Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault on the “Smashing Security” podcast, as we have another casual chat about the world of online privacy and computer security.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security Episode 005: Upskirt Insecurity with Carole Theriault, Vanja Švajcer, and Graham Cluley.
Hello everybody and welcome to Smashing Security Episode 5 for the 26th of January 2017. As always, I'm joined by my buddies, Carole Theriault and Vanja Švajcer.
Hi guys, how are you doing?
Hello everybody and welcome to Smashing Security Episode 5 for the 26th of January 2017. As always, I'm joined by my buddies, Carole Theriault and Vanja Švajcer.
Hi guys, how are you doing?
Hi Graham and hi Carole.
Hi Vanja. Hi Graham.
It's very jolly, Carole. Are you feeling all right?
I'm in a really good mood. I've had a rough January in terms of amount of work. I've been working a lot and I'm getting a little bit of breathing space now, so it's quite nice.
Fantastic. Fantastic.
So no work.
Well, there's no end to work, is there, when it comes to computer security and things like that. There's always new things happening and stories cropping up.
And one of the things we like to do in this podcast is look at what's happening in the news and choose a few stories you might have missed and give you our whitterings and our random comments about it.
And first out of the hat today, Vanja, what have you got for us?
And one of the things we like to do in this podcast is look at what's happening in the news and choose a few stories you might have missed and give you our whitterings and our random comments about it.
And first out of the hat today, Vanja, what have you got for us?
Well, my story for this week is around an arrest that happened in Barcelona in Spain. The alleged author of Wildtrak, a NeverQuest banking Trojan.
32-year-old Stanislav Lisov, a Russian citizen who was detained on 30th of January by the police when he was returning the rental vehicle to Barcelona airport.
The Trojan that he supposedly created is one of the banking Trojans that tries to create these— tries to basically intercept all the banking transactions and create a new fraudulent transaction and steal money from people's accounts.
As well, it steals some additional data such as logins and passwords from Facebook, Twitter, and basically has been around from 2013.
It's been quite a significant banking Trojan, and I'm guessing the guy who, Stanislav, he was the main creator of it, actually had quite a good source of income from this.
32-year-old Stanislav Lisov, a Russian citizen who was detained on 30th of January by the police when he was returning the rental vehicle to Barcelona airport.
The Trojan that he supposedly created is one of the banking Trojans that tries to create these— tries to basically intercept all the banking transactions and create a new fraudulent transaction and steal money from people's accounts.
As well, it steals some additional data such as logins and passwords from Facebook, Twitter, and basically has been around from 2013.
It's been quite a significant banking Trojan, and I'm guessing the guy who, Stanislav, he was the main creator of it, actually had quite a good source of income from this.
And if he really is the author of Vortrack, this is quite significant, isn't it?
Because it wasn't just banking accounts, as you mentioned, that it was trying to steal passwords for, but all manner of other online accounts which could have fallen into the hands of criminals because there was this piece of malware sitting in the background scooping them up from your drive and as you typed them into websites, etc.
I mean, it was quite prevalent, this one, wasn't it?
Because it wasn't just banking accounts, as you mentioned, that it was trying to steal passwords for, but all manner of other online accounts which could have fallen into the hands of criminals because there was this piece of malware sitting in the background scooping them up from your drive and as you typed them into websites, etc.
I mean, it was quite prevalent, this one, wasn't it?
Yeah, it was a well-created piece of malware that apart from stealing the data also tried to find out new sources for, or new targets to attack, like new banks.
If you were infected with this piece of malware and you visited your banking website, the malware would look for a word such as international banking number or account number or something like that.
And if it found it and it wasn't on its list of targets, then it would actually download the whole page so it can create its own, they call them web injects.
So once the next time you visited the page and the page was on the list of targeted pages, then this piece of code would be inserted to create those kind of fraudulent transactions.
So they kind of used it for collection information, but also for stealing and creating fraudulent transactions.
If you were infected with this piece of malware and you visited your banking website, the malware would look for a word such as international banking number or account number or something like that.
And if it found it and it wasn't on its list of targets, then it would actually download the whole page so it can create its own, they call them web injects.
So once the next time you visited the page and the page was on the list of targeted pages, then this piece of code would be inserted to create those kind of fraudulent transactions.
