GRAHAM CLULEY
That's not a bad idea, Carole. I think we could make a difference.
CAROLE THERIAULT
Well, better than Microsoft's outreach at only getting 2,000.
GRAHAM CLULEY
Oh, come on!
CAROLE THERIAULT
I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft at, you know, we have a lot of listeners.
GRAHAM CLULEY
I'm not sure it would be possible to actually work out who might be listening to us or not. Oh, phishing, hush hush.
CAROLE THERIAULT
It's about saving the world, Graham.
Unknown
Smashing Security, episode 131, Zap Yourself from the Net and Patch Now Against BlueKeep with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security episode 131. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we are joined once again this week by—
CAROLE THERIAULT
By a ghost, very quiet ghost.
GRAHAM CLULEY
Because it's just you and me. Why is it just you and me again, Carole?
CAROLE THERIAULT
Because we're frackin' busy right now and it's InfoSec this week and we had to do talks.
GRAHAM CLULEY
Anyway, to make up for all that disappointment, I suppose we better explain what's coming up on the show this week. Yeah, let's crack on.
CAROLE THERIAULT
Thanks to this week's sponsors, Recorded Future and MetaCompliance. Their support helps us give you this show for free. Now get your note-taking devices out, folks.
In this info-packed pod, Graham will be warning us of a new threat and telling us what we should do about it.
Meanwhile, I'm gonna look into how realistically viable it is to erase a person's digital footprint. All this and more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Ahuga, ahuga, ahuga, warp, warp, alert, alert, alert, Carole. We are on a countdown to destruction.
CAROLE THERIAULT
Sorry, a countdown to destruction?
GRAHAM CLULEY
Well, but maybe not uncertainty. Something ghastly this way comes, I have to say, because do you remember a couple of years ago? Of course you do. You remember WannaCry, right?
Everyone listening to the show, you at home right now, there you, yes, you, you remember WannaCry as well, don't you?
The ransomware which wreaked havoc around the world, bringing corporate networks to their knees, brought the National Health Service here in the UK to its artificial hips.
CAROLE THERIAULT
Oh yeah, it was a serious nightmare here in the UK.
GRAHAM CLULEY
Tremendous.
CAROLE THERIAULT
Because many hospitals and health services were just crippled. Yeah, awful.
GRAHAM CLULEY
That worm was able to spread so quickly because it exploited a critical vulnerability in Windows.
And even though Microsoft had issued a security patch for that vulnerability almost 60 days beforehand, WannaCry still successfully struck.
Many computers had not been properly protected against it. And, well, we saw what happened.
Now, now Microsoft is saying that it really, really wants you to patch your computers again.
CAROLE THERIAULT
Okay. I have to ask a question. I haven't used Microsoft products in a very long time. However, how come updates aren't automatic? How come updates aren't automated? Right?
GRAHAM CLULEY
Well, you're right. Many, many consumers may well have automated those updates, and that's fantastic. Some people sadly have not.
And of course, in an enterprise environment, you don't necessarily want to have automatic updates because there have been occasions when Microsoft's updates have gone a little bit awry and caused more problems than they tried to fix.
So it's understandable if you've got thousands and thousands of computers in your company, you don't want some dude in Microsoft to say, hey, let's push out a patch to all of those computers because you're going to get it in the neck as the IT administrator if your network goes down and you stop making money.
CAROLE THERIAULT
I'm not sure that's true.
GRAHAM CLULEY
So, well, you know, it's certainly— there's a lot of apprehension about automatic updates in many situations, in some environments.
So what is happening right now is Microsoft is warning that it really wants people to patch their vulnerable computers again.
In fact, it's issued two warnings in the last couple of weeks.
CAROLE THERIAULT
We don't even know what they're vulnerable to at the moment.
GRAHAM CLULEY
Well, let me explain. There is once more a critical vulnerability in older versions of Windows that could be exploited by a worm just like WannaCry managed.
This flaw is being called BlueKeep, and it exploits what's known as a dangling pointer. You're so juvenile. A dangling pointer bug in Remote Desktop Services. And that—
CAROLE THERIAULT
I'm still giggling.
