Tough luck if you’re taking an expensive laptop with you on a trip from Europe to the States, and wouldn’t dream of checking it into the airplane’s hold. You might have to stay at home.
The Daily Beast reports that the United States intends to extend its laptop ban to cover any flight coming from Europe.
“Acting on fears that terrorists can build bombs into laptops, Homeland Security has decided to expand the ban it imposed on Middle Eastern flights. Computers will now be checked as baggage.”
This feels like pure security theatre to me.
Imagine your laptop was a bomb. Is it any less dangerous in the hold than it is in the cabin?
I don’t think so. In fact, if something caught fire in the hold it’s likely that it would be a far more serious problem than it ignited somewhere people might actually notice and be able to take action against it!
And don’t try to tell me that something checked into the hold goes through tighter security screening than the items a passenger carries onboard themselves. If that’s the case then *why* isn’t the same screening being done for the cabin?
If you put your thinking cap on, it’s not hard to determine that checking your laptop into the hold…
- …increases the chances of it being stolen.
- …increases the chances of it being handled roughly or damaged. Which, by the way, might be pretty bad news for any item containing a temperamental Li-ion battery.
- …increases its chance of not turning up at the other end, but instead being sent to Athens airport instead.
Oh, and I guess that a laptop checked into the hold also increases the chances of some nefarious intelligence agency tampering with it en route – perhaps to steal information or to plant some spyware.
But hey, forget that. After all, this has little to do with real security.
In March we tackled the earlier ban on carrying electronic devices on some Middle Eastern and African flights to the United States and UK in our “Smashing Security” podcast. Check it out below.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Hey, Carole, how's things?
Hi, Graham.
You all right?
Yeah, I know, I'm just tired. I had a nightmare last night.
Nightmare? Oh my goodness.
Mm.
No, no, don't tell me. I bet it was about the dark web, wasn't it? You don't have to worry about that. I know these guys. They are the real-time threat intel experts.
They've got machine learning technology. They're analyzing the open and the dark web, offering great insight into emerging threats.
Sign up to Recorded Future's newsletter and you will get those latest insights in your inbox every morning, scaring away the nightmares. Go to recordedfuture.com/intel.
They've got machine learning technology. They're analyzing the open and the dark web, offering great insight into emerging threats.
Sign up to Recorded Future's newsletter and you will get those latest insights in your inbox every morning, scaring away the nightmares. Go to recordedfuture.com/intel.
Is there anything about vampire cats in that?
You'll have to sign up to see if that's the kind of nightmares you're having. Recordedfuture.com/intel. Probably not so much on the vampire cats though. Smashing Security, Episode 13.
Sorted with a Deadly Tweet with Carole Theriault and Graham Cluley.
Hello, hello everybody, and welcome to Smashing Security episode 13, where we'll be discussing all the interesting things which have been happening in the world of computer security in the last 7 days.
And as ever, I am joined by my good buddy Carole. Hello, Carole.
Sorted with a Deadly Tweet with Carole Theriault and Graham Cluley.
Hello, hello everybody, and welcome to Smashing Security episode 13, where we'll be discussing all the interesting things which have been happening in the world of computer security in the last 7 days.
And as ever, I am joined by my good buddy Carole. Hello, Carole.
Hello, Graham.
And we're also joined this week by a special guest.
Yes, we have dragged in a veteran of the computer security industry who's held senior positions at a long list of technology companies for many, many decades, including the likes of Malwarebytes, which I'm sure many listeners have heard of.
It is Mr. Alex Eckelberry. Hello, Alex.
Yes, we have dragged in a veteran of the computer security industry who's held senior positions at a long list of technology companies for many, many decades, including the likes of Malwarebytes, which I'm sure many listeners have heard of.
It is Mr. Alex Eckelberry. Hello, Alex.
Well, hello, Graham. Hello, Carole.
Hello.
How are things, Alex?
How are things going? Things are actually great, thank you for asking.
Well, thank you for joining us on the podcast today.
I'm glad things have been going great for you because I was just going to ask, how have things been for you since our last podcast?
Well, if you remember, last time we chatted, I was out in Kuwait doing a little gig. And I'd spotted bother on the way home, which actually caught the attention of the media.
And I thought, should I just—
I'm glad things have been going great for you because I was just going to ask, how have things been for you since our last podcast?
Well, if you remember, last time we chatted, I was out in Kuwait doing a little gig. And I'd spotted bother on the way home, which actually caught the attention of the media.
And I thought, should I just—
Understatement of the year.
Should I brush this under the carpet or should I acknowledge it on the podcast, I wondered. And I decided maybe I should come clean.
So, the question on everybody's lips is, is Graham Cluley a Nazi?
And the reason why you might be asking that is because my Twitter account posted some Nazi propaganda last week, which was pretty embarrassing for me, to be honest, although I wasn't aware initially that it occurred because I was actually flying from Kuwait to Dubai Airport.
And the first I knew of it was I got off the plane. The first thing anybody does, right, when they get off a plane is they turn on their smartphone.
And I got this message from a journalist I know at the Financial Times saying, "Would you like to comment about your Twitter account?" And I'm like, "Why does the FT want to know about my Twitter account?" Then I got another one from another British journalist saying, "What's going on with your Twitter account?" I thought, "Oh my word." So I had a look and I'd seen that it posted this message.
Now at first I thought, "Oh crikey, has my Twitter password been grabbed somehow?" But you know, I've got two-step verification enabled on my Twitter account.
So even if they got my password, right, you followed all our advice. Yeah, even if they've got my password, they shouldn't be able to get in.
But I thought maybe I'd connected to the Wi-Fi or something, you know, who knows what happened. But anyway, fortunately, it turned out that it wasn't just me had been affected.
There were hundreds of Twitter accounts which had posted the same message.
And what they all had in common was that they had connected to their Twitter account, a third-party service called TwitterCounter. And TwitterCounter had been hacked.
So, the question on everybody's lips is, is Graham Cluley a Nazi?
And the reason why you might be asking that is because my Twitter account posted some Nazi propaganda last week, which was pretty embarrassing for me, to be honest, although I wasn't aware initially that it occurred because I was actually flying from Kuwait to Dubai Airport.
