There’s bad news if you’re a cryptocurrency investor. Billions of dollars worth of wealth were wiped out this weekend after a South Korean cryptocurrency exchange was hacked.
The exchange in question is called Coinrail, and if you visit its website right now you’ll see a “System maintenance” message that tells you more than they’re just updating the servers. The devil’s in the detail – the site is down because it got hacked over the weekend.
The statement on Coinrail’s website says that some (but not all) of the cryptocurrency exchange’s digital currency was stolen by hackers. Coinrail claims that 70% of the cryptocurrencies it holds are being stored safely in a cold wallet which is not connected to the internet, and thus considerably more difficult for criminals to access.
Coinrail hasn’t released much information about what has occurred, but has released released the names of a few of the tokens affected in the hack: ATC from Aston, NPXS tokens from the Pundi X project, and NPER project tokens.
In all, the hackers are thought to have stolen about 30% of Coinrail’s virtual currency, and that news has sent shockwaves through the markets.
Even a hack of a relatively unknown South Korean cryptocurrency exchange like Coinrail can have a big impact on cryptocurrencies worldwide, because of media coverage. Media coverage gives investors the jitters which makes them sell more cryptocurrency which then leads to more media coverage, and so on and so on…
Stephen Innes, head of Asia Pacific trading at Oanda Corp, told Bloomberg that he believed panic-selling was to blame for the drop in cryptocurrency value:
This is ‘If it can happen to A, it can happen to B and it can happen to C,’ then people panic because someone is selling. The markets are so thinly traded, primarily by retail accounts, that these guys can get really scared out of positions. It actually doesn’t take a lot of money to move the market significantly.
So far this year Bitcoin is down about 50% in value. On Sunday alone it fell 6% after news of the Coinrail hack broke. And it’s not just Bitcoin that’s suffering, other commonly traded digital currencies like Ethereum have also taken a dive.
The problem with Bitcoin seems to be its very volatility – the thing which attracted many investors when its price was rocketing skywards last year, and is now proving a challenge as more people view cybersecurity as a huge threat to virtual currencies.
There is, of course, going to be plenty of speculation about who might be behind the Coinrail hack, and no doubt some will cast an eye north of South Korea’s border in their search for likely culprits. However, in cases like these it’s very difficult to attribute an attack on a cryptocurrency exchange with any certainty – as there are so many criminals who would salivate at the thought of breaking in and making off with millions of dollars.
Why is cybersecurity such a big issue to cryptocurrency exchanges and not seen as such a significant threat to traditional financial insitutions?
Mikko Hyppönen summed up the situation well in a tweet:
Cryptocurrency exchanges are ideal targets for attackers. Small companies with a lot of money. Run by startups, with small security teams and no experience. And if you get in, the loot is already anonymized and untrackable. https://t.co/uvBd6Shnox
— @mikko (@mikko) June 11, 2018
My advice? If you have a cryptocurrency investment, don’t leave your wallet lying around in an online exchange. Keep it somewhere safer.
In a past episode of the “Smashing Security” podcast we’ve talked about how you may wish to consider having your own hardware wallet that stores your private keys, so you have true control about when and where your funds are moved… rather than put your trust in a cryptocurrency exchange.
And, it should go without saying, if don’t invest anything that you cannot afford to lose.
Listen to this edition of the “Smashing Security” podcast to hear further discussion on this topic:
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
The Russians aren't going to try and disrupt their own World Cup, are they? They want that to go swimmingly.
So what sort of cyber attacks do you think we might see which are in relation to the World Cup? Could these be sort of retaliatory attacks from other countries against Russia?
Or might we see patriotic Russian hackers attacking Brazil, for instance?
So what sort of cyber attacks do you think we might see which are in relation to the World Cup? Could these be sort of retaliatory attacks from other countries against Russia?
Or might we see patriotic Russian hackers attacking Brazil, for instance?
Well, beware if England gets to the final. Not only am I going to lose about £100, but there could be cyber shenanigans afoot.
What? What? Just from you, John? Are you saying you're going to be doing the hacking? Is that what you're suggesting?
No, I am not. Oh my goodness, don't use my poor bandwidth connection to lie about me, sir.
No.
Smashing Security, Episode 82: World Cup Cybersecurity, Crypto Crashes, and a Bang of a Password Fail with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 82. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 82. My name is Graham Cluley.
And I'm Carole Theriault.
And we're joined today by a special guest. He's returned to the show. It's John Leyden, security correspondent at The Register. Hello, John.
Hi, John.
Hello, Carole. Hello, Graham.
Oh, it's a bit echoey, John, where you are. Where on earth are you?
I'm in an art gallery, I'll have you know, in Manchester. Because now that this is an award-winning show, I decided that I just needed to up my game somehow.
And it's the only way I could think of doing it.
And it's the only way I could think of doing it.
Are you snarfling up their Wi-Fi?
I think I may well be snarfling up their Wi-Fi.
Okay, well, fingers crossed it keeps going for the whole length of the show.
So you've gone to this highly cultured place and you've decided to ring up the Smashing Security podcast. You thought that would be the appropriate thing to do.
What if someone comes and tells you to hush?
Well, I have to speak very quietly then, won't I? I have to make sure I make my point quite quickly.
This week's episode of Smashing Security is sponsored by VirusTotal. Now, you probably know VirusTotal as a malware research tool.
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting.
Relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/learn or email the team at .
And be sure to say you heard about them on the Smashing Security podcast. And welcome back. Well, the big news over the weekend— did you see what happened? With the bitcoin price.
Carole, John, do you religiously follow the price of bitcoin?
Over 1 million files are uploaded every day by folks analyzing malware and attempting to determine what different antivirus products call a sample.
But you can do much more than that with VirusTotal Intelligence, which helps you get more context about your alerts through advanced malware threat hunting.
Relationship and behavioral visualization, as well as historical analysis on billions of malware samples.
