DLA Piper and its insurers clash over multi-million NotPetya payout

Law firm was hit in the crossfire as Russia-backed ransomware spread.

Graham Cluley


June 2017 saw one of the world’s most costly malware outbreaks ever.

The NotPetya ransomware, initially spread via a malicious automatic update to a popular Ukrainian accounting software tool, hit companies around the world including advertising giant WPP, household goods manufacturer Reckitt Benckiser, FedEx subsidiary TNT Express, and international shipping logistics company Maersk.

Shipping conglomerate Maersk later estimated that the NotPetya ransomware cost them as much as $300 million in lost revenue. Reckitt Benckiser, the firm behind such brands as Nurofen and Durex, blamed the malware attack for a $100 million loss in revenue.


Certainly not chump change.

One of those organisations hit by NotPetya was multinational law firm DLA Piper. The business, with a presence in over 40 countries, reportedly had a “flat network structure globally”, allowing every data centre and Windows-based server on its network to be impacted by NotPetya.

Wiping its systems and starting again must have been costly, even before you start counting the 15,000 hours of extra overtime it reportedly paid its IT staff.

So, it’s no surprise to hear that DLA Piper is interested in claiming back some of that expense from its insurers, Hiscox.

As The Times reports today, DLA Piper has started proceedings against Hiscox, saying that the insurance firm has failed to pay out for the damages and costs associated with the NotPetya attack – a claim which may amount to several million pounds.

From the sound of things, Hiscox is refusing to pay up because of the “act of war” exclusion clause commonly found in insurance policies. The UK government, you may recall, has officially stated that the Russian military was “almost certainly” behind the NotPetya attack.

A similar spat has recently broken out along the same lines between a firm (confectionery giant Mondelez) that was hit by the NotPetya ransomware, and an insurer (Zurich Insurance) that is declining to pay up.

I don’t know what type of insurance policy DLA Piper had with Hiscox, but as we discussed in a recent edition of the “Smashing Security” podcast, it appears that Mondelez may not have specifically had a cybersecurity insurance policy with Zurich but instead a property insurance policy that excluded warfare.

Episode 117: SWATs on a plane

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Whinge bags? Are they not American? Americans, we don't say whinge.

Graham Cluley

Oh, what do you say? Oh, this is interesting. What are you on to here, Maria? They don't say whinge bags.

Carole

We don't say whinge. We say whine, exactly. Oh, maybe I wrote it down. Oh! Smashing Security, episode 117. Swats on a plane, with Carole Theriault and Graham Cluley. And I'm Carole Theriault.

Graham

Hello, Carole.

Carole

Hello. Hello. Can I grab the microphone for a second?

Graham

Yes, if you wish.

Carole

Now, before we introduce our amazing guests, I made a bit of a boo-boo last week. I was talking about Mondelez, the food giant. Oh, yes. And we were talking about cybersecurity insurance, but they actually didn't have cybersecurity insurance. They had property insurance.

Graham

Oh, so they had insurance, but not cyber insurance. So some of the machines, of course, got damaged by the NotPetya virus. Yeah. And they are trying to claim that on their property insurance. Thank you for that. And we'll look forward to that at the end of the show.

Maria Vermaseren

Hello. Oh, Maria. Now we can smile. Now that the bad stuff's out of the way. I'm happy to follow the errata.

Graham

Do you have anything to apologise for, Maria?

Maria

Oh, don't even get me started. It's a whole other podcast. I claimed last week that rugby was in Yorkshire, which got me a little bit of hate mail, and apparently it's in Warwickshire.

Carole

Shame on you.

Graham

Probably on similar kind of level as the whole insurance thing, I would think.

Maria

Much, much worse.

Graham

What have we got coming up on the show this week?

Carole

Oh, we have a fun one this week. How could you not have a fun one with Maria, the queen of comedy on the show?

Maria

What?

Carole

Now, Graham, you're hitting Tampa, Florida and delving into hacked Twitter accounts. Maria's going to talk us through her month off Facebook. Did she actually make it in the end? Don't tell us to the very end of your story. And I'm talking about a sneaky, nasty scam lurking on LinkedIn. All this and more coming up on Smashing Security.

Graham

So chaps, I have a strange story, and the further I looked into it the weirder and more bizarre it became. The story begins last week. Bob Buckhorn is the mayor of Tampa, Florida, okay, and he was away on a hunting trip in South Carolina out of reach of the internet, unable even to get a cell phone signal. He was enjoying the wilds. And why shouldn't he be? Because he actually is aware that his term as mayor of Tampa is coming to an end and there will soon be elections for a brand new mayor. So he doesn't have much to worry about, does he?