GRAHAM CLULEY
Yes. So this flaw was first spotted by the UK's NCSC, who are part of GCHQ, the intelligence gathering agency, and they informed Microsoft.
And Microsoft did release a patch back on May the 14th.
CAROLE THERIAULT
However, so two weeks ago about, right?
GRAHAM CLULEY
Well, it's about three weeks ago now, by now, isn't it? I don't know, but it was like an old married couple.
CAROLE THERIAULT
It was a Saturday. It wasn't a Friday. It was a Saturday. It happened at 4 o'clock. Remember? Don't you remember? What's wrong with you? You don't remember anything.
GRAHAM CLULEY
You don't remember WannaCry is 2017 or 2016. It was 2017.
CAROLE THERIAULT
Oh, I'm sorry, listeners.
GRAHAM CLULEY
So Microsoft believes this vulnerability to be so serious that they've taken the unusual step of issuing patches for old versions of Windows they no longer officially support.
So Windows 2003, Windows Vista, Windows XP.
These are operating systems they said, "We are never ever going to release another security update for." They said, "You've really got to get off those operating systems." Well, they've done it to protect against BlueKeep.
CAROLE THERIAULT
Yeah, okay, fine, fine. I get that. But I think that maybe if Microsoft want to retire a product that they sold in good faith to people, maybe they should do a buyback scheme, right?
GRAHAM CLULEY
Well, but it's not a question of making it cheaper to buy the software.
The problem is the computers which are possibly running these older operating systems aren't capable of running more up to date.
CAROLE THERIAULT
Well, that would be true, and certainly in things like the NHS, or certainly was in case of WannaCry.
But do you think for home users who are also potentially exposed to this, that's still an issue?
GRAHAM CLULEY
There's still lots of people who don't want to change their operating system or don't want to update their computer if it's working just fine.
I just last night, I was around my father-in-law's updating Microsoft Word for him, and he was terribly befuddled because something had changed its look.
And, you know, it was just, this isn't the same as it used to be. I want it to be the old way. And he went through a lot of pain when he upgraded to Windows 10.
He's just, what is all this ghastliness?
CAROLE THERIAULT
And I will feel the same when I'm his age, when I'm presented with Apple 87 or whatever. I'm not far off, how dare you.
GRAHAM CLULEY
Well, last week Microsoft issued its second warning about BlueKeep, begging computer users to patch their systems.
Reports have emerged that there are nearly 1 million computers directly connected to the internet which were vulnerable to this BlueKeep flaw.
CAROLE THERIAULT
Oh, it's so nice that they're able to tell that just by sniffing around on the internet and looking around.
GRAHAM CLULEY
Well, you can scan ports. Yeah, exactly.
Now, some of those are quite likely to be honeypots set up by researchers, but I doubt that they account for 923-odd thousand vulnerable computers.
And the thing is, it doesn't mean that that many computers are the only ones you have to worry about because some of those computers will be inside organizations.
So if that one gets compromised by WannaCry 2, or whatever we want to call it, exploiting BlueKeep, then the malware could spread further inside that organization as well.
So you only need one vulnerable computer on your network.
CAROLE THERIAULT
Yeah, exactly. Take heed, folks, take heed.
GRAHAM CLULEY
Right, so there's a real risk that we might see a big worm, and the bigger risk maybe is that it will actually take the worm itself to wake people up to the threat and get them to patch.
When Microsoft first made its announcement about this problem and began alerting people, a scan was done of the internet, how many vulnerable computers, and they came up with, you know, almost a million.
Then two days later, they did another scan, and what they found was good news — the number of vulnerable computers has gone down. To what? It had gone down by about 2,000.
So we are talking years and years and years if we just let nature take its course, or until a worm comes out and then that maybe wake people up to it.
CAROLE THERIAULT
Maybe we need to put a challenge out to all our thousands and thousands and thousands of listeners to go out and tell one person who you don't think is very computer savvy, who uses Windows, to make sure they update.
If we all do that, that would be a good thing.
GRAHAM CLULEY
That would be a good thing. So if you're at the bus stop, or if you're—
CAROLE THERIAULT
You see someone with a bashed up Dell laptop under their arm, tell them, "Oh, so how — yeah, I hope you've been updating that."
