeep honeypots he had set up (to act as an early alarm that the vulnerability was being exploited) began to crash and reboot themselves.

I built a worldwide honeypot network to spot exploitation, which I called BluePot.

Since then it has been remarkably quiet. I’ve been keeping in contact with people at threat intelligence and anti-malware companies and, essentially, the protection built has been eerily quiet. That isn’t to say exploitation hasn’t happened — of course, advanced threat actors would absolutely look to leverage this — but there’s been a complete lack of data to suggest any kind of widespread exploitation.

That changed on October 23rd — one of the BlueKeep honeypots crashed and rebooted. Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity.

Beaumont shared details of what had happened to his honeypots with Marcus Hutchins of Kryptos Logic, who determined that the attacks were using demo BlueKeep exploit code in an attempt to install a cryptominer onto unpatched Windows computers.

The good news is that the current attack appears to be flawed – crashing the computers it is attempting to infect rather than successfully installing the hackers’ code.

News first broke of the BlueKeep vulnerability earlier this year, when Microsoft took the unusual step of issuing patches for old versions of Windows which it no longer officially supports, and publishing reminders on its blog for users to take action.

At the time, it was reported that almost one million vulnerable PCs were connected to the internet, and potentially open to exploitation.

The threat was considered serious enough that the likes of the NSA urged administrators and users to patch vulnerable computers.

The NCSC, part of the UK’s GCHQ, which had privately reported the vulnerability to Microsoft in the first place, warned that BlueKeep “poses a serious threat” and recommended that organisations and individuals apply their security patches as soon as possible, fearing a re-run of the WannaCry ransomware outbreak.

It’s clear that things could be a lot worse with the current attack – so far the BlueKeep vulnerability is not being exploited to spread a worm like WannaCry, which caused particular problems for the UK’s National Health Service. But the fact that many computers are likely to still be unprotected against the flaw is a real cause for concern.

Make sure your computers, including your old legacy computers, are up-to-date with security patches.

For further discussion on the BlueKeep vulnerability be sure to check out this episode of the “Smashing Security” podcast that we recorded earlier this year:

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

That's not a bad idea, Carole. I think we could make a difference there. Well, it's better than

Carole Theriault

Microsoft's outreach at only getting 2,000. Oh, come on! I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft. You know, we have a lot of listeners.

Graham

I'm not sure it would be possible to actually work out who made the biggest impact.

Carole

It's about saving the world, Graham.

Graham

Smashing Security, episode 131. Zap yourself from the net and patch now against BlueKeep with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 131. My name is Graham Cluley. And I'm Carole Theriault. And we are joined once again this week by... By a ghost. A very quiet ghost. Because it's just you and me. Why is it just you and me again, Carole?

Carole

Because we're fricking busy right now and it's InfoSec this week and we have to do talks. Anyway, to make up for all that disappointment, I suppose we better explain what's coming up on the show this week. Thanks to this week's sponsors, Recorded Future and MetaCompliance, their support helps us give you this show for free.

Graham

A hooga, a hooga, a hooga, warp, warp, alert, alert, alert, Carole. We are on a countdown to destruction. Sorry, a countdown to destruction? Is

Carole

this a bit of fear and doubt? Well, but maybe not uncertainty. Something ghastly this way comes, I have to say, because do you remember a couple of years ago? Well, of course you do. You remember WannaCry, right? It was a serious nightmare here in the UK. Horrendous. Because many hospitals and health services were just crippled. Yeah, awful. That worm was able to spread so quickly because it exploited a critical vulnerability in Windows. And even though Microsoft had issued a security patch for that vulnerability almost 60 days beforehand, WannaCry still successfully struck. Many computers had not been properly protected against it and well we saw what happened. ask a question sorry. I haven't used Microsoft products in a very long time. However, how come updates aren't automated? How come updates aren't automated?