And the first I knew of it was I got off the plane. The first thing anybody does, right, when they get off a plane is they turn on their smartphone.
And I got this message from a journalist I know at the Financial Times saying, "Would you like to comment about your Twitter account?" And I'm like, "Why does the FT want to know about my Twitter account?" Then I got another one from another British journalist saying, "What's going on with your Twitter account?" I thought, "Oh my word." So I had a look and I'd seen that it posted this message.
Now at first I thought, "Oh crikey, has my Twitter password been grabbed somehow?" But you know, I've got two-step verification enabled on my Twitter account.
So even if they got my password, right, you followed all our advice. Yeah, even if they've got my password, they shouldn't be able to get in.
But I thought maybe I'd connected to the Wi-Fi or something, you know, who knows what happened. But anyway, fortunately, it turned out that it wasn't just me had been affected.
There were hundreds of Twitter accounts which had posted the same message.
And what they all had in common was that they had connected to their Twitter account, a third-party service called TwitterCounter. And TwitterCounter had been hacked.
And what does TwitterCounter do? So TwitterCounter, no, no, tell me, tell me.
It's not a vanity thing, is it?
Yeah, it's just—
So it counts the number of fans you have, the number of followers? You are so narcissistic.
It's not just counting them, it's just sort of putting them into a nice graph.
So you can see, and you know, I had connected this to my Twitter account, I think about three years ago or something.
So you can see, and you know, I had connected this to my Twitter account, I think about three years ago or something.
And you completely forgot about it, never used it. You used it.
And I'd forgotten about it. And of course it says, oh, we want both read and write access to your account.
The reason why it wants write access is so it can, if you want it to, tweet out, hey, I've used TwitterCounter and it found out that I've got this many followers, whatever, you know.
And I've obviously never allowed it to do that because that would be stupid. But it just sat there lurking. And then of course, it posted this Nazi message.
And all the journalists, of course, I don't blame them. What a great story. So-called security expert has his account pwned.
So they never got my password, but they did manage to post some Nazi spam from my account, which obviously I deleted. And I revoked TwitterCounter's access to my account.
The reason why it wants write access is so it can, if you want it to, tweet out, hey, I've used TwitterCounter and it found out that I've got this many followers, whatever, you know.
And I've obviously never allowed it to do that because that would be stupid. But it just sat there lurking. And then of course, it posted this Nazi message.
And all the journalists, of course, I don't blame them. What a great story. So-called security expert has his account pwned.
So they never got my password, but they did manage to post some Nazi spam from my account, which obviously I deleted. And I revoked TwitterCounter's access to my account.
And that's something which I'd recommend everybody do is you should regularly check your Twitter account, look at all the third-party apps.
And if it's a vanity app and not an app that you absolutely need, think twice before hooking it up to one of your lifelines online.
And if it's a vanity app and not an app that you absolutely need, think twice before hooking it up to one of your lifelines online.
Exactly. Well, let's also just say that, as we all know, misery loves company. Not only Graham was hacked, but also Justin Bieber, Forbes, and I'm kind of terrified—
The cybersecurity czar, Justin Bieber.
The Beebs, the Beebster.
Yeah, so it's— yeah, but now of course I'm terrified because you mentioned this and I immediately go to TwitterCounter, which I think I've used in the past, but I can't actually remember.
And I'm signing in and guess what? It could not connect to Twitter. So now I'm really nervous.
And I'm signing in and guess what? It could not connect to Twitter. So now I'm really nervous.
So I think TwitterCounter for now has gone down the plug hole. Their website seems to have gone down.
I think they decided they just— they didn't need to pull the plug, basically, because they clearly have a problem.
Turns out they were actually hacked round about 4 or 5 months ago as well. And that affected less accounts. And I wish really that I'd acted then because I should have done.
It can happen to any of us.
I think they decided they just— they didn't need to pull the plug, basically, because they clearly have a problem.
Turns out they were actually hacked round about 4 or 5 months ago as well. And that affected less accounts. And I wish really that I'd acted then because I should have done.
It can happen to any of us.
Do you think it's a problem though, that there's these kind of tiny little companies that offer tiny little services, but in order for you to use them, you do have to often give them read and write access, sometimes to your contacts or to your photos or to your microphone?
And, you know, often I don't think we think enough about that. And then if we stop using it, we don't disconnect them.
And, you know, often I don't think we think enough about that. And then if we stop using it, we don't disconnect them.
And I think it's not just a problem with the likes of Twitter, of course. It's also a problem when you install apps on your mobile phone.
So if you're installing, for instance, an Android flashlight application, here's a classic example, it doesn't need access to your contacts and your address list, doesn't need to know where you are in the world.
If it's asking for things like that, chances are it's trying to monetise you in some fashion by displaying adverts, for instance.
And so we all do need to be very careful about these things.
I certainly, certainly 3 or 4 years ago when I attached TwitterCounter to my Twitter account, I thought it was a legitimate service.
I still believe it was meant to be a legitimate service. Unfortunately, they were a bit rubbish at security, and as a result, it was my name which was pulled through the mud.
So if you're installing, for instance, an Android flashlight application, here's a classic example, it doesn't need access to your contacts and your address list, doesn't need to know where you are in the world.
If it's asking for things like that, chances are it's trying to monetise you in some fashion by displaying adverts, for instance.
And so we all do need to be very careful about these things.
I certainly, certainly 3 or 4 years ago when I attached TwitterCounter to my Twitter account, I thought it was a legitimate service.
I still believe it was meant to be a legitimate service. Unfortunately, they were a bit rubbish at security, and as a result, it was my name which was pulled through the mud.
Yeah, and that's, of course, the problem is we leave so much in others' hands and that becomes this third-party problem that we deal with in security.
I'm sorry, that's, that's, I think that's the White House calling me about my new cybersecurity job as cybersecurity czar, which—
I'm sorry, that's, that's, I think that's the White House calling me about my new cybersecurity job as cybersecurity czar, which—
I can't believe you're using this podcast to advertise your availability for the post.