Carole

Okay. I guess not. I guess he's going to think about putting his feet up and play some golf.

Graham

Well, no, you're wrong, Carole. He does have a lot to worry about because his Twitter account got hacked while he was out on that hunting trip around about four o'clock in the morning local time.

Carole

Every hunter's worst nightmare right there. Is your advice going to be never leave your Twitter account ever?

Graham

I can see where this is going. That is the policy I've been taking for a while.

Carole

I know. Sustainable.

Graham

When his account got hacked, the juvenile miscreant who hacked his account changed his Twitter name from Bob Buckhorn to, can you guess, changed one of the letters.

Carole

Robert?

Graham

No. He changed it to Bob Cuckhorn. Could have been worse, of course.

Carole

Are you trying to be polite?

Graham

No, it wasn't Fob Buckhorn. It was Bob Cuckhorn is what his name got changed to. And his profile was replaced by one which said, City of Tampa's mayor, white supremacist, hater of, and his avatar was switched to a version of the alt-right meme pepe the frog.

Maria

Oh, you're on side exactly, exactly.

Graham

Now this is of course when his Twitter account began to spew a series of racist, sexist and oh my goodness, disturbing messages. For instance, the Twitter account tweeted to Tampa Airport saying, I've hidden a bomb in a package somewhere. Looking forward to seeing some minorities die.

Carole

Yeah. That's awful. I know, but part of me is thinking as soon as you saw that coming from the mayor's Twitter account, you would know he was hacked. No?

Graham

Well, you never know nowadays. I can see where you're coming from, Carole. You're thinking why would a political figure in the United States use Twitter to spread some sexist, misogynist, or racist, or just truly bizarre bile? No one would dream of doing it. No one would dream of using Twitter in that way.

Carole

It's not a dig on Tampa, because you're going to get some hate mail from Tampans. And that's probably not the right word. Another message came along saying, emergency alert, ballistic missile thread. I think they meant threat, rather than a thread, inbound to Tampa Bay area. Seek immediate shelter. This is not a drill. Whinge bags? Are they not American? Americans, we don't say whinge.

Maria

Oh, this is interesting. Can I just say, this is very good for my pick of the week. Note. Breaking news, breaking news.

Graham

What are you on to here, Maria? They don't say whinge bags?

Carole

We don't say whinge. We say whine. Exactly.

Graham

Oh, maybe I wrote it down.

Carole

I was going to say that's straight up fake news. Fake news from Smashing Security. Fake news. I declare fake news. Another error to Graham. You're two to one.

Graham

I hope the rest of it, I've got it right. It continues saying, "Time you fuckers were brought down a peg or two, it'll be sweet victory when I bring my AK into your offices later today. Hashtag be warned."

Carole

So can I ask, how far apart are these messages?

Graham

Well, these messages were being posted over the course of a few hours before anyone in Tampa woke up in some position of authority. And the mayor, of course, he didn't have any internet connection. He didn't even have a cell phone signal. Does he have a secretary? Or what's going on? Well, even if he did, Carole, there he is in the outback or whatever it's called. You know, hunting wildebeest or whatever people do when they go hunting.

Carole

That clears his name of doing it himself out of range.

Graham

What are you suggesting?

Carole

Well, I'm just saying if people are obviously confused that this could be actually him at the time by receiving it, I'm just thinking as soon as you saw that, you'd say, okay, he's got hacked. Yeah, of course they would. But that doesn't mean that the threat is necessarily non-existent. And it could be some, you know, some sort of Christian Slater style bad guy in a movie, right, who's hacked into an account and he's using it as a platform to spread the message and spread concern. You sounded very comfortable with them. Concerningly so. Now, some of those tweets tagged other Twitter users. For instance, PewDiePie. Oh, for goodness sake. Again with the PewDiePie. Yes, but I don't know why I know him, but I know that name.

Graham

Well, he's no stranger to controversy. Back in April 2017, he was permanently banned from Twitch, for instance, after he was swatted while actually on an American Airlines plane in Phoenix.

Carole

Did you say swatted, not spotted?

Graham

Yes, that's right. He was swatted. So swatting. Swatted on a plane. Yes, is when someone contacts the authorities and claims there's some madman in your house. They give the police your address and the police go around with weapons. Because they assume it's going to be an incident. They have to err on the side of caution.