Graham

Right? Well, you're right. Many consumers may well have automated Windows updates, and that's fantastic. Some people sadly have not. And of course, in an enterprise environment, you don't necessarily want to have automatic updates because there have been occasions when Microsoft updates have gone a little bit awry and cause more problems than they try to fix. So it's understandable. If you've got thousands and thousands of computers in your company, you don't want some dude in Microsoft to say, hey, let's push out a patch to all of those computers because you're going to get it in the neck as the IT administrator if your network goes down and you stop making money. I'm not sure that's true. So, well, you know, it's certainly there's a lot of apprehension about automatic updates in many situations in some environments. So what is happening right now is Microsoft is warning that it really wants people to patch their vulnerable computers again. In fact, it's issued two warnings in the last couple of weeks. We don't even know what they're vulnerable to at the moment. Well, let me explain. There is once more a critical vulnerability in older versions of Windows that could be exploited by a worm just like WannaCry managed. This flaw is being called BlueKeep and it exploits what's known as a dangling pointer. You're so juvenile. A dangling pointer bug in remote desktop services. And that... That's still jiggling. Yes. So this flaw was first spotted by the UK's NCSC, who are part of GCHQ, the Intelligence Gathering Agency, and they informed Microsoft. And Microsoft did release a patch back on May the 14th. However... So two weeks ago about, right? Well, it's about three weeks going now by now, isn't it? I don't know. We're

Carole

like an old married couple. It was a Saturday. It wasn't a Friday. It was a Saturday. It happened at four o'clock. Remember? Don't you remember? What's wrong with you?

Graham

You can't remember anything. You don't remember? WannaCry? It was 2017. It was 2016. It was 2017. Oh, I'm sorry, listeners. So Microsoft believes this vulnerability to be so serious that they've taken the unusual step of issuing patches for old versions of Windows they no longer officially support. So Windows 2003, Windows Vista, Windows XP, these are operating systems they said we are never, ever going to release another security update for. They said you've really got to get off those operating systems. Well, they've done it to protect against BlueKeep.

Carole

Okay, fine, fine. I get that. But I think that maybe if Microsoft want to retire a product that they sold in good faith to people, maybe they should do a buyback scheme, right?

Graham

But it's not a question of making it cheaper to buy the software. The problem is the computers which are possibly running these older operating systems aren't capable of running more up to date. Well,

Carole

That would be true certainly in things like the NHS or certainly was in case of WannaCry. But do you think for home users who are also potentially exposed to this, that's still an issue?

Graham

There's still lots of people who don't want to change their operating system or don't want to update their computer if it's working just fine. I just last night, I was around my father-in-law. Fun times. And I was updating Microsoft Word for him. And he was terribly befuddled because something had changed its look. And, you know, it was, this isn't the same as it used to be. I want it to be the old way. And he went through a lot of pain when he upgraded to Windows 10. It's just, what is all this ghastliness?

Carole

I will feel the same when I'm his age, when I'm presented with Apple 87 or whatever. I'm not far off, how dare you.

Graham

Well, last week, Microsoft issued its second warning about BlueKeep, begging computer users to patch their systems. Reports have emerged that there are nearly one million computers directly connected to the internet, which were vulnerable to this BlueKeep flaw. It's so nice that they're able to tell that just by sniffing around on the internet and looking around. Well, you can scan ports. Now, some of those are quite likely to be honeypots set up by researchers, but I doubt that they account for 923,000 vulnerable computers. And the thing is, it doesn't mean that that many computers are the only ones you have to worry about, because some of those computers will be inside organisations. So if that one gets compromised by WannaCry2 or whatever we want to call it, exploiting BlueKeep, then the malware could spread further inside that organisation as well. So you only need one vulnerable computer on your network.

Carole

Yeah, exactly. Take heed, folks. Take heed.

Graham

Right. So there's a real risk that we might see a big worm. And the bigger risk, maybe, is that it will actually take the worm itself to wake people up to the threat and get them to patch. When Microsoft first made its announcement about this problem and began alerting people, a scan was done of the internet, how many vulnerable computers, and they came up with almost a million. Then two days later, they did another scan, and what they found was good news. The number of vulnerable computers has gone down. To what? It had gone down by about 2,000. Oh, no. So we're talking years and years and years, if we just let nature take its course or until a worm comes out and then that maybe wake people up to it.

Carole

Maybe we need to put a challenge out to all our thousands and thousands and thousands of listeners to go out and tell one person who you don't think is very computer savvy, who uses Windows, to make sure they update. If we all do that, that would be a good thing.

Graham

That would be a good thing. So if you're at the bus stop or if you're...

Carole

With a Dell, bashed up Dell laptop.