This is an official announcement.
Just to fill all the listeners in, before we started, I said, wouldn't it be a funny joke to apply to the Trump administration?
Because, you know, they have something like 17,000 positions open. And just apply to become the cybersecurity czar as a gag.
Then I thought, well, then for the rest of my life I will be associated as Trump's cybersecurity czar. Probably not good positioning, but I thought it'd be just a gag.
Anyway, yeah, so I apologise for my phone ringing in the background, but we have very important things that go on here at my home office.
People calling me constantly with offers for my lawn service and other things, which great relevancy to this podcast.
Because, you know, they have something like 17,000 positions open. And just apply to become the cybersecurity czar as a gag.
Then I thought, well, then for the rest of my life I will be associated as Trump's cybersecurity czar. Probably not good positioning, but I thought it'd be just a gag.
Anyway, yeah, so I apologise for my phone ringing in the background, but we have very important things that go on here at my home office.
People calling me constantly with offers for my lawn service and other things, which great relevancy to this podcast.
Any road, let's move on. I wanted to bring to your attention another story from the Twittersphere, assault with a deadly tweet. Well, I'll tell you what initially happened.
There is a Newsweek political journalist, his name is Kurt Eichenwald, and he appears on the news from time to time, and he appeared actually on Fox News.
He's claimed in the past that the then president-elect Donald Trump, friend of the show, had spent some time in a mental institution. I don't know if that's true or not.
But anyway, he went on Fox News and he was discussing this, and it was a fairly rambunctious conversation which he was having with the anchorman on Fox News.
And it obviously riled up some of the audience.
And what happened was one of the viewers tweeted the journalist, Kurt Eichenwald, and they sent him an animated GIF, an animated GIF of a strobing light alongside a message which said, "You deserve a seizure for your posts."
There is a Newsweek political journalist, his name is Kurt Eichenwald, and he appears on the news from time to time, and he appeared actually on Fox News.
He's claimed in the past that the then president-elect Donald Trump, friend of the show, had spent some time in a mental institution. I don't know if that's true or not.
But anyway, he went on Fox News and he was discussing this, and it was a fairly rambunctious conversation which he was having with the anchorman on Fox News.
And it obviously riled up some of the audience.
And what happened was one of the viewers tweeted the journalist, Kurt Eichenwald, and they sent him an animated GIF, an animated GIF of a strobing light alongside a message which said, "You deserve a seizure for your posts."
A seizure?
Yeah, because—
Seizure.
A seizure. Sorry. What's wrong with how I'm saying seizure?
I wouldn't have known what you meant.
Hail Caesar!
Yeah, just for those who speak English, seizure. Seizure again. Okay, carry on.
You deserve a seizure for your post. Now, Eichenwald has previously talked about how he suffers from photosensitive epilepsy.
Gosh.
And when he viewed the flashing image—
No!
So the animated GIF, he suffered a seizure.
A seizure.
Okay. Isn't that what I'm saying? Seizure. Now, his wife— this happened at his home. His wife came across him, pieced together what had happened. She called the police.
And this week, agents in Maryland have arrested a 29-year-old who's thought to have sent the tweet.
And the guy they've arrested, they believe he sent a number of other messages to Twitter users, sort of direct messages saying, "Hey, I hope this sends him into a seizure." And, "I spammed this out.
Let's see if he dies." And, "I know he has epilepsy." In fact, the police went into his iCloud account, and they claim that they found a screenshot of the victim's Wikipedia page showing a fake obituary with his date of death being the one when the tweet was sent.
And also screenshots from epilepsy.com.
And this week, agents in Maryland have arrested a 29-year-old who's thought to have sent the tweet.
And the guy they've arrested, they believe he sent a number of other messages to Twitter users, sort of direct messages saying, "Hey, I hope this sends him into a seizure." And, "I spammed this out.
Let's see if he dies." And, "I know he has epilepsy." In fact, the police went into his iCloud account, and they claim that they found a screenshot of the victim's Wikipedia page showing a fake obituary with his date of death being the one when the tweet was sent.
And also screenshots from epilepsy.com.
So I don't know this journalist. So he must be pretty politically— does he have a strong political point of view that—
Oh, in particular? Wild? Well, he's particularly anti-Trump. And you can go on YouTube, and maybe we'll include some links.
We could even include a link to the actual interview in question, which happened on this day, which maybe spurred this particular attack.
But clearly, he's not going to be on Donald Trump's Christmas card list. Let's put it that way. And his supporters, as we know, want to defend the commander-in-chief.
And some of them may well take things into their own hands, which clearly is the wrong thing to do.
We could even include a link to the actual interview in question, which happened on this day, which maybe spurred this particular attack.
But clearly, he's not going to be on Donald Trump's Christmas card list. Let's put it that way. And his supporters, as we know, want to defend the commander-in-chief.
And some of them may well take things into their own hands, which clearly is the wrong thing to do.
But I— Thank you, Papa Cluley.
Yeah, but I've never really considered before.
I mean, I'm lucky enough I don't suffer from epilepsy, but I've never really considered before that, of course, you could have an attack from an animated GIF.
I mean, I'm lucky enough I don't suffer from epilepsy, but I've never really considered before that, of course, you could have an attack from an animated GIF.
Yeah.
And in fact, when I was researching this story, I discovered that there have been attacks a bit like this in the past.
In fact, in 2008, the Epilepsy Foundation's website was defaced by hackers who planted rapidly flashing images on the site, which were then displayed to site visitors.
It's real sort of 4chan activity, isn't it? It's a real sort of troll-like thing to do. But this sort of thing happens.
And since the attack happened on Eichenwald, more than 40 other people sent strobing images to his Twitter account, knowing that they could trigger seizures.
And the details of those he's passed on to the FBI and told people obviously that they may well be investigated as well. So what should be done about this? That's what I'm wondering.
What can be done?
In fact, in 2008, the Epilepsy Foundation's website was defaced by hackers who planted rapidly flashing images on the site, which were then displayed to site visitors.
It's real sort of 4chan activity, isn't it? It's a real sort of troll-like thing to do. But this sort of thing happens.
