Smashing Security podcast #004: ‘You don’t mess with Brian Krebs’

Three security industry veterans, chatting live about whatever is on their mind.

Graham Cluley
Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault as we have another casual chat about whatever is on our minds. You can either watch the video, or listen to the podcast.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Smashing Security, Episode 004: You Don't Mess with Brian Krebs, with Carole Theriault, Vanja Švajcer, and Graham Cluley.

Hello, hello, hello, and welcome to another Smashing Security. It's the 19th of January 2017. This is episode 4 of, what did I call it? Smashing Security.

Did I call it something different just then?
CAROLE THERIAULT
I'm not really sure. Yeah, I'm not sure why you can't remember it's 4. It's not like it's 480, is it?
GRAHAM CLULEY
I was thinking for a second when you come—
VANJA ŠVAJCER
When you reach certain age, it's a bit difficult to remember. 3, 4.
GRAHAM CLULEY
Funny that you should say that, Vanja, because a little birdie told me that you've got maybe a special day of the year coming up very, very soon.
VANJA ŠVAJCER
I won't comment anything.
CAROLE THERIAULT
No, there is a birthday that's around this time, and Vanja, I have your birthday present here.
VANJA ŠVAJCER
No.
CAROLE THERIAULT
Yes, look! And I'm thinking I should maybe open it on air.
GRAHAM CLULEY
Could you just try it?
CAROLE THERIAULT
Uh-oh.
GRAHAM CLULEY
For those people who are listening rather than watching.
VANJA ŠVAJCER
No, no, no, no, no, no.
GRAHAM CLULEY
Give us a commentary.
CAROLE THERIAULT
Yes, but we haven't opened it yet, right? So, Vanja, we could open it on air. Come on. So we're gonna do this, okay? I'm gonna do it on your behalf.

I'm putting my hands in your hand, okay? Opening. Now, I haven't seen— I ordered this for you in person and they sent it to me by mail, okay? Okay, the t-shirt. And I'm unfolding.
GRAHAM CLULEY
It's a dark gray and it has a yellow—
VANJA ŠVAJCER
Oh, the ghost!
CAROLE THERIAULT
It's gorgeous, isn't it? I got one for me too, but mine's in red.
VANJA ŠVAJCER
Yep, it goes well with my, whatever zodiac sign of zodiac.
CAROLE THERIAULT
Oh, does it?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Anyway, there you are. I will send that to you. Happy birthday.
VANJA ŠVAJCER
Thank you very much. It's great. I love it.
CAROLE THERIAULT
How old are you now? Like 50?
VANJA ŠVAJCER
Let's say below 70. All right, pretty obvious.
GRAHAM CLULEY
Well, well done, guys. Nice one, Carole, and congratulations to our own Graybeard, who is celebrating his birthday of indeterminate age, roundabout maybe around now.

We're not going to be specific because this is a security podcast, of course.

And number one topic that we're going to discuss with you today is to do, of course, with security, and it's to do with a piece of ransomware called Spora, which has been spotted by computer security researchers, which is doing something rather different from the traditional ransomware.

It's not just asking you to pay so many bitcoins to get all of your files back. It's giving you other options as well.

In fact, the guys over at Bleeping Computer, they described it as one of the most sophisticated payment sites they'd ever seen ransomware authors use.

And that's because it gives you different options. So yes, you can restore your files. If you want to decrypt all of your files, it works out roundabout at the moment to about $79.

But maybe you want reassurance that they're capable of decrypting your files. We can get two files returned to you for free.

If you just want one particular file, that's gonna cost you $30. But then it gets really interesting because you can buy immunity, it says.

If you want to avoid being infected by any future version of the Spora ransomware, they are prepared to sell you that for $50. It's quite a neat little setup, really.

I think it feels the ransomware authors have thought about all the different possibilities and permutations.

And maybe what's happening now is they're thinking more and more, well, we know people are beginning to back up their systems and some people do have ways of recovering, but it's such an inconvenience, isn't it?