Graham

Under their arms. Oh, so, I hope you've been updating that. I see you're using Windows XP still. No, you need to keep up to date. That's not a bad idea, Carole. I think we could make all the difference there. Well, it's better than Microsoft's outreach at only getting 2,000. Oh, come on. I'm not sure it would be possible to actually work out who made the biggest impact or not.

Carole

It's about saving the world, Graham. So at the time of recording, there's no sign of an actual malicious worm exploiting this vulnerability, but it's likely to only be a matter of time. And there've already been a number of researchers and white hats who have successfully created exploits demonstrating how the flaw could potentially be exploited by a worm. I'm imagining I'm doing that if I had a Windows machine. Okay. Yes, don't do this if you've got a Mac, by the way. Yeah, well, it'd be hard. It'd be difficult to find that Control Panel. Or if you've got a PlayStation as well. Again, not going to work. Or if you're listening on your Game Boy. Again, not going to happen. So you're in Windows Control Panel, choose System and Security, and you will see an option there which says Windows Update. Click on that. Right? Yep, when they actually are. It wasn't a very big jump of faith, that one, was it? What? Teach them well? No, children are the future. Yeah, good. Right. It's on the ball that guy.

Graham

Anyway, there you go. BlueKeep, protect yourself. And I hope by the time the next podcast comes out, we don't have to say, oh dear, we all got hit by that BlueKeep worm. Worm? You sound drunk. Drunk. Yeah. Drunk. What story have you got for us this week, Carole?

Carole

Well, Graham, do you remember The Fugitive with Dr. Richard Kimble, who was accused of a crime he didn't commit?

Graham

So there was a TV show, wasn't there, in the 1960s? Yeah, there was a movie as well. A movie starring Harrison Ford. Harrison Ford. Harrison Ford, yes, yes.

Carole

Now, I want you to imagine that you're in a similar scenario, okay? Inspired by the storyline, I decided to write one just for you. Okay. So an occasionally entertaining cybersecurity pundit and podcaster, Graham, has found out that his podcast co-host, Carole, has been murdered ferociously in her own studio. It looks like someone strangled her with her Sony MDR headphones. The local Thames Valley police force locate you and accuse you of murdering me. You start thinking of all the rubbish emails and communiques you've sent over the last 20 years of knowing me.

Graham

I've never even met her. I podcast remotely. We're not in the same room. It couldn't possibly be me. I know, but think of all the stuff sent to me over the years and even sent about me. All the stuff we edit out from the show. I'm being framed. I'm being framed.

Carole

You, Mr. Graham, need to scrub your digital footprint clean of any incriminating evidence.

Graham

Yes, I do. And the idea, you think, is to make it as hard as possible for the cops to associate you with anything related to my unfortunate and very devastating demise. Right. But where to start, right? Where do we look? Yeah, I thought I could change my name to Steve Gibson from the Security Now podcast. That may be a sense. Just try and divert the police onto another security podcaster. Yes. Okay, well, that's interesting because there are services out there where what they try to do is to delete your online profile. So one of them is called Delete Me and one is called DeSeat Me. These are just two I looked at. D-E-S-E-A-T. DeSeat you from the seat. Oh, okay. Yes. Similar situation to you, the murderer. How do you wipe clean the photocopier? Yes. After you've taken a... Yes. That's very good, Graham. I'm impressed. I'm impressed. Well, exactly. I'm now going to have an account with them. The police can go to them. Right. So what have you been doing for Mr. Cluley? Yeah. Exactly. Because he's wanted for murder. Murder. Yeah. Well, that's the worst thing, yes.

Carole

For you, yeah, your ego would really take a hit there. Now, okay. Now, would you ask Google to remove any personal information from its many, many services? Because there are webpages that allow you to do this.

Graham

Well, I have previously logged into Google and asked it to delete information and not track information. And I've been through their account settings in the past. Yes, right. But that's different. Are you talking about the actual search results? Because sometimes when you do a search result, it says some of the search results have been hidden.

Carole

For example, you may have information on Blogspot from days of yore. You might have information on YouTube videos. You might have left crazy comments somewhere. Oh, yes, definitely. Saying, God, cool, this is a stupid video, because there's lots of places you might be and you may want to get that scrubbed. So I'll put the link inside the show notes if anyone's interested in doing something like that. And there's also a link there if you want Google to remove some old cached data. Again, I don't think there's any guarantee that it will do this, but it's a way of you to be able maybe to mitigate and limit the amount of information about you.