GRAHAM CLULEY
"I see you're using Windows XP still. Now you need to keep up to date." That's not a bad idea, Carole. I think we could make all the difference.
CAROLE THERIAULT
It's better than Microsoft's outreach at only getting 2,000.
GRAHAM CLULEY
Oh, come on now.
CAROLE THERIAULT
I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft at — you know, we have a lot of listeners.
GRAHAM CLULEY
I'm not sure it would be possible to actually work out who might be doing this or not.
CAROLE THERIAULT
It's about saving the world, Graham.
GRAHAM CLULEY
So at the time of recording, there's no sign of an actual malicious worm exploiting this vulnerability, but it's likely to only be a matter of time.
And there have already been a number of researchers and white hats who have successfully created exploits demonstrating how the flaw could potentially be exploited by a worm.
So it may only be a matter of time. So you've got to patch.
If you're in an organization, you know how you could also test that RDP, Remote Desktop Protocol, is not exposed to the internet unless absolutely necessary.
You know, just cut it off at the knees, if you want, and that way there'll be no future exploitation of that protocol either. That'd be good.
This flaw, just to underline, it affects versions of Windows from Windows XP through Server 2008 R2. Windows 8 and Windows 10 aren't affected by this.
But if you don't know how to patch, and I know it's sort of like, oh, you're telling us to patch, how are we going to do it? Here is my very simple guide.
CAROLE THERIAULT
Yeah, ready.
GRAHAM CLULEY
Right, I want you to go to Windows Control Panel.
CAROLE THERIAULT
Okay, I'm imagining I'm doing that if I had a Windows machine.
GRAHAM CLULEY
Okay, yes, don't do this if you've got a Mac. Yeah, well, it'd be hard, it'd be difficult to find that Control Panel.
Or if you've got a PlayStation as well, again, not going to work. Or if you're listening on your Game Boy, again, not going to happen.
So you're in Windows Control Panel, choose System and Security. And you will see an option there which says Windows Update. Click on that.
Click on Windows Update and follow the instructions.
Chances are, if you haven't updated against this flaw, there's probably bunches of other vulnerabilities and flaws you haven't patched up against as well.
CAROLE THERIAULT
Yeah, update 'em all, kids!
GRAHAM CLULEY
Update everything. If you can, turn on automatic updates, particularly if you're a home user. Inside business, I understand it's a more complicated decision.
You can determine that for yourself, but you've got to keep your computer systems updated, not only for your own safety and to prevent you becoming infected by ransomware, but because of all the other people on the internet.
Right? Let's do something for, let's do something for everyone, right? Let's, let's be loving. I believe that children are our future.
CAROLE THERIAULT
Right? Yeah, well, they actually are. It wasn't a very big jump of faith, that one, was it?
GRAHAM CLULEY
What, what? Teach them well?
CAROLE THERIAULT
No, children are the future. Yeah, good. Great. It's on the ball, that guy.
GRAHAM CLULEY
Anyway, there you go. BlueKeep, protect yourself. And I hope by the time the next podcast comes out, we don't have to say, oh dear, we all got hit by that BlueKeep worm. Worm?
CAROLE THERIAULT
You sound D-R-U-N-K.
GRAHAM CLULEY
Drunk? Yeah. Drunk like Pelosi. What story have you got for us, this week, Carole?
CAROLE THERIAULT
Well, Graham, do you remember The Fugitive with Dr. Richard Kimble, who was accused of a crime he didn't commit?
GRAHAM CLULEY
Ah, so there was a TV show, wasn't there, in the 1960s?
CAROLE THERIAULT
Yeah, there was a movie as well.
GRAHAM CLULEY
A movie starring John, uh, Harrison Ford.
CAROLE THERIAULT
Harrison Ford.
GRAHAM CLULEY
Harrison Ford. Yes, yes.
CAROLE THERIAULT
Now I want you to imagine that you're in a similar scenario, okay? Inspired by the IMDb storyline, I decided to write one just for you.
So an occasionally entertaining cybersecurity pundit and podcaster, Graham, has found out that his podcast co-host Carole has been murdered ferociously in her own studio.
