MARIA VARMAZIS
And they dubbed this malware because, you know, it has to have a fancy name. Operation Shadow Hammer.
CAROLE THERIAULT
That's all right. That's a lot better than most names where it's like BitZog VingDine428.
GRAHAM CLULEY
Hey, there was nothing wrong with BitZog VingDine418, girl.
MARIA VARMAZIS
I played the second version of that game back in the '80s. It was great.
GRAHAM CLULEY
Smashing Security, episode 121. Hijacked motel rooms, ASUS PCs, and leaky apps with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 121.
My name is Graham Cluley.
CAROLE THERIAULT
I am Carole Theriault.
GRAHAM CLULEY
And we're joined this week by returning guest, fan favorite, Maria Varmazis. Hello, Maria.
MARIA VARMAZIS
The crowd's gone wild! Hi everyone.
GRAHAM CLULEY
Maria, has anything wonderful happened to you in the last week? Hot sauce.
MARIA VARMAZIS
Oh, oh, I was like, that sounds a bit perverted, guys. Well, I found out that my third or fourth cousins have launched a hot sauce line in Greece. It's called Varmazis Hot Sauce.
CAROLE THERIAULT
Varmazis Hot Sauce?
MARIA VARMAZIS
Yes. I can't buy it yet. I don't think they have a distributor yet in the States, or at least outside of Europe.
GRAHAM CLULEY
Maybe it's too dangerous to ship. Maybe it's lithium batteries, you can't put it on an airplane. Might explode. It's that hot.
MARIA VARMAZIS
I have actually had hot sauce explode on my luggage when I transport it from one place to another. It is a mess to clean up. I can verify.
CAROLE THERIAULT
That happened once to me with maple syrup.
MARIA VARMAZIS
Yeah. Oh Canada.
CAROLE THERIAULT
Now tell me, did you—
I know you're a little artiste, Maria. Did they hit you up for the logo?
MARIA VARMAZIS
Oh no, no, no, no, no. My mom was literally Googling our last name and their website came up and we went, what? Who are these people?
And we did a thing where we talked to an uncle who talked to our grandmother back in the home village, and she verified that these are indeed distant relatives.
CAROLE THERIAULT
Yeah, a cousin two steps removed got on a donkey and went down the mountain.
GRAHAM CLULEY
It's not the Stone Age in Greece, girl.
MARIA VARMAZIS
Oh no, no, well, economically it's not. Economically it might be going back, but it's an unusual last name.
So when we saw that, we kind of went, we must be related to these people because there aren't that many of us, and it turns out we are.
CAROLE THERIAULT
So yep, I'm looking forward to trying it.
GRAHAM CLULEY
Sounds pretty cool to me. Not cool, Graham.
MARIA VARMAZIS
Hot. And that's my pick of the week.
GRAHAM CLULEY
Okay, so what have we got coming up on this week's show, Carole?
CAROLE THERIAULT
I don't know.
MARIA VARMAZIS
I'm not talking about Facebook is what's happening this week.
GRAHAM CLULEY
Now, chaps, have you ever suffered from a leak? Can be pretty embarrassing, can't it? Well, there are data leaks happening all the time, aren't they?
And there's one happening right now, exposing a database of thousands of people's private intimate photographs and conversations to the whole internet. Anyone can access it.
No password required. And normally you hear about a data leak after it's been closed or when it's getting fixed. But this one is a wee bit different.
Security researcher Cian Heasley is the chap who found this exposed database on an internet server earlier this year, and he discovered two folders on this server with over 95,000 images and more than 25,000 audio recordings of phone calls.
Well, the problem with this particular database is that every day more photos and more audio recordings are being added. The leak hasn't been— would you patch a leak?
I don't know, but it hasn't been filled, right? Plugged. No, plugged.
MARIA VARMAZIS
Exactly. It's not a—
GRAHAM CLULEY
Oh, anyway. All right. So, well, you may be wondering, where is all this data coming from?
Well, it's coming from an app, a stalkerware app that lets you spy on other people's phone activity.
And it's primarily marketed towards parents wanting to keep an eye on their kids.
And what they might be doing online, which is understandable, although some people have ethical issues with that, obviously.
But it's safe to assume that the same app could be used to monitor anybody, right? Whether it was you looking after your kids or monitoring staff or keeping an eye on your spouse.
CAROLE THERIAULT
Right. So basically, people could be using this app for good reasons or to spy on their partner.
GRAHAM CLULEY
Yeah, it may be that you don't trust your partner, for instance, and you want to see—
CAROLE THERIAULT
Or you don't trust your dog not to eat.
GRAHAM CLULEY
I don't think dogs normally have smartphones.
CAROLE THERIAULT
No, but the owner might, and they might have the house surveilled to make sure, you know, to make sure that he doesn't steal the treats.
GRAHAM CLULEY
What are you talking about? What?
You've lost me.
CAROLE THERIAULT
Do you not understand about people putting cams in their house to make sure their pets behave as they should?
GRAHAM CLULEY
Yes. In this particular case, it's an app where you can steal photographs stored on the phone, or you can steal the conversation.
MARIA VARMAZIS
So unless your dog is taking photos with their— Yes, if you've got a pet which is taking selfies, then yes, I agree with your scenario.
CAROLE THERIAULT
I'm with you. I'm with you.
GRAHAM CLULEY
Okay. It's clearly my fault. I didn't explain it well enough. Hopefully it's clear now.
Now, Cian Heasley approached Motherboard, the technology website, with this story because they have been repeatedly trying to contact the vendor, the people who made this app, right, to alert them to the breach.
But despite multiple attempts, they've received no response. Absolutely nada.
CAROLE THERIAULT
Well, that's, yeah, you know, I'd love to say that's so unusual, but it's not. It's not unusual.
GRAHAM CLULEY
It can often be difficult, can't it? But this is something where the leak is continuing to happen.
And with an established app, you would hope there would be an email address or a phone number, or, you know, you could tweet them or something to say, hey, can we speak to you guys?
And they've sort of hit this brick wall. They say that they've tried to ethically disclose the vulnerability to get these private images secured.