To learn more about how VirusTotal Intelligence can help you, visit virustotal.com/learn or email the team at .
And be sure to say you heard about them on the Smashing Security podcast. And welcome back. Well, the big news over the weekend— did you see what happened? With the bitcoin price.
Carole, John, do you religiously follow the price of bitcoin?
Nope.
No, I don't.
I know it's dropped, but I don't religiously follow it.
Very sensible not to, I recommend for your general mental health.
Well, it's bad news if you were a cryptocurrency investor, because billions of dollars worth of wealth were wiped out this last weekend after a South Korean cryptocurrency exchange was hacked.
And if you visit the website right now of Coinrail, South Korean cryptocurrency exchange, you will see that they're undergoing a little bit of system maintenance.
Those are the only words in English. Now, I don't speak Korean.
Well, it's bad news if you were a cryptocurrency investor, because billions of dollars worth of wealth were wiped out this last weekend after a South Korean cryptocurrency exchange was hacked.
And if you visit the website right now of Coinrail, South Korean cryptocurrency exchange, you will see that they're undergoing a little bit of system maintenance.
Those are the only words in English. Now, I don't speak Korean.
But Google Translate certainly does.
It does. Yes. So Google Translate.
I was thinking you'd go, oh, wow, that's a good idea.
System maintenance. I thought, oh, this is fine. But when you translate it with Google Translate, you find out that the site is down because it got hacked over the weekend.
And according to CoinRail, hackers stole about 30% of its virtual currencies, and that has sent shockwaves through the market because even though most of us probably haven't heard of Coinrail, right?
I mean, I imagine they might be known in South Korea, but not in the rest of the world. Their hack still had a big impact on cryptocurrencies around the world.
And it's because of media coverage.
And according to CoinRail, hackers stole about 30% of its virtual currencies, and that has sent shockwaves through the market because even though most of us probably haven't heard of Coinrail, right?
I mean, I imagine they might be known in South Korea, but not in the rest of the world. Their hack still had a big impact on cryptocurrencies around the world.
And it's because of media coverage.
Okay.
And whenever a cryptocurrency exchange gets hacked, the media jumps onto the story. You know what journalists are like, don't you, John?
Oh, wait, wait, wait. We're talking billions of dollars here.
Well, this isn't chump change.
Maybe in Cluleyland it is, but—
Well, it's not billions of dollars which have been taken from Coinrail. Okay, so the Coinrail hack, it's estimated maybe it's $20 or $30 million, which again, not chump change.
But what's happened is the media coverage about that has given investors the jitters around the world and made them sell more cryptocurrency, which in turn has led to more media coverage.
And you get into this sort of whirlpool of fear and, oh my goodness, sell, sell, sell, sell, sell, sell, sell.
The more you sell, the more stories there are, the more people who sell. So I put it to you, Mr. John Leyden, representing journalists today, that it's all your fault.
But what's happened is the media coverage about that has given investors the jitters around the world and made them sell more cryptocurrency, which in turn has led to more media coverage.
And you get into this sort of whirlpool of fear and, oh my goodness, sell, sell, sell, sell, sell, sell, sell.
The more you sell, the more stories there are, the more people who sell. So I put it to you, Mr. John Leyden, representing journalists today, that it's all your fault.
Well, I'm more worried about the prospects that Donald Trump and Kim Jong-un may resort to Google Translate and what that might happen with that. But that's just a little segue.
You think Donald Trump in his meeting with Kim Jong-un has just got an Android phone with him doing the translation because he doesn't need anybody.
He just needs a minute or two to decide whether this is someone he can do business with, whether he can denuclearise the Korean Peninsula.
He just needs a minute or two to decide whether this is someone he can do business with, whether he can denuclearise the Korean Peninsula.
Based on the handshake, the flick of the hair.
Well, so far this year, bitcoin is down around about 50% in value.
Well, from its peaky height.
Well, yes. And it was an extraordinary height, wasn't it? Coming towards the end of 2017.
And some people predicted that it would keep on going higher and higher, and some people I still think maybe it will, but on Sunday alone it fell 6%, and by the time this podcast is released, who knows?
Who knows where it will be? And it's not just bitcoin that's suffering. Other commonly traded digital currencies like Ethereum have also taken a dive.
Now, there are profits to be made, of course. Some people go, hehehe, if all this selling's going on, what I'm going to do is I'm going to sell short and bet on the prices to fall.
And some people predicted that it would keep on going higher and higher, and some people I still think maybe it will, but on Sunday alone it fell 6%, and by the time this podcast is released, who knows?
Who knows where it will be? And it's not just bitcoin that's suffering. Other commonly traded digital currencies like Ethereum have also taken a dive.
Now, there are profits to be made, of course. Some people go, hehehe, if all this selling's going on, what I'm going to do is I'm going to sell short and bet on the prices to fall.
Exactly. Yeah.
Oh, Carole, is that the kind of thing you do on the stock market?
No, it's something I read about and watch fiction TV.
Billions.
Is all about that.
I can imagine you going to the casinos in the south of France, maybe, and sometimes, you know, being a bit of a gambler. Would that be true of you, dripping in diamonds?
No, no, I'm not a gambler.
I know you go to art galleries, John, but do you frequent casinos as well? Have you ever dabbled in that?
I'm more interested in sports betting, and I may have a small bet against England winning the World Cup. Either way, I win on that.
Oh, that's going to bring it home.
Are there good odds on that, John?
No, I can jinx every other team.
Oh, I see.
So some people wonder, well, why is cybersecurity such a big issue to cryptocurrency exchanges and not seen as much of a threat to traditional financial institutions like banks?
And Miek Gohibban, a friend of the show, pointed out in a rather good tweet, I thought, earlier this week that cryptocurrency exchanges are different from banks because they tend to be small companies.
So some people wonder, well, why is cybersecurity such a big issue to cryptocurrency exchanges and not seen as much of a threat to traditional financial institutions like banks?