So they kind of used it for collection information, but also for stealing and creating fraudulent transactions.
And do we know how this guy got caught? So what, he was going on the— he was in his car, returning the car to the airport in Barcelona?
Yeah, well, basically, it was pretty interesting.
It seems that the actual investigation started sometimes in 2014, and his arrest was actually requested by FBI, and the international arrest warrant was issued by Interpol.
So it seems there is quite a good cooperation between FBI and Interpol.
Of course, some of the Russian organizations are saying that the Russian Federation and the legal entities there shouldn't be warned before the arrest happened.
So they don't really call it a kidnapping, but it's interesting, this sort of dynamics between East and West.
It seems that the actual investigation started sometimes in 2014, and his arrest was actually requested by FBI, and the international arrest warrant was issued by Interpol.
So it seems there is quite a good cooperation between FBI and Interpol.
Of course, some of the Russian organizations are saying that the Russian Federation and the legal entities there shouldn't be warned before the arrest happened.
So they don't really call it a kidnapping, but it's interesting, this sort of dynamics between East and West.
Wow.
As usual.
So I read in between the lines, one has to wonder whether the authorities in the West might have thought that Russia wasn't doing enough to apprehend this guy if Western authorities knew his identity and wanted to speak to him about this particular piece of malware.
Especially because we heard that the Russian secret service is recruiting hackers and malware writers, so it could have been connected with this increased activity that we heard over hacking of Democratic National Convention and some of the other Western organizations, allegedly by the Russian secret service.
Oh, Vanja, are you going to perpetuate this myth that the Russians might have had an interest in affecting the U.S.
election and would have been hacking political parties rather than some 14-year-old?
Are you seriously going to suggest the Russians, those lovely Russians, would do something like that?
election and would have been hacking political parties rather than some 14-year-old?
Are you seriously going to suggest the Russians, those lovely Russians, would do something like that?
I agree it's highly unlikely, Graham.
Well, talking about accounts being hacked and broken into, one thing which caught my— I mean, I don't know why this isn't the top story this week, quite frankly.
Carole, I don't know how closely you've been following international news, but did you hear that Vladimir Putin, right, who's the main— he's the head honcho, the big cheese in the Kremlin.
Carole, I don't know how closely you've been following international news, but did you hear that Vladimir Putin, right, who's the main— he's the head honcho, the big cheese in the Kremlin.
We've heard about him.
Yeah, I've heard. News has broken that he is planning a missile strike on the United States. Did you hear?
Well, and this news broke in all places on the New York Times video Twitter feed.
Not many other media outlets have picked it up, in fact, but the breaking news appeared on the New York Times video Twitter feed.
Now, of course, what actually happened was this particular Twitter account, which comes under the New York Times family of Twitter accounts, had been hacked.
It'd been hacked by the OurMine hacking gang. They're an unusual bunch, aren't they?
They hack into companies and social media accounts and people like Mark Zuckerberg's online account sometimes, and then they try and sell you consultancy.
They say, oh, maybe you want to better protect your social media presence in future? We can give you some tips.
Well, and this news broke in all places on the New York Times video Twitter feed.
Not many other media outlets have picked it up, in fact, but the breaking news appeared on the New York Times video Twitter feed.
Now, of course, what actually happened was this particular Twitter account, which comes under the New York Times family of Twitter accounts, had been hacked.
It'd been hacked by the OurMine hacking gang. They're an unusual bunch, aren't they?
They hack into companies and social media accounts and people like Mark Zuckerberg's online account sometimes, and then they try and sell you consultancy.
They say, oh, maybe you want to better protect your social media presence in future? We can give you some tips.
I love this business model, and it's one of those things when we were in antivirus industry, when you come and talk to people, they go, oh yes, of course.
So you create malware first and then you sell us the cure. Well, these guys are actually doing exactly the same thing.
Obviously we never done that ever, but you know, these guys are doing it.
So you create malware first and then you sell us the cure. Well, these guys are actually doing exactly the same thing.
Obviously we never done that ever, but you know, these guys are doing it.
It's kind of the next step after ransomware, right? Why not expand that and use it other ways to extort money out of companies?