Many of which will be intimate, of course. They reached out to them through the official email address displayed on the site, no answer.
They've used the Gmail address of the site's administrator, who appears to be the company's founder, no answer. They've left voicemails, no answer.
They've looked up the WHOIS information, they're not getting any response.
CAROLE THERIAULT
This app is available from official stores?
GRAHAM CLULEY
Well, here's the thing. They haven't named the app. I imagine it is available in the popular app stores, judging by the number of people who appear to be using it.
But they don't want to name the app because they are very worried that every asshole on 4chan is then going to work out where the database is and take those photos and those recordings and start posting them on the internet.
MARIA VARMAZIS
Oh, they're at it already. Yeah.
CAROLE THERIAULT
But presumably our researcher guy here, Cian, he is aware of the actual app name, right?
GRAHAM CLULEY
Yes. Yes. They've been to the website. They've tried to contact them, but they're not getting any response.
CAROLE THERIAULT
Right. I guess so what I'm getting at is why wouldn't you go to Apple or Google and take it down that way?
GRAHAM CLULEY
Well, maybe you could. I mean, maybe if you were able to convince Apple or Google, they would remove it from the App Store.
CAROLE THERIAULT
Well, pretty compelling evidence.
GRAHAM CLULEY
I think that's, well, I think that's the natural progression of things.
I think first of all, you try and contact the company and say, look, you need to fix this because Apple themselves may say, well, look, what they're doing with the data may not be our responsibility.
They may feel uncomfortable with that. They may be worried about getting into legal trouble themselves, but potentially that's something to do.
They've also tried to contact the web hosts, and they name in the article who the web hosts are. It's a company called Codero.
And they've approached them multiple times for help saying, look, you are actually hosting this content.
And they're not getting any response from the web server hosts either.
MARIA VARMAZIS
What on earth?
GRAHAM CLULEY
Even though Codero on its website says, the difference with Codero isn't just that we answer the phone when you call day or night, but it's like, well, they're not even doing that.
So maybe they don't care. Maybe they don't want to piss off a customer, but it's a bit of a problem.
MARIA VARMAZIS
Well, that level of radio silence almost to me sounds like it's coordinated. I don't know.
It's just if literally nobody's getting back to you at that level, it makes me start to wonder if they've been told not to.
GRAHAM CLULEY
Well, it really begins to put the journalists and the security researcher in this difficult dilemma, doesn't it?
Because do you protect the innocent users by getting them to stop using the app? Do you find a way to communicate this?
Unfortunately, the data itself doesn't have contact information of the people inside the database, but apparently you would be able to identify the individuals.
I don't know whether that's by distinguishing birthmarks or verbal tics or Tourette's or whatever it is, but there would be ways of saying, oh yes, I know that penis.
And they— well, not me personally. I don't have a huge database or memory bank to work from, but maybe other people— Carole, maybe other people would.
CAROLE THERIAULT
I was waiting. I started laughing before you even said my name. I knew it was coming. Yeah, I'm listening to your story carefully. Yes.
It seems to me this is yet another reason why if you want to be a big app store provider, you have to be a gatekeeper. And—
GRAHAM CLULEY
But can you really expect the likes of Apple and Google to—
CAROLE THERIAULT
To put it on hold and put it in quarantine because they received a complaint with sound evidence until they get in touch and say, oi, what's going on with our app?
GRAHAM CLULEY
Well, you know what?
If they were to freeze out the app for a while, wouldn't that also highlight to people there could be a problem with it and maybe send the bad guys in the direction of the database, though?
There are already people on Twitter who claim to have worked out who it is from information, even the limited information which is available in that Motherboard article.
So, my best—
CAROLE THERIAULT
And coming back, this data that's up there, what kind of things is it gonna be? It's like audio, like phone calls and pictures.
GRAHAM CLULEY
Yeah, exactly. The kind of things that—
CAROLE THERIAULT
People have taken either, you know, with consent or without consent.
MARIA VARMAZIS
Who knows, right?
Yeah, I could see this kind of software being used by, oh, I don't know, a really controlling, potentially abusive spouse or partner trying to spy on the person that they're trying to control.
So I could see people who are already very vulnerable being further victimized by this leak.
CAROLE THERIAULT
Well, you know what, I get— actually, that's a really good point, Maria.
I think then what you do is you get the cops involved, get the cyber cops involved, take a listen to the data that, you know, that's being collected and make a call.
GRAHAM CLULEY
The thing that's been highlighted to me is that it can be really difficult to contact companies who are leaking data.
And if you are a company, if you were found to be accidentally leaking data, how easy would it be for someone to tell you?
We've just seen a similar situation happening with an Australian iPhone app called Family Locator, which purports to help people stay informed about the location of their loved ones.
So they've got a database, 238,000 individuals were exposed for weeks on end, unsecured MongoDB database, no password required. Same old story. TechCrunch wrote about this.
They tried to get in touch with the makers of the app, React Apps. They had no contact information on their website. Their WHOIS record was privacy protected.
MARIA VARMAZIS
As they often are now.
GRAHAM CLULEY
As they often are these days. So there was no way to get in touch with them. Online feedback forms weren't getting answered.
Eventually they went to Microsoft and said, look, you guys run the Azure cloud server platform, which this app is using. Can you get that shut down?
And they in that case were successful. So Microsoft actually shut it down.
MARIA VARMAZIS
Well, there you go. Bravo, Microsoft. Okay, good.
GRAHAM CLULEY
But Codero, the server hosts in this case, aren't responding. Who knows why? So some advice for people.
If you are a company, how easy would it be to get in touch with you if there's a security issue? Look at your WHOIS privacy protection.
If you are a company or running an app, maybe it makes sense not to have privacy protection there so people can get your contact details.
If you've got an online form, you need to monitor that email address and answer it. If you—
CAROLE THERIAULT
Basically don't be a douchebag.
GRAHAM CLULEY
Right. Make sure your email addresses don't bounce. Make sure that phone calls don't go unanswered.
And one thing you can do is there is a standard on the internet called the security.txt file.
