
I’m concerned that fraudsters will disguise themselves as the NHS Test and Trace Service, and trick people into handing over sensitive personal information – and maybe even some money.
The Government’s top medical advisers, however, seem to think that it will be obvious if a caller is a scammer or not, because scammers won’t sound “professional”.
Obviously that’s a ridiculous claim, and could give the public a false sense of confidence.
So how could we better protect people from giving information in response to fraudulent SMS texts and phone calls? How could we stop them visiting a bogus link that pretends to be the NHS Test and Trace site, but is really intent on scooping up their data?
Well, maybe Coronavirus test and trace schemes could learn something from banks.
Banks don’t just keep an eye open for phishing sites posing as their domains. They also give you a bank card, and on the back of it is a phone number you can ring if you ever need to speak with them.
That way, if someone rings you up out of the blue claiming to be your bank you can say “thank you very much, I’ll call the bank to confirm you’re not a fraudster”.
One of the things – aside from using advertising and publicity – the UK Government could have done is write to every household, giving each home a card we could stick up in the kitchen (next to the Barnard Castle fridge magnet) telling us the name of the real website to visit and the phone number to call if we are contacted by a tracer.
It doesn’t stop fraud 100%. Some people still wouldn’t go to the legitimate website, or would be socially engineered into giving their details to fraudsters posing as the NHS Test and Trace scheme.
But it’s probably a better way of ensuring everybody in the country has the correct information about what to do – if they receive a call from a supposed Covid-19 tracer – than anything else the Government is currently doing.
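The bank-card idea above is an allowlist: you are handed the one address and the one number that are genuine, and anything else is treated as suspect. The following is an added example, not code from the post, showing how that allowlist logic looks when applied to a link received by text or email. It assumes a single official host, contact-tracing.phe.gov.uk (the address quoted in the podcast), and a hypothetical list of brand words that an impostor domain would borrow; the tokens and the "official"/"lookalike"/"unrelated" verdicts are my own construction.

```python
"""Triage a link that claims to lead to the NHS Test and Trace site."""
from urllib.parse import urlsplit

# Constructed allowlist. The podcast quotes contact-tracing.phe.gov.uk as the
# official site; which hosts an organisation would actually publish is an assumption.
OFFICIAL_HOSTS = ("contact-tracing.phe.gov.uk",)

# Brand words an impostor domain would borrow. Hypothetical list, not from any
# official source; anything not on the allowlist is treated as suspect by design.
BRAND_TOKENS = ("nhs", "phe", "trace", "tracing", "gov", "covid", "corona")


def _with_scheme(url: str) -> str:
    """Links in SMS messages often arrive without a scheme; add one so urlsplit
    parses the host instead of treating the whole string as a path."""
    return url if "://" in url else "https://" + url


def _hostname(url: str) -> str:
    """Lowercase hostname with any trailing dot removed ('' if unparseable)."""
    host = urlsplit(_with_scheme(url)).hostname or ""
    return host.rstrip(".").lower()


def _is_official(host: str) -> bool:
    """Exact match or a subdomain of an allowlisted host."""
    return any(host == off or host.endswith("." + off) for off in OFFICIAL_HOSTS)


def classify_link(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = _hostname(url)
    scheme = urlsplit(_with_scheme(url)).scheme.lower()
    if _is_official(host):
        if scheme != "https":
            return ("lookalike", "official host but not served over https")
        return ("official", "host is on the allowlist")
    # The official name hiding in the userinfo part or the path is a classic trick:
    # https://contact-tracing.phe.gov.uk@evil.example/ really goes to evil.example.
    if any(off in url.lower() for off in OFFICIAL_HOSTS):
        return ("lookalike", "official name appears in the URL but host is " + host)
    # phe-gov.uk, nhs-tracing.example and friends: brand words, wrong domain.
    squashed = host.replace("-", "").replace(".", "")
    if any(tok in squashed for tok in BRAND_TOKENS):
        return ("lookalike", "host borrows a brand word but is not on the allowlist")
    return ("unrelated", "host does not resemble the official site")


def triage(links) -> dict:
    """Map each link to its verdict, for a batch of links pulled from messages."""
    return {link: classify_link(link)[0] for link in links}


if __name__ == "__main__":
    # Constructed sample links, including the phe-gov.uk lookalike from the podcast.
    SAMPLE_LINKS = [
        "https://contact-tracing.phe.gov.uk/",
        "contact-tracing.phe.gov.uk/login",
        "http://contact-tracing.phe.gov.uk/",
        "https://phe-gov.uk/",
        "https://contact-tracing.phe.gov.uk@evil.example/login",
        "contact-tracing.phe.gov.uk.evil.example/x",
        "https://example.org/",
    ]
    for link in SAMPLE_LINKS:
        verdict, reason = classify_link(link)
        print(f"{verdict:10} {link}  ({reason})")
```

The point of the design is that the check is a comparison against a published allowlist, not a judgement about how "professional" a site or caller looks: a host that merely contains the right words, or a URL that mentions the real name somewhere other than the host, is flagged, and an unknown host is never promoted to genuine just because it is unfamiliar.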
To hear more discussion of this issue, make sure to listen to this episode of the “Smashing Security” podcast:
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Well, holographic nano layer technology doesn't come cheap for all. I think a lot of people are just assuming... They just think... no one understands it's too complicated. It's too complicated.
Hi. I think Mark Stockley has a character beyond Naked Security.
I thought you were going to say it's Mark Stockley who happens to be naked and talking about security.
Well, well, well, welcome to the world of post-Covid.
It's very, very warm today in my defense.
And that's why we do a podcast and the sun is shining.
And you're quite a hairy man Mark and I... he's meaty, he's medium hairy. I had to do a video call thing the other day which will end up on YouTube somewhere and... take your shirt off my... no but my hair is getting quite long and uncomfortable now and I'm just wondering how Mark who normally is extremely offensively well suited... offensively well you're...
Outrageous just because you're, you know, baby skinned what like a 10 year old.
There's just a lot of it going on and I just wonder how he's coping in all this heat.
Well I'm not very good at keeping cool at the best of times. You're sweating a lot then. I think I'm definitely on the sort of Neanderthal side of the gene pool.
You said it. Carole, what's coming up on the show this week?
Thanks to this week's sponsors, Deep Instinct, Immersive Labs and LastPass. Their support help us give you this show for free. On today's show, Graham looks into how to stop kids from turning to a life of crime. Mark is looking into all the ways bad guys might hinder the UK's track and trace efforts. And I try to find out just what life-affirming frequencies and holographic nanolayer catalyzers are. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, before all that, I want to talk to you about kids. What a complete pain in the ass kids are. Right? Oh, whoa.
No, they are. I thought you were in a bad mood this morning.
You're feeding them, you're clothing them, you're bathing them, you're cleaning them, you're entertaining them, you're educating them. You're teaching them how to use Google Classroom. Mostly picking up shoes.
I've noticed that there's a tremendous amount of shoe picking up. I wasn't ready for that.
And then after some years, an inordinate number of years, they become even less adorable. Suddenly they're playing Call of Duty. They're wearing baggy trousers. They've got baseball caps on sideways. They're smelling of Lord knows what and who knows what they're up to in their bedroom.
Just because you wore MC Hammer pants back in the day, it doesn't mean that the kids of tomorrow are going to be doing that. Okay. You have to get with the times there, Clue.
Now, computer crime cops in the United Kingdom are targeting young men aged 13 to 22 years old. Because apparently that's the sweet spot. You don't want to go younger than that. You don't want to go older than that. Definitely not any women. Teenage boys apparently are the problem. Specifically, the cops are hoping to make a dent in the number of teenage males who are launching DDoS attacks and installing remote access Trojans and various shenanigans like that.
Okay, so let me just swap that sentence around. Basically, young men aged 13 and 22 are launching DDoS attacks and installing remote access Trojans.
Apparently so. And the computer crime cops are going after them. And according to the Fuzz, they say it all starts by playing games. You remember playing games? Remember video games?
I play video games. I've been playing Animal Crossing. Oh,
Animal Crossing, of course. Yes. Yeah. I should give you an update sometime. You're doing very well at that. Has Graham the hamster come to join your... No. Oh.
What is this? I don't know. You don't know Animal Crossing? No. I know the name. I have not yet had the pleasure of... Do you have a Nintendo Switch? Obviously not. I've got children. Why would I put them near a Nintendo Switch? Just start them on a life of DDoSing and... Rat installing.
Well, it all does start by playing games. I mean, obviously, we used to play games. I suspect most of us. Maybe some of us still are, but we used to play games as kids. I remember playing Pac-Man and Super Mario. And in those days, it wouldn't lead you into a life of crime, as police say it does now. The worst that would happen is, you know, maybe if you played, I don't know, Mario, you might get into plumbing.
So the premise here is you play games. You are a teenage boy. Therefore, you're getting on the wrong side of the cyber world.
Let me explain how it works, Carl. Please. Kids get really, really obsessed by games. And then they start wanting mods for the games and changing the games. Then they look for hacks, mods and modifications.
Okay, just try and lose the jargon. Okay.
Okay. And then they start falling into other things because you begin to suspect other people are sort of using aim bots against you.
What bots?
It's all lingo I've learned from my nine-year-old child.
Okay, stop showing off. Try and communicate with the rest of us so that we understand what you're saying.
Basically, there are people who are cheating in games, right? And they get bots and little bits of software and things like that to augment their powers inside the game or give them a better ability to shoot you or whatever. Eventually, this culminates in gamers trying to take down other gamers by other means, such as denial of service attacks, such as SWATs, where they call up the cops and say the cops. So the idea is get them offline to disrupt their progress in the game.
Yes, all kinds of naughtiness. And you get rivalry and you're, oh, I can't believe you did that to me on Call of Duty or whatever. Elite sniper. You're such an asshole. Right? Eat your ass. And so, and this is often apparently, according to the police, this is really commonly a way in which young people ultimately get into cybercrime. Who would have known it?
Is it send them to their rooms?
Well, no, that's the worst thing you can do, Mark. Don't send them to their rooms.
Because that's where the Bitcoin mining rig is.
Graham, you say that they don't know they're doing anything illegal. I can't imagine there's any kid alive that doesn't think a DDoS is illegal. Really? Yeah. Maybe I'm, hey, I'm in an echo chamber. I learned that last week with my cousin on the show.
I admire your faith in 13-year-old boys. Having been a 13-year-old boy, albeit a very long time ago, I can confirm that, you know, not the most together and intelligent group. Certainly not when I was one.
And if everyone else is doing it, then you kind of think it isn't that bad. I remember being at school and all the boys in school, we were on a very rickety table, right, with rickety legs. And so the custom was that you would come in each day and you'd give the leg of the table a bit of a kick, right? Because it was quite entertaining to see how far it would go.
This is when tables were the height of technology you have to understand. These newfangled tables that they got in this posh school that Graham went to.
And so I was kicking the table. And then along comes Mr. Selick, pinhead himself, and I get hauled out.
Thom Selleck? No, no, it wasn't. Oh, God. It wasn't him, I'm afraid. Sorry, you had a teacher whose nickname was Pinhead.
Yes, did you not have one of those?
I also had a teacher whose nickname was Pinhead. He probably went on to your place after ours. How peculiar. Maybe.
Anyway, the point is, kids do bad things, Carole. And even if they think they're naughty, they think they're never going to get caught. And so it's kind of all right to do it.
Yeah, no, sorry. I was thinking more in the 20 age group rather than 13. So fair point.
But also, I do think that there's a sort of game-like aspect to a bunch of this stuff anyway. You know, there's something sort of game-like about, okay, you're doing something on a computer. You're trying to overpower someone else on a computer in a game. And then you find a way that you can actually take over their computer for real. Or you can stop them being able to use their computer for real. I don't think it's a very big jump. I think there's a lot of similarities there. So I can kind of see how that happens. Well, in the past, the police, what they've done is they've gone around and knocked on your door. If they think that you've been up to no good or downloaded something you shouldn't have, like a piece of malware, or if you've been to a DDoS stresser site or a booter site, they may well come round, hopefully with your parents present as well, to really put the fear of whatever into you. And they'll have a little word in your ear and say, look, we know what you've been doing. Knock it off, kiddo. Exactly, exactly. Right. And hopefully stop them taking those first steps of a life in cybercrime.
So they're basically advertising. So the potential DDoSers sitting there just scrolling around on the web and keep seeing these ads.
Well, they're putting the words into the search engine specifically to try and find DDoS attack services because many of these kids, at first at least, they're not going to create a botnet themselves. They're not going to... Of course not. Actually, they're not going to manage it, but they're going to find someone else who will do that for them for just a couple of dollars.
And then what? Pull out their, yeah, I was going to say pull out their credit card. Like, how do you pay that if you're 13?
Or cryptocurrency or such. Well, yeah, they all have Bitcoin accounts, right? Of course. Jeez. Get with the beat, Carole. You're right. Kids don't know that DDoSing is illegal, but they all have crypto accounts. Yeah.
Okay, good. No, this is good. My son's got a crypto wallet. I'm sure Mark has his children.
If my kids had a crypto wallet, I wouldn't tell them about it. It's just there on the dark web.
Waiting for them. Now, the first thing which struck me was, what kids are using search engines with the ads enabled? Why aren't they blocking the ads? Because surely that's really irritating seeing ads in a search engine. I don't use search engines and see ads because I run a little ad blocker. So I was first of all surprised at that. Certainly if these people are slightly technical anyway, if they're into computers, you would expect that. So I'm surprised from that point of view that these ads are actually being seen. But apparently, and amazingly, this approach may actually work. The University of Cambridge Cybercrime Centre, they say that a similar campaign, which ran in 2017 over six months from the NCA, caused a reduction in the growth in demand for DDoS attack services. I think they're a bit shady about it, but I think what the Cambridge Cybercrime Centre do is they have some dodgy sites which look like DDoS booting websites. And they are measuring traffic to those sites and how many people try and sign up for them in an attempt to measure how big the problem's becoming. And they have released reports over the years of this growth in interest in these kind of sites. Well,
A lot of people are sitting at home right now, sitting in front of a computer, playing probably an inordinate amount of online gaming and are isolated and bored and have YouTube as their best friend.
Oh, yes. These kids would normally be down the park with a hula hoop, wouldn't they? No, they'd be at school. That's what they'd be doing.
Kicking a table leg. Yeah, exactly. Doing really fun things.
So let me see if I have this correct. So you go around using the web, and as you go around using the web and looking for search terms, Google builds this enormous profile of you so that it can do demographic marketing, including the ability to classify you as a 13-year-old child. And then as that 13-year-old child uses Google, they do a Google search, and Google goes, ah, we know all about you. You're 13 and those people over there have bought some adverts which they only want to target 13-year-old males. And here's one that's going to stop you from doing DDoS attacks on people because you're going to read this article. But if they don't click on that one, they might click on another one which takes them to a fake stressor site, which is essentially a phishing site, to count how many 13-year-old boys are doing DDoS. Yes. These are the tactics we're using in 2020.
There is, of course, another category of ad which may appear, because Google isn't just accepting ads from the police or the Cambridge Cybercrime Centre. They're also displaying ads which have been bought by criminals who are running booter and stress sites. So they are competing.
Because they also want to target the 13 to 18 demographics.
Of course. Well, Google's ad policies, they say they prohibit ads that enable dishonest behaviour or anything which might cause harm to users. But history has shown that they're not very good about vetting these things, especially when it comes to booter sites and DDoS attack sites and stressor sites.
Well, as long as they're not lying about what they are.
Well, obviously there are some things which hopefully they wouldn't accept ads for, but they will accept ads for these things, and it tends to rely upon the public to report these before they get taken down or for the press to make a great big stink about it. So Google's doing great out of all this, right? They're displaying ads from these guys, ads from those guys, ads from the researchers as well. Getting paid from both ends. Getting paid from everywhere. It reminds me a little bit about what goes on in Cloudflare as well. And lots of people love Cloudflare and think Cloudflare does a great job. But of course, a lot of the cybercrime websites and some of the things which are deeply, deeply disturbing are also protecting themselves using Cloudflare as well. And Cloudflare tends to turn a bit of a blind eye to these things, doesn't it?
That's very interesting. I'm guessing Cloudflare is going to come up again in this podcast. Oh, really? Yes.
Anyway, the ads apparently are working. They found that in less than 30 days, they had over 5 million impressions, more than 57,000 clicks. 5 million impressions. What the hell does that mean? Well, that means people scrolled past it.
Well, perhaps. Well, that's what they paid for. So that just shows you how much money they spent. That's not an indicator of anything.
You know what? You old fuddy-duddies may have a problem with this, but I think if it does...
I understand online advertising. I want to know the numbers. The impressions don't interest me at all. The clicks don't really interest me. I want to know how many people read it and change their lives. That's what interests me.
Well, according to the boffins in Cambridge, they have seen a reduction in the number of people interested in launching DDoS attacks.
Oh, maybe the ads are so boring. They just stop Googling those words.
I reckon I know what's going on here. I reckon people are so used to only clicking the first link in Google. What's happened here is they've just essentially bought the first link. So I mean, it's an ad. It's not the first link, but it's the first thing you see because they've just got the number. They've spent a load of money, so they've crowded out that number one slot and loads of people are just hitting that and nothing else, so they never go further.
You're just very cynical, all of you, aren't you? I'm just trying to be a bit positive. There's a bloody pandemic going on, you know. Just trying to cheer everybody up with some good news.
I do actually think this is great. I think this is the kind of... Oh, right. 20 minutes into the podcast now. Thank you very much.
Mark, what's your topic for us this week?
Right. Well, getting away from the pandemic, I thought we could talk a bit about the pandemic. Sorry, folks. I've got a question for you. I want to know, what is the English Test and Trace website address, please? Oh, for God's sake. Hands off keyboards. I'm not looking. From memory. It's something NHS-tracing.phe.gov.uk.
Okay, but can I counter question? Can you get to it from gov.uk slash coronavirus?
Oh. That's a very good question. Which is the homepage. Although your question is interesting, my question was, what is the English Test and Trace website address? We don't know. We don't know. So to be clear, this is the place that you're going to go if you've got a positive test for COVID-19 so the government can find out who you've been in contact with. And the address is... So, Graham, drumroll, please. I was close, wasn't I? No. HTTPS colon slash slash contact-tracing.phe.gov.uk. And the reason I'm asking is because I am actually a little bit worried about scammers targeting the UK's freshly minted track and trace systems. And I think I've good reason to be worried. So since the start of the coronavirus, there has been an enormous surge in scams and malware piggybacking off the back of all the disruption and the uncertainty and the fear that has come with this.
Unsurprisingly, I might argue, from my being a veteran of the industry. I mean, it's a worldwide global event. Everyone's thinking and wanting to know more about this. So we're all easy targets right now.
It's disruption and change, isn't it? You know, whole businesses are moving from office buildings to working from home and there's all this new infrastructure to set up and there's a load of, you know, some people are doing it in a hurry and there are vulnerabilities that come with that. I did a quick review of the stats from Sophos Labs before I came on, just to give you a flavour of what's happening. So since the start of the outbreak, we have seen coronavirus themed sextortion scams. So those scams that say, we've got video of you enjoying yourself at adult websites. Zooming. We've seen World Health Organisation fundraising scams. There's been a surge in spam, including at the beginning, there was a coronavirus-themed email spreading TrickBot. And if you know anything about malware, TrickBot is probably in your top three things you don't want to get on your computer. There have been scams offering to sell you PPE and thousands and thousands and thousands of domains and SSL certificates with the words COVID, corona or coronavirus in them.
Is there anything with track and tracing in it yet?
Oh, it's a good question. I don't know. I would love to know the answer to that.
I certainly know Richard DeVere, who is also known as the anti-social engineer. He registered the domain name phe-gov.uk when he saw the official test and trace website. And he was amazed that someone in a position of power hadn't already registered that domain. So he's demonstrated just how easy it would be to create a phishing website. But the thing is, and obviously the reason I asked you what the address was at the beginning, is that neither of you got really any idea. So registering and misspelling allows you to be very clever, but you probably don't even need to get close. And I think the evidence of phishing scams even now is that you can host a phishing scam on somebody else's website with a totally incongruous domain. People will still click on it. We should probably explain exactly how it works because we have an international audience, Mark. So what's happened in England in the last week is that the manual track and trace system has started, and the manual track and trace system does not rely on an app. There are 25,000 contact tracers now and anyone in England with coronavirus symptoms can now get a test, basically. And if your test is positive, then you'll get contacted by text, email or phone and asked to log in to the NHS test and trace website that you don't know the URL for. So you should expect an email. If you have a test, you should expect an email with a link to a website that you don't know, telling you there is a matter of utmost importance that you need to deal with. And if that script sounds familiar to you, then that just means you've seen lots of phishing scams. When you go to that website, you can expect to be asked for the following PII. You'll be asked for your name, date of birth and postcode, who you live with, the places you visited recently, and the names and contact details of people you've been in close contact with in the 48 hours before your symptoms started. Now, I did a little back of the envelope calculation. So this is the first part of the system. This is what happens if you have a test. So the UK is currently conducting around, I think it's upwards of 120,000 tests a day. And there's about 50 million adults in the UK. So let's say there's 700,000 tests a week.
If you sent an email to any random UK adult, that gives you roughly one in 70 chance of hitting someone who's had a coronavirus test in the last week.
But it's not just those people who've taken a test who are at risk here, is it? Because of course, the other thing which these tracers will be doing is there'll be contacts and other people saying, we think you may have come into contact with someone who had the symptoms or who has tested positive. So let's walk through that, because you're right. So part one is if you have a test, there's an opportunity where you're going to be contacted, but part two could target anyone. I'm afraid you're infected as well, Mark.
Well, you know, let's... Is it because I'm naked? So, Carole, you're going to be contacted now by the contact tracing team. And unless you've spoken to Graham, you don't know that that's going to happen. So instead of there being 700,000 potential scam victims, there are 50 million potential scam victims in the UK. Because anybody can be expected to be contacted out of the blue at any time.
This would annoy me already because I would want Graham to call me, right? Graham gets the disease. We've seen each other. I want him to call me up and go, hey, dude, sorry. I don't want him to give my personal information to a third party.
Yeah, but I'm very forgetful, Carole. And it's just a lot of hassle, you know, calling everybody up and telling them. It's a group email.
So, Carole, do you think it's out of the question that if Graham had a serious communicable disease that he might not phone you? No, I don't. I think it's very unlikely that he would not phone me even just to show off or to get sympathy. No, he definitely, definitely called. There is no way he wouldn't call. So to go back to my thought experiment, let's imagine for a second that Graham doesn't tell you because he's a gregarious guy. He's met loads of people in the last few weeks.
Oh, yeah, I'm out and about having so much fun right now.
Too many for him to remember and to call. So you get a call from the contact tracing team and you'll know that it's from the contact tracing team and not a scammer because it will come from England's official contact tracing number. So for the benefit of your listeners, could you just tell us all what that number is?
Well, I know that the number would be 0300, but I also know that that number can be spoofed.
Is it just 0300 or is there more?
No, it's 0300, blah, blah, blah, blah, blah, blah, blah. Oh, yeah, details, details. Maybe it spells coronavirus. That would be very clever.
So I'd just point out it's a zero at the beginning as well. It's one of my pet peeves.
Oh, 300? Zero, 300. Well, sorry, it's not your podcast. Wow, Mark.
Talk about that. So the number is 0300-0135-000. Now, tracers will only be calling you from that number, and they won't use any other numbers, which is better than using lots of different ones. But obviously, unfortunately, they may not be the only people calling you from that number because as you correctly said, Carole, spoofing of phone numbers is actually a matter of routine for scammers. And even if it weren't, you aren't going to remember that number. None of us are going to remember that number. So it probably doesn't matter anyway.
Yeah, because we know that phone calls can be spoofed, emails can be spoofed, SMSs can be spoofed. Now, luckily, there is another line of defence. At a recent government press conference, Dr Jenny Harries OBE, who is the Deputy Chief Medical Officer for England, reassured us that it will be very evident when somebody rings you that these are professional individuals.
So she's saying the legitimate people calling you up, the people who are genuine testers and tracers, they will sound very professional, and because of that, you will be able to tell that they are not a scammer. Yeah, wow.
That's great. But obviously she was not briefed for that question. She had no idea how to handle it. And I kind of feel bad for her because she is being ripped to shreds about it. And she's a medical officer.
She's a deputy medical officer of God knows what, though. She's quite high up. If you don't know the answer to that, you should say, you know what? I don't know the answer, but there's some real boffins at NCSC who can maybe answer that question.
I mean, she's not wrong that they're going to sound professional. It would be quite bad if they weren't going to sound professional. But I think what we're all getting at is that there are two fairly sizable assumptions at work there. And the first one is that people will know what the contact tracers are supposed to sound like. It only matters if they sound professional if you know what they're supposed to sound like. If you get called out of the blue by someone who isn't a contact tracer, you aren't gonna know what they're supposed to sound like.
Don't worry, the Daily Mail actually published the entire form that the contact tracer people are gonna use when they call you. So that's now in the public domain. So thank you so much, Daily Mail. So that'll make it even more likely to fool people. Now, I have a scenario for you, Mark. I was thinking about this morning. Let's use the Graham and Carole scenario here, right? I don't have the virus. Graham and I are going for the same job, say, at company X. I don't want Graham to get the job, so I report on the form that I've been tested, it's positive, and these are the people I've been around. So he gets a legitimate call from a trace worker who's doing her job or his job, and you're told, I'm sorry, you can't go out because you saw someone. And you go, who? Well, who? I can't tell you that. Where? I can't tell you that.
Certainly there are opportunities for abuse here, aren't there? And just mischief making. It's not just scammers and phishers, but also if you wanted to get your own back against someone, if you had a rival on the podcast, something that. This would be an opportunity and avenue for doing it.
Do you know what I think though? What are people to do, right? What are people to do under the current situation? The only thing I came up with when I was thinking about this is recording the call. So, and telling them that you want to record it. So saying, you know, thank you for calling me. Before you say anything, I just want to make sure I've got this all on record so I can share it with my close ones. So I'm going to be recording this call. And presumably a tracer would be okay with that.
But I think you're a very special person.
Well, maybe everyone who's listened to the podcast with a mind me. There are many.
I think what they need is a jingle, a jingle for the number. So I think let's all join in. Oh three zero zero, zero one three five, zero zero zero. Sorry, I did ohs, didn't I? You probably didn't that.
I'm not joining in your jingle unless that's a zero at the beginning and not an oh.
It's not an oh, it's a zero. It's a number. Carole, what's your story for us this week?
Okay, six months ago, the UK's Glastonbury Town Council set up a 5G advisory committee to explore the safety of this 5G technology. Surprised me. Really? Glastonbury set that up? You wouldn't trust a national one? But whatever, they do. And last month, the local paper reported their findings. And the gist is they've agreed to oppose the rollout of 5G until further information is made available on the safety or otherwise of the technology. And many respected media houses have said that the following statement is in this recommended measures report, of which there's a link, but I can't access it. But if anyone wants to, it's on page 31. And apparently, it's listed that 5G BioShield — we use this device and find it helpful. 5G BioShield? Yeah, 5G BioShield. Use this device and find it helpful, as a recommended measures report from the committee in Glastonbury.
When they're talking about the safety of 5G, presumably they mean the danger of you being burned by a flaming 5G mast.
Mark, I'm worried that you're getting a bit grizzled and grumpy.
Sorry, sorry. I'll just let you. You need to chill out. I bet the committee in Glastonbury is going to be made up of druids and people who never quite got out of the 70s, isn't it? Wearing wellies.
So reading that, I'm thinking, what is 5G BioShield? Right? So you go to the main website. Yeah, okay. I would invite you guys to go to this website, actually, if you would, 5G BioShield. 5GBioShield.com. And look at who clears you through to the website as you go through, Graham.
It's not HTTPS, first of all. It's okay. So it's our friends at Cloudflare. Yeah. And we are here. And there's a big picture of a lion and a USB stick. And a young woman in some sort of, oh, she's in a version of the Eden Project. She's got some sort of a magical bubble around her, protecting her.
Oh, here it is, right? So let's read this. The 5G BioShield USB key with the nano layer is a quantum holographic catalyzer technology for the balance and harmonization of the harmful effects of imbalanced electric radiation.
I can't stand it when electric radiation is imbalanced.
I'm sold. I can get three of them for £800.
You can get three of them for £800. It's a USB key. It's a USB key. So what it says, its advertising model here is 5G BioShield, which is the name, USB key. Right? But then there's all this gobbledygook. What's this text say? What does this mean? The active key operating diameter shields and harmonizes a complete family home. So there's an FAQ. And you go to the FAQ hoping for a bit more information. What is it? Why am I paying 300 quid for a USB?
Well, it's so much more. I think this inducts life forces, doesn't it? It creates a cardiac coherence. Sorry, Carole, do you not understand about plasmic support and interactive? No, no, I don't understand. Help me understand.
What it is, right, is it's not a regular nano-layer catalyzer. No, no, no. It's a holographic nano-layer catalyzer. And it can be worn or placed near to a smartphone.
Do you know, there are probably a number of people that listen to this show that actually think we are not talking any differently from the way we normally do, because we all use industry jargon.
The point is, this is going to protect you from 5G, right?
Well, where does it say that anywhere?
Oh, well, it says provides protection for your home and family. Against what? Is it scammers? You wear it or place it near a smartphone or other electrical radiation or EMF-emitting device. So then I check out the testimonials page. Right? And Dr. D, finally, some medical credibility. Dr. D claims to be a medical doctor and says they put one USB device under my pillow expecting nothing to happen. But later, Dr. D reported feeling a strange tingling feeling. I suspect the USB device has in some way normalized my energy to be as it should and not negative or harmful. This is the emblem you're describing, which is on it.
Yeah, the emblem on the actual USB. Anyway, they ripped through the USB. They found it to be basically a generic USB without any additional anything that should cost an estimated few quid. But it has a pretty sticker. And they write, whether or not the sticker provides 300 pounds worth of quantum holographic catalyzer technology we'll leave you to decide.
I can't believe they didn't test that. They probably don't have the tech. It's so advanced. So then I'm thinking, who is behind all this? Where is this registered? What company is this? What country? So in Companies House, there are two directors of BioShield distribution. Both of them appear to have been involved previously in a business called Immortalis, which sold dietary supplements called Clotho Formula. So already a bit dodgy.
Well, holographic nanolayer technology doesn't come cheap, Carole. I think a lot of people are just assuming... They just think... No one understands it's too complicated. It's too complicated. People are assuming this is just a USB stick with a sticker on it. And it does so much more than that.
So the London Trading Standards told the BBC that we consider this to be a scam. This is Stephen Knight of the London Trading Standards, and his team is working with the City of London Police Action Fraud Squad to crack down on this scammy scummy scam. But I decided to go check out Trustpilot, right? And on Trustpilot it's quite fun at the moment because people are kind of ripping through it, you know, basically being very snide about the whole thing being a complete pile of garbage. Right, but I went back to the first Trustpilot review of it to find out when that would have been, when it all went to market, and the first one there is 29th of March and the guy says: "Total scam. Reported to Action Fraud. Contains a USB solid disk component worth a dollar from China. They have even created many fake review websites. The only thing which protects you from high frequency EFM radiation is a Faraday cage. Don't be scammed." So that's the first message in the Trustpilot. Right, and yet, are people buying this? Well, we've just published.
Have you got one? Are they sponsoring the show this week?
I've ordered three on the company, on Smashing Security, because we want to check this stuff out. And you know what? If anyone out there wants to spend premium dollar for a $5 USB with a shiny sticker, this is the place to go.
If you listen to our show regularly, you'll know that hackers never stop innovating. Immersive Labs gives security professionals practical and gamified content to keep pace with the latest threats. Sign up to get instant access to more than 24 hours of free labs and a new lab to try out each week, the latest being their Red and Blue Team labs on the SaltStack vulnerabilities which were in the news last week. Go check it out at immersivelabs.com/smashing.
Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager. LastPass by LogMeIn is a password manager both for consumers and the enterprise. In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multi-factor authentication. Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free. So check it out: lastpass.com/smashing.
Most people agree that the most effective way to reduce the cost of an attack is to prevent it from happening in the first place. Deep Instinct strives to prevent all known and unknown threats using deep learning, making detection and response automated, fast, and effective for any threat that cannot be prevented. Check out a report by the Ponemon Institute, which studied the cost savings of adopting an efficient prevention model. Go grab it at smashingsecurity.com/deepinstinct. And thanks to Deep Instinct for sponsoring the podcast.
I don't sound as... Not quite. Do you hear me? Do you hear what I'm doing? Do you hear? Boing, boing, boing. Well, possibly via a different means. I am on a different chair. I am on a chair called the Swopper Chair or the Swopper Stool, which comes from Germany. And it means I am bouncing around like Zebedee from the Magic Roundabout. I'm going over here. Let me go over here. I'm going back over here now. Go in here. Left and right. Mark, what's your Pick of the Week?
Well, my Pick of the Week is a book called "The Knowledge: How to Rebuild Our World from Scratch" by Lewis Dartnell.
Ooh, a comedy?
This will tell you exactly where I'm at at the moment. So obviously we're just coming out of lockdown at the moment, but it turns out that I've been locked down for years. And this is where my head has been. So it's a fantastic book. I've been listening to this as an audiobook. Experiencing, that's what my brother and I call it. Experiencing the book.
It sounds so much more impressive if you claim to have read the book. Now I'm a little bit disposed in you, Mark. Experiencing is the— He knows how to read. My son lets me read books to him as well, and I don't actually consider that the same as him reading the books. All I can say Graham is that not only have you not read this book but you haven't had the pleasure of having this book read to you because I don't know who the guy doing the audiobook is but he is amazing. He's got the most fantastic dramatic voice. The guy who wrote the book decided to try and answer the question what knowledge would you need in order to reboot society because lots and lots of people walking around now don't know what it takes to do the things that you know. Nobody could build an iPhone from scratch, nobody knows enough to build an iPhone, nobody knows enough to build a laptop.
Right? Just no Mark. Sorry, what? Which I do. Well, you're reading it or experiencing it. Absolutely, yes. And as long as I can get to your house by foot, which I probably could, wouldn't be that, you know, I'd be there in a few hours.
I've got a very quick question for you. Is it an interesting book? Oh, it's fascinating. I'll tell you why it's interesting. I'll tell you why it's interesting, because it's not just the knowledge you need to know, it's also a bit of a history book on how did we acquire that knowledge in the first place? Because some of what you need to do is to trace the steps of the past. Cool. I did that one as a kid.
Yeah. So, yes, it's a fantastic read. And also it does equip you with all the knowledge you need for building society from scratch, which seems like a useful thing to know.
Well, you certainly make it sound interesting. Carole, what's your pick of the week?
Okay. It's a story. Two men have been hired to carry out a client's sex fantasy, so if there's kids tell them go away, of being tied up in his underwear and stroked with a broom. So okay let's we're just going to stop there.
Stroked with a broom? Can I ask which end because that would be a different kind of fantasy. Otherwise it'd be a poll.
Of course it has to be the fluffy end.
I have a follow-up question. Carry on, carry on.
The role play was arranged over Facebook, okay, by a man near Griffith, New South Wales, who provided his address to this duo, right, this hired pair. And he was willing to pay $5,000 Australian dollars if it was really good, quote unquote.
How much is that in real money? That's about 2,500 quid. My goodness, to be stroked by a broom by some strangers. Yeah. Okay.
Well, they had to make a dramatic entrance, you know, they had to make it really good. So the guys, you know, the two guys thought about it and figured out how to do it. But meanwhile, our man, our, what do we call him, client, moved house. And forgot to tell the hired people, he probably did it when he was drunk or something, forgot he even ordered it.
We've all been there, we've all done that.
No, no, no I haven't, that's why this is my pick of the week because I was just. So there's a new guy living there and he's in bed fully equipped with his sleep apnea mask and he wakes up and he sees a light on in the kitchen. He thinks, oh, that's my buddy, he comes in at six o'clock in the morning to make coffee sometimes. And then he hears a weird noise, it sounds like someone's name. So he kind of gets up from his bed, puts his light on, starts taking off his mask, and there's two guys with machetes standing over his bed. And he freaks out. And after a bit of talking, it turns out that perhaps he isn't the client, he wouldn't know the safe word.
No, I imagine the safe word in Australia is bloody crikey mate what you doing here with a broom.
Never mind the broom, I didn't see any. I was reading about this story and I kept waiting for someone to talk about the broom, no one talks about the broom, everyone's concerned about the machetes. I'm just like where's the broom? How did they get from broom to machete? No idea. But it is a staggeringly shocking entrance to make.
I suppose machetes are like a broom, they've just replaced the broom head with an axe. But the other end is...
Graham, would you rather be stroked by a broom or a machete? Yeah. In what way is a broom like a machete?
Well, think about it. There's lots of different types of brooms. You have your hard bristle outdoor cement broom. Yeah, the ones with great big stainless steel blades on the end. So, when the pair realised their error, one of them said, sorry, mate, shook the resident's hand and... Sorry, mate. You can't shake hands. There's a bloody pandemic going on. They then drove to the correct address where the client noticed that one of the men had a great big knife in his trousers and he asked him to leave the weapons in the car. The client then cooks them breakfast and that's how the police find them. Machetes in the car, sitting around the table, eating breakfast with the initial client. The judge ruled that evidence did not suggest the men's actions were intentional and said no problem. The machetes were either a prop or something to be used in a fantasy. It was unscripted. There was no discretion as to how it should be carried out. So there you go.
So the first victim, he called the police. That's why the police came and got them.
Yeah. Well, you would. Do you think? After they said sorry, mate, would that be enough for you? Well, it's going to happen.
And they said, what's going on here? And then the first thing they could think of was the story you've just told.
So it was a commercial agreement to tie up and stroke a semi-naked man in his underpants with a broom. Okay, that was all it was. That is amazing.
That is... I hope that's the whole podcast. I just cut my bit and Graham's bit, just...
It's a beautiful story. It's all over the press. BBC have done quite a cute little one of it, so I'll put a few links in the show notes. That's a fantastic pick of the week. Thank you very much. I got it from an interesting human being. Someone who's into this kind of stuff.
Oh, really? Well, that just about wraps it up for this week. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
I am on Instagram these days under... Poke them with a broom. Under Internet of Hens if you like bees and chickens and other things that might help you after the collapse of society, then follow me on Instagram at Internet of Hens.
And you can follow us on Twitter at Smash Insecurity, no G, Twitter wouldn't last have a G. And you can also join the Smashing Security subreddit up on Reddit. And don't forget, if you want to be sure never to miss another episode, subscribe in your favourite podcast app, such as Apple Podcasts, Spotify, or Pocket Casts. I'm really glad you don't sing "subscribe" like some people do, like, "subscribe".
A massive thank you for listening and supporting us, people. It does mean everything. Also a big thank you to this week's Smashing Security sponsors Deep Instinct, Immersive Labs and LastPass. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details and information on how to get in touch with us. Until next time, cheerio, bye bye bye.
So he asked for a broom.
Got machetes. They brought the machetes. Ask for a broom, get machetes. Maybe it's an accent thing.
How garbled does the Australian accent have to be?
Hey, can't do it. Can't do it. Maybe there's a kind of Australian version of Cockney slang that has broom rhyme with machete.
You remember in Crocodile Dundee where Paul Hogan says, call that a knife?
Oh, yeah, maybe they were doing that. Maybe they were doing that. Maybe they were dressed like Crocodile Dundee. Call that a broom? Let me stroke you with this baby here.

Is it feasible to make that number 119, which is already the dedicated coronavirus line?
Already happening. This was posted on LinkedIn yesterday:
This was sent to a vulnerable and shielding friend:
'Good morning, I'm calling from the NHS track and trace service. According to our system, you are likely to have been in close proximity to someone who has tested positive for COVID-19. This means that you now need to self-isolate for 7 days and take a COVID-19 test.' 'OK. Can you tell me who that person was?' 'I'm not able to tell you that. That is confidential information.' 'Right. Um… so ….' 'But you do need to be tested within the next 72 hours. So can I just get the best mailing address so that we can send a kit to you?' 'Ok (gives address)' 'Thank you – and I just need to take a payment card so that we can finalise this and send the kit to you.' 'Sorry – a payment card? I thought this was all free?' 'No – I'm afraid not. There is a one-off fee of £500 for the kit, and test results. Could you read off the long card number for me, please, when you're ready.' 'No – that's not right. This is part of the NHS so there's no charge.' 'I'm afraid there is. Can you give me the card number please – this is very important, and there are penalties for not complying.' Puts phone down.
**This is how scammers work. And vulnerable people will fall for it.** **Don't fall for it…!**