Carole

That's not a boring day. And they arrest you. This sort of thing has happened to people like the founder of Mumsnet. It's happened to Brian Krebs. "I've had enough of these motherfucking swats on this motherfucking plane," said the movie Samuel L. Jackson. Swats on a plane. Swats on a plane. Thank you. That's the episode title. Now, Ice Poseidon, he got banned from Twitch because he was giving out his real address all the time, making it too easy for folks to swat him. He is getting probably more followers as this happens, which is why he may be making it easy to be swatted.

Graham

Perhaps. It's a peculiar thing, though. And what do you think was happening as Mayor Bob Buckhorn's Twitter account was being hacked? Ice Poseidon was being swatted again. So he was being tagged in the messages and he was being swatted. Now, in response to this, he's made his Reddit community private. He's very active on Reddit. And you now have to ask to be allowed in. Presumably he's keen for things to cool down a little bit. But it seemed a strange coincidence that all these things were going on. And it's like someone has a vendetta against him. But anyway, anyway, anyway.

Carole

So you now have an itch and you're hoping our listeners are going to scratch it for you.

Carole

Maybe, or maybe I just don't want to know at all. I'm not sure. Sometimes that happens with an itch as well, doesn't it? What? You're on your own on that one. Well, some dude got swatted and a politician got his Twitter account hacked as well. The mayor's election is due to take place on Tuesday, March the 5th. Next Tuesday as we record this. used that with clients before, and it's great.

Graham

Right, without having to share a password with other people. Good advice. So I'll put a link in the show notes because I really think there's probably a lot of organizations which aren't using this, and it's going to be a better way to protect your Twitter account, whether it be from YouTubers or 14-year-old boys or swatters or whatever. Properly defend yourself, get strong passwords, get 2FA, and don't ignore these things just because you're trying to get multiple people to run your Twitter account. Yeah, I really doubt that Mayor had anybody running his account but him, though. I really doubt it. Maria, what's your story for us this week?

Maria

Well, last time I was on the podcast, if you want to do the flashback sound. Yeah, well, let's go back. Let's listen to what happened.

Carole

Yeah, just deactivate and see how long it takes you before you activate again. I am sure it is so slippery to reactivate. I'm sure all you could do is go to the pages. No Facebook February. Make a commitment. Interesting. Yeah. I could try that. I could give that a shot.

Maria

So last time I was on the podcast, you put a challenge to me to not use Facebook for a month and see what would happen. And I know, Carole, in the intro for this episode, you said I would reveal it at the end of my segment. But it's kind of impossible for me to talk about it without revealing it up front. But still, any guesses on how it went from the two of you? You lasted three hours. No Facebook February.

Carole

That, yeah.

Maria

Actually, Graham, you're pretty much right on the money for that. So congratulations. So my hope for the month was that by the end of the month, I'd be completely extricated. Like my account would be deleted. I'd be done. I'd finally freed myself from this stupid site I can't seem to exit. And I actually did pretty well for myself. I didn't post a single update the whole month. Good. Not even a meme shit post, as per my use. Long ago, I deleted the Facebook app off my phone. So that wasn't hard. I didn't have any phone app to check and didn't reinstall it or anything. That's

Graham

a fantastic first step. I remember when we first talked about how to quit Facebook. That was one of your recommendations. Get it off the phones. Good way to wean yourself off the habit, isn't it? Honestly, that was probably the bigger step than trying No Facebook Feb. That was much bigger. And this was practically a piece of cake. swapping clothing might be something which actually draws me back to Facebook if I could get involved in a group like that. Oh, yeah, there's a lot. Who are you planning to invite to that clothes swap, Graham? I think particularly when, I mean, Maria, you've got a young child. And I remember that was something which actually brought me back to Facebook for a while, was I had a kid go into school and I had to sort of know the other parents and things. So I wouldn't blank them all the time and not know whose kid was whose.

Carole

Yeah. Good thing. Tell everyone.

Carole

I had to transport some children. I didn't know which child was which. One ended up in the car. He was a little bit enthusiastic. I was driving down the highway and it turned out his parent was expecting to pick him up. in the deposition. Yes. I can't believe you're an adult. No, he

Graham

said to me, you're taking me back to your house. And I said, oh, okay, come on then. You took the word of a five-year-old.

Carole

Didn't think of checking in with mom. No question. They don't lie at five, right? Never. No. No. I didn't eat any cookies. No. But anyway, that was one of the reasons why I was briefly back on Facebook. I'm not on Facebook any longer. But it is difficult. And I think particularly for young parents who are exhausted anyway and trying to have a life outside of their four walls, Facebook is a bit of a lifeline in a way because everybody's there. in some of these groups? Is this you pretending to be

Graham

empathetic? I'm trying to be empathetic to Maria, yes. Oh, I appreciate that. When I was reflecting on how badly my month went, I was thinking, yeah, the time of my life right now is not helping. And you wake up one morning, there's a bulldozer in your front garden about to smash your house down because you've missed out what the local development team is going to do.