MARIA VARMAZIS
I think that was one of my picks of the week a while ago.
GRAHAM CLULEY
I think it was, yes. Yeah.
So you can read all about it at securitytxt.org, basically create a subdirectory called .well-known, and inside it you put a file called security.txt where you contain information on how to contact you.
My concern is only security-minded people are likely to do this in the first place. So these companies which don't care simply won't do that. But it's all a huge mess, isn't it?
If only people went back to the good old days of uploading their intimate private snaps to trusted services like Facebook, Maria? Something like that instead.
CAROLE THERIAULT
I think that word should be banned for the episode.
GRAHAM CLULEY
Sorry, yeah, I shouldn't use the F word.
MARIA VARMAZIS
You're quite right. That's the F word.
GRAHAM CLULEY
Maria, what's your story for us this week?
MARIA VARMAZIS
It's not Facebook.
MARIA VARMAZIS
Oh, it's not the F word?
CAROLE THERIAULT
Exactly.
MARIA VARMAZIS
Yeah. So, story broke yesterday, which is Monday.
On Motherboard via journalist Kim Zetter that thousands, if not hundreds of thousands, of ASUS brand computers have been compromised with malware that was installed via ASUS's official automatic software updater.
CAROLE THERIAULT
Yeah, that's a big yikes. Yuck.
MARIA VARMAZIS
Yeah. So there's still a bunch of estimates floating around about exactly how many machines have been infected because this story is only a little over a day old right now.
But conservative estimates say that it's about half a million machines infected. But Kaspersky, who actually first found this malware, said it's actually closer to a million.
So no small number of people have been affected by this, right?
So as I mentioned, Kaspersky, they discovered this back in January, and they dubbed this malware— because, you know, it has to have a fancy name— Operation Shadow Hammer.
CAROLE THERIAULT
That's all right. That's a lot better than most names where it's like BitZog VingDine428.
GRAHAM CLULEY
Hey, there was nothing wrong with BitZog VingDine418, girl.
MARIA VARMAZIS
I played the second version of that game back in the '80s. It was great.
GRAHAM CLULEY
I kind of agree with the crow. I wish, you know, I loved it when there was a vulnerability called Poodle. Do you remember Poodle?
MARIA VARMAZIS
Yeah, good old Poodle.
CAROLE THERIAULT
Or, you know, there's the Avril vibe, no threat, you know, they just named it after something memorable.
GRAHAM CLULEY
Lumpy trousers. Yeah, I know, they're also macho, aren't they? Like they're Marvel supervillains.
MARIA VARMAZIS
Yeah, Operation Shadowhammer's not, right? It's definitely very, you know, subdued. No, that's a name, you know, and that means it's serious business, guys.
So just diving into what they found a little bit.
This malware flew under the radar for a couple months because not only was the malware itself hosted on the official ASUS update servers, but it was also signed with two legitimate ASUS certificates.
CAROLE THERIAULT
Embarrassing!
MARIA VARMAZIS
And not only that, to this day, those two certificates have not actually been revoked.
GRAHAM CLULEY
Oh, so for those people who aren't aware, software companies use digital certificates to say, yes, we really did write this code.
CAROLE THERIAULT
Yes, we approve.
GRAHAM CLULEY
If you have any uncertainty about this, let us reassure you, this is a legitimate program which you can safely run on your computer.
MARIA VARMAZIS
It's not unheard of for certificates to be faked, and they're not foolproof by any means. So this is not like a, oh my God, this never should have happened.
But the fact that these have—
CAROLE THERIAULT
On their websites?
GRAHAM CLULEY
But oh my God, it never should have happened.
MARIA VARMAZIS
It never should have happened. It's on their servers, it's signed with actual certificates that are from them.
They weren't faked, and they're still legit as of right now during this recording.
GRAHAM CLULEY
So they haven't revoked them. So somehow the hackers got in, they meddled with the update, which got pushed out to—
Who knows how many, a large number of ASUS computers. And it was also signed with something that the hackers shouldn't have had access to.
CAROLE THERIAULT
Correct.
GRAHAM CLULEY
Not that good news, is it?
CAROLE THERIAULT
Oh, I bet there's a lot of hair on fire in the ASUS offices at the moment.
MARIA VARMAZIS
It is a wee mess. Oh, yes.
GRAHAM CLULEY
But I expect ASUS is handling this very well. I expect they're reassuring people that there's, you know, that they've got all hands on deck, right?
MARIA VARMAZIS
Oh, if they are, nobody knows because as far as we know, as of the time of this recording, they've yet to actually say anything publicly about this.
So we did— there was a story this morning through Reuters that there's been some sort of update to fix this issue on the client side.
But there's been no communication from ASUS at all. So people are tweeting at them, they're getting no response or they're being told, oh, just email our security team.
And that's about it.
CAROLE THERIAULT
So this is another story of companies not responding.
MARIA VARMAZIS
Yeah. And so this story is going to—
GRAHAM CLULEY
In fairness, they're probably still trying to work out what happened. Doesn't matter.
MARIA VARMAZIS
Just say, yeah, we heard about it.
CAROLE THERIAULT
There's a fuck-up.
MARIA VARMAZIS
Just say, yes, we've heard this story. As soon as we have more to tell you, we'll get back to you. That would be something.
GRAHAM CLULEY
You'll find it's called a Facebook-up, Carole. We'll have to bleep that.
MARIA VARMAZIS
It's a Facebook-up. It's a big Facebook-up. A giant Facebook-up. Yes.
So what's a weird wrinkle about this malware is that apparently it was only designed to target around 600 machines. Specifically, the malware was looking for MAC addresses.
Basically, the malware was looking for a MAC address, one of these 600, and if it found it, it would download a second payload.
So the weird thing is this looks like it's basically highly targeted malware.
So yes, whoever's doing this was casting an extremely wide net to find these extremely targeted machines. So dun dun, who did it? Was it some sort of nation state, who knows?
But people, you know, the people are—
GRAHAM CLULEY
You would naturally lean in that direction, wouldn't you?