Sometimes maybe people might think, oh, such a palaver restoring from my backup or my backup's two weeks old or whatever the problem is.

Maybe there is still a way to crowbar money even out of those guys and maybe avoid infections in the future as well.

Of course, if you purchase immunity for this piece of ransomware, it's no guarantee it's going to protect you from other ransomware going into the future as well.
CAROLE THERIAULT
Do you want to take a breath?
VANJA ŠVAJCER
Of course. I mean, any restore is pretty difficult. There are a couple of other interesting things about this particular ransomware.

One is that as it encrypts your drive, it basically records how many different file types have been encrypted.

And based on that, it seems that it actually offers how much money you need to pay to restore your files, which seems to be if you have a lot of documents, you'll have to pay more.

If you have a smaller number of documents, you have to pay less, which is great.
CAROLE THERIAULT
It's not by file type though.
VANJA ŠVAJCER
Well, it looks at the certain file types and then it sends a particular string when you send, because the way it works, it doesn't really require a command and control server to be online.

You don't need to be connected to internet to actually encrypt the whole drive, but it creates a file with a .key extension.

And within that file, basically there's some additional information about what happened when the drive was encrypted.

And when you upload that to decrypt your files, then the guys can actually decide, there can be a script on the server side that says, well, if you had 100 documents, then it's $50.

If you had 200, more.
CAROLE THERIAULT
I'm wondering though, I mean, I'm guessing most companies particularly, and even users would have a lot more than 100 files, right?
VANJA ŠVAJCER
Oh yeah, definitely.

You know, the next step is probably to see what are the file names and then based on the keywords in the file names, or maybe even the code, you go with, oh, this might be very important, therefore people will be willing to pay more for having their files decrypted.
GRAHAM CLULEY
And the fact of the matter is there's no point asking a home user for $10,000 for the restoration of files, right?

But if they managed to encrypt a large number of files, chances are that could be a corporation, for instance, could be that they've infected, and those are people you can ask that money for.

The other interesting thing I thought about this Spora ransomware is the way in which it spreads, 'cause it has worm-like characteristics.

It can spread via USB sticks, for instance.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
And, you know, it seems like a real determined effort here to infect as many computers as possible, but not necessarily using the traditional techniques to do it.
CAROLE THERIAULT
And it's interesting, the whole restore two files for free, that must be in response to a number of pieces of ransomware last year that basically, you know, locked your files but then actually didn't decrypt them or didn't have the facilities to decrypt them even after they received payment from the victim.
GRAHAM CLULEY
Right, so if you've been disappointed by previous ransomware infections where you didn't get your money's worth, you didn't get your files back. Exactly.

Don't worry, we're the professionals. We can get your files back this way.
VANJA ŠVAJCER
I think it's quite common that they allow you to upload one or two files to show that they can actually decrypt the files.
GRAHAM CLULEY
Right.
VANJA ŠVAJCER
Yeah.
CAROLE THERIAULT
But also this whole buying immunity feels a bit like Mafioso protection money a bit, doesn't it?
GRAHAM CLULEY
Yeah. Yes.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Give us money. Otherwise we're going to be back with the baseball bats.
CAROLE THERIAULT
I'm so embarrassed being North American hearing you do that.
GRAHAM CLULEY
That wasn't North American. That was Welsh.
VANJA ŠVAJCER
With viruses and with malware, the typical scenario is actually completely different. They don't— you don't pay.

I mean, most of the malware is trying to remove all the other malware families from the computer only to make sure they have the access to the system.

While this is a completely different thing. If you pay, so there's obviously value in, well, not being infected by any piece of malware.
GRAHAM CLULEY
But it's interesting how ransomware is evolving though. They are using different tricks to try and maximize the amount of money.

We saw, for instance, last month the Popcorn Time ransomware, which says, yes, you can pay normal sort of let's do business that way.

But it also says we can be a bit nasty if you spread some affiliate links for us and manage to infect other people.

And get them to pay up, of course, then you can get your files decrypted for free. So you've been recruited into the ransomware gang.