Carole

On the council meetings and the plans were very clearly posted. Guys, guys, guys. Are we doing this? Because I'm totally in front. I'm doing this. Guys. Let me go get my towel. In the laboratory. I've got to go get my towel. Beware of the leopard. Maria, isn't there another option though? Couldn't you just kind of wean them, educate them on the problems with Facebook? It's not like these people aren't reading a paper and you can get them set up on something else.

Maria

So I was actually at a meeting last Wednesday and it was we were talking about how to RSVP to events. And when somebody said, how are we going to organize for this next event? Everybody got really quiet. Everybody looked at each other. Someone else said, Facebook and the whole room groaned. Everyone went, oh, God, I hate Facebook. I really wish I wasn't on that stupid thing. But what's our alternative? Yeah, I know. I mean, it was literally this whole conversation. And this is a bunch of artists, by the way, people who are not usually thinking about security stuff. They all hate it, too. And everybody feels the same way. We're freaking stuck with this thing. What's the better option? We could try to do email. Yes, that is a thing. But then somebody has to maintain an email list and nobody wants that responsibility.

Graham

Google Plus. Google Plus. Oh, yeah. So I can't completely deplatform myself, even though I've actually actively tried, unless I want to cut myself out of real world communities that I'm a part of.

Carole

Not in my house. Not in my house. Yeah. I'm just throwing that one out there. I think you're right though. Because it's somebody has to answer the phone, right? I don't want to do it, but somebody's got to do it. Otherwise the phone's going to keep ringing. No.

Maria

How do I put this? People who are looking for a safe place for their seedy interests have found a haven by making their own say Mastodon instance so I saw one of the top Mastodon instances which over 10k users had something to do with baby bottles and diapers. And I thought maybe it was a new parent group, but it wasn't. I'll just leave it there. And I really left that one quick. So I don't think I'm going to be recommending that one to the PTA parents. You know, years ago, I ran a personal website where I had a little photo gallery and there was a picture of me as a young boy eating an ice cream on a beach. And I had sort of ice cream smeared all over my face. Ice cream eating children. Oh, my God. I remember this. Why do I remember this?

Graham

I'm sorry. I brought it back to you now.

Carole

I think I've seen the photo in question, actually.

Graham

Well, yes. I'll post it up on Twitter. Why not? Let someone else...

Carole

Let's just do that. Twitter can pay for the bandwidth this time. Oh, my God. I'm so glad I opened that door. I'm so glad I brought that back up. Yeah. So TLDR, really frustrating month. Really frustrating. I'm still enmeshed. If I had deleted my account, I would have had to just re-up it within like a week anyway. I don't think Facebook would even get rid of my data if I told them to delete it. I've noticed a lot of people I know similarly deplatforming. I'm using that badly, but sort of backing away from it, not posting updates, just on occasion logging in saying, hey, it's been a month that I've been on Facebook. I'm just checking and I'm going back to not being on Facebook. That's sort of how a lot of folks I know are using it now, which is great. But we're not deleting our accounts, which is not so great.

Graham

Meanwhile, you're creating a little world on Second Life where you're gonna encourage all of these people.

Carole

I can't wait to see your avatar. You know Second Life is still around, right? It's still going strong. Okay, because the furries love Second Life. It's a thing. How do you know that, Maria? Oh, it's a well-known thing. I'm not a furry. Let me quash that one right now. I'm not a furry. My husband's a furry. I'm not a furry. Well, he's not a furry. He's just furry. He's very furry, yes. Okay. Doesn't need an outfit. That's all I'm saying. All right. Well, I couldn't conclude my segment without defending myself for having a rotten time in No Facebook Feb. So there's a link, if you guys went through the show notes, by reporter Kashmir Hill, who tried to live at least a day, if not several weeks, without Amazon, Facebook, Google, Microsoft, and Apple products. And she says of the experience, and I quote, it was hell. So maybe we could do a No Civilization September for a future segment if we want to try and replicate that. But I don't know, it's really damn hard to do this kind of thing. Who knows, maybe you'll try again next year, Maria, and get yourself weaned off just a little bit more if there's a stronger, if there's an alternative that people are willing to use. If people are saying, you know what, I'm willing to go back to email, what about AOL? Is AOL still going? Are they still sending those CDs? CompuServe. MySpace. Yeah, I feel like going backwards is not the solution here.