MARIA VARMAZIS
One might.
GRAHAM CLULEY
But to be clear, this MAC address, it's nothing to do with Apple Macs, is it? Because these are PCs which are getting infected.
A MAC address is just an identifier for a particular piece of hardware, which is unique.
MARIA VARMAZIS
Correct. MAC addresses are hardware-based identifiers, capital M, capital A, capital C. And these ASUS machines are specifically running Windows.
So Linux users of the ASUS machines are not affected. It's Windows users specifically.
GRAHAM CLULEY
And it's not connected with Mac makeup or concealer or anything like that either. Gosh, I'm so in touch, aren't I? Yeah.
So what they've done is they've basically installed a backdoor onto maybe up to a million computers. Who knows the exact number?
MARIA VARMAZIS
Yeah. Still finding that out.
GRAHAM CLULEY
And then it will work out, oh, is this one of the computers I'm interested in? And if it is one of those 600 or so, download something else.
Last Pass, which is going to do who knows what.
MARIA VARMAZIS
Who knows what right now. Yeah, I think we'll find that out over time.
Yeah, this is an interesting story because we've been hearing at least this year, 2019, is the year of the supply chain attack. I've read at least a handful of articles saying that.
And this is a very timely example of what that means when basically an attacker's like, we're not even gonna bother going after the user anymore through the normal phishing or trying to get them to download malware because their machines are so hardened at this point that, yeah, it could work, but it's getting a lot harder.
So let's go in the back way. Let's go in a way that people are not going to expect it through channels that people have been told to trust, like the manufacturer of your machine.
We've all been told you can trust these guys. So if they can figure out a way to compromise the manufacturer, they've got a clear in.
GRAHAM CLULEY
And this seems to be a growing trend, doesn't it? These supply chain attacks, although they're hard to pull off, they're extremely effective.
Maybe the best recent example is the NotPetya ransomware, which was spread via a malicious update to a Ukrainian accounting software package, but then spread all around the world and hit really big companies and cost them, in some cases, hundreds of millions of dollars.
MARIA VARMAZIS
Yeah, there was a Bloomberg story at end of last year that purported that a whole bunch of firms like Amazon and Apple were compromised by a hardware-level supply chain attack.
GRAHAM CLULEY
Yes, that's right.
MARIA VARMAZIS
Yes. That all of those companies then furiously denied, said this is a completely false story, but Bloomberg's still standing by it. So who knows?
But they were saying that the servers that these companies were using were all compromised at the hardware level.
Yeah, I was curious myself when I was reading this story about how long this attack had been active, because the range that we've been given, at least in the Motherboard story, is from June of last year to November of last year-ish.
And I did a little Googling, so I'm not going to pretend I researched this, but I found on the Reddit forums, the Reddit ASUS forum specifically, that users back in July were noticing some really weird behavior from their official ASUS updater.
Specifically, a critical update was coming from ASUS via a system pop-up, so sort of normal-ish.
But the file that they were being told to download was called the ASUS Force Updater with a U in the word force.
GRAHAM CLULEY
Sorry, were you saying that in a Canadian accent?
MARIA VARMAZIS
Can you do this? Yeah, just put that on repeat. It's a great sound. It's force with a U put in it. And I'm a dumb American, but I don't think a U generally belongs in the word force.
So it's like, even though I'm used to U's not being where they're supposed to be, apparently. So yeah, that extra U set off a lot of red flags for people going, that looks weird.
But then you read the comments— this is from 9 months ago— people are going, well, I ran it through, I didn't execute this, I downloaded it and put it, I sent it to my AV, I checked the certs, everything's coming back clean.
So I guess this is legit, but it's setting off a— my gut's telling me something's wrong.
GRAHAM CLULEY
Oh my goodness. Yeah, spider sense wins even when the digital certificate tells you, oh yeah, this is really from ASUS.
CAROLE THERIAULT
Yeah, and back then, did ASUS say anything? Did they own up? Did they apologize?
MARIA VARMAZIS
No, no. I mean, and I just want to be clear, I have no way of knowing if this is actually the malware in question.
I'm going to be crystal clear, but the timeline— I'm willing to make a guess that this is probably related.
And I'm just thinking the fact that they did all the checks, they went above and beyond what most people would do. I'm speculating. It's speculation. I'll put it out there.
But the timing and also that little red flag makes me think that's probably related.
Just, it's just kind of heartbreaking to see people going, I'm doing all the things I'm supposed to be doing and more, and yet it's coming back as legit.
And Kaspersky themselves, and actually Symantec also backed this up, they were only recently able to detect this two months ago.
So it was going past everybody's detection systems because nobody knew how to find the thing. So yeah, interesting.
GRAHAM CLULEY
If people are worried though, that they may have been affected by it, if they've got ASUS computers, is there anything they can do?
CAROLE THERIAULT
Get a sledgehammer.
MARIA VARMAZIS
You can go to Kaspersky's fancy website, shadowhammer.kaspersky.com, and they have a thing where you can input your MAC address and they'll actually walk you through how to find your MAC address, because I realize not everyone might know how to do that.
And it'll tell you if you're one of the 600 machines that have been targeted.
And/or they have a tool that you can download and run on your machine that will automagically clean up all the mess for you.
GRAHAM CLULEY
That's digitally signed by Kaspersky.
MARIA VARMAZIS
That I'm sure is totally trustworthy. So if you're feeling lucky, you could do that.
But if you find out that you've been targeted, I would just nuke your machine from orbit, frankly. Just kidding.
GRAHAM CLULEY
Presumably all the major antivirus vendors are adding detection for this dodgy update to their database or have done already.
MARIA VARMAZIS
I would assume so. I would hope so.
GRAHAM CLULEY
So hopefully that will give people a warning as well.
MARIA VARMAZIS
So your question, Carole, has ASUS acknowledged this? No, they have not.
As we mentioned a little earlier, they haven't put any kind of public comment out, at least as of the time of this recording. But apparently Reuters says there's a fix in place.
Has ASUS gotten trouble for security issues in the past? Yes, they have.