We've seen this ransomware as a service and affiliate schemes before, but now they're sort of offering it in a way to the victims.
VANJA ŠVAJCER
Crowdsourcing ransomware.
GRAHAM CLULEY
It's astonishing. I wonder where this is going to end.
VANJA ŠVAJCER
And of course, last week we talked about databases being potentially encrypted.

And I actually read this week that not just MongoDB, but CouchDB and Hadoop and some other database management system typically used for big data products or big data projects have been affected in a similar way.
GRAHAM CLULEY
So, right.

And if a corporate database is hijacked, if you haven't got a proper recovery mechanism for getting that data back, you may well be prepared to pay a large, large amount of money in order to get your business back up and running again.

So watch out for Spora, people. And there's some good articles from the likes of GData and Bleeping Computer if you want to know more about that. Vanja, what's caught your eye?
VANJA ŠVAJCER
Well, I think for me at least, the most interesting story of this week was done by Brian Krebs, which he did another great piece on Mirai botnet and who stands, who's the real identity of the person who stands behind the Mirai botnet.

So just to kind of remind everybody, Mirai botnet became pretty famous in September when it launched a huge denial of service attack on Brian Krebs's website.

And about a month after that, they also started a big denial of service attack on a DNS provider called Dyn. And Dyn was also used by many sites like PayPal, Spotify.

There are actually quite a lot of services on US East Coast which were affected. So the interesting thing about the Mirai botnet is it's one of those Internet of Things botnets.

It tries to find vulnerable personal video cameras and routers and infects them. And then, you know, it's used to launch denial of service attacks on any kind of service.

So the story that was published is by Brian Krebs today, I think, or the day before, maybe it was yesterday, is around who was the creator.
CAROLE THERIAULT
Right.
VANJA ŠVAJCER
And it turns out, it turns out that the creators of the botnet actually owned a company that's an anti-denial-of-service attack company. And it's kind of, kind of very weird.
GRAHAM CLULEY
No way.
VANJA ŠVAJCER
Two young guys who are obviously pretty skillful in doing what they're doing. They started as many kids do, they set up their own Minecraft server.

But it's often that when you set up your own Minecraft server, that the server comes under denial of service attacks, and they saw there is a niche and they started providing protection against the denial of service attacks for Minecraft servers.

So they started doing DDoS attacks on other servers so that they can start basically using their own protection, which is kind of—
GRAHAM CLULEY
Wow. And it's extraordinary reading Brian's report.

And Brian Krebs has always been an incredible reporter on the cybercrime front, and everyone should follow his blog and see what he's talking about.

He clearly put an enormous amount of effort over many months investigating this particular group, especially after he himself was attacked. I'd really recommend you go and read it.

But it was extraordinary to me just how much money these Minecraft servers are bringing in. It is tens of thousands of dollars, every week.
VANJA ŠVAJCER
It's astonishing.
GRAHAM CLULEY
Absolutely astonishing. So no wonder that there's such strong competition between these servers and that some of them might actually be launching attacks against each other.

It's mind-boggling to me that this crazy incredible phenomena, which is Minecraft, you know, these 8-bit sort of blocky graphics and all the rest of it.

I understand it because I've got a 5-year-old son who's obsessed with watching Minecraft videos.

It's astonishing to me just how obsessive people get about it and just how much money there is behind this game and the sort of companies which are springing up in order to support the players of this game, anti-DDoS servers.
CAROLE THERIAULT
Okay, okay, but can we just go off-piste here for a second? So my niece, who's 8, loves Minecraft as well, you know, and we often play together. I really don't get it. I don't get it.

I try to get it, but I really don't understand, thinking of how amazing graphics are today, why this simple— how does it work? It boggles the mind.
VANJA ŠVAJCER
I don't get it, but then I don't get Teletubbies either, so—
GRAHAM CLULEY
But isn't it, Carole, isn't it like Lego? Right? Lego is a game which has been around for, I don't know, a toy which has been around for maybe 50 years, I'm not sure.