Graham

Carole, what's your story for us? Well, this segues beautifully from Maria's story. Oh, it's like I planned it. Yeah. Thanks very much. Yeah. I don't say you went last and you get to choose a bigger number. In my defense, I'm an introvert. So I hate people. Me too. Fuck off. I'd be quite wary. Did you say it's Loretta Bobbitt who'd sent me this request?

Carole

Bobbitt. I put down Bob, but I thought it should be a girl. And I thought, Bobbitt. Yeah. Okay. Now, I think, Graham, you would also say connect, wouldn't you? Because I think you famously told me many times, I just connect with everybody on LinkedIn. Just connect, connect.

Graham

I do these days. Now I work for myself. Yes, I will just accept absolutely anybody.

Carole

Oh, you're going to regret saying that. Well, wrong, you guys, wrong answer. You know what you just did? You just opened the door to a wily little phisher hell-bent on infecting your device with the More Eggs malware. What? More on that in a second. But this is how the phishers get their foot in the door. They basically need to become part of your network connection. Okay, that's step one. But you don't know this yet, right? You're kind of sitting there going, oh, I'm really excited to hear about this job. A few days go by and you don't hear anything. And you're a little disappointed because you're kind of looking forward to it. But a week later, you get a message from your new connection. And they say, hey, here's a link to the cool job description I was talking about. And when you click, of course, the URL is a malicious one and it tries to initiate a download of, get this, a Microsoft Word file that requires macros. Macros! It's the 90s again. Just like shoulder pads and sports flacks. It's coming back to haunt us.

Graham

In my defense, I accept a LinkedIn invitation from anyone, but it doesn't mean that I read any of their messages whatsoever, because I do get a lot of junky messages. They just go straight in the trash can. If someone in an InfoSec role opens up that link and goes, oh yeah, I'm gonna enable macros, they should get instantly declined from that job. The recruiter should go, nah. Yes, okay, and I understand that, but they're not just focusing on the security guys, okay. But, I mean, obviously, they could deliver it in ways other than through a poisoned Word document using macros. There's other tricks they could use.

Carole

Yeah, there's different ways for sure. But I think the reason they're using macros is because maybe it's just fallen out of the press, right? And if you're, you know, I don't know, if you were 25, 30, you may not even know what a macro was. You may not even have to. Wait, what? Right, Maria?

Maria

As a 25-year-old, I take offense. Okay.

Graham

Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win. Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, phishing, and much, much more. Grab it for yourself at smashingsecurity.com slash Mimecast. And thanks to Mimecast for supporting the show.

Carole

Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique. I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com slash smashing.

Graham

And welcome back to our favourite part of the show: Pick of the Week. Pick of the Week.

Carole

Pick of the Week. Pick...

Graham

...of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security related necessarily. Definitely not this week. Well, mine definitely isn't security related this week. My pick of the week is something called Perfect Night In. Netflix and chill? It is. Amazon Prime and sexy time.

Carole

I've never heard that one. Ice cream and beer, just the essentials. Easily pleased. Is that a euphemism? No, ice cream and beer literally are just the essentials as far as I'm concerned.

Graham

If you go to perfectnightin.tv, you will discover a podcast and a kind of video as well run by a guy called Neil Perryman. Now, Neil Perryman is a bit of a Doctor Who fan. That's how I know him. He had a fantastic blog and series of books called Adventures with the Wife in Space, where he took Sue, his long-suffering wife, on a long odyssey through every single episode of Doctor Who from 1963 onwards. Oh, good Lord.

Carole

Really? Are they still married?

Graham

Yeah. Yes, yes. They've gone on to Blake's 7 even. Bless her. Wow. She loves me. And they would write about each and every episode. And I used to religiously follow this blog, and it's now for Sirius Books. Anyway, Neil's latest project is a podcast and kind of video called Perfect Night In, where they interview somebody about their ideal night of television, which often revolves around old 1970s British TV shows like Colditz or The Tripods or The Sandbaggers.

Carole

You could have just said to me,

Graham

Yeah, I was like, that sounds like fake TV names to me. Like names that you put as a placeholder for like real names will go here later. You've heard of Fawlty Towers. I have heard of Fawlty Towers, yes.

Carole

So that would be an example of a show which someone chose. Or someone chose Hockey Night from Canada and things like that, right?

Graham

Hockey Night from Canada.

Carole

Generic Hockey Night. Way to be racist, Graham, against Canadians.