Graham

So if I understand you correctly, what you're saying is if you don't want to use services like DeSeatMe or DeleteMe, you can at least get Google kind of promises or it's offering to delete some of the records it stores about you to do the cleanup and that's for free I imagine.

Carole

I'm just giving you a few little options here on how you can reduce it so you can try and trust a third party to do it with you and for you by using services or paying for services. You can also go look at Google. Google is a bit of a monster on the web right, they're the ones that hold the most amount of information about most of us, you know, because you want to basically you don't want the cops to get you right?

Graham

It's very good that you're mentioning all this and giving me these tips, Carole, before the actual murder takes place. This is very handy. I'm sure plenty of our listeners are appreciating this as well.

Carole

All our listeners, if something happens to me, they're going to know who to point the finger at Mr. Cluley.

Graham

Well, I imagine that all this advice only applies if you're the murder victim, right? Not if anyone else. I don't want to give anyone else any ideas regarding murdering anybody else. Not that I want you murdered either, Carole, but maybe... I'm not telling

Carole

anyone how to murder anyone other than...

Graham

No, but you're sort of telling them how to cover their tracks. Interesting. Interesting.

Carole

Okay, carry on. Now, another idea is removing everything that might be stored on the cloud, right? And keep everything local. So a lot of people, you know, the real big privacy experts would say everything should be on a removable hard disk, right? And all backups should be on hard copy only, like on a USB key or whatever. Do you have any thoughts on that?

Graham

Well, I have both local backups and online backups because I like to have backups in different places. As long as they're sort of encrypted and secure, I don't mind that too much.

Carole

Yeah, that suggests, though, that you're more concerned about not losing data that you have as opposed to safeguarding your data from prying eyes.

Graham

No, I don't think so, because all of those backups are encrypted and I sort of hold the master key for them. Right. So other people shouldn't be able to access them, although I'm using cloud-based services in some cases for those backups. It's not as though I believe they would be easy for others to peruse. But like there is a pitfall, right, if you get too obsessed with erasing your entire footprint on the web. Because you're flirting, A, you're flirting a bit with privacy burnout where you just can't care anymore. You know, it's like my nephew was over yesterday and he was playing Wii and he was doing some kind of sword fighting thing and he was really into it. Yes, maybe you've come here under an assumed name. Maybe your name isn't Graham Cluley. Maybe your name is Emily Buckwater or something. And yeah, that would be. It does seem rather a nuclear option to me.

Carole

But I think for the rest of us maybe a smarter approach is not to panic about all the data that's out there on you but focus on what, just focus on the important stuff like stuff that's personally identifiable and lock that down as much as possible and every user obviously has to decide for themselves what information they're comfortable sharing and what information they want to keep private.

Graham

So if for instance Google had a search record that I'd been searching in the web for details of, you know, how to strangle someone with a microphone cord or something like that. So those are the sort of things to remove rather than, you know, what time does Waitrose supermarket shut tonight?

Carole

Or I'd like to make a fish pie tonight, give me a recipe. The thing is, I don't know. I think there should, you know, we should all try and retain some measure of privacy, because if we don't, we're strangling life out of our individual right to have it. So now there's a few things. So here's just a few little things we can do. So EU subjects, anyone who lives in the EU can use GDPR to get companies to delete previously collated identifiable info. It's not easy, but for some services where you've shared a lot of information, it may be very worthwhile.

Graham

Well, I guess you can try and if you did have something which was potentially a little bit embarrassing, one thing you could do is try and lose it in the noise, couldn't you?

Carole

Yes, like needle in the haystack approach, right?

Graham

But if there are websites which are saying something nasty about you, then maybe you want lots of web pages which are saying something nice about you. And then people are less likely to stumble across the one which has something unpleasant. So do some good people and get people to write about it. And maybe people will forget those mistakes you've made in the past, such as that unfortunate microphone murder.

Carole

And you know what we could do? We could actually distill it to the big ones. So I've made a list of five big things I would do. The best result for the least amount of effort, according to me. Let's see if you agree with it, right? So first, delete messages, pics, tweets, comments, emails that you no longer want or basically make you look bad, right, Graham? Lock down apps and profiles as much as possible. So if they ask for, you know, I need to know your location at all times and you're thinking why you're just a chess app, you can turn that off.