And since the attack happened on Eichenwald, more than 40 other people sent strobing images to his Twitter account, knowing that they could trigger seizures.
And the details of those he's passed on to the FBI and told people obviously that they may well be investigated as well. So what should be done about this? That's what I'm wondering.
What can be done?
Well, there's kind of a balance here.
I mean, we're trying to, you know, maybe responsible and people do have this issue, but are we going to start getting too politically correct if we start to filter GIFs on Twitter?
I mean, we're trying to, you know, maybe responsible and people do have this issue, but are we going to start getting too politically correct if we start to filter GIFs on Twitter?
But if they're impacting physical health, I mean, you know, and the tweets are being sent with deliberate intent.
It's difficult, isn't it? Because obviously these are the sort of things which people will encounter in their normal everyday life.
You know, you will find yourself in a situation where there might be strobing lights.
You're watching television, and quite often these days you will be warned if there's a lot of flashlight photography or if there are images.
They will tell you before that part of the program is shown.
I did find out that in some browsers, Firefox for instance and Internet Explorer, though disappointingly not Microsoft Edge or Chrome as far as I could see, you can turn off image animation, which I believe will prevent the animated GIF from working.
There's even an option inside Twitter.
If you go into settings, you can go to your account section, scroll down to content and uncheck video autoplay, which will also, I believe, prevent animated GIFs from happening as well.
You know, you will find yourself in a situation where there might be strobing lights.
You're watching television, and quite often these days you will be warned if there's a lot of flashlight photography or if there are images.
They will tell you before that part of the program is shown.
I did find out that in some browsers, Firefox for instance and Internet Explorer, though disappointingly not Microsoft Edge or Chrome as far as I could see, you can turn off image animation, which I believe will prevent the animated GIF from working.
There's even an option inside Twitter.
If you go into settings, you can go to your account section, scroll down to content and uncheck video autoplay, which will also, I believe, prevent animated GIFs from happening as well.
Alex, what are your thoughts on animated GIFs?
Well, first of all, I'm thankful that we're past March 15th, so we don't have to worry about The Ides of March for a Caesar. Oh, that was so bad.
I can't even believe I actually said that. Look, I mean, the internet will fail if we don't allow animated GIFs. I mean, I use animated GIFs all the time.
It's gonna collapse the internet. The internet will be over.
I can't even believe I actually said that. Look, I mean, the internet will fail if we don't allow animated GIFs. I mean, I use animated GIFs all the time.
It's gonna collapse the internet. The internet will be over.
Alex, you've said it 3 times now. I know Carole is thinking the same. Are you seriously gonna call them GIFs and criticize me for my pronunciation?
I was being polite because he's our guest.
I know, I was trying to be polite, but now I just feel like it's become an issue. Listeners are going to be screaming at their iPhones saying, how come he's saying GIF?
Because in my day, that's what you called them.
Oh yeah, everyone, he's 98.
I think I did read somewhere that the inventor of the GIF file format did originally intend them to be pronounced GIF. Maybe we can link to that in the show notes as well.
But it does seem to have been the accepted wisdom now that it's a GIF. I think you're deliberately being a bit of a hipster and a fogey, aren't you?
But it does seem to have been the accepted wisdom now that it's a GIF. I think you're deliberately being a bit of a hipster and a fogey, aren't you?
I'm not that old.
So all I'm saying is you can make changes to some browsers. You can change Twitter settings as well. But clearly, don't be an arse.
You know, don't send images like this deliberately designed to cause seizures.
You know, don't send images like this deliberately designed to cause seizures.
You know, I think people that send these know this. I don't think they're unaware that it's annoying and potentially dangerous. I think they're doing it in spite of that.
I mean, it is potentially fatal. I mean, that's the serious— I mean, joking aside, right? This is potentially going to kill people.
Yeah. It's the same with people messing with medical devices, you know, and IoT and medical devices and trying to infect those.
It's just, it's really surprising and kind of, I don't know, I don't understand it at all.
It's just, it's really surprising and kind of, I don't know, I don't understand it at all.
Yeah. Well, it's absolutely revolting what this guy did. No matter your political beliefs, it's absolutely revolting, and I'm glad he got arrested.
And I think that, you know, but we do have to take a reasonable approach.
I'm very empathetic and sympathetic to those who suffer from this disorder, but, you know, they can turn these images off or turn the animated graphical interchange format files off.
See, are you happy with that?
And I think that, you know, but we do have to take a reasonable approach.
I'm very empathetic and sympathetic to those who suffer from this disorder, but, you know, they can turn these images off or turn the animated graphical interchange format files off.
See, are you happy with that?
Very good.
He just researched it. I heard him.
No, I wasn't. I didn't research it, but I'm going to mute everything from now on. I think we can just— we can go too far.
Alex, let's move on. What have you— what's piqued your interest this week? What do you want to talk to us about?
I'm on a personal sort of thing about spear phishing and phishing in general.
So a company that I know of, actually one of our neighbors in our building, who was in a total panic because they'd gotten some ransomware.
And now fortunately it didn't infect— it only infected one server, but the fact that the ransomware got in there was pretty disturbing.
Of course, a lot of this comes through social engineering. It comes through an email, click here. Now, when you look at the problem of phishing, we go, okay, well, phishing's bad.
But actually, you know, we don't talk about the fact that the biggest problem in security is 3 inches back of the forehead. It is the problem of 3 inches.
So a company that I know of, actually one of our neighbors in our building, who was in a total panic because they'd gotten some ransomware.
And now fortunately it didn't infect— it only infected one server, but the fact that the ransomware got in there was pretty disturbing.
Of course, a lot of this comes through social engineering. It comes through an email, click here. Now, when you look at the problem of phishing, we go, okay, well, phishing's bad.
But actually, you know, we don't talk about the fact that the biggest problem in security is 3 inches back of the forehead. It is the problem of 3 inches.
3 inches.
Well, I don't know, whatever. It's wherever you define the presence of the mind. I don't know. But the point is, people make the mistakes.