It looks like someone strangled her with her Sony MDR headphones. The local Thames Valley Police Force locate you and accuse you of murdering me.
You start thinking of all the rubbish emails and communiqués you've sent over the last 20 years of knowing me.
GRAHAM CLULEY
I've never even met her. I podcast remotely. We're not in the same room, it couldn't possibly be me.
CAROLE THERIAULT
I know, but think of all the stuff sent to me over the years and even sent about me.
GRAHAM CLULEY
All the stuff we edit out from the show because—
CAROLE THERIAULT
The many, many missives that could be misconstrued.
I mean, someone, if they got their hands on it, might say that there's, you know, these missives show rather a lot of opportunity and motive. Just saying. Just saying.
GRAHAM CLULEY
I'm being framed. I'm being framed.
CAROLE THERIAULT
You, Mr. Graham, you need to scrub your digital footprint clean of any incriminating evidence.
And the idea, you think, is to make it as hard as possible for the cops to associate you with anything related to my unfortunate and very devastating demise, right?
But where to start, right? Where do we look? So I thought we'd have just a little powwow on this. I have a few suggestions.
I thought we could pro and con the suggestions, and you could obviously come up with your own.
GRAHAM CLULEY
Yeah, I thought I could change my name to Steve Gibson from the Security Now podcast. That may be a sense of just try and divert the police onto another security podcaster.
CAROLE THERIAULT
Yes. Okay, well, that's interesting because there are services out there where what they try to do is to delete your online profile.
So one of them is called DeleteMe and one is called Deseat.me. These are just two I looked at. So you can see it as in lie, like D-E-S-E-A-T, remove you from the seat.
GRAHAM CLULEY
Oh, okay. Yes.
CAROLE THERIAULT
It's really interesting. On one of them, it seems the way it works is it scrubs your email looking for onboarding emails with certain services, online services.
So for example, if you'd used it to sign up to Facebook, it would find that original email and then provide you a way to get your information off of it.
GRAHAM CLULEY
Okay. All right.
CAROLE THERIAULT
And these are important. The reason I'm talking about this is it's important, for example, maybe kids are now graduating and they had a bit of a wild time in college.
And, you know, they need to get a job and they're saying, yeah, no, maybe the whole photocopying my butt thing isn't going to go down too well, right, with my new job.
So how do you get rid of that stuff, right? Similar situation to you, the murderer.
GRAHAM CLULEY
How do you wipe clean the photocopier?
GRAHAM CLULEY
After you've taken a— Yes.
CAROLE THERIAULT
That's very good, Graham. I'm impressed. I'm impressed. You would have a smaller digital footprint if you used maybe some of these services.
But A, you've got to trust that they're going to do the right thing by all the data that they have access to, right? You're giving them access to your email to scour that.
GRAHAM CLULEY
Well, exactly. I'm now going to have an account with them. The police can go to them. Right. So what have you been doing for Mr. Cluedo?
CAROLE THERIAULT
Yeah, exactly. Because he's wanted for murder.
CAROLE THERIAULT
Yeah. And it will make it harder for your podcast fans to actually find your stuff online, right? Well, that's the worst thing.
GRAHAM CLULEY
Yes. For you.
CAROLE THERIAULT
Yeah. Your ego would really take a hit there. Now, okay, would you ask Google to remove any personal information from its many, many services?
Because there are webpages that allow you to do this.
GRAHAM CLULEY
Well, I have previously logged into Google and yeah, asked it to delete information and not track information. And I've been through their account settings in the past, yes.
Right, right.
CAROLE THERIAULT
But that's different.
GRAHAM CLULEY
Are you talking about the actual search results? Because sometimes when you do a search result, it says some of the search results have been hidden.
CAROLE THERIAULT
For example, you may have information on Blogspot from days of yore. You might have information on YouTube videos. You might have left crazy comments somewhere.
GRAHAM CLULEY
Oh, yes. Yes, definitely.
CAROLE THERIAULT
Saying, "God, this is a stupid video." So there's lots of places you might be and you may want to get that scrubbed.
So I'll put the link inside the show notes if anyone's interested in doing something like that.
And there's also a link there if you want Google to remove some old cached data.