And Miek Gohibban, a friend of the show, pointed out in a rather good tweet, I thought, earlier this week that cryptocurrency exchanges are different from banks because they tend to be small companies.
Yeah.
They don't have much in the way of resources, but they have a lot in the way of money, which they're holding onto.
And they're often startups and they've got little or virtually no experience and little maturity in their security team. So why wouldn't they be attacked?
Why wouldn't criminals try and break into them because of the rewards?
And don't forget that if they manage to steal money from a cryptocurrency exchange, that money is anonymous and untrackable, untraceable. So terrific, right?
And they're often startups and they've got little or virtually no experience and little maturity in their security team. So why wouldn't they be attacked?
Why wouldn't criminals try and break into them because of the rewards?
And don't forget that if they manage to steal money from a cryptocurrency exchange, that money is anonymous and untrackable, untraceable. So terrific, right?
And that's also, yeah, exactly. And that's also part of the allure for people who want to invest or transfer funds that way.
Once it becomes a more ubiquitous service where banks are actually running crypto services, you're going to lose a lot of the transparency and anonymity that comes with the service.
Once it becomes a more ubiquitous service where banks are actually running crypto services, you're going to lose a lot of the transparency and anonymity that comes with the service.
So what's our advice? Not for the criminals.
We're not suggesting people jump on this bandwagon of attacking cryptocurrency exchanges, but we want to give some advice for regular users.
And we've covered this sometimes in past episodes of Smashing Security.
We're not suggesting people jump on this bandwagon of attacking cryptocurrency exchanges, but we want to give some advice for regular users.
And we've covered this sometimes in past episodes of Smashing Security.
Stay away from cryptocurrency?
Well, I think it's hard for some people to stay away from it because they're still seeing an opportunity there, aren't they?
But certainly, if you have a cryptocurrency investment, don't leave your wallet full of bitcoins or Ethereum or whatever it is lying around in an online exchange, because who knows how well they are being secured.
My preference is to have a hardware wallet that stores your private keys. So you're not leaving it somewhere up on the net.
But certainly, if you have a cryptocurrency investment, don't leave your wallet full of bitcoins or Ethereum or whatever it is lying around in an online exchange, because who knows how well they are being secured.
My preference is to have a hardware wallet that stores your private keys. So you're not leaving it somewhere up on the net.
Makes sense.
And it's more difficult for the hackers to get in and to steal information. I'd rather have it there than put my trust in a cryptocurrency exchange.
Where do you store your secure wallet, Graham?
Like I'm going to tell you, Carole.
Is it close to your person?
Let's not start that again.
Where the sun don't shine.
Oh, charming. Well, that would be more buttcoin, I think, than bitcoin, wouldn't it?
Now, soon as we've gone lavatorial, I think maybe now is a good time to point out that no less a luminary of the security industry, a veteran, than John "Mad" McAfee— do you remember what his proclamation was about the price of bitcoin?
Now, soon as we've gone lavatorial, I think maybe now is a good time to point out that no less a luminary of the security industry, a veteran, than John "Mad" McAfee— do you remember what his proclamation was about the price of bitcoin?
No, but he did say something crazy, didn't he?
He said he wanted to run for president, didn't he?
Yeah, turned out that wasn't a crazy option. Turned out voting for John McAfee would have been quite sensible.
Would have been a sensible No, when it comes to bitcoin, John McAfee has said that if bitcoin has not reached $1 million by the end of 2020, so he's got, what, 18 months or so, he says he will eat his own dick on national TV.
Would have been a sensible No, when it comes to bitcoin, John McAfee has said that if bitcoin has not reached $1 million by the end of 2020, so he's got, what, 18 months or so, he says he will eat his own dick on national TV.
Sorry, eat what?
His penis on national TV. Flambéed, I imagine. Now, I don't know if that'll be pay-per-view or whatever.
Lordy.
John, what's your story for us this week?
Well, this week is a very important week in sports, and in fact, the day the podcast comes out is the first day of the World Cup in Russia.
Can I just say, I think this is the first time anyone has whispered a story to us. I love it. Carry on. It's perfect.
Okay. So high-profile sports events are very much tied to national prestige. And when the Winter Olympics were in Russia, Russia did very, quotes unquotes, very well.
After that, it was called out by whistleblowers for cheating. And after that, the World Anti-Doping Organization got hacked and a lot of information was released from that.
So there's a continuum between sports events, national prestige, and things that go on in cyberspace.
And the situation in Russia is quite fraught generally, because no less a person than Robert Hannigan, former head of GCHQ, last week said that the UK was perhaps at cyber war with Russia.
This is partly to do with tensions around the Skripal poisoning, but also there's other things afoot.
And the UK intel agency and its Western counterparts don't really know what's going on with Russia, what its military doctrine might be.
And that has gone back a few years to an attack on French TV station TV5Monde, which took it off the air for several hours and was initially blamed on the Cyber Caliphate.
Do you remember that?
After that, it was called out by whistleblowers for cheating. And after that, the World Anti-Doping Organization got hacked and a lot of information was released from that.
So there's a continuum between sports events, national prestige, and things that go on in cyberspace.
And the situation in Russia is quite fraught generally, because no less a person than Robert Hannigan, former head of GCHQ, last week said that the UK was perhaps at cyber war with Russia.
This is partly to do with tensions around the Skripal poisoning, but also there's other things afoot.
And the UK intel agency and its Western counterparts don't really know what's going on with Russia, what its military doctrine might be.
And that has gone back a few years to an attack on French TV station TV5Monde, which took it off the air for several hours and was initially blamed on the Cyber Caliphate.
Do you remember that?
Yeah, yeah, yeah.
But subsequently that was attributed by Western intelligence agencies to a unit of Russian military intelligence, GRU.
Codenamed APT28, quite notorious in the world of cyber espionage.