And I remember a stat years ago, you know, 80% of all malware attacks occur because of social engineering.
And I remember a stat years ago, you know, 80% of all malware attacks occur because of social engineering.
Yeah.
And if you look at it, I mean, how are you going to hack someone's account? How are you going to do it?
You're not going to be able to go in and do a dictionary attack where you just keep throwing different passwords at Gmail. It won't let you.
What you're going to have to do if you wanted to grab someone's Gmail account, for example, or do something nefarious, is you're going to want to get control of that account.
And the only way to really get control of that account is by social engineering. You know, we saw this happen last year with John Podesta, who was the advisor to Hillary Clinton.
And, you know, he got an email that said, hey, you know, you need to reset your password. Well, he ended up by clicking that, and it was a very, very convincing email.
I mean, I saw it, and many of us would probably be fooled, although I'm extremely cautious about this stuff.
But the normal person, John Podesta, not a cybersecurity expert, clicked on the link, reset his password, and immediately gave control of that Gmail box to the hackers.
We presume those hackers are Russians, and there went all that data to WikiLeaks.
And of course, we have this recent news item where a single spear phishing click caused this massive Yahoo data breach.
This stuff is serious, and I think that the security awareness training field, of which I admit that I have a bit of a bias, I'm on the board of one of the security awareness training companies, but I'm not talking about this company, I'm talking about the general field in general.
When I see the statistics of how many people click on these emails, you know, security awareness training companies send out fake emails to employees.
They're run by the IT department. They click on these emails. I think you've had even a sponsor on previously that was doing this. It's a great service.
They click on these emails and then they get a little training video or some sort of message that, hey, you clicked on something bad and here's why you shouldn't do that.
And I've seen numbers into the teens, 12, 14, 15% of the employees will click on these things, but after they run these campaigns for a while, the number goes dramatically down.
I'm a huge fan of this. We actually did it internally at my company that I'm at now, and it was fantastic.
I had an employee come up to me and say, "You know, now I really understand why I shouldn't click on these links." But the average person doesn't.
I'm sure the subscribers of these podcasts do, but the rest of the world doesn't.
You're not going to be able to go in and do a dictionary attack where you just keep throwing different passwords at Gmail. It won't let you.
What you're going to have to do if you wanted to grab someone's Gmail account, for example, or do something nefarious, is you're going to want to get control of that account.
And the only way to really get control of that account is by social engineering. You know, we saw this happen last year with John Podesta, who was the advisor to Hillary Clinton.
And, you know, he got an email that said, hey, you know, you need to reset your password. Well, he ended up by clicking that, and it was a very, very convincing email.
I mean, I saw it, and many of us would probably be fooled, although I'm extremely cautious about this stuff.
But the normal person, John Podesta, not a cybersecurity expert, clicked on the link, reset his password, and immediately gave control of that Gmail box to the hackers.
We presume those hackers are Russians, and there went all that data to WikiLeaks.
And of course, we have this recent news item where a single spear phishing click caused this massive Yahoo data breach.
This stuff is serious, and I think that the security awareness training field, of which I admit that I have a bit of a bias, I'm on the board of one of the security awareness training companies, but I'm not talking about this company, I'm talking about the general field in general.
When I see the statistics of how many people click on these emails, you know, security awareness training companies send out fake emails to employees.
They're run by the IT department. They click on these emails. I think you've had even a sponsor on previously that was doing this. It's a great service.
They click on these emails and then they get a little training video or some sort of message that, hey, you clicked on something bad and here's why you shouldn't do that.
And I've seen numbers into the teens, 12, 14, 15% of the employees will click on these things, but after they run these campaigns for a while, the number goes dramatically down.
I'm a huge fan of this. We actually did it internally at my company that I'm at now, and it was fantastic.
I had an employee come up to me and say, "You know, now I really understand why I shouldn't click on these links." But the average person doesn't.
I'm sure the subscribers of these podcasts do, but the rest of the world doesn't.
Because, and I think the Podesta example is a classic example of this, quite often chances are you're not going to be targeted by a state-sponsored attack.
It's not going to involve zero-day vulnerabilities. It's not going to be all that really nerdy stuff.
The way in which the attacker is going to get your password is simply by asking for it. And if they use the right social engineering, they will trick someone.
It's not going to involve zero-day vulnerabilities. It's not going to be all that really nerdy stuff.
The way in which the attacker is going to get your password is simply by asking for it. And if they use the right social engineering, they will trick someone.
Yeah, they might, for example, call you up saying, "Hi, I'm from the IT desk. We need your password because there's a flaw in your machine."
Yeah, send you a link and you're logging in and you don't tell the difference between the real Google login page and the fake one.
Yeah, exactly. And oh, by the way, Graham, I just, to help you with this little Nazi thing you had going on on Twitter, can I get your password?
Just, I'm just going to check on something.
Just, I'm just going to check on something.
Identity papers, bitte, I believe is the phrase. We've just lost our German audience.
Yeah, well, exactly. So I don't know, I think if there's a discussion to be had, it's the fact that the vast, vast, vast majority of people don't even realize.
I mean, okay, there's the obvious: enlarge your body parts, or click on this bank link, or come to Nigeria, or whatever. Those are the obvious ones.
But the not-so-obvious ones are, hey, this is Jill from accounting, can you update your payroll records? And those are the ones that scare the bejesus out of them.
I mean, okay, there's the obvious: enlarge your body parts, or click on this bank link, or come to Nigeria, or whatever. Those are the obvious ones.
But the not-so-obvious ones are, hey, this is Jill from accounting, can you update your payroll records? And those are the ones that scare the bejesus out of them.
And there is so much information that the attacker may have already gleaned about your company, whether it be from LinkedIn or whether it be from a data breach at another organization.
Where, you know, they may have details about you, they may know where you live, they may know what your job role is inside the company.
And so they can forge the email to look so convincing.
Where, you know, they may have details about you, they may know where you live, they may know what your job role is inside the company.
And so they can forge the email to look so convincing.
But the poor listener, right? Which is basically FUD, FUD, FUD, fear and doubt. It's scary, it's hard to see them.