Graham

Anyway. We're unaffected. Apart from the Canadian hockey thing, I find it really quite nostalgic and rather charming. The video is like a slideshow sometimes, so it will come up with different... So it's not a proper video. It's really a podcast with a video format as well. It's really enjoyable. And I like it. And I wanted to give it a little bit of airtime. And that is why my recommendation is Perfect Night In.

Carole

Listeners, don't rush at the same time. We don't want to bring down the site. Hey, bitchy.

Graham

Why is that bitchy? It'll stay up. It'll be all right.

Carole

We have a lot of listeners, Graham. I don't think you've checked the numbers recently. Smashing security, DDoS. We are popular.

Graham

Maria, what's your pick of the week?

Maria

Well, my pick of the week is a game I have not been able to stop playing, and it's going to sound very familiar to hopefully everybody. It's Tetris.

Carole

Oh, I love Tetris. You're talking now my language.

Maria

Yes, and it's Tetris with a twist. So the game is actually... The game is called Tetris 99. It just came out a week or two ago. It's for the Nintendo Switch platform, and if you are a subscriber to the Switch online service it is free because it requires... it requires, sorry I'm going right now

Graham

You finish off the podcast without me. I sold Graham on it...

Maria

...already. Yeah, so for anyone who hasn't heard about it, run, don't walk, to your Switch. Basically I agree with Graham. It's online co-op Tetris and it's super easy. You literally just play Tetris, but when you eliminate lines they kind of get blasted to other players and they build them up from the bottom.

Carole

Cool idea. So, yes, it's super, the concept is very simple. If you know how to play Tetris, you can play this game. It is phenomenally fun. I've been playing it nonstop since it came out. And like all of us who grew up on Tetris, which is so many of us, it's like we've been waiting our whole lives for a game like this. I don't have a Switch. That is a problem.

Maria

You need to get a Switch. Graham. You really do.

Carole

Graham, you're my great bud, right?

Graham

It's not your birthday for a while.

Carole

Well, you were wrong about the LinkedIn approach, so you might want to say sorry. And I know a way you could do it. Just saying.

Graham

You should get a switch. I can't believe your husband hasn't played Breath of the Wild yet.

Carole

Well, he may have played it. I don't know. It's not at my house all the time. It's like 100 plus hours to play Breath of the Wild. You can't go over to a friend's house and play it in the afternoon. It's not the 90s anymore, girl.

Maria

Oh, bring it back. So why is it called Tetris 99, do you think?

Carole

99 of you. Oh.

Maria

Yeah, it's super fun. I can't recommend it enough. It's a great little time waster. It takes no time to play. And I'm addicted to it. Love it.

Graham

Seriously, could we hurry up? Because I want to finish the podcast and go and download it.

Carole

Graham, can I have an invite, maybe, to come play? FaceTime?

Graham

Sure. If you're on the Switch, presumably, we could play against each other.

Carole

Well, I could come over and play it first and decide, you see.

Graham

I showed you Bertram Fiddle. I can't believe that wasn't enough to get you to buy a Switch, but...

Maria

I played it at my brother's and I played the whole game there. I don't think there's a versus mode for Tetris 99. It's a group of 99 people, whoever are online, and that's it. I don't think you can say, I want to specifically kill Carole, although that would be funny. I totally want to play against you two. If that happens, that would be super fun. I'd kick his ass. I'm good at Tetris.

Carole

That would be Smashing Security plays Tetris. It'd be great.

Graham

We could take on the cyber wire at Tetris.

Carole

It'd be so fun. I'm really good at T-Spins now. So, you know, it's the thing. T-Spins. See, she has the lingo and everything. T-Spins. I only understand about 95% of what Maria says anyway. Graham, have you got a pick of the week?

Graham

She's way more. Yes, I do have a great pick of the week. And I made it into a game. Oh, my goodness. Oh, no.

Carole

Yes. Is that cockwomble?

Graham

Hold, hold. Cockwomble? No. Cockwomble. Graham, I haven't forgotten you. There are 150 words on the list. These include general swear words, words linked to race, ethnicity, gender, sexuality, body parts, health conditions, religious insults, and sexual references. It's like how we rate peppers in the States. Yes. Now there were 150 words that were provided to the British public. This won't take long. Oh, my God. I'm sweating.

Carole

The second thing you need to do is you have to say whether it's mild, medium, strong or strongest. So one to four. Scale of one to four with one being mild, four being strongest.

Graham

I'm at a distinct disadvantage here.

Carole

That's why I said it was gonna be educational for you.

Graham

Oh, fuck. You're going to learn the words we use.

Carole

Ready? Number one. Yes. Bint. Oh, I love that word. Bint. Is it on the list? Yes, it is on the list. It is on the list. It is on the list. Graham, you get a point.