So in 2016, ASUS settled a lawsuit with the US Federal Trade Commission, the FTC, where the FTC basically sued ASUS for lack of security practice regarding their routers.
The FTC said ASUS had not, quote, taken reasonable steps to secure the software on its routers.
So part of their agreement in the settlement with the FTC was that ASUS had to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.
CAROLE THERIAULT
Where were these auditors?
MARIA VARMAZIS
We will see. I'm very curious to see how that comes up in the context of this. The story's still so fresh. It's still steaming new.
GRAHAM CLULEY
Something's steaming.
MARIA VARMAZIS
It's a big steaming pile of story, so we're going to find out exactly how this all plays out.
GRAHAM CLULEY
Now we interrupt our regular programming for a news update.
So what you've been listening to about the Shadow Hammer attack and about the data leak at the mystery stalking app company was all recorded on Tuesday.
Since then, there have been developments, and rather than issue this podcast as is without mentioning them, we thought we'd inject a little bit of me in here.
So firstly, ASUS has now responded to the Shadow Hammer reports—links in the show notes—and has confirmed it has issued a fix in the form of an actual security update that you can download using its live update software tool.
Yes, the irony of that isn't lost on any of us. Presumably they've digitally signed it as well.
Meanwhile, Motherboard and Cian Heasley have finally succeeded in getting a response from Codero, the company which was hosting MobiiSpy's leaky server.
Yes, they are now confirming the name of the app as well. So that sensitive data is no longer accessible for the world to peruse without a password.
GRAHAM CLULEY
Right. Well, let's return to our regular programming. Carole, what's your story for us this week?
CAROLE THERIAULT
Well, a lot of us are facing the end of the financial year this week.
Many a boss is going apeshit, cracking the proverbial whip to force their underlings to finalize projects or close deals before the annual tax bell bing-bongs.
I've actually been in touch with several mates this week who seem at their wit's end, pulling their hair out trying to juggle all the responsibilities being foisted on them.
The upshot: these peeps are desperate for a break. I mean, I've been there. It's stressful, right?
MARIA VARMAZIS
Pulling my hair out.
CAROLE THERIAULT
But don't you remember when we were working in the big corps, everyone was freaking out, you know, in March?
GRAHAM CLULEY
Yes. Sell, sell, sell. Stop spending money.
CAROLE THERIAULT
Yeah, totally, totally.
MARIA VARMAZIS
Or spend all that budget. Otherwise you don't get it next year.
GRAHAM CLULEY
Yeah. Buy donuts.
MARIA VARMAZIS
Yeah, that's just me.
CAROLE THERIAULT
I always wanted to be in that team where it's, here's more money. You have two weeks to spend it. Go nuts. But if you look ahead just a few weeks, we can glimpse a ray of hope.
Easter is just around the corner, which means holiday time for a lot of us. Work pressures have eased because the financial year is over.
Offices and schools close for a few days, at least in the EU and UK. I don't know about the States actually. Do you guys close around Easter?
MARIA VARMAZIS
Depends on where you live. Oh really? Towns by towns, at least around here, some towns close more for Passover or holidays. It really depends on where you live.
It's kind of complicated. Yeah.
CAROLE THERIAULT
So it's kind of time to take a breather and maybe book a hotel somewhere different, somewhere where you can soak up some rays or drink in some culture.
Who knows, even maybe indulge in a little romance.
Let's talk about romance and hotels for a second.
GRAHAM CLULEY
So, all right.
MARIA VARMAZIS
Okay, segue.
GRAHAM CLULEY
I'm up for this. Let's talk about it.
CAROLE THERIAULT
Amy Muise, she's from the psych department.
MARIA VARMAZIS
Amy Weeze? Muise.
CAROLE THERIAULT
M-U-I-S-E.
MARIA VARMAZIS
M-U-I-S-E.
GRAHAM CLULEY
I wasn't sure if she had asthma or whether she had her own data leak. Okay. So Amy Muise.
CAROLE THERIAULT
Amy Muise from the psych department at York University suggests that the new adventures we seek out away from the home routines actually help make adventures in the bedroom a little more exciting.
MARIA VARMAZIS
What podcast am I on again?
GRAHAM CLULEY
I don't know, but I like it.
CAROLE THERIAULT
And I didn't know that, but in the drink biz, the concept of this is called self-expansion.
MARIA VARMAZIS
Of course it is.
CAROLE THERIAULT
Okay, steady on, steady on. Now, Muise maintains that couples may be more likely to experience this happening on vacation because trips often have that element built in.
You're in a new place, you're eating new foods, you may be trying new activities, new positions.
GRAHAM CLULEY
What is going on?
MARIA VARMAZIS
I don't understand. Where are we going? We were just talking about malware.
CAROLE THERIAULT
Aren't you glad I'm here? Oh my Lord. You guys should stop judging and just go with it, baby.
GRAHAM CLULEY
Okay, so here we are. We're on holiday. We're in a hotel room and we're thinking, let's get a little bit.
CAROLE THERIAULT
And I guess actually motels, are motels and hotels very different?
MARIA VARMAZIS
Yes, they are.
GRAHAM CLULEY
Well, there's a letter different. Motels you go to in a car and hotels you go to in a car.
CAROLE THERIAULT
You don't have to go through reception.
GRAHAM CLULEY
Oh, that's true. Yes, that's what it is. Yes, you have your own door. Yes.
CAROLE THERIAULT
And they're often probably cheaper as well. And motels in many countries such as South Korea, you can rent by the hour. And I'm guessing that—
GRAHAM CLULEY
You don't need that long.
CAROLE THERIAULT
That hour is rarely being used for a bit of shut-eye, more a bit of slap and tickle.
GRAHAM CLULEY
Keep talking, Carole.
CAROLE THERIAULT
So these two guys in South Korea thought they might make a buck or two by taking advantage of the seedier stuff that might go on behind a motel door, right?
By spying on the guests as they were doing what they were doing in the motel room.
GRAHAM CLULEY
Who would actually want to do that? Really?
CAROLE THERIAULT
What do you mean, spy on them?