So, you know, and it's hard to tell people how to avoid them because they are so sneaky.
So, you know, and it's hard to tell people how to avoid them because they are so sneaky.
Well, the thing that we do is if you get an email that asks you to log into your payroll service or something that you're— just email the person back and say, did you send this?
I even know of a security company, the CEO got an email from the CFO saying, hey, can you go ahead and approve this bank wire.
That was a spoofed address, meaning they put the person's name.
So, you can go to LinkedIn, you can go to any company and find out who the CFO is and who the CEO is, and you just get that name and you spoof it.
Because the mail transfer protocol service, SMTP, allows spoofing. It's trivial. And then you can just send that email as the CFO. I'm not divulging any great secret here.
Any hacker knows these tricks. And the point is, email back or email the person and say, did you send this?
I even know of a security company, the CEO got an email from the CFO saying, hey, can you go ahead and approve this bank wire.
That was a spoofed address, meaning they put the person's name.
So, you can go to LinkedIn, you can go to any company and find out who the CFO is and who the CEO is, and you just get that name and you spoof it.
Because the mail transfer protocol service, SMTP, allows spoofing. It's trivial. And then you can just send that email as the CFO. I'm not divulging any great secret here.
Any hacker knows these tricks. And the point is, email back or email the person and say, did you send this?
Are you sure? Or maybe even phone them, you know, because if you are emailing a fake address, maybe it's slightly different.
Maybe there's a 1 instead of an L or something that, so it's hard to tell the difference in the font.
If you phone them, especially if it's an unusual request, then you can perhaps confirm whether it is them or not.
Because, and the other possibility, of course, is that their real email account may have been hacked. So that's why I'm saying maybe phoning is a good idea too.
Maybe there's a 1 instead of an L or something that, so it's hard to tell the difference in the font.
If you phone them, especially if it's an unusual request, then you can perhaps confirm whether it is them or not.
Because, and the other possibility, of course, is that their real email account may have been hacked. So that's why I'm saying maybe phoning is a good idea too.
Absolutely.
Or using your links that you have bookmarked, not using the link inside the email.
And having— yes, that's good— and having two-step verification turned on on accounts.
So even if hackers do ever manage to get your passwords, they will be more limited as to the damage which they can do with it.
So even if hackers do ever manage to get your passwords, they will be more limited as to the damage which they can do with it.
Yeah, yeah, exactly. You know, and so we talk about social engineering from an electronic standpoint, but there's also social engineering from a physical standpoint.
And I sit on the board with a fellow by the name of Kevin Mitnick, who— he's terrifying to be in a board meeting with.
I mean, I will be in the board meeting, I'll lean over to my laptop, and I'll start to type something, and then he seems to perk up, and I'm always very nervous because is he running Wireshark on the network?
And I sit on the board with a fellow by the name of Kevin Mitnick, who— he's terrifying to be in a board meeting with.
I mean, I will be in the board meeting, I'll lean over to my laptop, and I'll start to type something, and then he seems to perk up, and I'm always very nervous because is he running Wireshark on the network?
He has a certain history, doesn't he?
The guy, he's a fascinating— of course I'm being facetious. He's a very ethical hacker. He's a fascinating individual.
But the physical security stuff, and let's just start with a simple thing.
There's a USB drive out now, I'm sorry, a USB stick, that will overload the capacitors in the machine and kill the machine.
So you've probably heard this story, you may have even covered it before.
And it's unfortunately common, of course, these studies have been done, I mean, they were done quite a while ago, but where, you know, some researchers would just go ahead and throw a bunch of USB sticks out in a parking lot and people pick them up and they grab them.
Well, that could have malware in it, it could have all kinds of junk, or it could have something that blows the capacitors and destroys your machine.
There's tricks to— all kinds of physical access tricks that can be used.
So, you know, it's just— it's not to— again, I don't want to scare people, and I always hate the fact that in security we end up scaring people to death because the world is actually generally safe out there, and security has gotten a lot better.
But just a bit of education goes a tremendously long way, and it's just general caution.
But the physical security stuff, and let's just start with a simple thing.
There's a USB drive out now, I'm sorry, a USB stick, that will overload the capacitors in the machine and kill the machine.
So you've probably heard this story, you may have even covered it before.
And it's unfortunately common, of course, these studies have been done, I mean, they were done quite a while ago, but where, you know, some researchers would just go ahead and throw a bunch of USB sticks out in a parking lot and people pick them up and they grab them.
Well, that could have malware in it, it could have all kinds of junk, or it could have something that blows the capacitors and destroys your machine.
There's tricks to— all kinds of physical access tricks that can be used.
So, you know, it's just— it's not to— again, I don't want to scare people, and I always hate the fact that in security we end up scaring people to death because the world is actually generally safe out there, and security has gotten a lot better.
But just a bit of education goes a tremendously long way, and it's just general caution.
I think so.
I think we're not trying to scare, we're trying to raise awareness and educate about these threats, because actually the internet and computers bring us so much, so much positive stuff, and we want people to be able to use them in a positive way and to make their companies more successful as a result.
So we have to be aware of some of these threats.
So don't have nightmares, but be aware that some of these things go on and just be a little bit cynical and questioning sometimes, I think is a good piece of advice as well.
Okay, Carole, what have you got for us?
I think we're not trying to scare, we're trying to raise awareness and educate about these threats, because actually the internet and computers bring us so much, so much positive stuff, and we want people to be able to use them in a positive way and to make their companies more successful as a result.
So we have to be aware of some of these threats.
So don't have nightmares, but be aware that some of these things go on and just be a little bit cynical and questioning sometimes, I think is a good piece of advice as well.
Okay, Carole, what have you got for us?
So this is about the UK government.
They've just announced an in-cabin ban on laptops and tablets on direct flights to the UK from named countries, or actually, namely Turkey, Lebanon, Jordan, Egypt, Tunisia, and Saudi Arabia.
The concern that's cited is that bombs could be hidden in a series of these devices, in some of these devices.
And Downing Street has said it's necessary, effective, and proportionate, quote unquote.