Again, I don't think there's any guarantee that it will do this, but it's a way of you to be able maybe to mitigate and limit the amount of information about you.
GRAHAM CLULEY
So if I understand you correctly, what you are saying is if you don't want to use services like DeleteMe, you can at least get Google, it kind of promises, or it's offering to delete some of the records it stores about you to do the cleanup.
And that's for free, I imagine.
CAROLE THERIAULT
I'm just giving you a few little options here on how you can reduce it so you can try and trust a third party to do it with you and for you by using services or paying for services.
You can also go look at Google. Google is a bit of a monster on the web, right?
They're the ones that hold the most amount of information about most of us, you know, because you want to basically— you don't want the cops to get you, right?
GRAHAM CLULEY
It's very good that you're mentioning all this and giving me these tips, Carole, before the actual murder takes place. It's very handy.
I'm sure plenty of our listeners are appreciating.
CAROLE THERIAULT
You know what, all our listeners, if something happens to me, they're going to know who to point the finger at, Mr. Cluley.
GRAHAM CLULEY
Well, I imagine that all of this advice only applies if you're the murder victim, right? Not if anyone else.
I don't want to give anyone else any ideas regarding murdering anybody else. Not that I want you murdered either, Carole, but maybe.
CAROLE THERIAULT
I'm not telling anyone how to murder anyone other than—
GRAHAM CLULEY
No, but you're sort of telling them how to cover their tracks. Interesting. Interesting. No, carry on.
CAROLE THERIAULT
Now, another idea is removing everything that might be stored on the cloud, right? And keep everything local.
So a lot of people, you know, the real big privacy experts would say everything should be on a removable hard disk, right?
And all backups should be on hard copy only, on a USB key or whatever. Do you have any thoughts on that?
GRAHAM CLULEY
Well, I have both local backups and online backups because I like to have backups in different places. As long as they're sort of encrypted and secure, I don't mind that too much.
CAROLE THERIAULT
Yeah, that suggests though that you're more concerned about not losing data that you have as opposed to safeguarding your data from prying eyes.
GRAHAM CLULEY
No, I don't think so because all of those backups are encrypted and I sort of hold the master key for them.
So other people shouldn't be able to access them, although I'm using cloud-based services in some cases for those backups.
It's not as though I believe they would be easy for others to peruse.
CAROLE THERIAULT
But there is a pitfall, right?
If you get too obsessed with erasing your entire footprint on the web because you're flirting, A, you're flirting a bit with privacy burnout where you just can't care anymore.
You know, it's like my nephew was over yesterday and he was playing Wii and he was doing some kind of sword fighting thing and he was really into it.
And as soon as we kind of yanked the handset out of his hand, he literally just collapsed on the ground. He was so focused.
He was just like, he literally got burnout, literally just was like, oh, he just collapsed and didn't move for about 15 minutes.
So I'm wondering if people are going to, you know, you run into that kind of danger if you really start looking at trying to make everything private.
And the other problem with it is it actually might have a counter effect of employers or dates, future dates, finding it strange that they can't, you know, find any information about you online.
GRAHAM CLULEY
Yes, maybe you've come here under an assumed name. Maybe your name isn't Graham Cluley. Maybe your name is Emily Buckwater or something.
And yeah, that would be— it does seem rather a nuclear option to me.
CAROLE THERIAULT
But I think for the rest of us, maybe a smarter approach is not to panic about all the data that's out there on you, but focus on what— just focus on the important stuff, like stuff that's personally identifiable.
And lock that down as much as possible.
And every user obviously has to decide for themselves what information they're comfortable sharing and what information they want to keep private.
GRAHAM CLULEY
So if, for instance, Google had a search record that I'd been searching the web for details of, you know, how to strangle someone with a microphone cord or something like that.
So those are the sort of things to remove rather than, you know, what time does Waitrose supermarket shut tonight?
CAROLE THERIAULT
Or I'd like to make a fish pie tonight, give me a recipe.
The thing is, I don't know, I think there should, you know, we should all try and retain some measure of privacy because if we don't, we're strangling the life out of our individual right to have it.
So now there's a few things. So here's just a few little things we can do.