GRAHAM CLULEY
Yes. Well, isn't there enough of that kind of stuff on the internet anyway? You don't have to make your own with poor lighting and—
CAROLE THERIAULT
Well, maybe if you want a bit of the money.
GRAHAM CLULEY
Amateurs. You want a bit of the tingling? Okay, all right. Okay.
CAROLE THERIAULT
So the way they did this is they dressed— see, this is the other interesting thing that they chose motels over hotels, because they dressed up as employees and installed hidden cameras.
In 42 rooms across 30 different motels.
CAROLE THERIAULT
So because you don't have to go through reception, right? You could just knock on the door and say, "Hey, maintenance." Oh, I see. Right?
CAROLE THERIAULT
They apparently were able to record a whopping 1,600 guests doing whatever they were doing in those rooms. Cameras were hidden in televisions, sockets, hair dryer holders.
Do you know what the guys did with the footage? What do you think they did with it?
GRAHAM CLULEY
I think they securely erased it. They recanted. They realised that they were very naughty people.
MARIA VARMAZIS
And really?
MARIA VARMAZIS
No. I was going to say blackmail, probably.
CAROLE THERIAULT
See, that's what I thought too. It seems to me perfect ransomware.
GRAHAM CLULEY
Yeah, they'll be selling it to someone.
CAROLE THERIAULT
Yeah. They broadcasted live on the internet.
MARIA VARMAZIS
Oh, that's terrible.
CAROLE THERIAULT
It was the first case in South Korea. And the kicker, the kicker in all this, do you know how much these boys made by invading all these people's privacy?
Less than— well, $6,000. $5,000.
MARIA VARMAZIS
Did that even cover the cost of their equipment at that point?
GRAHAM CLULEY
And the uniforms?
CAROLE THERIAULT
Yeah, I worked it out. I worked it out, and it's 30p for each pair of butt cheeks.
GRAHAM CLULEY
Oh, fuck you! Hang on, are you counting each butt cheek twice, or is that— that's for a pair?
CAROLE THERIAULT
I worded that very, very carefully. It's 30p for each pair of pumping cheeks.
MARIA VARMAZIS
We're very precise here in Smashing Security. I just want everyone to know and appreciate the level of precision that goes into this.
There's so much math, so much math, so much math.
CAROLE THERIAULT
So the good news here is that the two douchebags have been arrested.
MARIA VARMAZIS
He's still wheezing.
CAROLE THERIAULT
I know some unfortunate person said on Twitter that they loved his wheeze. Oh my God. Now he just turns it on. He's just someone—
GRAHAM CLULEY
Yeah, everyone can have a fetish. It's all right if they— if that's what they like.
CAROLE THERIAULT
The law in South Korea was apparently amended last November to toughen penalties for illegal filming and distributing images without consent.
So punishments for the convicted include a 5-year jail term, or up to 5 years in jail, or fines of up to 30 million won. That's about $30,000.
So they could effectively, based on the money they brought home, be— find themselves 24,000 smackaroos out of pocket if the judge maxes out the financial punishment.
GRAHAM CLULEY
They've got to get jail time as well, haven't they? Surely. That's such a terrible thing to do.
CAROLE THERIAULT
And the thing is, okay, so while it's great that they've arrested these guys and these guys are going to be facing their punishment.
The problem is all those people whose personal privacy has been invaded, what do they get? They probably don't even know that they've been filmed.
GRAHAM CLULEY
You know what they should get? They should get a free subscription to the webcam in their prison cells to watch those two as they're shuffling around under their duvets at night.
CAROLE THERIAULT
That's entertaining.
GRAHAM CLULEY
Well, it may— no, but it's justice.
CAROLE THERIAULT
That doesn't sound very empathetic either, Graham.
GRAHAM CLULEY
I was empathetic. Last week, not been empathetic this week, but done that.
CAROLE THERIAULT
So advice, okay? Because the whole story here is that we all use hotels or motels or Airbnbs or whatever, stay at places other than home.
And some of us might be concerned that they might be being spied on. And so there's a few things you can do.
And these—
GRAHAM CLULEY
All right. Okay. Let's say we are.
MARIA VARMAZIS
All right. Okay.
CAROLE THERIAULT
So number one, conduct a physical search of the room. You want to listen for a hiss or buzzing because shittier equipment emits this kind of low buzz hum sound.
So you want to use your Britneys to search the room.
GRAHAM CLULEY
Sorry, Britneys?
CAROLE THERIAULT
Cockney English. Britney Spears ears.
GRAHAM CLULEY
Good. It could equally be the minibar or something though, couldn't it? Just humming away.
CAROLE THERIAULT
Of course. I think if you find that it's the minibar, you move on, don't you?
GRAHAM CLULEY
I never move on from the minibar. I'm there for a while. Table around.
CAROLE THERIAULT
Turn off all the lights and look for a glimmer of an LED light source.
And apparently, this is a cute tip, use your phone's camera because it's better at catching light and detecting light than the human eye.
So you can scan the room through your actual phone screen.
GRAHAM CLULEY
But wouldn't they have covered up any LED on the camera so it didn't go blink, blink, blink, you're on camera?
CAROLE THERIAULT
Say, for example, there was a little device inside the fire alarm gizmo in the room.
And you might turn off light and you might see two little LEDs blinking there and you might go, that's weird.
And you might go up and look closer and one you see attached to a hidden device and you go, aha. Now this is one of my favorites.
I've never actually been in a room where I thought the mirror might be two-way. But what do you do if you think it might be two-way?
So you turn off all the lights and you put a flashlight directly onto the glass.
GRAHAM CLULEY
Oh, come on, Carole.
You've been too paranoid here. This is too much to do.
MARIA VARMAZIS
People do it.
CAROLE THERIAULT
I think if people are concerned about this thing, if people are sitting somewhere and they got their spidey sense going, this doesn't feel right, just on all these people in motel rooms, they might have helped them not expose their you-know-whats to you-know-whos.
GRAHAM CLULEY
So I've watched Dexter, right? The serial killer guy. You know, I've watched that show.