So this basically says to me what the government's saying, that is that we have a huge reason to be doing this and causing this disruption, but we can't tell you what it is.
And I guess it comes down to whether you trust government or not as to what's going on.
They've just announced an in-cabin ban on laptops and tablets on direct flights to the UK from named countries, or actually, namely Turkey, Lebanon, Jordan, Egypt, Tunisia, and Saudi Arabia.
The concern that's cited is that bombs could be hidden in a series of these devices, in some of these devices.
And Downing Street has said it's necessary, effective, and proportionate, quote unquote.
So this basically says to me what the government's saying, that is that we have a huge reason to be doing this and causing this disruption, but we can't tell you what it is.
And I guess it comes down to whether you trust government or not as to what's going on.
And it's not just the UK government, the US government's done it as well.
Now, the ruling is a kind of a little bit different because the UK one actually applies to national carriers.
So BA, EasyJet, Monarch, Thomas Cook, all those, they're impacted by this. So if they're having any direct flights from these countries to the UK, this ban is going to be in effect.
The US, however, have only named targeted airlines that operate from the affected countries as opposed to US-based carriers. What's affected? So smartphones are still allowed, right?
So travelers can travel with things as small as smartphones, game consoles, and DVD players. Seem to be okay.
But there's a big red X for devices like phablets, readers, tablets, laptops. And they're saying they have to go into the hold, right? So this raises the whole concern.
And the reason is, remember, we were talking about bombs. So this leads me to ask, don't bombs often go off remotely?
So BA, EasyJet, Monarch, Thomas Cook, all those, they're impacted by this. So if they're having any direct flights from these countries to the UK, this ban is going to be in effect.
The US, however, have only named targeted airlines that operate from the affected countries as opposed to US-based carriers. What's affected? So smartphones are still allowed, right?
So travelers can travel with things as small as smartphones, game consoles, and DVD players. Seem to be okay.
But there's a big red X for devices like phablets, readers, tablets, laptops. And they're saying they have to go into the hold, right? So this raises the whole concern.
And the reason is, remember, we were talking about bombs. So this leads me to ask, don't bombs often go off remotely?
Yeah, I mean, some of the— I mean, I'm no bomb maker. Sometimes you will get, I believe, bombs which will trigger based upon the height of the aeroplane.
You know, they'll be able to work out how high they are in the air and then trigger. And so being in the hold would, for instance, I imagine, just work just as successfully.
Or if a fire ignited in the hold, that's going to be kind of difficult to deal with, isn't it?
I think normally on a passenger aeroplane, people in the cabin can't gain access to the hold, can they?
You know, they'll be able to work out how high they are in the air and then trigger. And so being in the hold would, for instance, I imagine, just work just as successfully.
Or if a fire ignited in the hold, that's going to be kind of difficult to deal with, isn't it?
I think normally on a passenger aeroplane, people in the cabin can't gain access to the hold, can they?
No, and that's a really good point, because actually one commenter on the story on Slashdot said that this was especially weird because he's not allowed to put his laptop into checked luggage, because they don't allow lithium-ion batteries in the hold because of the fire implications.
So there's a weird, weird situation here.
So there's a weird, weird situation here.
Yeah, but who hasn't shipped their laptop at some point in the hold? I know I have. I didn't even know it was a problem.
So yeah, I hate doing it. I have all my devices with me.
Of course.
Yeah, they're expensive. You know, that's the other thing. And you don't want them getting damaged or stolen or anything that, or getting lost in transit.
What really bugs me more about this is that we keep fighting yesterday's battle.
And, you know, if people have gone to Israel and gone through the security procedures at the Israeli airports, they really see security in action.
Because the security forces in Israel are looking for patterns, behavior, intelligence. They're doing a lot more than just randomly pulling out people's water bottles and laptops.
I mean, I really begin to wonder, and you know, the failures of security have tended to be, at least for physical airport security, have tended to be intelligence failures.
And, you know, if people have gone to Israel and gone through the security procedures at the Israeli airports, they really see security in action.
Because the security forces in Israel are looking for patterns, behavior, intelligence. They're doing a lot more than just randomly pulling out people's water bottles and laptops.
I mean, I really begin to wonder, and you know, the failures of security have tended to be, at least for physical airport security, have tended to be intelligence failures.
Well, we don't know the reasons, right? We don't know why these announcements have been made at this point.
Presumably they're working on some intelligence that they believe some bad guys are going to put something explosive into an electronic device, and they're thinking, well, it's going to be bigger than an iPhone SE, for instance, but it's going to be a big fat device or a laptop or something that.
And I believe there have been incidents in the past where they've discovered sort of hard-to-detect explosives hidden inside electronic devices, which haven't been picked up.
So they've got this intelligence, maybe they're worried that the security arrangements in some countries' airports are not sufficient.
So it's not being in Israel, for instance, where they take security really darn seriously.
And so they're worried that because of lax security, people might get on board those planes and might be carrying these things. I get all that. I kind of understand all that.
What worries me is the logic of, but it's all right to put it in the hold.
And I believe there have been incidents in the past where they've discovered sort of hard-to-detect explosives hidden inside electronic devices, which haven't been picked up.
So they've got this intelligence, maybe they're worried that the security arrangements in some countries' airports are not sufficient.
So it's not being in Israel, for instance, where they take security really darn seriously.
And so they're worried that because of lax security, people might get on board those planes and might be carrying these things. I get all that. I kind of understand all that.
What worries me is the logic of, but it's all right to put it in the hold.
Right. Yeah.
It doesn't make any sense, does it there? And I mean, it makes me— because I don't want to put things into the hold that are delicate. Well, no.
Because it'll be thrown around and, you know, treated luggage gets treated.
Because it'll be thrown around and, you know, treated luggage gets treated.
And imagine you're just going for a meeting. So what all you're taking is your laptop, you're going for maybe two days and an overnight.
So now you have to check it in and you can't work on the plane whilst you're getting there. So there's going to be disruption that is going to impact everybody.
What if people, for example, don't go— you know how you go through airport security, you dump your luggage off to go into the hold, and then you go through airport security and they go, oh, you have a laptop, you can't bring that on the plane.