So EU subjects, anyone who lives in the EU, can use GDPR to get companies to delete previously collated identifiable info.
It's not easy, but for some services where you've shared a lot of information, it may be very worthwhile.
GRAHAM CLULEY
Well, I guess you can try and— if you did have something which was potentially a little bit embarrassing, one thing you could do is try and lose it in the noise, couldn't you?
CAROLE THERIAULT
Yes, like needle in the haystack approach, right?
GRAHAM CLULEY
But if there are websites which are saying something nasty about you, then maybe you want lots of web pages which are saying something nice about you, and then people are less likely to stumble across the one which has something unpleasant.
So do some good, people, and get people to write about it, and maybe people will forget those mistakes you've made in the past, such as that unfortunate microphone murder.
CAROLE THERIAULT
And you know what we could do? We could actually distill it to the big ones. So I've made a list of 5 big things I would do.
The best result for the least amount of effort according to me. Let's see if you agree with it, right?
So first, delete messages, pics, tweets, comments, emails that you no longer want or basically make you look bad, right, Graham? Lock down apps and profiles as much as possible.
So if they ask for, you know, I need to know your location at all times, and you're thinking, why? You're just a chess app. You can turn that off.
GRAHAM CLULEY
Right. And look at your privacy settings is basically what you're saying as well.
So if you're on social media, make sure that you're not sharing it with the entire world, but just sharing it with the people on the social network that you want to share your personal information with.
Yeah.
CAROLE THERIAULT
And some people would say, why share anything personal on social media at all? You want to use different passwords for every account. Obviously, use a reputable password manager.
I find it useful. I think you do too, Graham. We talk about it a lot. Use multifactor authentication. So 2FA, it's also known as. Very good.
And then the things you can consider is encrypt your data like Graham does. Use a VPN, which helps obfuscate your traffic and what you're looking at.
And most importantly, don't kill anyone, especially not your co-host.
GRAHAM CLULEY
I think maybe that should have been number 1, Carole. Rather than hitting away at the—
CAROLE THERIAULT
I want to end on something powerful. Powerful.
GRAHAM CLULEY
Okay. So if you only remember one thing, Graham—
CAROLE THERIAULT
Yeah, don't kill me. Quote, "Most business security breaches are the result of one thing: sloppy password practices.
Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts." Unquote. That's my co-host Graham Cluley.
This is what he says on the LastPass enterprise page. And most of you know how much I hate to admit when he's right, but he is.
Sloppy passwords are a huge contributor to security breaches within an organization.
The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashingsecurity.
We also are sponsored by MetaCompliance.
GRAHAM CLULEY
Now, MetaCompliance reduce cybersecurity risk by providing a platform for training. They do online training. They've gamified it.
It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
CAROLE THERIAULT
And best thing, it's not boring.
GRAHAM CLULEY
No, not boring at all. You learn everything. GDPR, malware, data security, password safety.
You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
CAROLE THERIAULT
On with the show.
GRAHAM CLULEY
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be after last week's debacle.
GRAHAM CLULEY
Well, mine has a tangential security connection.
CAROLE THERIAULT
Do you mean tangential?
GRAHAM CLULEY
Oh, I don't know.
CAROLE THERIAULT
Oh, it's all right.
GRAHAM CLULEY
Did I say tangential?
GRAHAM CLULEY
Exactly what happens if you go to the tanning salon without your underpants.
CAROLE THERIAULT
Oh dear.
GRAHAM CLULEY
Anyway, my pick of the week this week is a TV show which I've been binging on. And it's not a barrel of laughs.
CAROLE THERIAULT
I thought you'd been all busy, busy. You keep saying how busy you are.
GRAHAM CLULEY
Well, I managed to slip in, I've managed to slip in 4 hours of TV watching. I've still got 1 episode to go of Chernobyl.
CAROLE THERIAULT
Oh, I've been hearing about this everywhere. What are you watching it on?
GRAHAM CLULEY
Well, it is available on HBO in the United States and Sky Atlantic over here in the UK. And we don't have Sky. But Mrs. Cluley wanted to watch the final season of Game of Thrones.