Graham

Right. And look at your privacy settings is basically what you're saying as well. So if you're on social media, make sure that you're not sharing it with the entire world, but just sharing it with the people on the social network that you want to share your personal information with.

Carole

Yeah. And some people would say, why share anything personal on social media at all? Why don't you just go, oh, look, it's pretty outside today. You don't have to. You want to use different passwords for every account. Obviously, you know, I use a reputable password manager. I find it useful. I think you do too, Graham. We talk about it a lot. Use multi-factor authentication. So 2FA, it's also known as. Very good. And then the things you can consider is encrypt your data like Graham does. Use a VPN, which helps obfuscate your traffic and what you're looking at. And most importantly, don't kill anyone, especially not your co-host.

Graham

I think maybe that should have been number one, Carole. Rather than...

Carole

I want to end on something powerful.

Graham

Okay. So if you only remember one thing, Graham...

Carole

Yeah, don't kill me. Quote, most business security breaches are the result of one thing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host, Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager. And the one we recommend is LastPass Enterprise. Check it out at lastpass.com slash smashing. We also are sponsored by Meta Compliance. Now, Meta Compliance reduce cybersecurity risk by providing a platform for training.

Graham

Yeah, they do online training. They've gamified it. It's animated e-learning. It teaches you and your staff all about the risks of phishing and other threats which may impact them inside business. And best thing, it's not boring. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com slash metacompliance. On with the show. And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.

Carole

Pick of the Week. Pick of the Week.

Graham

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole

Better it not be after last week's debacle.

Graham

Well, mine has a tangential security connection. Do you mean tangential? Oh, I don't know. It's okay. Did I say tangential?

Carole

Yes. Is that what happens if you go to the tanning salon without your underpants?

Graham

Oh, dear. Anyway, my pick of the week this week is a TV show which I've been binging on. And it's not a barrel of laughs.

Carole

I thought you'd been all busy, busy. You keep saying how busy you are.

Graham

Well, I managed to slip in four hours of TV watching. I've still got one episode to go of Chernobyl.

Carole

Oh, I've been hearing about this everywhere. What are you watching it on? Well, it is available on HBO in the United States and Sky Atlantic over here in the UK. And we don't have Sky, but Mrs. Cluley wanted to watch the final season of Game of Thrones, and so we found an online service where we paid some money and it hasn't quite expired yet. So I had to poke around and see what else they had to offer us. So you're jumping on the Chernobyl bandwagon along with every other journalist out there. Is that right? Well, there you go, that's what I've done. If you haven't had a chance to watch it, go and watch it. If it's not on your streaming service, hopefully it will be someday and you'll get a chance to watch it because it was quite interesting. Thank you for bringing so many really lighthearted and interesting topics to the show. Well, that's what we do. That's what we do on the show, Carole. Well, sometimes it's a giggle, sometimes it's smutty, and sometimes it's deadly serious. Welcome to the world of Smashing Security. Well, until this morning when I sent you the video that I am featuring on my pick of the week, had you heard of Nellie Bly?

Graham

No, I'd never heard of Nellie Bly.

Carole

Okay, that's very cool. Because, you know, she was an American journalist from, you know, the Victorian Times. So there's no real reason that she might make it into your school books, particularly those when you were at school, I'm sure, featured many, many men of historical note as opposed to women.

Graham

It's true. I'm sure they did. Queen Elizabeth, Queen Victoria.

Carole

Yes. Well, they had to be queens to get mentioned. Boudica.

Graham

Yeah. Yes, I suppose.

Carole

Now, I had never really read a lot about her or watched any documentaries on her before. So when I saw this little Atlantic article show up in my feed this week, I checked it out. Now, just for those who don't know, Nellie Bly is the name of one of the first daredevil gotcha female journalists. And her shtick was to go undercover and do, quote unquote, stunt reportage. So where you never really identify yourself as a reporter, but then later on do a gotcha and expose the company or the person explaining all your experiences with not holding anything back.

Graham

Right. So she's like an undercover investigative journalist getting the scoop.