Is it ransomware because you have these penetration testing— obviously penetration tests are authorized, but sometimes penetration testers go and do some initial—
Gray hacking?
Yeah, let's say so, and then they can warn the company, hey, you guys have been insecure, you're insecure configuration of your website or whatever, and if you want to tell us, if you want to know more, then perhaps you can employ us.
So I don't want to condone obviously this hack in any way because I don't think you should hack into things without people's permission, but I can kind of understand it in a way.
I mean, if we take your point a little bit further, I think if you were trying to get a company's attention that you believed that they were acting insecurely or they've been sloppy with their passwords or they're reusing passwords or something like that, and maybe you are hitting a brick wall when you try and communicate with them.
What better way to do it than go in, post a fairly harmless tweet, to be honest, although actually in this case, maybe saying Putin was planning a missile strike is not so harmless, quite honestly, particularly who might be in charge of the other missiles these days.
But, you know, and then you've really got their attention, haven't you?
And then you follow it up with, oh, if you want to better protect your account, then maybe you should talk to us. I don't like it as a business model.
I mean, if we take your point a little bit further, I think if you were trying to get a company's attention that you believed that they were acting insecurely or they've been sloppy with their passwords or they're reusing passwords or something like that, and maybe you are hitting a brick wall when you try and communicate with them.
What better way to do it than go in, post a fairly harmless tweet, to be honest, although actually in this case, maybe saying Putin was planning a missile strike is not so harmless, quite honestly, particularly who might be in charge of the other missiles these days.
But, you know, and then you've really got their attention, haven't you?
And then you follow it up with, oh, if you want to better protect your account, then maybe you should talk to us. I don't like it as a business model.
It's kind of like with vulnerability disclosures and some companies, including Google, have this 90-day policy when they actually inform people they have vulnerability.
If they don't respond by 90 days, they kind of disclose all the details, all the technical details about the vulnerability.
So it's kind of— I know it's not the same, but it's a similar kind of model.
If they don't respond by 90 days, they kind of disclose all the details, all the technical details about the vulnerability.
So it's kind of— I know it's not the same, but it's a similar kind of model.
Now, the New York Times isn't the only Twitter account which is claiming they had some unauthorized usage in the last few days.
There was the Badlands National Park Service who started tweeting facts about climate change, which got a lot of attention up on Twitter the other day until it was mysteriously silenced.
And then there was the tweets got deleted.
And there was a claim made that a former employee— I'm not sure if they were now former or former at the time— claiming that they had used the account and they weren't authorized to tweet those messages.
There was the Badlands National Park Service who started tweeting facts about climate change, which got a lot of attention up on Twitter the other day until it was mysteriously silenced.
And then there was the tweets got deleted.
And there was a claim made that a former employee— I'm not sure if they were now former or former at the time— claiming that they had used the account and they weren't authorized to tweet those messages.
So were these both password jobs?
Well, certainly I would imagine in the case of the New York Times Twitter account issue, then it would have been password reuse or maybe password phishing which took place.
And so enabling something like login verification, some sort of two-step verification, would have better protected that account.
And training staff, of course, to be aware of phishing attacks and things like that. In the case of Badlands, however, it's a little bit more murky.
You have to imagine there was maybe a junior employee who was in charge of the social media account tweeting things that they believed in about climate change, which maybe the new administration in the White House isn't so comfortable with.
And so enabling something like login verification, some sort of two-step verification, would have better protected that account.
And training staff, of course, to be aware of phishing attacks and things like that. In the case of Badlands, however, it's a little bit more murky.
You have to imagine there was maybe a junior employee who was in charge of the social media account tweeting things that they believed in about climate change, which maybe the new administration in the White House isn't so comfortable with.
Are they the former employee or have they kind of gone from the organization and then tweeted or have they actually tweeted and then have to—
We don't know.
The official statement is very ambiguous. They're certainly a former employee now. And my guess is, you know, maybe this is what caused them to become a former employee.
One piece of good news, though, for the Badlands National Park Service is their Twitter follower account has zoomed up.
It was only 7,000 on Monday, and now it's well over 100,000 people are now following that account, following all the furore over it.
But there is some feeling that maybe the White House applied a little bit of pressure.
One piece of good news, though, for the Badlands National Park Service is their Twitter follower account has zoomed up.