But Lego is sort of—
CAROLE THERIAULT
For those of you out there who haven't heard about Lego, Graham's going to—
GRAHAM CLULEY
I'm not going to explain what Lego is. But I'm going to tell you it's bloody brilliant, right?

And I think Minecraft is basically Lego because you have that ability to build buildings and incredible worlds in Minecraft and then go exploring them.
CAROLE THERIAULT
But he doesn't like Lego. Just saying. Doesn't like Lego. Her brother does. She doesn't like it.
GRAHAM CLULEY
Well, maybe she doesn't like it because her brother likes it.
CAROLE THERIAULT
Oh, okay. Yeah, maybe, maybe, maybe.
GRAHAM CLULEY
Yeah, right. Anyway, okay, great research and yeah, well worth the read.
CAROLE THERIAULT
Yeah, agree.
VANJA ŠVAJCER
Fascinating story. And allegedly the guy who's behind it is now, he ran away from the law enforcement agencies and he's hiding somewhere in some unknown country.

So he obviously realized that his real identity was discovered.
GRAHAM CLULEY
You don't mess with Brian Krebs. No one should know that. And also be very careful— That's the title.
CAROLE THERIAULT
That's our title of our show.
GRAHAM CLULEY
Oh yeah, okay. But you know, also you've got to be really careful about the information which you leave about yourself online.

One of the things which has helped piece together this story has been the reuse of usernames and interest in anime and things like that. Sorry, did I say anime? Anime?

But it's things like that which begin to piece together personalities and you can say, oh, okay, interesting that he's described his interest in programming languages here and it's identical to this guy here.

And the pieces of the jigsaw begin to go together a bit like Lego.
VANJA ŠVAJCER
The article shows just how difficult it is to connect all the dots and actually find out. And it's also very difficult to hide. I mean, in the end.
GRAHAM CLULEY
Yeah.
VANJA ŠVAJCER
If you produce things on the internet, sooner or later people will connect the dots and there are tools and, you know, there are ways of doing it.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
So Carole, what caught your eye?
CAROLE THERIAULT
So, you know, let's think for a second about all the services we depend upon at work, you know, so you've got your, or even at school, right?

You've got your email, your data storage, websites, forums, all these kinds of services that you have available that you depend on.

And most companies or organizations are gonna block or protect them from outside attack. Okay, that we take that for granted.

The question is whether people are protecting these services from inside attacks. So this, I take the story I saw, I saw the story on The Register this morning.

So this is about an IT admin named Triana Williams who was fired from a US-based online college called the American College of Education or ACE.

Now what led to his dismissal is kind of complicated and there's complaints and lawsuits on both sides.

So I would recommend if you guys wanna read about it, Google his name, you'll find it. There's a number of articles in The Register, NBC News, USA Today, et cetera.

The upshot that I wanted to focus on though is that Mr. Williams left his job and he was not happy about being forced to leave his job.

So as he leaves, he basically ends up taking the keys to the college's Google email kingdom, okay?

So basically it's an online college, people have accounts on this Google service and email account, 2,000 students.

Turns out the laptop is the only place that the password was auto-saved. Whether he knew the actual password or not is up for debate.

According to what I've read, you know, there's evidence on both sides. But that was the only place. Now, so he's dismissed. You have someone who's come in and been the administrator.

He is using Google, everything's working fine. And then Google says, put in your password, please. And they attempt a password and it blocks them.

They try again and they eventually get locked out of Google. So what do they do? They contact Google. Google says, sorry, can't help you. This is in Mr.

Williams' personal email address. That's the admin for this Google account. So, right? Right?

Now I think, so, okay, so first thing is, you know, do, how many companies are actually exposed to this?

And I think we could basically admit, at least me and one person on this, on this podcast, admit to using personal addresses for work accounts simply because it's easier.

You know, when, so I have done that in the past, but I've never actually been an IT admin responsible for all of email. So I don't know, are you surprised by this, guys?