Carole

She did something. OK, so what she's best known for was her first big stunt or what I know to be her first big stunt. So it was in 1887. She got herself committed to the women's asylum in New York City. So it's called Blackwell Island. And she spent 10 days there as a psychotic patient faking psychosis. And the point was to collect stories and facts and then expose them all in her column.

Graham

My goodness. Yes. And, you know, she had to trust. She just went up to, I think it was the editor of The World, Mr. Pulitzer, and she basically said, OK, he offered her this. He said, we can't get in. We're all guys. We can't get in there. Can you? And so she did. That's the terrifying thing, isn't it? I mean, if you throw yourself, I don't know if you've ever done this, Carole, if you've ever put yourself into a mental asylum and pretending to be mad.

Carole

Podcast, Graham, is a similar analogy.

Graham

And then, of course, if you're trying to get out afterwards and you're trying to convince them that you're sane, well, that is what a mad person would do, isn't it?

Carole

Yeah. And it's an unbelievable story. And it's led to many, many more stunts. And it's kind of all touched upon in this gorgeous 12-minute video. The film director, Penny Lane, uses animation and documentary-style reenactments. And they're mostly drawn from primary sources, including Bly's own writing and published interviews, and basically tries to tell the story of this fearless Victorian newspaper woman. So check it out. It's beautifully scripted and animated, I think. What did you think, Cluley?

Graham

I really enjoyed it. And I liked that the animation part of it was sort of made out of newspaper headlines. They actually sort of made the landscape. And like you said, there was this asylum story, but there was also a story of how she set the world record for going around, circumnavigating the world, you know, on train and steamboat. And she did it in about 72 days.

Carole

Yeah, she wanted to beat Jules Verne's Around the World in 80 Days concept.

Graham

She met him en route when she was in France. And I also got a little tidbit because I was quite fascinated by this little video. I thought you would like it. I was reading up about her on Wikipedia and I found out that she married, when she was in her early 30s, she married some 73-year-old uber businessman. And of course he popped his clogs just a few years later and she inherited quite a lot. She was quite a woman. And this was also the days before the suffragette movement as well. I mean, she went all around the world. She only took one dress with her and a couple of pairs of underpants.

Carole

Oh, and you know what? She was annoyed that people focused on that and so was I watching this video. Everyone kept talking about her outfit, the fact that she didn't have a humongous trunk. Honestly.

Graham

Well, if she'd had a humongous trunk in Victorian times, Carole, she'd have been the elephant woman. Boom, boom. Oh, whoa. Well, that just about wraps it up for this show. Carole, if you want to follow us on Twitter, you're already following us on Twitter. But if you at home want to follow us on Twitter, we are at Smashing Security. No G. Twitter wouldn't allow us to have a G. And we're also on Reddit. You can continue the discussion with us up there at smashingsecurity.com slash reddit.

Carole

And shout out to our sponsors Recorded Future and MetaCompliance. Their support helps us give you this show for free so check out their offers please and high five to you listeners as well. We're so glad you listen to us week in week out until

Graham

Next time cheerio bye bye bye. Have you got your pop screen on? I have a problem. What's your problem?

Carole

The A on my keyboard, 30 seconds ago, decided to stop working. Any advice? It's going to make taking notes a real pain.

Graham

Only the letter A? Have you dropped some coffee on it? What have you done?

Carole

No, no, no, nothing. Just the letter A. It's just not responding at all? Look, I'll write you a message in the little thingy-majig. Yeah, go on then. Okay, I'm pressing a lot of A's.

Graham

I'm not seeing anything. Oh. Look. Okay, I'm looking. You've written... I'm pressing A-A-B-B, A-A-B-B. Oh, the B's are coming through, but no A's.

Carole

Yep. Anyway, fun times, even with caps lock. So the key's dead. So I need a new keyboard. So that's fun.

Graham

Welcome, everybody, to the latest episode of Smashing Security.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

3 comments on “After months of worry, BlueKeep vulnerability is now being exploited in mass-hacking campaign”

  1. Gabriel

    Is it just me or do others when they see GCHQ automatically think Graham Cluley Headquarters, especially when reading his blog?

    1. coyote · in reply to Gabriel

      I don't think of one or the other – I think of both at the same time. That is here. Other places I think of the political (yes it is even if more than that) body.

  2. faithgrecia

    It would be good if a threat model is developed for identifying ransomware.