It was only 7,000 on Monday, and now it's well over 100,000 people are now following that account, following all the furore over it.
But there is some feeling that maybe the White House applied a little bit of pressure.
Well, if they were truly former employees that did something kind of deliberately, I think one of the good practices is never to share accounts if both—
Ah, but you know what, I bet you a lot of companies do that because they're probably buying one account for a single user if they're a small business and they're sharing it amongst, you know, the maybe 5, 10 employees within the company.
Yeah, I think we even, even at some of my previous work, we actually had administrator accounts that we shared.
We need a password, but it actually doesn't make sense because then you can't really track, you can't audit, you don't know who did what.
Yeah, if we think of the story we talked about, so it's better to have administrator Vanja Švajcer as separate accounts with the same kind of authority to change things.
But at least when something is changed that you know who did it.
We need a password, but it actually doesn't make sense because then you can't really track, you can't audit, you don't know who did what.
Yeah, if we think of the story we talked about, so it's better to have administrator Vanja Švajcer as separate accounts with the same kind of authority to change things.
But at least when something is changed that you know who did it.
And Twitter doesn't really handle this quite as well as it should.
I don't think it's really embraced this sort of the requirement of brands to use Twitter as a communications mechanism and making it easy for multiple staff to update and yet maintain security.
And this, I mean, joking aside, I mean, this is actually quite an important issue.
We have someone now who's in charge of the United States who is an avid Twitter user, but he is not the only one using his Twitter account. There are other people tweeting as well.
You can tell the difference quite easily between the tweets.
And if just one of those people had— were compromised in some way, if their computer was compromised, potentially there is a message which people might find difficult to work out whether it was posted by the Donald or by a hacker.
I don't think it's really embraced this sort of the requirement of brands to use Twitter as a communications mechanism and making it easy for multiple staff to update and yet maintain security.
And this, I mean, joking aside, I mean, this is actually quite an important issue.
We have someone now who's in charge of the United States who is an avid Twitter user, but he is not the only one using his Twitter account. There are other people tweeting as well.
You can tell the difference quite easily between the tweets.
And if just one of those people had— were compromised in some way, if their computer was compromised, potentially there is a message which people might find difficult to work out whether it was posted by the Donald or by a hacker.
Yeah, absolutely. And Twitter should do something about it because it really is a way of, you know, there could be one account and there can be many people behind those accounts.
You know what, I'm going to predict right now that that's going to happen in the next 4 years. I'm just going to lay it out there.
Well, Donald Trump has been Twitter hacked before.
But not since he's been in, you know.
No, no, no, he's been in power now for a few days and he's doing jolly well.
Obviously his password policy is sound.
Moving on. Moving on. Carole, what have you got?
Okay, so do you guys know the term upskirting? Because this was not a term I was familiar with at all. Okay, so this is a data leak story and it involves a porn site.
So it was kind of a test to see where you guys hang out in your off hours. It's a porn site called Candid Board, and it was the story published in the International Business Times.
So basically, this is a subscription-based porn site where people share naughty pics of unsuspecting, quote unquote, women. So women sunbathing, climbing stairs, that sort of thing.
So what's upskirting?
So it was kind of a test to see where you guys hang out in your off hours. It's a porn site called Candid Board, and it was the story published in the International Business Times.
So basically, this is a subscription-based porn site where people share naughty pics of unsuspecting, quote unquote, women. So women sunbathing, climbing stairs, that sort of thing.
So what's upskirting?
Sorry, climbing stairs?
Well, so if a woman is, for example, is wearing a skirt and climbing stairs, you may want to grab it.
Well, clearly you take one of those selfie sticks and you don't use them just to take selfies.
Well, quite.
So you put mirrors on the end of your hobnail boots. That's the other way I've heard it.
You would do something like that, Graham.
When I was researching this story, I think I saw, okay, anyway, so there's been a data breach, right?
So the data breach is the result of an alleged misconfigured database, which was reportedly managed by a US hosting provider called WebAir. That problem apparently now is solved.
The data was taken back in September 2015. Now, 170,000 to 180,000 members, okay, their data was snarfed up and spat out on the internet.
So it was found on the internet and handed over to the International Business Times.