Do you think it's surprising that he would have ended up using his personal email address as the admin for the Google, or that he didn't get caught, that no one at the school knew?
GRAHAM CLULEY
I don't think it's surprising.

I'm sure this goes on all the time, and I think typically schools and colleges don't have an enormous amount of resource in terms of IT security, and there's not going to be an awful lot of oversight.

If he was a— he, I mean, he was in the IT department, I imagine there may not have been very many people above him, and so, you know, he was just doing his job, wasn't he, as far as he's concerned, and using his— So he used his personal email address to set up basically the corporation, the organizations?
CAROLE THERIAULT
I don't think he set up. I think, yes, but he— yes, he basically was— basically assigned the admin, the password.

And what's even more interesting is that, of course, after they failed with Google, that Google wouldn't give them access, they contacted Mr. Williams.

But of course, I don't think they were on the best of terms.

And he said he'd be happy— this is a quote from Richard— he'd be happy to unlock the Google email account if, if they, if the, you know, the ACE gave him $200K to settle his dispute over the termination of his employment.

So that is really the reason why I chose the story, because is that a kind of insider ransomware attack, basically holding the keys to the kingdom for ransom?
GRAHAM CLULEY
Certainly some people might think it's a little bit like extortion, mightn't they?
CAROLE THERIAULT
Right.
GRAHAM CLULEY
Even if he does have a case, and I can understand he might feel that he's miffed and maybe that he hadn't been given the compensation he was expecting when he leaves, but I heard he did— it was on his work laptop, right?

So he could have returned the work laptop.
CAROLE THERIAULT
Yeah, right, he did return the work laptop, but he wiped it completely before he returned it. So first, that's what they wanted.

They wanted the laptop back so they could actually access the account. Turned out he returned it wiped. Now, part of me kind of thinks—
VANJA ŠVAJCER
Which is one of the best security practices, right?
GRAHAM CLULEY
Of course, right?
CAROLE THERIAULT
So, but did he have knowledge, or was he doing this to be like to stir the pot? I don't know.

So the reason I want to bring this up is I suspect there's a number of organizations that are probably in this situation, whether it is someone has a kind of malicious intent or, you know, being a bit— or someone's trying to do it just because it's easier for them or because they don't know better, right?

So basically, you don't want to make— you want to make sure that no one has the keys to the kingdom. So there's a few things. This is from Cybrary IT.

It's a great free security training course. You can learn everything there if you take time. There's lots of great information.

But the three good tips I grabbed from them is introduce job rotation in the company.

So make sure that, you know, once someone has done maybe two months or four months or six months in one role, you move them to another role.

That way, it stops proprietary behavior over services or over apps or over particular projects. Mandatory vacations. This is really interesting.

You basically effectively ban people from using email, work email, or services or network whilst they're on holiday.

That way, things can bubble up if there's problems because if they're not there, you should have no person should stop everything from working.
GRAHAM CLULEY
Oh, that's clever. That's a good way of— It's almost like a dress rehearsal for if you did get run over by a bus or if you did get fired by the company.

We'll find out the problem now when you're on holiday in Tenerife, but you'll be back in a week or so and then we can— That's, yeah, that's interesting.
CAROLE THERIAULT
Yeah, cybersecurity. Yeah, so go ahead.
VANJA ŠVAJCER
If you have somebody internally who's doing something illegal in the company, then it's quite possible that if you stop their access this practice will also stop.

So you'll be able to see, you know, there's some kind of anomaly or that some kind of anomaly stopped and you'll find out who is doing something, which is a good thing.
CAROLE THERIAULT
The concept that was presented by the way they put it in Cybrary is basically everybody should be able to leave the office for 5 days without undue impact to the business.

So I think that makes a lot of sense. And the other thing is obviously segregating roles and duties.

So for example, if you had a super huge password that you didn't want any one individual to know, you could effectively split it between two people and, you know, one would know 10 characters, the other person would know the other 10 characters.