What do you do? Do you just throw it away like a water bottle? What's the procedure for that? So there's going to be a lot of confusion.
So leave more time for travel if you're going to these countries or coming from those countries in the near future, which you always would anyway.
So now you have to check it in and you can't work on the plane whilst you're getting there. So there's going to be disruption that is going to impact everybody.
What if people, for example, don't go— you know how you go through airport security, you dump your luggage off to go into the hold, and then you go through airport security and they go, oh, you have a laptop, you can't bring that on the plane.
What do you do? Do you just throw it away like a water bottle? What's the procedure for that? So there's going to be a lot of confusion.
So leave more time for travel if you're going to these countries or coming from those countries in the near future, which you always would anyway.
But it's just to look at the figures, I just pulled them up. It's 6.3 inches in length and 3.6 inches in width.
Sorry, what is Alex? What are you referring to? Oh, I see. Still, so you haven't—
I'm not gonna even go down that path that you just laid out for me. What is the significance of 6.3 inches in length and 3.6 inches in width?
You know what it will be.
There will be some bigwig who has a beloved smart device which he refuses to put into the hold because he needs to play solitaire or whatever it is on his flight.
And so he said, well, if it's any bigger than this. Well, I tell you, you've done these long flights.
There will be some bigwig who has a beloved smart device which he refuses to put into the hold because he needs to play solitaire or whatever it is on his flight.
And so he said, well, if it's any bigger than this. Well, I tell you, you've done these long flights.
I mean, I've gone to Dubai, you've gone to Dubai. I mean, those are long flights. I mean, wow. To not have— to just have your smartphone with you. Wow.
Yeah.
To not have— to just have your smartphone with you. Wow.
You know what I'm thinking though? What the real danger is, what no one's actually considering is kids.
Because you know what it can be like for parents with children on a long flight. And the only thing you can do is give them the opium of the iPad to entertain them.
And they are going to be going feral on the planes.
Because you know what it can be like for parents with children on a long flight. And the only thing you can do is give them the opium of the iPad to entertain them.
And they are going to be going feral on the planes.
And loads of airlines have removed now the screens on the back of the seats because everyone's traveling with laptops and video devices. So new planes don't even have them anymore.
I think if kids start traveling on these long flights without some form of distraction, it is basically going to turn into a zombie apocalypse.
It's going to be like The Walking Dead. Who was talking about fear, uncertainty, and doubt? There you go.
Well, thank you very much, Carole, and thank you as well, Alex, for joining us today on today's Smashing Security. We really appreciate it. Thank you for spending time with us.
We hope you won't be a stranger. You'll come again soon.
It's going to be like The Walking Dead. Who was talking about fear, uncertainty, and doubt? There you go.
Well, thank you very much, Carole, and thank you as well, Alex, for joining us today on today's Smashing Security. We really appreciate it. Thank you for spending time with us.
We hope you won't be a stranger. You'll come again soon.
Thank you so much, everyone.
And I hope folks listening that you enjoyed the podcast. You can subscribe to us on iTunes. You can leave a review.
You can listen to us on all kinds of different podcast services, including now iHeartRadio as well. So check us out and subscribe.
You can listen to us on all kinds of different podcast services, including now iHeartRadio as well. So check us out and subscribe.
And thank you to our sponsors, Recorded Future, who provide a cyber daily newsletter to get all the latest cyber threat insights. Go to recordedfuture.com/intel.
And who knows, they might even help you with nightmares on vampire cats.
And who knows, they might even help you with nightmares on vampire cats.
And that just about wraps it up. Thanks for tuning in. If you like the show, please tell your friends and maybe follow us on Twitter.
We are @SmashingSecurity, that's smashin without a G security. And until next time, bye bye. Toodaloo.
We are @SmashingSecurity, that's smashin without a G security. And until next time, bye bye. Toodaloo.
Bye.
Grant Theft Laptop
What is next, your 2th limb needs a 2th location..
never forget the dangers of breastimplants, remove now!
secure all shoelaces.. they might entangle reality..
and all of us into tight nuts
Or you start connecting though Toronto or Montreal. This crap stinks of security theater.
If they ban laptops on flights to the US then either this ban will spread to other international flights or passengers will need to be segregated for the entire journey between the security scan and the plane. It isn't sufficient to prohibit laptops from passengers with US boarding cards because a passenger with a European boarding card could pass the security check then hand a laptop to a different passenger.
A comprehensive ban would be more disruptive on short-haul flights because business travellers often take a day trip with only hand luggage.
I think if I was forced to put the device in my checked baggage, I would see how easy it is to remove the hard drive and carry that with me. Would not be happy if the device is stolen but at least I have my data.
actually if you think about it, it more likely they will just remove the laptop(s) for easy access to copy or insert maleware or other measures and not say anything
I look forward to the day when DHS requires that all passengers strip completely when checking in and fly naked to and from the U.S. Of course, they will also not be allowed to carry on any objects, food, pills, etc. whatsoever. Oh, and it will be necessary for all passngers to submit to cavity searches before boarding. Stupid as this sounds, it would fit right in to the mind set of the DHS turkeys who believe that perfect security is attainable, and, of course, the sheeple who fly would just sigh and go along with it.
As Mark points out above, this will be impossible o enforce without either a blanket ban on all international travellers or some sort of "laptop free" zone being set up for US-bound travellers separate from other destinations. That seems unworkable (at least in the short term) so it may mean that any terminal with US departures will have to ban all laptops in carry-ons.
I suppose non-US travellers could "check" their laptop bags at Security and have them returned at boarding (the way the US does duty-free so that killer alcohol doesn't fall into the wrong hands). They'd probably only lose or break a few laptops a day…
As far as your own data security goes, it looks like a Chromebook-style "dumb terminal" laptop may be the way to go. With flash storage capacity so large and cheap, encrypted personal files and apps can be carried on a USB stick or – even more secure from border guards – encrypted and kept on remote storage. (Although this also makes access possible by other remote users).
Who do you fear more – the $15/hr jobsworth Homeland Insecurity thug or the NSA snoopers?