The data stolen, email addresses, usernames, hashed passwords, date of birth, IP addresses, logs showing join date, last post date, reputation, etc.
So, you know, quite a lot of information to show how you've interacted on this site.
So the whole thing about this is the real people that are suffering against this are obviously the members. Really, the members, it's really got it. Remember the Ashley Madison case?
I mean, two suicides, two suicides resulted that I know of after that that I read about.
So the data breach is the result of an alleged misconfigured database, which was reportedly managed by a US hosting provider called WebAir. That problem apparently now is solved.
The data was taken back in September 2015. Now, 170,000 to 180,000 members, okay, their data was snarfed up and spat out on the internet.
So it was found on the internet and handed over to the International Business Times.
The data stolen, email addresses, usernames, hashed passwords, date of birth, IP addresses, logs showing join date, last post date, reputation, etc.
So, you know, quite a lot of information to show how you've interacted on this site.
So the whole thing about this is the real people that are suffering against this are obviously the members. Really, the members, it's really got it. Remember the Ashley Madison case?
I mean, two suicides, two suicides resulted that I know of after that that I read about.
So it's interesting that people are actually using their kind of real, real names and real addresses as well as some people are actually using work email addresses.
Oh my goodness.
Completely weird. And we had kind of a little bit of an investigation at some of my jobs.
Oh, right.
Okay.
Yeah.
Because there was actual government and military email addresses, which is shocking that people would not all, you know, not only use their everyday email address, but their work email address.
I mean, I agree it's crazy not to use basically a burner email address, right, for these sort of sites.
But I wonder whether some people would use a work email address because they're less worried about their bosses finding out that they're members of these sites than their partner.
But I wonder whether some people would use a work email address because they're less worried about their bosses finding out that they're members of these sites than their partner.
Yeah, maybe.
But surely your email at work is name.surname or something along those lines. Yeah.
I mean, it's, did you say 180,000 members were on this? Yeah. And how much do they pay every month for being—
$20 a month. To have their data published online, it seems.
$20? Yeah.
Well, actually, that's a good point. You know what? You're making a good point because we're in the wrong business, guys. You have to provide the right information.
No financial data was stolen, but you probably need to have a, you know, a very legitimate, bona fide email address that you regularly check.
No financial data was stolen, but you probably need to have a, you know, a very legitimate, bona fide email address that you regularly check.
Sorry, the people—
Credit cards.
Sorry, I'm moving away from security for a moment because I'm fascinated by this. They're making millions.
Whoever runs this site, obviously there'll be server charges and things like that. They're making millions every month.
Whoever runs this site, obviously there'll be server charges and things like that. They're making millions every month.
Yeah.
Well, again, we don't know if this is all active members now.
Okay. Okay.
All right.
I don't know that. But still, yeah.
Okay.
You know, doing the math certainly suggests a lot of ka-ching.
My goodness. Just for seeing pictures of women walking upstairs.
So this story about unsuspecting women, is there an unsuspecting man as well? Because it reminds me of a story that you, Graham, had.
Oh, you're not going to, you can't get me to talk about that, Vanja. This is a serious security podcast. And now I'm going to have to talk about it. I know what yours is.
Don't you remember? I'm not sure yet. Many years ago, I was at a rather swanky restaurant in Boston, Massachusetts.
Don't you remember? I'm not sure yet. Many years ago, I was at a rather swanky restaurant in Boston, Massachusetts.
Okay.
And I went to the lavatory, or as it's known in America, the restroom.
Okay.
And I decided to sit down. I won't, you know, that's the kind of guy I am. Sort of metrosexual. So I sat down and I was doing whatever it is that I do.
And American toilet cubicles are disturbing at the best of times because they have no concept of privacy because they have those huge gaps at the bottom, at the top, and at the sides.
It's just what is going on?
Here is a country which is trying to build a massive wall between it and Mexico, and yet it can't actually build proper toilet cubicles which are properly secured.
But anyway, so there I was sitting down doing my business, having a poo, and a camera comes underneath the door pointing at me, a video camera. And this wasn't recently, right?
It wasn't an iPhone. This was a flipping great big old old-school 2002-style camera coming underneath and filming.
And American toilet cubicles are disturbing at the best of times because they have no concept of privacy because they have those huge gaps at the bottom, at the top, and at the sides.
