
Over the weekend, a story spread widely across social media claiming that hackers had held a hotel to ransom, after locking guests in their rooms:
> One of Europe’s top hotels has admitted they had to pay thousands in Bitcoin ransom to cybercriminals who managed to hack their electronic key system, locking hundreds of guests in or out of their rooms until the money was paid.
>
> Furious hotel managers at the Romantik Seehotel Jaegerwirt, a luxurious 4-star hotel with a beautiful lakeside setting on the Alpine Turracher Hoehe Pass in Austria, said they decided to go public with what happened to warn others of the dangers of cybercrime.
As soon as I heard the story I was suspicious.
Why would a hotel announce that they had failed so spectacularly at securing their systems, and inconvenienced hundreds of their guests? Where were the quotes from aggrieved hotel guests who were locked in their rooms? Where were the social media posts and YouTube videos of guests unable to leave their hotel rooms? Why are there no grumblings on TripAdvisor or on the hotel’s Facebook page?
It just didn’t make any sense.
Think a little deeper, and it makes even less sense.
What hotel do you know where you have to use an electronic lock to *leave* a hotel room? In your hotel room you have a manual door latch for good reason, and don’t need to find your room card to get out. Think about it: if there’s an emergency such as a fire, you don’t want to be desperately trying to find your key card.
A quick trawl through the Seehotel Jaegerwirt’s website finds some standard-looking door handles on the inside of their rooms, which must be pleasing to the local fire department.

So, my conclusion is that the suggestion that guests were locked in their rooms is clearly cobblers.
Might hotel guests have been locked out of their rooms (as opposed to inside their rooms)? I think that’s unlikely.
Watch what happens when you check in at a hotel. In my experience what usually happens is this: the receptionist takes a key card, slides it into a gizmo, and programs its magnetic strip with a code which represents your room number (and potentially your check-out date).
Your room’s key card lock compares the room code on the key card with one stored locally within the lock. It could check with a central computer, but that would inevitably require a lot more wiring and complexity – something you probably wouldn’t expect in a family-run hotel built over 100 years ago.
Let’s read some more:
> And they said they wanted to see more done to tackle cybercriminals as this sort of activity is set to get worse. The hotel has a modern IT system which includes key cards for hotel doors, like many other hotels in the industry.
>
> Hotel management said that they have now been hit three times by cybercriminals who this time managed to take down the entire key system. The guests could no longer get in or out of the hotel rooms and new key cards could not be programmed.
So, according to the report the hotel decided to go public to “warn others of the dangers of cybercrime” *and* admitted that they have now been hit by hackers on three occasions.
If the story is true, it’s certainly surprisingly altruistic behaviour that the hotel is displaying. After all, if they have been “hit three times by cybercriminals” I wouldn’t necessarily be hurrying to book a vacation and entrusting my credit card details with them. Clearly their grasp on computer security is as shaky as my performance on the ski slopes.
Of course, I applaud firms who go public about being victims of cybercrime, but I know only too well that many prefer to brush the story under the carpet unless they feel compelled by legislation to share details – most commonly if the personal or financial details of members of the public have been put at risk.
So, in conclusion…
Was the Romantik Seehotel Jaegerwirt hotel hit by ransomware?
I don’t know. I guess it’s possible they were.
Bleeping Computer quotes the hotel’s manager, giving a more believable description of what may have occurred:
“We were hacked, but nobody was locked in or out,” said the hotel’s Managing Director Christopher Brandstaetter. “For one day we were not able to make new keycards.”
“Since the locking system must work even in the event of power failure, the guests in the hotel almost did not notice the incident,” the manager also added. “We simply could not issue new keycards because the computers were encrypted.”
That sounds plausible to me. But not something that really warrants the widespread media coverage.
Were hotel guests locked in their rooms?
That sounds like utter balderdash. Although I wouldn’t be surprised to hear computer security firms trotting the dubious anecdote out as evidence of the danger posed by ransomware for years to come.
For further discussion of this topic, be sure to listen to this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hello everybody and welcome to Episode 6, Smashing Security, 2nd of February 2017, and I'm joined as always by my good chums Vanja Švajcer and Carole Theriault.
And you may have noticed a difference already. That's right. We have got a new theme tune on the podcast. Now, I don't want to point any fingers, but somebody, yeah, that's right.
Somebody wanted us to change the theme tune. I thought the existing theme tune was pretty good, actually.
I thought it was doing reasonably well, but it seems some people weren't as much of a fan of it.
They're crumbling. No wonder they're going down the charts. No wonder people aren't leaving reviews for them any longer on iTunes. By the way, you can leave reviews for us on iTunes.
I don't know if I've mentioned that. It might be a nice thing to do. Anyway, what are we going to talk about today? Oh, we've got 3 topics we're going to talk about today.
And topic number 1—
Okay, well, I'm going to talk to you about something which happened over the weekend, a big story which broke about a luxury hotel in Austria, a 4-star hotel called the Romantik Seehotel Jägerwirt.
Apologies for my bad Austrian accent, which apparently is in a beautiful setting up in the Alps, and they got hit by ransomware. Well, big flipping deal.
You know, lots of organizations getting hit by ransomware all the time, but, the headlines in this particular case said that the ransomware had affected the hotel system so badly that 180 guests were locked in their hotel rooms.
And lots of hotels don't even have windows that open anymore.
They don't let you open the windows so that you have to trudge along all the way downstairs and out the building.
Anyway, the point is, all these headlines were saying that people have been locked into their hotel rooms. Well, that is absolute nonsense.
If you've got hundreds of people in a hotel, you've all seen the Towering Inferno, right? It's an absolute disaster when one of these things sets fire.
You need an easy way of getting out.
And if you have to, if it's 3 o'clock in the morning when the fire alarm goes off, you don't want to have to be scrabbling around looking for your little key card in order to get out of your room.
And that's why when you're in a hotel room, you'll see there's actually a proper normal analogue, sort of physical handle there, right? And you can just open it.
So it may be a little bit trickier getting in, but it's always really, really easy to get out. So that's one reason why I instantly thought— That sounds—
But I've been in hotels where it's a kind of, you know, the kind of key you put in and you have to keep track of the key and you don't hand it into the desk. You can lose your key.
So I don't know. Oh, I suppose it'd be easy to get out in that case, wouldn't it?
I can't open it all the way. Is that what's— Is that what you're struggling with?
Wouldn't you have expected all of those hotel guests— okay, they're stuck in their hotel rooms. I've done a search on the hotel's website. They did have Wi-Fi.
Wouldn't all these people have gone on Instagram and Twitter and indeed TripAdvisor and left very negative reviews.
Said, "I'd love to say something nice about this hotel, but unfortunately I've been locked in my room." Wouldn't people be doing that?
Wouldn't people be live streaming on YouTube saying, "Oh, I'm stuck in my hotel room." But there was none of that going on at all.
It looks like there was a ransomware incident at this particular hotel, as there are organizations all over the world, of course, people are always getting hit by ransomware.
But what it did was it hit the key card system, which meant that the hotel reception desk weren't able to create new key cards for people.
You know, so as people were coming in and that obviously would be a bit of a pain. And the system was down for a day or so while they were recovering and bringing it back.
It looks like they did eventually pay the ransom, but nobody got locked in their hotel rooms.
And in fact, if you look at the actual quotes from the hotel staff, they say that everybody was actually out on the ski slopes at the time anyway. So it was no big deal.
But you're right, Carole, people love stories like this. People love to share this kind of— because what a fantastic anecdote if it had been true.
People locked in their hotel rooms because of a malware attack. Not a targeted attack, but just one which happened to hit this hotel.
And you can bet your bottom dollar that there will be security firms out there and salespeople who will carry on trotting out this story as though it were true way into the future.
And it will be there in presentations and it will become an accepted truth, even though it never really happened.
You hear so many different stories in sales presentations and a lot of them are probably not true anyway.
It's sometimes you hear this quote from security company presentations saying that cybercrime makes more money than the drugs trade is the claim, which you'll often see trotted out.
It's really?
Albeit a cigarette packet which they can't actually use inside their hotel room because of the ransomware. There you go. All right. Well, okay. We've busted that myth at least.
So well done to us for that. Let's go on. Topic 2.
It's about the question whether we should use third-party antivirus software, whether we should use no antivirus software at all, or whether we should rely on Microsoft built-in Windows Defender antivirus software.
So a former developer of Firefox Mozilla, Robert O'Callahan, wrote in his blog, and that was picked up by some news outlets, and the discussion kind of ensued from there on.
So his claim is that AV software should not be used apart from the Microsoft perhaps because it introduces new attack surface and slows the system down.
So it kind of brings more harm than good into your system. So that's a kind of a difficult question and difficult statement to test, right?
I can just say that thinking of the history, the AV integrated with browsers just because browsers were not that great in the past and their users have required them to basically block bad content, and the only way to do it is to hack inside the Windows operating system and inside the browsers.
And now the developers of browsers are saying, you know, no, the way to do it is to rely on your secure browsers, and the browsers cannot be secured because there are so many pieces of AV software there that introduces additional insecurities into the browsers.
So it's kind of a weird thing.
I think now the state is that the browsers are a little bit better, or I mean better than they, much better than they used to be.
And AV probably stay pretty much the same, except also AV, when we say AV today, many people think that AV is pretty simple scanning of content, but now there are so many different additional kind of technologies that are included that actually, it's not just about AV.
A lot of the security guys just think about AV of something that can block only the content they've seen before, so the known threats.
But now it evolved so much that it can actually block a large amount of new and unknown threats as well.
There is a group of people in the security community who really have a low regard for antivirus.
And what they often will say, I mean, amongst other things, is that antivirus— if you run an antivirus program on your computer or on your email server or somewhere on your systems, you're increasing your attack surface because there may be vulnerabilities in that antivirus software which hackers could potentially exploit in order to infect you.
And yes, that's possible. And indeed, vulnerabilities have been found in many of the major antivirus products from time to time which can be exploited.
But if you're talking about exposure, the attack surface, there is no bigger exposure than the typical computer user going on the internet through a browser with no antivirus measure in place.
If you don't have any security running on your computer, you're just opening yourself up for trouble.
And I'm very skeptical of this suggestion by this blogger that only Microsoft are doing it right.
Well, maybe he had a good experience with Microsoft in terms of integrating with his browser, but if everybody used the same antivirus software, that would be disastrous.
So everybody knew how to work around the way that Microsoft for DOS protected the system.
So now you would have the similar kind of situation where you have Windows Defender everywhere and malware writers had to only simply go around that, except, you know, apart from the other kind of tools that are there to protect your systems.
So apart from, you know, instead of blacklisting software, the right way to do it, as they say, is only to allow the good software to run and allow nothing else, which to me just seems to be the different side of the same coin, right?
It's you can never know all the malicious software. You can't always say, well, you can never know all the good software that can run. So to me, it's kind of, it's really tricky.
What about all the scripts? What about all the kind of documents that can also contain some code. So it's kind of a very difficult thing. I think it's about the same.
It's doomed to fail one way or another.
I can imagine some corporate environments in very specialist cases or particular departments where that may work, where you may be able to say, these are the only programs which you can run.
These are the ones which you're authorized to run. Anything else, we're not going to allow it to run.
But in a home user market, for instance, my Auntie Hilda or somebody like that, you can't do that with her. You can't take that kind of approach.
She just needs something really simple, which isn't gonna require any maintenance by her, doesn't require any setting up or any configuration.
That's what 99% of people require is just to run a program, which hopefully will find most of the malware attacks which are thrown against them.
Nobody's saying antivirus is perfect. It isn't perfect, okay? There's no such thing as a perfect antivirus. But some antivirus is better than nothing.
And using a different antivirus, as you said, Carole, avoiding that sort of monoculture has to be a good thing to do as well, because otherwise it's going to be so easy for the attackers to take advantage.
Rather than testing their malware against 25 different antivirus products from McAfee, Symantec, F-Secure, ESET, Bitdefender, they have to just beat Microsoft.
You know, that's really putting us in a dangerous place, I think.
And there was an interesting thread on Twitter as well of that, you know, Vesselin Bontchev, one of the kind of most well-known and the oldest kind of researchers in the AV world, kind of tried to defend the AV side saying that AV after all brings more good than harm.
And then he was kind of critical of the Google security researcher, Tavis Ormandy.
And he said that Tavis basically knows as much about as a shop window-breaking hooligan knows about the art of shop window arrangement, which was a pretty entertaining quote.
And maybe his point is much better suited for people that have a much more intimate understanding of security and can secure themselves using different security products other than AV.
He's a genius when it comes to these things.
But he imagines that everyone is just as skilled as him at disassembling every single program which comes onto their computer and be able to analyze and work out whether it's malicious or not.
So maybe Tavis Ormandy from Google doesn't need to run an antivirus, but he's not like other people. And actually, neither is Vesselin Bontchev.
They're probably closer than they imagine to each other in their personalities.
Topic number 3. That must be you, Carole.
I certainly do. And why do I do it? Ads are often annoying.
They've become more annoying over time in terms of their placements and what you need to do to get rid of them to actually get to the content you're trying to get to.
I don't like being tracked by ads, you know, and followed around the internet to different sites I go. And of course, ads can serve up malware, which we all know very well.
Now, the news this week is a company called PageFair.
Now, these guys are people that say— this is how they put it on their site— PageFair ads serve advertising in a manner that ad blockers are unable to circumvent and solves the speed, privacy, and UX issues that cause ad blocking in the first place.
So they certainly— they put out a report to say ad blocking is getting more popular amongst users, especially in emerging markets.
And, you know, they're trying to put the fear of God, I think, into people who create content. So some of their stats include 11% of the internet population now use ad blockers.
That's, I don't know, 1 in 10. That seems probably about right to me, although the internet population is obviously very large indeed. But what do you guys think?
Does that sound about right in terms of experience?
Using a computer which isn't running ad blocker because the internet looks so much different. It's like, oh my goodness, how do you put up with this? All of these ads everywhere.
But I agree that there's a huge amount of risk. I'm kind of using, well, not using Windows, let's say. So hopefully I'm a little bit more protected against some of the stuff.
So I go to some sites and I can't, I cannot even use to get to the content because I don't even think the ads have been designed for that medium very well on lots of sites.
As soon as you start scrolling, the advert appears and you have to click on it. And they probably think, oh, such a great click-through rate.
And 62% on mobile devices. And they're also saying that it's grown 30% year on year.
Now what I don't get in all this is surely this is just telling us people are not liking or trusting or wanting the way ads work today.
Yeah, it seems pretty clear to me if people are actually going out of their way to— it's almost like, you know, it's anti-dandruff shampoo, right?
You have to go out, you have to go buy it. So you have to go get these ad blockers and to turn them on and configure them.
And you're doing that 'cause you have a pain that you want to get rid of.
I never, well, I certainly never clicked on any of the adverts except by chance.
So this is where an attacker uploads a malicious advert, you know, and they can be drive-by downloads as well.
What they do is actually just have a webpage serve up the malicious ad in order to redirect you to a malicious site.
There's been lots and lots of malvertising over the years, and all the big guys, you know, Daily Mail, MSN, Yahoo, BBC, New York Times, Newsweek, AOL, NFL, I could go on.
All these people were hit recently.
They're an ad company which tries to block ad blockers, right?
They're the people who put up that irritating message saying, before you read our content, we'd really like you to whitelist our site. That's what they're doing, aren't they?
I couldn't find the secret sauce page anywhere. So if anyone does know, I would love to hear.
If it doesn't display it or it doesn't pull from the website, then it says, oh, you might be running an ad blocker.
So that's why I'm being a bit sitting on the fence until I know more.
Anyway, what is funny though is that in late 2015, PageFair, the firm we're talking about, has put out this report who works with some 3,000 publishers at the time, was hacked and left 501 publishers' sites vulnerable to malware attacks via malvertising.
So, you know.
The irony.
There's some companies who've done it quite well.
I think Google has done it really well because their ads aren't that obtrusive, intrusive, you know, just text links rather than those, do you remember, really irritating sort of graphical banner ads used to get everywhere?
And that sort of has begun to disappear a little in favor of the Google model. But I think all of this advertising doesn't really make an awful lot of money.
Which is somehow they never managed to, it's only a potential so far.
So there's lots of ways that can be very irritating. My advice on this is I recommend ad blockers. And that's not because I don't think content providers should be paid.
Of course they should. But I think we need a new way to make that happen. And there's a number of different ways you can do it.
You can have page sponsorship, which I think you do, Graham, on your website.
I have seen it in a few places. I have paid for content on a number of websites that, you know, where I think the content is valuable enough for it.
I don't think we've got the answer yet.
Before we do, we've got a little bit of feedback on past episodes. We've got Bob has written in. He says, great podcast. I prefer audio over video so I can rest my eyes.
The audio is many, many times— sorry about that— audio is many, many times superior compared to the first couple of videos and is extremely easy to listen to.
Well, thank you very much.
We've been trying to improve our audio and yeah, we've stopped for now doing the video version because we were having some problems with it, but maybe it'll come back in the future.
She writes that she has a problem with audio podcasts, says I'm partially deaf and use lip reading to complement my limited hearing. So obviously there is a value in video as well.
Obviously, Paula, if you hear this, obviously there's loads of great content on the blog as well and on security news sites where you can find out more about what's going on if the audio podcast isn't working great for you.
And we'll always include good show notes so you can read more about the issues that we've been talking about too.
So Graham, you know, tone that down. Tone that down. Don't scare cats. I'm a cat fan, so, you know, how dare you? How dare you?
And if you've got something nice to say about us or leave a review or give us so many star rating, even if we have upset your cat, please do.
It really makes a big difference and helps spread the word out there as to us.
Thanks for tuning in. If you like the show, tell your friends. Follow us on Twitter. We're @Smashin— without a G— @SmashinSecurity on Twitter.
And what's left to me is to say thank you to Vanja Švajcer for joining us once again. And until next time. Bye-bye!
I agree with your conclusions, but it seems to me you must be wrong about the unlocking code being stored 'locally within the lock'. An important security feature is that if you lose your keycard, the receptionist can cancel its validity, otherwise if it was found by a crook they'd have access to your room. Surely all locks *have* to be connected to a central database of some sort?
It's a common misunderstanding to think that there is some complex door database system. Door locks do not have to be wired to a database. Here is a good explanation of how it works by one hotel manager:
The only thing on the card key is a rotating code and a serial code of some sort to distinguish one key from another (i.e. two master keys will have the same key code but different serial codes.) When you check in, the clerk puts the key in an encoding machine that records onto it the next sequential code for the lock on your room. When you first enter your room the lock recognizes that the next sequential code is being used and instantly invalidates the previous key. That explains why if you get a second key later for someone else, it often messes up your key – the clerk coded a new key rather than a duplicate. The sequence change means that the previous guest can no longer get into the room.
Probably what Bleeping Computer reported is more accurate. Many people and media love to play up the fear with any story with "cyber" in the title.
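The offline scheme described in the article and in the hotel manager's explanation quoted above can be modelled in a few lines. This is an added illustration, not code from the post, the commenters or any lock vendor: the HMAC derivation, the class names and the room secret are assumptions, since the page only says the lock keeps its code locally and accepts the next sequential code. It shows that existing cards keep working while the front-desk encoder is down, and that only issuing new cards fails.

```python
import hashlib
import hmac
from dataclasses import dataclass

def code_for(room_secret: bytes, counter: int) -> bytes:
    # Assumption: codes are derived with HMAC. The page only says they are sequential.
    msg = counter.to_bytes(4, "big")
    return hmac.new(room_secret, msg, hashlib.sha256).digest()[:8]

@dataclass
class Card:
    serial: int   # distinguishes physical cards that carry the same code
    code: bytes

class Lock:
    """Stand-alone door lock: local state only, no link to the front desk."""
    def __init__(self, room_secret: bytes):
        self._secret = room_secret
        self._counter = 0

    def present(self, card: Card) -> bool:
        if hmac.compare_digest(card.code, code_for(self._secret, self._counter)):
            return True                      # current guest's key
        if hmac.compare_digest(card.code, code_for(self._secret, self._counter + 1)):
            self._counter += 1               # next code seen: older keys now dead
            return True
        return False

class FrontDesk:
    """Encoder PC: the only part that depends on a working computer."""
    def __init__(self, room_secrets: dict):
        self._secrets = room_secrets
        self._counters = {room: 0 for room in room_secrets}
        self._serial = 0
        self.online = True

    def _mint(self, room: str, counter: int) -> Card:
        if not self.online:
            raise RuntimeError("encoder offline: cannot program key cards")
        self._serial += 1
        return Card(self._serial, code_for(self._secrets[room], counter))

    def new_key(self, room: str) -> Card:
        card = self._mint(room, self._counters[room] + 1)
        self._counters[room] += 1            # advance only after a card was written
        return card

    def duplicate_key(self, room: str) -> Card:
        return self._mint(room, self._counters[room])

def simulate_outage() -> dict:
    secrets = {"101": b"constructed-demo-secret"}   # constructed sample value
    desk, lock = FrontDesk(secrets), Lock(secrets["101"])
    guest = desk.new_key("101")
    spare = desk.duplicate_key("101")
    out = {"guest_before": lock.present(guest), "spare_before": lock.present(spare)}
    desk.online = False                      # front-desk computers encrypted
    out["guest_during"] = lock.present(guest)
    try:
        desk.new_key("101")
        out["issue_during"] = True
    except RuntimeError:
        out["issue_during"] = False
    desk.online = True                       # systems restored
    arrival = desk.new_key("101")
    out["arrival_enters"] = lock.present(arrival)
    out["guest_after_arrival"] = lock.present(guest)
    return out
```

The last two results reproduce the effect the hotel manager describes: once the lock sees the next code in the sequence, the earlier card stops working without any central database being consulted.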
How can they have been hacked many times and still not have an instant backup available and be back in business quickly?