So there's different ways you can do that so that no one has access to the whole picture without informing or colluding with someone else in the organization.
GRAHAM CLULEY
Oh, it sounds a little bit like launching nukes from the south.
VANJA ŠVAJCER
Yeah, nuclear missile.
GRAHAM CLULEY
Exactly. Well, I think—
CAROLE THERIAULT
Yeah, it's true. But there's something to be said if you really value something, right? If this asset is business critical, doesn't it make sense to do what you can to protect it?
VANJA ŠVAJCER
Absolutely.
CAROLE THERIAULT
I'll leave you on that rhetorical question.
VANJA ŠVAJCER
For smaller companies, it's much more difficult to do because for some critical roles such as IT admin, you can only have one or two people.

So you need to be able to divide all the duties between two of them, which most of the time won't be possible. In bigger companies, it's going to be easier.
CAROLE THERIAULT
Yeah, I would agree with that. And I think maybe you're right, this is more of a medium to large business, you know.
VANJA ŠVAJCER
So it's like a VPN network administrator and you shouldn't be the same guy who monitors the logs of what happened across the network.
CAROLE THERIAULT
Exactly, exactly, exactly.
GRAHAM CLULEY
Well, some interesting food for thought there.

And if anyone else has got some ideas on how to deal with those sort of situations, maybe it's happened inside your own organizations, do leave us a comment or let us know.

You can tweet us @SmashingSecurity. That's smashing without a G security.

Well, we're heading towards the close of the show, but before we do that, we've got some feedback on our previous episode.

If you missed it, we were chatting about Alexa ordering things you might not want, how the people who were inside security companies protect us from abusive images online, and how some of them are suffering from PTSD.

Very sad story, that. And also, of course, as Vanja already mentioned, MongoDB databases being under attack. But we had some great feedback this week, which was great from people.

Thank you very much. I'll start off with one here. We've got one from Abdul Rehman, who says on YouTube, hey guys, awesome show. I'm really enjoying the content.

I was just wondering, have you thought about making the presentation more professional? More professional, Abdul? More professional than this? How dare you?

Using OBS or similar software. I've used it in the past. The Twitch, but it could definitely work for this with a nice overlay better. It could make it 10 times better.
CAROLE THERIAULT
Well, maybe he doesn't mean professional. Maybe he means better quality, right? We don't want to be too professional. There's a lot of corporate people out there.
GRAHAM CLULEY
I don't think we could be too professional, Carole. I don't think we have to worry too much about that. But it would always be nice to have better video and audio quality.

And it's something we're keen to do. Regarding OBS, we did actually— do you remember in the rehearsals before Christmas, we did play around with OBS a little bit.

Although we didn't publish anything, and our computer—
VANJA ŠVAJCER
It almost worked.
GRAHAM CLULEY
It so almost worked, but not quite.

And it gave the image of us attempting to be slick and failing massively, whereas maybe we're more comfortable just not even attempting to be slick.

So maybe in the future if we can work it out, if anyone's got any tips on that, we'd love to hear them. Vanja, Carole, do you want to take the next piece of feedback?
VANJA ŠVAJCER
I love the next comment, actually. Paul Mark says, another doll's house ordered. Thanks, guys. So we talked about Alexa and how you should secure it.

And obviously, as we were speaking, Paul got another dollhouse.
GRAHAM CLULEY
When you say we were speaking, Vanja, it was specifically you who ordered the doll's house during the podcast. I just want to point that out to everybody.
VANJA ŠVAJCER
Well, I do apologize for that, and I hope that I'm going to be contacted by the manufacturer of the dollhouse sooner or later to thank me for the contribution to their revenue.
GRAHAM CLULEY
Maybe we can be sponsored by them. Wouldn't that be terrific?
CAROLE THERIAULT
I've got one here from AKW144 saying, love the concept, well delivered, look forward to its release every Thursday. So no pressure that we get this out every Thursday.
GRAHAM CLULEY
It's good. Actually, you know what?
VANJA ŠVAJCER
So far, so good.
GRAHAM CLULEY
I'm not sure I'll be able to do it next Thursday. I'm doing a two-factor authentication talk in London. I'll try and get back in time.