Graham

But it's a one. It's a one. It's not a fantastic.

Carole

I agree. It's a one. You're wrong. It's a number two. Medium.

Graham

We have more I disagree with the British public. We're getting a sense of their scale now.

Carole

Number two is feck. Is this SMEG? Is that sort of Red Dwarf?

Graham

It is on the list. I don't think it's on the list. Is that really real?

Carole

It is on the list. Where is it? One, two, three or four?

Graham

I would say, well, it's three. It is not strong. It is medium, number two, just Bint. I don't think that's a real swear. No, it is. Well, it's not a swear.

Carole

Can you explain it to her? Graham, I don't know if I really understand what it is. Yes, please. Please explain the sinigram. I want to hear this. Go for it, man.

Graham

It's a sort of portmanteau word, isn't it?

Carole

More ways than one. I can guess the second part of the portmanteau, but what's the first? The G.

Graham

Gut. Gut is the first bit, I believe.

Carole

Gut. Gut. That's gross. Not offensive, but imaginative gross. A swamp thingy.

Graham

I think that's got to be at least a three. That's a three, yeah. Definitely a three. It's not in the list. You got us! Oh, it's Shakespearean, isn't it? Nonce would be on the list. Probably a one, though.

Carole

It's ruder than bint. Is it? Do you think?

Graham

Yeah, I would say so.

Carole

School kids use that word all the time around here because we hear it when we study Shakespeare in high school and just think it sounds dunce. So nobody knows what it means.

Graham

Well, maybe they don't know what it means. Yeah, maybe we don't know what it means. Well, nonce is on the list, and it is a one. I got a point. I'm just noting that. Yeah, you're doing great. I hope someone's keeping score. Oh, now I understand. H.R. Giger?

Carole

No? No, we're not doing that.

Graham

So things David Caruso, Sarah Ferguson kind of thing.

Carole

What? Someone with red hair. I know. I know what that is. Not the spice. Not the spice. A one?

Graham

Yes. You knew it was gonna be on the list. You really assumed it was gonna be on the list. Oh, yeah. I assumed it was gonna be on the list. Yeah. Two more. Two more. Excellent work, guys. Two more. Right. Right. I don't think that's on the list. That's a great. This isn't on the. This is you, Carole. You've added this.

Carole

This is on the list. And I'm now gonna prove it to you by giving you the link.

Graham

Don't tell me it's a four.

Carole

It's not. It's a three.

Graham

Are you serious? Come on. Gunt isn't on there. That was a plant.

Carole

Gunt, even. I've just given you the list. You guys can go take a quick look at the full list, but beef curtains is there as a new entry at number three in 2016. Let's see. Strongest.

Graham

I agree with those. Yep. Oh, yeah. The strongest ones are quite strong.

Carole

Some of these only - are you shocked that beef curtains is there?

Graham

Yes.

Carole

I was shocked. And then I had my final one, Graham, which was cockwomble. Your favourite word. Is that on the list? No. No, it's totally charming. It's used as an endearment.

Martin Overton

Well, I wouldn't go that far, but yeah.

Carole

So I was talking about Mondelez and I was talking about cybersecurity insurance, and I was putting into question whether or not the Zurich insurance should have paid out. I was assuming, of course, that it was a cyber insurance policy. But I was wrong, wasn't I, Martin?

Martin Overton

Well, all the details I have are that it was a property policy, which means normally buildings. Yeah. And those don't have what we call affirmative cover for cyber as a rule, unless they're put in in the terms and conditions. So what normally happens is that, you know, let's say somebody's building burns down. They're covered. Yeah. Now, if somebody's hit by a cyber attack there, it depends on their policy details. If it's a property policy, they're probably not going to be covered, especially if it's seen as an act of war, which is what Zurich is saying.

Carole

Exactly. So they're saying it's an act of war and therefore they don't need to pay out on the property insurance. And that's something that we've seen many times before.

Martin Overton

Indeed, yes. And so if it was like a terrorist act or an act of war, it wouldn't normally be covered. We've seen examples of that with the aviation industry where planes have been crashed, and sometimes they haven't paid out because they said, well, it was a terrorist on board or an act of war. That's quite normal. So the trouble is with a lot of policies out there at the moment, companies believe they're covered under their property or their casualty policies because of what we call silent cyber. So they assume there's some cyber coverage there. Now, it may or may not be there, written as an extension to that particular policy. But really, the only way you're going to get paid out normally on most of these policies is if you have a dedicated cyber policy. Right. I work for a large cyber insurer myself, or a large insurer actually, helping customers with cyber insurance. And everyone I've actually been involved with, we've seen massive payouts. So, you know, even with the likes of WannaCry, NotPetya or other malware attacks, or insider misuse, or other types of hacks, they've all been paid out.