MARIA VARMAZIS
The TV show?
GRAHAM CLULEY
Yeah, the TV show. Yes.
MARIA VARMAZIS
Not an actual one.
GRAHAM CLULEY
And what he does is he sets up his little murder room and he puts the polythene up over all of the walls, all right, so he doesn't leave any blood traces anywhere, right, for the cops to find him and catch him.
If you're really that worried about a hotel room and it's going to be so difficult to work out where these tiny devices might be, maybe you should just take some sheets of polythene with you and just polythene the whole room, and then you live inside the polythene thing.
Couldn't you do that?
MARIA VARMAZIS
Can you say polythene one more time?
GRAHAM CLULEY
Sorry, polythene.
Am I saying polythene incorrectly?
MARIA VARMAZIS
No, I just enjoy it. What?
GRAHAM CLULEY
I said it like a Canadian.
MARIA VARMAZIS
It sounds funny to my ears for some reason.
GRAHAM CLULEY
I don't know.
CAROLE THERIAULT
I'm going to carry on with my very—
GRAHAM CLULEY
Oh, please do. Please do. What else have you got?
CAROLE THERIAULT
You want to— obviously the good one, keep off the Wi-Fi if you don't trust it or use a secure VPN. VPN if you're going to do that. And note that many cameras are wired in.
Pay special attention to sockets, fire alarms, anything with a plug, right? You want to see— and if you look for wires that are going into weird places.
The other good one is they often put these cameras to the action locations, right? The bed, facing the bed, or the shower or something like that.
So you want to look for out-of-place decorations. Is there something facing the bed oddly? A pot plant, for example?
GRAHAM CLULEY
Or only ever have sex up against the door of the hotel door, right? If you did it there where people aren't expecting it.
I think that's what you're actually advocating is having sex in unusual places in the hotel room where you're not going to be videoed.
CAROLE THERIAULT
Actually, coming back to your suggestion, Graham, maybe you could just get yourself a polythene, almost like body bag that you can get yourself into, right?
GRAHAM CLULEY
With no air holes.
MARIA VARMAZIS
Or just make a little tent.
GRAHAM CLULEY
Make a little—
CAROLE THERIAULT
You should try it out first. You should try it out first. Make sure it's just all zipped up.
GRAHAM CLULEY
Some people do do that, don't they? They zip themselves up in their luggage for fun.
MARIA VARMAZIS
Where is this podcast going this time?
GRAHAM CLULEY
We're not recommending that, folks.
CAROLE THERIAULT
So there's of course RF radio frequency detectors. So you can scan a room and look for frequencies being emitted.
GRAHAM CLULEY
Seriously, if you're this paranoid, just stay at home. You know, I'm never going to leave the house if I'm worried about all that.
CAROLE THERIAULT
Okay. This story was about two guys who filmed 16,000 people across 30 hotels, motels in South Korea. It happens.
So if people are nervous about this and go, I don't know what to do, I am telling them things they can do.
GRAHAM CLULEY
Right. And I'm saying just stay at home. Because if you're that worried, for goodness sake, you can't live your entire life in fear, Carole.
MARIA VARMAZIS
Just throw a sheet over. They can't see anything.
GRAHAM CLULEY
Yes. Excellent idea. So just do it under the duvet. Right?
CAROLE THERIAULT
I do agree with Graham though, that if you do get a spidey sense, you feel like you're being watched, yeah, just leave, you know.
MARIA VARMAZIS
Trusting your gut is almost always the best advice.
CAROLE THERIAULT
Or just do something really incredibly dull and nothing else, like maybe just play a game of chess for hours or something.
GRAHAM CLULEY
Now that I'd subscribe to.
MARIA VARMAZIS
You've been spying on Graham then, is what I'm—
CAROLE THERIAULT
Oh yeah, I don't spend enough time with him during this podcast.
GRAHAM CLULEY
Hey, don't bash Bitdefender, right? Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win.
Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, phishing, and much, much more.
Grab it for yourself at smashingsecurity.com. And thanks to Mimecast for supporting the show. And welcome back. Can you join us on our favourite part of the show?
The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the— Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever you wish.
It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Should not be.
GRAHAM CLULEY
Well, my pick of the week this week comes courtesy of our Reddit community. One of our listeners who goes by the user ID PaleSkinnySwede.
CAROLE THERIAULT
What if it's descriptive?
GRAHAM CLULEY
You think he's actually a vegetable? He has nominated a pick of the week for us and I checked it out and I thought, oh, that's quite good. That's quite fun.
So he has recommended a chap on YouTube, 29-year-old Zach King, who is a personality on the video service who makes short digital sleight-of-hand videos, like sort of magic-y, but there's a bit of editing and jiggery-pokery and crafty editing, and they're jolly clever, and kids will love them, and it will amuse you as well.
So I've put in a link in the show notes. He makes things disappear, he does tricks with perspective, and I thought, you know what, that's very good.
Well done you, sir, for making videos like that. They're like little Vine videos. They're 6, 10 seconds. They're very cute and wonderful. And I thought very creative and good for him.
And so my recommendation, my very quick pick of the week this week is Zach King. And thank you, Pale Skinny Swede, for recommending it.
CAROLE THERIAULT
Yeah, rock on, brother.
GRAHAM CLULEY
Yeah, it's good fun.
Maria, what is your pick of the week?
MARIA VARMAZIS
Well, as a fellow pale skinny Swede, I wanted to give my own recommendation. And it wasn't just the Varmazis hot sauce, although that was sort of mine for this week.
CAROLE THERIAULT
God, advertise, we have to charge.
MARIA VARMAZIS
Yeah, I know, they're gonna be like, what, so much traffic to our site all of a sudden?
So my actual pick of the week is killedbygoogle.com, which is, as the name may suggest, a website that lists all the things that Google has killed.
Yeah, so not people who have been murdered by the Google Street Maps car or anything like that, not that, although I'd be really interested if that is a thing. Please, somebody—
GRAHAM CLULEY
Sergey Brin hasn't been sniping at people off the top of the Google building. Again, we're not suggesting there's been any actual deaths.