And so we found an online service where we paid some money and it hasn't quite expired yet. So I had a poke around, see what else they had to offer us.
Now Game of Thrones is over and they had Chernobyl. I thought, oh, everyone's talking about that. I'll go and see it. Oh my goodness.
CAROLE THERIAULT
Is it good?
GRAHAM CLULEY
It is chilling. It does, of course, dramatize the true story of the Chernobyl nuclear accident.
GRAHAM CLULEY
And well, no, it turns out, Carole, not so much fun. And yeah, there's some occasional bit of little gallows humor. It is tremendously well done.
CAROLE THERIAULT
I heard that. I heard it's shot so beautifully.
GRAHAM CLULEY
It is incredibly filmed and it is just absolutely gripping. It has the actual accident itself, has its aftermath, the cleanup, and of course the cover-up.
CAROLE THERIAULT
Yep. So you're jumping on the Chernobyl bandwagon along with every other journalist out there.
GRAHAM CLULEY
Is that right? Well, there you go. That's what I've done. If you haven't had a chance to watch it, go and watch it.
If it's not on your streaming service, hopefully it will be someday and you'll get a chance to watch it because it was quite interesting.
The security— do you remember the security link, Carole? The security link?
CAROLE THERIAULT
What? Tangentially?
GRAHAM CLULEY
Tangentially was because there was, of course, a Chernobyl virus.
CAROLE THERIAULT
Back in the day. Oh, that's very tangential.
GRAHAM CLULEY
Which triggered on the date. And I suppose it was a failure of their industrial control system as well, was it not?
But no, I imagine many people listening— I mean, I'm of an age where I remember the Chernobyl accident, and I imagine you do too, Carole, but there will be listeners who were too young to remember it.
But it really comes across in this program just how much more serious it could have been. I mean, it was horrendously serious.
CAROLE THERIAULT
Thank you for bringing so many really lighthearted and interesting topics to the show.
GRAHAM CLULEY
That's what we do. That's what we do on the show, Carole. Sometimes it's a giggle, sometimes it's smutty, and sometimes it's deadly serious. Welcome to the world of Smashing Security.
So let's hear from you what your pick of the week is.
CAROLE THERIAULT
Well, until this morning when I sent you the video that I have featuring on my pick of the week, had you heard of Nellie Bly?
GRAHAM CLULEY
No, I'd never heard of Nellie Bly. Okay, that's very cool.
CAROLE THERIAULT
Because, and then, you know, she was an American journalist from the Victorian times.
There's no real reason that she might make it into your school books, particularly those when you were at school, I'm sure featured many, many men of historical note, as opposed to women.
GRAHAM CLULEY
It's true. I'm sure they did. Queen Elizabeth, Queen Victoria.
CAROLE THERIAULT
Yes. Well, they had to be queens to get mentioned. Boadicea. Yeah.
CAROLE THERIAULT
Now, I had never really read a lot about her or watched any documentaries on her before. So when I saw this little Atlantic article show up in my feed this week, I checked it out.
Now, just for those who don't know, Nellie Bly is the name of one of the first daredevil gotcha female journalists, and her shtick was to go undercover and do quote unquote stunt reportage.
So where you never really identify yourself as a reporter, but then later on do a gotcha and expose the company or the person, explaining all your experiences with not holding anything back.
GRAHAM CLULEY
Right, so she's an undercover investigative journalist getting the scoop.
CAROLE THERIAULT
She did something— okay, so what she's best known for was her first big stunt, or what I know to be her first big stunt.
So it was in 1887, she got herself committed to the women's asylum in New York City.
So it's called Blackwell Island, and she spent 10 days there as a psychotic patient, faking psychosis.
And the point was to collect stories and facts and then expose them all in her column. My goodness.
And, you know, she had to trust that they would pull her out 10 days on because she said there was no way you could get out of there had they not sprung her out.
She just went up to, I think it was the editor of The World, Mr. Pulitzer, and she basically kind of said, okay, he offered her this. He said, we can't get in. We're all guys.
We can't get in there. Can you? And so she did.
GRAHAM CLULEY
That's the terrifying thing, isn't it? I mean, if you throw yourself— I don't know if you've ever done this, Carole, if you've ever put yourself into a mental asylum.