Codenamed APT28, quite notorious in the world of cyber espionage.
And it was interesting how the world's media sort of jumped on that TV5Monde story and instantly just went with the accepted story, oh, it's the Cyber Caliphate who've done this, you know, and then suddenly it became, oh no, actually it's the Russians instead.
But there we saw a TV station which was actually taken off air effectively by hackers and very public example of the kind of— now I'm not sure why TV5Monde was actually taken off air.
But I think maybe the most memorable thing which happened during that attack was when the journalists from the TV station went on air to explain what was happening.
And they had in the background, stuck on a wall behind them, some of their social media passwords.
But there we saw a TV station which was actually taken off air effectively by hackers and very public example of the kind of— now I'm not sure why TV5Monde was actually taken off air.
But I think maybe the most memorable thing which happened during that attack was when the journalists from the TV station went on air to explain what was happening.
And they had in the background, stuck on a wall behind them, some of their social media passwords.
Yes, I remember that.
Which is just, you know, so you had the head of security for the TV station. I was saying, oh yes, well, we've, you know, obviously doing a French accent.
Oh yes, we have now sorted these out. We're not going to have any more problems from the hackers.
And of course, their Twitter or Facebook or whatever was at the same time being taken over by hackers who were watching. Just incredible incompetence on their part, but also common.
Oh yes, we have now sorted these out. We're not going to have any more problems from the hackers.
And of course, their Twitter or Facebook or whatever was at the same time being taken over by hackers who were watching. Just incredible incompetence on their part, but also common.
If I could just interject and try and tie things together, what Robert Hannigan said, and perhaps go some way towards answering, he thinks that Russia is live testing attacks.
Right.
And TV5Monde was an example of that. And VPNFilter is perhaps another example of it live testing attacks. If you remember when VPNFilter first came out.
This is a strain of malware that affects routers.
When it first came out, there was speculation that it might have been put together by the Russians and it might be a prelude to the attack on the Champions League in Kyiv last month between Real Madrid and Liverpool.
Oh, yes.
This is a strain of malware that affects routers.
When it first came out, there was speculation that it might have been put together by the Russians and it might be a prelude to the attack on the Champions League in Kyiv last month between Real Madrid and Liverpool.
Oh, yes.
Could it really be powered by sports? Could there really even be a tie, do you think?
Well, I think it was the date, wasn't it?
There was a thought that maybe it would be used to disrupt communications or disrupt energy systems while this very high-profile event was happening in Kiev.
There was a thought that maybe it would be used to disrupt communications or disrupt energy systems while this very high-profile event was happening in Kiev.
So nothing really happened on that front, at least around the Kiev final. But to sort of paraphrase Donald Rumsfeld, VPNFilter is a kind of known unknown.
We know it's out there, but we don't know what it's for.
We know it's out there, but we don't know what it's for.
So is the advice, John, still for end users to reboot their routers?
It's rebuilt the routers and applied software as available. This is quite a potent threat. It's more potent than Mirai, another botnet that infected Internet of Things things.
So, but John, we've got the World Cup starting today in Russia. Okay. A competition being watched by hundreds of millions of people around the world.
Yeah.
The Russians aren't going to try and disrupt their own World Cup, are they? They want that to go swimmingly.
So what sort of cyber attacks do you think we might see which are in relation to the World Cup.
Could these be sort of retaliatory attacks from other countries against Russia, or might we see patriotic Russian hackers attacking Brazil, for instance?
So what sort of cyber attacks do you think we might see which are in relation to the World Cup.
Could these be sort of retaliatory attacks from other countries against Russia, or might we see patriotic Russian hackers attacking Brazil, for instance?
Well, beware if England gets to the final. Not only am I going to lose about £100, but there could be cybersecurity shenanigans afoot.
What, just from you, John? Are you saying you're going to be doing the hacking? Is that what you're suggesting?
No, I am not. Oh my goodness, don't use my poor bandwidth connection to lie up with me, sir.
No, let's think really out of the box and let's admit that attribution in cyberspace is difficult. Maybe somebody in Ukraine is playing the long game.
Maybe it was them that have come up with VPN filter and maybe bang, they're about to unleash on Russia. Or maybe it's just something else. We don't really know. It's a mystery.
You know, it's a game of two halves, isn't it, John?
No, let's think really out of the box and let's admit that attribution in cyberspace is difficult. Maybe somebody in Ukraine is playing the long game.
Maybe it was them that have come up with VPN filter and maybe bang, they're about to unleash on Russia. Or maybe it's just something else. We don't really know. It's a mystery.
You know, it's a game of two halves, isn't it, John?
A game of two halves.
One thing that is sure, and I would add on a side note, is that anybody who is lucky enough to have tickets to see the World Cup in Russia would be well advised to lock down their devices and to use a VPN whilst they're in the country.
And of course, also be wary of turning mobile data off because they might have a very nasty bill. At the end of things.
And of course, also be wary of turning mobile data off because they might have a very nasty bill. At the end of things.
Yeah.
That ends the public service part of Smashing Security.
Well, no, I think that's a valid point actually, because there will be listeners probably who are traveling out there and good luck using a VPN in Russia, which hasn't been banned.
Good luck using Telegram, which Russia wants to shut down and block its citizens from using as well.
It's difficult when you go to some countries these days to keep yourself secure, isn't it?
Good luck using Telegram, which Russia wants to shut down and block its citizens from using as well.
It's difficult when you go to some countries these days to keep yourself secure, isn't it?
Because leave your phone at home.
Maybe you'll just take your old vibrating brick, your old Nokia with you instead.
Nothing wrong with a vibrating brick.
Says the voice of experience. That's outrageous. I'm sorry about that. All right, Carole, what story have you got for us this week?
All right, I'll just jump in. No slow buildups this week. If you want to sell a firearm in most states of the US, the buyer needs a permit.