MARIA VARMAZIS
I'm sure that list exists somewhere on the dark web though.
CAROLE THERIAULT
It's the death of dreams.
MARIA VARMAZIS
It's the death of dreams. So if you want to be really mad about Google Reader with me, you can scroll down on this and then shake your fist.
But yeah, it's just— when you get past the Google Reader and then let your rage subside a little bit, you can see all the other projects that they've killed over the time, many of which deserve to go.
CAROLE THERIAULT
But some, yeah, yeah, I was gonna say some of them is like, sayonara.
MARIA VARMAZIS
Yeah, but it's an interesting trip through time if you go all the way back. The first one on the list is Google DeskBar, which I have fond memories of using.
But yeah, it outlasted its purpose.
But it's an interesting open source project, so you can actually contribute to it if they're missing something, and it's just a simple but really good concept time waster, and I recommend it.
CAROLE THERIAULT
Very cool.
GRAHAM CLULEY
But it also sends an important message, because they've killed almost 150 products. I mean, a huge number of them.
I mean, the one we all care about, as you've already mentioned, is Google Reader, which was just spiteful that they got rid of that. It was used by so many people.
CAROLE THERIAULT
What about Google Circles? Wasn't that amazing?
GRAHAM CLULEY
Toss them out.
MARIA VARMAZIS
What about Google Glass? Actually, a legitimate one that I'm not sure why they killed it was Google Flu Trends. That was really interesting.
MARIA VARMAZIS
Yeah. I'm not sure why they killed that one, but yeah.
GRAHAM CLULEY
But the important message here is if you rely on something from a company like Google, they have the ability because you're not a paying customer to just zap it anytime they want.
And you may be up the creek without a paddle. Glad you agree.
MARIA VARMAZIS
I wasn't sure how to respond to that.
GRAHAM CLULEY
Yes. Yes. Yes, Graham.
GRAHAM CLULEY
You would be up the creek.
MARIA VARMAZIS
Yes, so wise.
GRAHAM CLULEY
Guru. Carole, what's your pick of the week?
CAROLE THERIAULT
VPN is not exciting, funny, or quirky, but it's flipping useful, particularly for people like us who spend a ton of time reading online news articles.
But one of the things that kind of annoys me when I'm reading these sites is that everyone first displays their news in a different way, different fonts, different sizes, different locations.
It's full of images, often ads, all the crap.
GRAHAM CLULEY
Do you accept cookies and—
CAROLE THERIAULT
Yeah, different size fonts and all kinds of stuff. All kinds of, ugh, it just drives me nuts. So outline.com is a resource for people that want to just get the news, right?
So what I'd normally do is cut and paste the story into a reader, text editor, to actually read it that way. That's how I would normally read a story so I could get around all that.
But often a lot of extraneous information gets copied over as well. So outline.com takes all the trouble out of that.
You don't have to cut and paste, you don't have to sign up, you do not have to download an app.
You just go to a web page and you enter the URL for the article you're trying to read, and presto, a nice clean copy is presented to you.
GRAHAM CLULEY
And is it— it's very— I've used this a few times.
CAROLE THERIAULT
It's very pretty.
GRAHAM CLULEY
It's very pretty. It's sort of clutter-free presentation of an article.
CAROLE THERIAULT
Yeah, it's like Steve Jobs was there going, no, remove that, remove that, unnecessary.
GRAHAM CLULEY
And this is a free service, isn't it?
CAROLE THERIAULT
It is a free service.
GRAHAM CLULEY
Is it free?
CAROLE THERIAULT
Well, I'm using it for free.
GRAHAM CLULEY
Well, yeah, we're using it for free, but is there anything— what, why, why are they— see, you've made me, you've made me all cynical now. Why are they doing it?
CAROLE THERIAULT
I have not made you cynical.
MARIA VARMAZIS
Yeah, you were pretty cynical to start. Let's be real, come on.
CAROLE THERIAULT
Stop blaming everybody for your shortcomings.
MARIA VARMAZIS
What's their angle? Where's the— follow the money. Yeah, I know, I know, I'm wondering that too. Try it out.
CAROLE THERIAULT
It's a lovely website. All you're doing is cutting and pasting from articles you'd like to read.
GRAHAM CLULEY
Yeah, and just the link, isn't it?
CAROLE THERIAULT
Yeah. You can take out the trackers before you put the link in if you want to be absolutely 100% sure. And voilà.
MARIA VARMAZIS
Check it out.
CAROLE THERIAULT
Outline.com. It's a good pick of the week, don't listen to Graham.
GRAHAM CLULEY
No, no, I've used it. I think it's quite handy and quite nice, like it. Yeah, all right.
CAROLE THERIAULT
Missed that.
GRAHAM CLULEY
Well, that just about wraps it up for this week. Now, Maria, I'm sure lots of people would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS
You can follow me on Twitter @mvarmazis, or if you're on infosec.exchange, my handle there is @maria.
GRAHAM CLULEY
So, which is a Mastodon instance.
MARIA VARMAZIS
It is, yes. Trying to get better at using that.
GRAHAM CLULEY
Well, we're on Twitter as well. You can follow us on Twitter @smashingsecurity, no G. Twitter wouldn't allow us to have a G. And we have an active community as well on Reddit.
Quickest way to find us up there is to go to smashingsecurity.com/reddit.
CAROLE THERIAULT
And huge thanks to this week's Smashing Security sponsor, Mimecast.
It's support like this that helps us give you this show for free. And thank you to all our glorious listeners.
If you like what you hear and you want to help us grow, tell some friends about the show or leave us a review. It really helps.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, later, bye. Marvelous, marvelous.
MARIA VARMAZIS
Nicely done.
CAROLE THERIAULT
Week in, week out.
Asus makes computers for a few operating systems. I'm assuming, since you didn't specify, that you mean Windows machines. Does this also target Chromebooks?
It's just Windows.
There's been an update from Asus, which you can read about here: https://www.tripwire.com/state-of-security/featured/asus-security-update-live-update-tool-hacked/