CAROLE THERIAULT
And joining this podcast, Graham, is a similar analogy.
GRAHAM CLULEY
And then of course, you try— if you're trying to get out afterwards and you're trying to convince them that you're sane, well, that is what a mad person would do, isn't it?
CAROLE THERIAULT
Yeah. And it's an unbelievable story, and it's led to many, many more stunts, right? And it's kind of all touched upon in this gorgeous 12-minute video, right?
The film director Penny Lane uses animation and documentary-style reenactments, and that they're mostly drawn from primary sources, including Bly's own writing and published interviews, and basically tries to tell the story of this fearless Victorian newspaperwoman.
So check it out. It's beautifully scripted and animated, I think.
GRAHAM CLULEY
What did you think, Clue? I really enjoyed it. And I liked that the animation part of it was sort of made out of newspaper headlines. They actually sort of made the landscape.
And there was this asylum story, but there was also a story of how she set the world record for going around, circumnavigating the world, you know, on train and steamboat.
And she did it in about 72 days.
CAROLE THERIAULT
Yeah, she wanted to beat Jules Verne's Around the World in 80 Days concept.
GRAHAM CLULEY
Yeah. She met him en route when she was in France. And I also got a little tidbit because I was quite fascinated by this.
CAROLE THERIAULT
I thought you would.
GRAHAM CLULEY
I was. And I was reading up about her on Wikipedia and I found out that she married when she was in her early 30s.
She married some 73-year-old uber businessman and of course, he popped his clogs just a few years later, and she inherited quite a lot. She was quite a woman.
Well, and this was also the days before the suffragette movement as well. I mean, she went all around the world. She only took one dress with her and a couple of pairs of underpants.
Oh, and you know what?
CAROLE THERIAULT
She was annoyed that people focused on that. And so was I watching this video.
But everyone kept talking about her outfit, the fact that she only— she didn't have a humongous trunk. Honestly.
GRAHAM CLULEY
Well, if she'd had a humongous trunk in Victorian times, Carole, she'd have been the elephant woman. Boom, boom. Okay. Oh, whoa. Well, that just about wraps it up for this show.
Carole, if you want to follow us on Twitter, you're already following us on Twitter, but if you at home want to follow us on Twitter, we are at Smashing Security, no G.
Twitter wouldn't allow us to have a G. And we're also on Reddit. You can continue the discussion with us up there at smashingsecurity.com/reddit.
CAROLE THERIAULT
And shout out to our sponsors, Recorded Future and MetaCompliance. Their support helps us give you this show for free. So check out their offers, please.
And high five to you listeners as well.
GRAHAM CLULEY
We're so glad you listen to us week in, week out. Until next time, cheerio, bye-bye. Bye. Have you got your pop screen on? I have a problem.
CAROLE THERIAULT
What's your problem?
GRAHAM CLULEY
The A on my keyboard 30 seconds ago decided to stop working. Any advice? It's going to make taking notes a real pain. Only the letter A?
CAROLE THERIAULT
Have you dropped some coffee on it?
GRAHAM CLULEY
What have you done? No, no, no, nothing. Just the letter A. It's just not responding at all.
CAROLE THERIAULT
Look, I'll write you a message in the little Sting machine.
GRAHAM CLULEY
Yeah, go on then.
CAROLE THERIAULT
Okay, I'm pressing a lot of A's.
GRAHAM CLULEY
I'm not seeing anything show up. Oh, look. Okay, I'm looking. You've written—
CAROLE THERIAULT
I'm pressing A, A, B, B, A, A, B, B.
GRAHAM CLULEY
The B's are coming through, but no A's.
CAROLE THERIAULT
Yep. Anyway, fun times, even with cap lock. So the key's dead. So I need a new keyboard. So that's fine.
GRAHAM CLULEY
So welcome everybody to the latest episode of Smashing Security.

I've seen the mitigation suggestion to disable RDP, but no specific instructions on how to do that.
What is the best practice here? Setting the control panel service for Remote Desktop Services to Disabled? A Registry Key somewhere? Group Policy?
http://lmgtfy.com/?q=How+to+disable+RDP