And for more than a year, applicants for concealed weapon permits— this is weapons where you're not wearing them on display, but they're concealed— in the state of Florida were being given the green light without the right background FBI NICS checks.
Let me just let you take that all in for a second.
And for more than a year, applicants for concealed weapon permits— this is weapons where you're not wearing them on display, but they're concealed— in the state of Florida were being given the green light without the right background FBI NICS checks.
Let me just let you take that all in for a second.
What's a NICS check?
So NICS stands for the National Instant Criminal Background Checking System. I don't know how they got NICS from that.
And basically, this is the background checking system that's used federally by licensed firearm traders.
It came from the 1993 Brady Act that was signed by Clinton, and it requires that everybody who wants to transfer a firearm must do so without violating state and federal laws, right?
So if someone was not of age to have a firearm, or if someone had limited mental capacity, or if someone had a warrant out for their arrest, or someone was a criminal, they would maybe be told, no, you're not allowed to have a firearm in that particular state.
And basically, this is the background checking system that's used federally by licensed firearm traders.
It came from the 1993 Brady Act that was signed by Clinton, and it requires that everybody who wants to transfer a firearm must do so without violating state and federal laws, right?
So if someone was not of age to have a firearm, or if someone had limited mental capacity, or if someone had a warrant out for their arrest, or someone was a criminal, they would maybe be told, no, you're not allowed to have a firearm in that particular state.
Yeah, I hope so. Yeah, yeah.
Now this has been going on for years, even before the internet. In the old days, you would do it by phone, right?
You'd call up and you'd check and say, look, I want to check on this person. It was basically a way to kind of check systems and databases that were out of state.
And of course, now you do it via the internet.
You'd call up and you'd check and say, look, I want to check on this person. It was basically a way to kind of check systems and databases that were out of state.
And of course, now you do it via the internet.
Right.
So getting back to our story, between February 2016 and March 17th, that's 13 long months, the Florida Department of Law Enforcement did not run the legally required background NICS checks from the FBI, but were somehow approving the permits for concealed weapons.
So even if you would have failed this background check, if you were a criminal, or if you had some sort of mental problem or whatever it was, mental health problem, yeah, you would actually be approved to purchase and have a permit for a concealed weapon.
Right. Now what the flip happened here? Right now I hope you're sitting down because this is a crazy, crazy story.
The employee who worked at the Florida Department of Law Enforcement, yes, who was responsible for the NICS checks, forgot her password and then just kind of forgot about the whole database background checking for concealed weapon permit thingy.
The employee who worked at the Florida Department of Law Enforcement, yes, who was responsible for the NICS checks, forgot her password and then just kind of forgot about the whole database background checking for concealed weapon permit thingy.
So, so, okay, so their job is to do the check-in and they log into some system to do the check-in, right?
It's instant, it's an instant check, right? So let's say it takes a minute to run.
Obviously it would be wrong if that was open for anyone in the world to access, you know, you have to be an authorized person.
So there's a password, there's some form of authentication.
So there's a password, there's some form of authentication.
Exactly.
This employee forgot the password, and so they just stopped doing it for 13 months.
Yeah, let me tell you. So I've pieced this all together. Let me tell you how this happened. Okay, so picture the scene. You're working in the Florida Department of Law Enforcement.
I am.
Around April last year, the administrator does something, you know, gee, I haven't seen NICS denial for concealed weapons in forever. What's going on?
And she decides to look into that. This is your boss.
And she decides to look into that. This is your boss.
This is my boss, right?
So she looks into this. And not only has NICS not received any appeals since September 2016 from the Florida Department of Law Enforcement.
Because presumably sometimes people apply for one of these and they're told, no, you can't. And then people appeal and say, well, no, he can't have a gun.
He's 8 years old.
Right. And then the 8-year-old says, oh, please, please. It'd be really handy. Could I have one? So an appeal is put in. All right.
Right. Okay.
They haven't had any appeals.
And not only that, no report has been sent from this office since February 2016. So "What?" says the administrator. This is really weird.
So she goes and sees the employee, surname Wilde, who was responsible for managing the NICS database since 2013, okay?
So this is three years before the problem actually started occurring.
So she goes and sees the employee, surname Wilde, who was responsible for managing the NICS database since 2013, okay?
So this is three years before the problem actually started occurring.
Right.
Okay? And says something like, "What's going on? Why are we not seeing any appeals lately? Why is there no report?" So for 13 months.
And Wilde looked, quote, "bewildered." This is from the report. And said, quote, "I had a login issue and never followed up."
And Wilde looked, quote, "bewildered." This is from the report. And said, quote, "I had a login issue and never followed up."
Are you sure it's not Wilde who felt bewildered?
Wilde.
Bewildered. It's a little joke. Bewildered. Her name is Wilde. It's in the name. It's brilliant.
So Wilde did log an issue in April 2016 saying she couldn't get into the system. This was, turns out to be about 40 days after the actual login issue took place.
So she's trying to get into the system, can't get into the system. 40 days later, raises the issue, saying that she can't get into the NICS database.
There was a bit of back and forth, someone trying to help them gain access to the system, but she seems to kind of got bored with the emails and effectively stopped responding to them.
So she's trying to get into the system, can't get into the system. 40 days later, raises the issue, saying that she can't get into the NICS database.
There was a bit of back and forth, someone trying to help them gain access to the system, but she seems to kind of got bored with the emails and effectively stopped responding to them.
Oh, it doesn't sound like this person is completely in the wrong then.
So they couldn't log in, they raised an issue or a support problem, said, "Oh, by the way, I can't log in" with the NICS people or with tech support.
Tech support came back and said, "Well, you should be able to log in." And she's like, "Well, I can't." And they were like, "Well, have you got caps lock turned on?" "Yeah, I've made sure caps lock isn't turned on.
Don't worry about that." "Well, are you typing it like this?" "Yes, I'm typing that."
So they couldn't log in, they raised an issue or a support problem, said, "Oh, by the way, I can't log in" with the NICS people or with tech support.