Carole

Right. So from your point of view, the payouts are happening. What I guess makes this case interesting is two things that I see. One is that Mondelez are using a property policy and they're trying to crowbar in a cyber incident, which normally wouldn't happen. But because NotPetya actually created physical damage to machines, they feel like they can put that in and they have a fight on their hands. They have something to fight for. On the other hand, Zurich Insurance are saying, hey, look, it was an act of war. Sorry that your stuff, your property, got damaged, but we don't have to cover that.

Maria

Yeah, I mean, the interesting thing with this, when this goes to court, is it's actually proving attribution. I know the UK government and the US government have actually said it's definitely Russia that's behind it. However, you know, Russia has said, no, it's not us. This is a problem with cyber attacks. You know, it's very easy to sow false flags in there or make it look like the attacks come from a different attacker. So it's very, very difficult. So with the best will in the world, I think they're on a very sticky wicket here. I think they're going to find it very difficult to prove to the court with absolute certainty that it was definitely done by those. Even though we've got intelligence agencies who are clearly saying it has been, it's going to be difficult. This will have repercussions. I'm sure it will have repercussions even for cyber insurance, because some of the cyber insurers out there still have fairly limited wording, which means they actually have certain restrictions in place, where others actually have what we call quite broad coverage and broad wording, which is non-specific. So basically we'll cover pretty much anything with a cyber attack, with certain exceptions. Normally it's around things, what we call cyber crimes. So let's say they have a business email compromise where their account details were stolen, but there was no hack involved with their infrastructure. So none of their infrastructure was actually hacked. That wouldn't be covered by a cyber policy. That would be covered by a crime policy instead. Right, right. But it may not allow them to recover the actual stolen funds. So let's say that I'm a bad guy and I've actually done a business email compromise. So I've taken over a transaction, hacked somebody's email, got somebody's email address, sent them an email saying, I'm sorry, but we changed our bank account. Please send the payment to here now because that's where we moved it to. If they do that, that wouldn't be covered under a cyber policy unless the actual infrastructure was hacked.

Carole

Right. So if you get duped, if you get duped by a social engineering tactic, no matter how advanced or not, it may fall outside the loop of their coverage.

Maria

It would normally fall outside of a cyber policy. That's from my understanding with working insurance for a number of years. It would be covered normally by a crime policy. However, it may not include the recovery or the refunding of the stolen funds.

Carole

Do you know, I've got to tell you, I think I speak for a lot of us out there when we say insurance sounds just a little complicated.

Maria

It is complicated.

Carole

All we want, I know.

Maria

And to be honest, the whole issue around silent cyber is a big one. And the Prudential Regulation Authority has recently sent out a letter to all the major insurers, basically telling them to clean up their act in this area because it is a bit of a bombshell waiting to go off, really.

Carole

So I wasn't then wrong at the end of last week's segment in saying, just read your policies very carefully, make sure it fits your model and it's covering what you expect it to cover.

Maria

Indeed, you know, make sure it's fit for purpose. It's the same with anything else you buy. You know, if you buy a car, you expect it to work a particular way. You know, let's say you buy a Mini, you don't expect to go and take it off road and use it for rallying, etc.

Carole

That's right. Or going up by the mountains or through streams. So you make sure you buy what you're supposed to.

Maria

Don't expect to have fire insurance unless it explicitly says there is fire insurance.

Carole

Got you. Martin Overton, thank you so much for first getting in touch. I'm always happy to be corrected. We're a small team and we don't have the research resources that I would love that we had, so thank you very much for being one of those cool citizens out there that get in touch and came on the show just to give us a

Maria

Well, thanks for running a really nice show. I really enjoy actually listening to it.

Carole

Ah, boom.

It will be interesting to see what comes out of the current dispute between DLA Piper and Hiscox, but my advice for other companies is that they should check their insurance policies’ small print and adjust as necessary.

After all, I suspect your business wouldn’t like to find out it’s not covered for a malware attack because it’s caught in the crossfire as countries launch digital attacks against each other.
Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “DLA Piper and its insurers clash over multi-million NotPetya payout”

  1. Jeffrey Smith

    Seems they are trying to recover from a general liability (slip and fall) insurance policy since they didn't buy cyber insurance. It's like me filing an auto claim for injuries sustained when I drank too much and fell down the stairs.