Otherwise, we might have to do it on the Wednesday or Friday, but we can chat about that off air maybe instead. Steve Gilbert on Twitter says, nicely done, fun podcast.

Glad I listened to it. Thanks for putting it out there. Cheers from Seattle. Thank you, Steve. Great to know that you're listening.

And there's one more piece from NYLonzagirl, who said these three are to computer security what Top Gear is to the motoring world.
VANJA ŠVAJCER
Oh, I haven't seen this one.
CAROLE THERIAULT
You are so Jeremy Clarkson, I don't know.
GRAHAM CLULEY
Well, I was trying to work this out, actually.
CAROLE THERIAULT
But he's not on Top Gear anymore, is he?
GRAHAM CLULEY
Is he Top Gear? No, he's now on The Grand Tour. But everyone calls it Top Gear still, don't they? Because it's basically the same show.

So if we were Top Gear, Carole, I think you would be that little hamster guy. Right?
CAROLE THERIAULT
Thanks.
GRAHAM CLULEY
I think you'd be— Well, do you want to be one of the other two?
VANJA ŠVAJCER
I'll be the big guy. Not the Clarkson, Jeremy. Graham, you'll be the Clarkson.
GRAHAM CLULEY
Do I have to be Clarkson?
CAROLE THERIAULT
I am very unfamiliar. All I know is that I don't even know anything about Top Gear. So there you are.
GRAHAM CLULEY
Okay, so I'm the one who Vanja has said is a little bit racist. Well, that's nice, isn't it? Well, we do have big news, everybody.

And maybe some of you already know this, but since we last issued an episode of Smashing Security, we have debuted on iTunes.

Yes, we've launched ourselves as an audio podcast, not just on iTunes but on Google Play Music, Stitcher, Overcast, other podcast apps are available.

Go searching for us if you want to hear us. Please do check us out, subscribe, and leave a review on iTunes. It really makes a huge difference.

I've been asking everybody to leave reviews. I've been cornering wife, family, dog, telling them for goodness sake. Frankly, the response has been disappointing.

I don't know how it's been for you guys. Have you been similarly haranguing people?
VANJA ŠVAJCER
Absolutely.
CAROLE THERIAULT
Yes, yes, we have, we have. Well, we have, but I don't think we need to harass anyone. I think people are going to leave comments if they like it, and that's what matters.
GRAHAM CLULEY
Oh, you're just wonderful, Carole, aren't you? You're just so nice.
VANJA ŠVAJCER
Well, I'm preparing to write a review, but I'll just say that this is a review for Graham and Carole, not of myself.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So, Graham and Carole say, "It was all right, but to be honest, that Vanja guy was the best." We'll be able to recognize which one you write, Vanja.

But anyway, welcome to all of our new listeners to the audio version.

If you haven't yet checked it out, smashingsecurity.com and you can find links to all the relevant places including iTunes up there. Well, that just about wraps it up.

Thanks for tuning in once again.

If you like the show, tell your friends, maybe follow us on Twitter @smashingsecurity, smashing without a G, and we will try and keep you informed as to the latest computer security news and stuff.

Any last words, Carole?
CAROLE THERIAULT
Yeah, I promise everyone out there that I will ensure that his opening and closing statements are much shorter for future podcasts. That's a solemn promise.
GRAHAM CLULEY
Well, thank you very much, Richard Hammond, for that comment. And on that bombshell, goodnight.
VANJA ŠVAJCER
Bye.

This week, in Smashing Security #004: “You don’t mess with Brian Krebs”, the Spora ransomware that offers you more than just your encrypted files back, Brian Krebs busts the alleged masterminds behind the Mirai botnet, and be careful that your IT staff aren’t the only ones who know your company’s passwords.

Oh, and one member of the team gets a birthday surprise…

Recorded live: Thursday 10 January, 2017.

Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team on Bluesky.

Show notes


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