Tech support came back and said, "Well, you should be able to log in." And she's like, "Well, I can't." And they were like, "Well, have you got caps lock turned on?" "Yeah, I've made sure caps lock isn't turned on.
Don't worry about that." "Well, are you typing it like this?" "Yes, I'm typing that."
And then she got bored of the emails. So she stopped reading them and stopped responding. So she effectively ghosted them.
And she is quoted as saying in the investigation, "I dropped the ball. I know I did that. I should have been doing it." And no, she did nothing wrong at all.
And she is quoted as saying in the investigation, "I dropped the ball. I know I did that. I should have been doing it." And no, she did nothing wrong at all.
She did absolutely the right thing. I mean, it became far too difficult to check up on people. So the path of least resistance is to say, "Yes, of course you can have guns.
Everyone can have guns." It's like Oprah. "You've got a gun. You've got a gun. Everyone in the room is getting a gun." Fantastic.
Everyone can have guns." It's like Oprah. "You've got a gun. You've got a gun. Everyone in the room is getting a gun." Fantastic.
Well, the Agriculture Commissioner, Adam Putnam, told—
Let's get the Agriculture Commissioner involved. Well, they're the ones who are responsible for firearms, right?
Are they the ones that are supposed to guard the guards, to coin a phrase?
I think they guard the guards, yes.
I suppose farmers have guns, don't they? Okay, so he's getting involved. What's he got to say for himself?
Okay, so he told the Tampa Bay paper that basically 365 applications required a federal background check during that time.
And upon learning of Wilde's negligence, the department immediately completed full background checks on the applications in question, ended up revoking 2,191 of them.
Oh, 80%, about 80% were revoked.
And what makes this whole thing worse for me is that NICS have been maintaining their telephone checking, background checking system during all this, and each call only takes a few minutes for each applicant to be approved or denied.
Just check out this NICS video that explains everything.
FFLs are strongly encouraged to register with eCheck And don't forget, even as a registered eCheck user, you can still use the telephone to reach one of our contracted call centers.
Think about it. On average, the NICS eCheck provides responses to its users in under 2 minutes.
So in the time it took to watch this announcement, you could have received your results. So I don't know what the fuck, man.
I don't know how anyone in the office didn't notice for 13 months either. 13 months.
And upon learning of Wilde's negligence, the department immediately completed full background checks on the applications in question, ended up revoking 2,191 of them.
Oh, 80%, about 80% were revoked.
And what makes this whole thing worse for me is that NICS have been maintaining their telephone checking, background checking system during all this, and each call only takes a few minutes for each applicant to be approved or denied.
Just check out this NICS video that explains everything.
FFLs are strongly encouraged to register with eCheck And don't forget, even as a registered eCheck user, you can still use the telephone to reach one of our contracted call centers.
Think about it. On average, the NICS eCheck provides responses to its users in under 2 minutes.
So in the time it took to watch this announcement, you could have received your results. So I don't know what the fuck, man.
I don't know how anyone in the office didn't notice for 13 months either. 13 months.
It's a little bit sloppy, isn't it?
I mean, maybe she was just embarrassed.
It's just a weird statistical anomaly. Yeah, somebody sort of think, oh, what's going on here?
Well, I think the takeaways on this, we're all guilty of forgetting a password. I've certainly forgotten loads in my life.
And if, so it's important that an institution or an organization has clear policies, procedures, and systems in place for people who forget passwords, a button that says, forgot your password, click here and we'll help you.
Or if you forget your password, please contact this person. And build in team redundancies.
How could one person be in charge of all this and there's no one else who's kind of checking in? There's no reporting mechanism. It's very bizarre to me.
Maybe educating employees on actually what they're doing.
She told the Tampa Bay Times that when she was working at the Agricultural Department mailroom, she was suddenly given oversight of the background check database in 2013.
And she says, I didn't understand why I was put in charge of it.
So from her own words, she was put in charge of this thing that she was never really introduced to or explained how it worked or how important or vital it was.
And I'm not trying to excuse her behavior. She should have figured it out.
And if, so it's important that an institution or an organization has clear policies, procedures, and systems in place for people who forget passwords, a button that says, forgot your password, click here and we'll help you.
Or if you forget your password, please contact this person. And build in team redundancies.
How could one person be in charge of all this and there's no one else who's kind of checking in? There's no reporting mechanism. It's very bizarre to me.
Maybe educating employees on actually what they're doing.
She told the Tampa Bay Times that when she was working at the Agricultural Department mailroom, she was suddenly given oversight of the background check database in 2013.
And she says, I didn't understand why I was put in charge of it.
So from her own words, she was put in charge of this thing that she was never really introduced to or explained how it worked or how important or vital it was.
And I'm not trying to excuse her behavior. She should have figured it out.
I think she's shown a lack of initiative. It's clear that they were passing this job on to anyone. It's like, oh, crumbs, I don't want this job.
Let's give it to Martha, who is working in the mailroom. Put her in charge of it.
She should have found some other moron to take over the job and say, oh yeah, try and work out what the password is if you can. Just passing the buck all the time.
Let's give it to Martha, who is working in the mailroom. Put her in charge of it.
She should have found some other moron to take over the job and say, oh yeah, try and work out what the password is if you can. Just passing the buck all the time.
No, you know, I'm not surprised that she was fired for this mistake or this behavior, but I am surprised if Florida Department of Law Enforcement doesn't get a little slap on the wrist for having let this go on for so long.
So did they get a shot of her?
Yep, they did.
Haha.
Boom. You're so good. You're so good.
Well, and the other thing, the other thing is—
On that bombshell.
The other thing is, you know, why don't more enterprises have a password manager inside their organization to handle this on a sort of corporate level?
Because otherwise passwords do too easily get forgotten, don't they? Or aren't managed properly.
Because otherwise passwords do too easily get forgotten, don't they? Or aren't managed properly.
If more people listen to our show, Graham, I think more password managers would be out there.
Ah.
And thanks once again to VirusTotal for sponsoring this episode of Smashing Security.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting behavioural visualization, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast. And welcome back.
Can you join us on our favourite time of the show? It's the part of the show that we like to call Pick of the Week.
Over a million files are uploaded to VirusTotal every day for analysis and to determine what different antivirus products call them.
But you can do much more than that with VirusTotal Intelligence.
VirusTotal Intelligence helps you get more context about alerts through advanced malware threat hunting behavioural visualization, as well as historical analysis of samples.
Learn more by visiting virustotal.com/learn, and be sure to let VirusTotal know that you heard about them from the Smashing Security podcast. And welcome back.
Can you join us on our favourite time of the show? It's the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a website, an app, a podcast, whatever you like. See how I changed that round after last week?
That's good, that's good. It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a website, an app, a podcast, whatever you like. See how I changed that round after last week?
That's good, that's good. It doesn't have to be security-related necessarily.
Shouldn't be security-related.
Doesn't have to be. Can be if you want.
Shouldn't be.
All right, now my Pick of the Week this week is a website, and it's called Is It Normal normal.com. And I chose this with both of you in mind.
Oh really?
Did you Google yourself and find yourself on the site?
Because you might occasionally find yourself in situations thinking, I wonder if this happens to normal people. I wonder if this, you know, how likely is this to happen?
And you just may find it strange. So basically you can post your question up there and others will vote as to whether what you're describing is normal or not.
And then you won't feel like such a weirdo.
And you just may find it strange. So basically you can post your question up there and others will vote as to whether what you're describing is normal or not.
And then you won't feel like such a weirdo.
It's a bit— okay, I'm looking at it now and I'm finding it's not the most boring questions the most popular recently.
Well, let me tell you, I'll look at the most popular all time. It's not always about popularity, Carole, if you delve a little bit deeper.
So for instance, is it normal that I let my dog eat popcorn off my tongue? 29% said yes. That was normal. That's perfectly normal.
So for instance, is it normal that I let my dog eat popcorn off my tongue? 29% said yes. That was normal. That's perfectly normal.
I think maybe it needs an arbiter like me just to say yes or no.
So do you think that was normal or not, Krill?
Definitely not.
All right.
No, I'm not saying it's a bad thing.
You're more of a cat woman than a dog woman.
No, no, I love dogs.
Hey, I've got a question on this one. Is it normal to crowdsource hygiene and health tips?
Involving canines and popcorn.
How about this one? How about this one? Is it normal to love holding in poop? Oh, that's— yeah, this is all-time most popular.
Is it normal to let my more attractive wife have affairs?
I would say no, it's not.
Wow.
Oh, and what was the vote, by the way, on holding on poop?
67% said yes. I guess so.
I don't know who the poorly put people on 4chan.
Am I normal if I want to eat people? 27% of people said yes.
Okay, forget this. It's no longer my pick of the week. I'm officially withdrawing isitnormal.com as my pick of the week.
It looks—
We're getting rid of it.
It's terrible. Some strange dystopia, kind of like Lord of the Flies but with Reddit 4chan.
So my alternative pick of the week this Pick of the Week is any website other than isitnormal.com.
Great.
So it's the inverse of isitnormal.com because clearly going to isitnormal.com is in itself not normal.
Exactly.
You should be ashamed of yourself.
You should be ashamed of it. We hope that next week's will be much, much better. I'm going to be watching it.
Okay, John, what's your Pick of the Week?
My Pick of the Week. Right. I've gone for something that is not only not related to security, it's not even related to IT.
Is it an art gallery, John?
It's not an art gallery, but it is culturally enriching.
Alright.
It's the Camino de Santiago, a 780-kilometre walk between the French Pyrenees and the Cathedral of Santiago de Compostela.
Flip right off, you've done that walk.
I have done the last 200 kilometers. Now I know that both of you will think, what the hell is this? Why is he even mentioning it? But I'm going to try and sell it to you.
First of all, imagine, if you will, a situation where you don't have to worry about the phone, you don't have to worry about email, any of that.
Life is just stripped back to good food, wine at the end of the day, and companionship and conversation and walking exercise and with scenery.
First of all, imagine, if you will, a situation where you don't have to worry about the phone, you don't have to worry about email, any of that.
Life is just stripped back to good food, wine at the end of the day, and companionship and conversation and walking exercise and with scenery.
What if the person you're with's boring?
No, because you've got the companionship of people that you're traveling with.
Okay, you could probably always push them off the path as well, Carole, if they are very boring and tedious. Okay, does it take you through any sort of rocky mountains?
Okay, you can get—I thought Carole might be resistant to this, so one thing is that if you imagine going into Galicia, you can go into towns and villages there where they have the best tapas in the world.
Yeah, I could just go there. I could meet you there. You walk and I'll wait there in a little tapas bar.
You could meet me there. But you could go to Merida and you could have—have you ever tried pulpo? Octopus?
Yes, delicious. Delicious if done properly.
Yeah. It's a place in Merida, you know, it's cooked very well and have it with local white wine or cider flavor with it, cooked in olive oil with a little paprika. And it's the best.
It really is. And it's even better after a hard day's walk. So, okay.
It really is. And it's even better after a hard day's walk. So, okay.
So basically, okay. I was just going to say you've moved from a walking 750 kilometers to octopus.
That's one of the.
Which is a freaking long way.
It is a long way.
Yeah, but the tapas is great, Graham. It's worth it.
And I'm not saying it's for everyone, but—
Good. I'm glad you're not saying it's for everyone. We don't want all our listeners, John, going on this horrendously long walk. They might not have Wi-Fi.
They might not be able to download next week's episode.
They might not be able to download next week's episode.
Well, look, outside of technology, I quite like hiking, and other hikes are available. The Routeburn in New Zealand, the Nelson Trail, up near the Yangtze in China, other things.
Get some exercise, get off the net. Yeah, look, in my defense, I've just been to the Infosecurity Show last week, which was cyber to the power of tech.
And when I was asked to come up with a recommendation, I wanted to come up with something that was so opposite of that.
Get some exercise, get off the net. Yeah, look, in my defense, I've just been to the Infosecurity Show last week, which was cyber to the power of tech.
And when I was asked to come up with a recommendation, I wanted to come up with something that was so opposite of that.
Well, you certainly have done that.
And to be honest, John, it is still better than isitnormal.com.
Yes. Way better.
It is.
So it's the Camino de Santiago.
Yes.
Terrific. Carole, what's your pick of the week? And try and make it even more cultural than John's.
I'm gonna win this week once again for pick of the week. So I was reading Wired during my morning reading this morning, and I had to share this little snippet. So let's go back.
You know how annoying it is when you go to Google and you do a search because you're trying to learn something, especially if you're writing a story, for example, you're trying to do a search on something you don't know a lot about, and it always provides you with a wiki page, a Wikipedia page at the top.
While I admire Wikipedia and what it's trying to do, I think I would be much more comfortable with a well-known fact-checked site.
A site like Encyclopedia Britannica to give me non-Fox News Cliff-style note info on a topic.
So say hello to Britannica Insights extension powered by the folks at Encyclopedia Britannica. So you plug in this little extension.
And every time you do a search, it provides you with Britannica Insights. So for example, I was looking up Brady Law earlier for my story. Smashing Security.
And you can see from my screenshot here, I have a little sidebar with a bit of information on it.
It also gives me the Wikipedia information, but I have a bit more information that I find a bit more trustworthy.
You know how annoying it is when you go to Google and you do a search because you're trying to learn something, especially if you're writing a story, for example, you're trying to do a search on something you don't know a lot about, and it always provides you with a wiki page, a Wikipedia page at the top.
While I admire Wikipedia and what it's trying to do, I think I would be much more comfortable with a well-known fact-checked site.
A site like Encyclopedia Britannica to give me non-Fox News Cliff-style note info on a topic.
So say hello to Britannica Insights extension powered by the folks at Encyclopedia Britannica. So you plug in this little extension.
And every time you do a search, it provides you with Britannica Insights. So for example, I was looking up Brady Law earlier for my story. Smashing Security.
And you can see from my screenshot here, I have a little sidebar with a bit of information on it.
It also gives me the Wikipedia information, but I have a bit more information that I find a bit more trustworthy.
Oh, okay. All right.
So check it out, Google users. It's an extension there. Now those that use things like Startpage or more secure browsers may not have rights to allow this to run.
There's many Google users out there.
There's many Google users out there.
Oh yeah, I've heard they've got a few users.
So specifically designed to work with Google search results, it's going to put up a little extra box giving you the Britannica definition.
Then they're not going to have anything like the number of entries that something like Wikipedia is going to have, obviously.
So specifically designed to work with Google search results, it's going to put up a little extra box giving you the Britannica definition.
Then they're not going to have anything like the number of entries that something like Wikipedia is going to have, obviously.
No, certainly, because I decided to go take a look for you, right? Because you have your own Wikipedia page, but interestingly—
Not created by me.
I'm sure, I'm sure. But interestingly, you're nowhere to be found in the archives of Britannica.
Just a matter of time, Carole. Just a matter of time. You know, wait till the Queen's birthday honours. Oh no, we've had those. Wait till the Queen's New Year's honours. Who knows?
I'm sure I won't be overlooked again. Well, on that excellent, fascinating— I don't know if that was the best actually, Carole.
I don't know how we can compare a 700-odd mile walk to a plugin for Chrome which displays Encyclopedia Britannica results.
I'm sure I won't be overlooked again. Well, on that excellent, fascinating— I don't know if that was the best actually, Carole.
I don't know how we can compare a 700-odd mile walk to a plugin for Chrome which displays Encyclopedia Britannica results.
One's easier to check out, just saying.
You could look up the Camino de Santiago in Encyclopedia Britannica.
I think I liked your pick better than you like mine, Carole. So that's good.
And on that bombshell, we've just about wrapped it up. You can follow us on Twitter @SmashingSecurity, no G, Twitter wouldn't allow us to have a G.
You can buy things in our online store at smashingsecurity.com/store, including t-shirts and stickers and mugs.
And John, if anyone wants to follow you online, where's the best place that they can do that?
You can buy things in our online store at smashingsecurity.com/store, including t-shirts and stickers and mugs.
And John, if anyone wants to follow you online, where's the best place that they can do that?
Follow me online at the Register and on Twitter @jleyden, J-L-E-Y-D-E-N.
Thank you for joining us today, John. Really appreciate it.
Thank you very much.
And thank you for listening at home as well. If you like the show, why not rate us on Apple Podcasts?
That's how people can find us. If you say it's good, they're going to think, hey, maybe I'll check it out.
Give us a nice review.
They don't trust us. They trust you.
And you can go to smashingsecurity.com for past episodes as well and details on how to get in touch with us. Until next time, cheerio, bye-bye.
Au revoir. Adios. There we go, a cultural episode from the museum.
Is it normal that I let my kitten bite my nipple? Now, when you read this story, she does go into some detail.
Apparently she found a little kitten and it was nuzzling between her, on her sort of unborn tail.
Apparently she found a little kitten and it was nuzzling between her, on her sort of unborn tail.
I don't think you should tell that one.
What?
I think it just sounds a bit grubby.
Right.
This is yet another reminder that "the cloud" is not your computer. Once you learn to backup a file or image a hard drive, you can and should ditch the cloud services for security reasons. Local storage can be made to be convenient.
Replicating cloud services with your own services and a VPN seems like an untapped market. Perhaps a custom Linux distro to run on your own hardware can be part of the answer.