It's just what is going on?
Here is a country which is trying to build a massive wall between it and Mexico, and yet it can't actually build proper toilet cubicles which are properly secured.
But anyway, so there I was sitting down doing my business, having a poo, and a camera comes underneath the door pointing at me, a video camera. And this wasn't recently, right?
It wasn't an iPhone. This was a flipping great big old old-school 2002-style camera coming underneath and filming.
You may want to check out the site. You may be on—
You've been upskirted, Graham.
You've been upskirted. You may be on Candid Board. I haven't actually had a chance to look at Candid Board myself, so I don't know if they actually search.
I don't know if they service men as well as women.
I don't know if they service men as well as women.
I think maybe none of us really want to check this out, but the concern is if there are real government and military email addresses in here, and if they actually verified those email addresses, which of course Ashley Madison didn't bother to do.
But if those are accurate email addresses, there's the potential for blackmail here, isn't there?
But if those are accurate email addresses, there's the potential for blackmail here, isn't there?
And if people use the same passwords. So anyone, you know, this is a good reminder, don't use the same passwords in different places.
And for people that are running infrastructure and databases, especially for, well, all databases really, get a risk assessment, do a pen test, find your vulnerabilities.
And for people that are running infrastructure and databases, especially for, well, all databases really, get a risk assessment, do a pen test, find your vulnerabilities.
It's not they're not making any money.
Smashing Security?
You know, 180,000 members. I use the word with reason and $20 a month. My goodness.
Yeah, 180,000 is a lot. But can you imagine all the other kind of data breaches that happened in the last year or so? All the LinkedIn and Yahoo.
Obviously, you know, there are millions of email addresses and potentially passwords that were leaked.
Obviously, you know, there are millions of email addresses and potentially passwords that were leaked.
So one thing I can advise people, if you are worried that your details may have been leaked in one of these big breaches, there's a great website run by a security researcher called Troy Hunt.
Go to his website, it's haveibeenpwned.com. You can enter your email address and it'll tell you if any of your details have been leaked.
And it's a good reminder to use different passwords in different places. Cool. Boy oh boy. Well, thanks for raising the tone there, Carole Theriault.
Go to his website, it's haveibeenpwned.com. You can enter your email address and it'll tell you if any of your details have been leaked.
And it's a good reminder to use different passwords in different places. Cool. Boy oh boy. Well, thanks for raising the tone there, Carole Theriault.
You can always count on me.
Well, we're heading towards the end of the show, but before that, we do have some feedback on previous episodes.
If you missed the last episode, Episode 4, we chatted about Brian Krebs possibly uncovering the identity of the bad guys behind the Mirai botnet.
We also talked about the Spora ransomware, which was trying to make money in unusual ways, and also discussing how we should be more careful about that guy in the IT department and make sure he isn't the only one who knows the company's passwords.
Thank you to everyone who's been giving us feedback on the social media and in the different places. Fantastic.
Alan Rolfe, for instance, on YouTube said, "Vanja's very secretive about his birthday." Oh yes, we celebrated your birthday last week, didn't we, Vanja?
And he said, "Well, was it last week or was it at the beginning of this week?" Oh well, Alan goes on, "How important is it to keep this sort of data secret for security reasons.
How important is it to keep your birthday a secret?
If you missed the last episode, Episode 4, we chatted about Brian Krebs possibly uncovering the identity of the bad guys behind the Mirai botnet.
We also talked about the Spora ransomware, which was trying to make money in unusual ways, and also discussing how we should be more careful about that guy in the IT department and make sure he isn't the only one who knows the company's passwords.
Thank you to everyone who's been giving us feedback on the social media and in the different places. Fantastic.
Alan Rolfe, for instance, on YouTube said, "Vanja's very secretive about his birthday." Oh yes, we celebrated your birthday last week, didn't we, Vanja?
And he said, "Well, was it last week or was it at the beginning of this week?" Oh well, Alan goes on, "How important is it to keep this sort of data secret for security reasons.
How important is it to keep your birthday a secret?
Well, we often talk about stolen identities and things like that, and date of birth is one of the information that's sometimes being asked by the banks or various institutions to identify yourself.
So I think keeping the date of birth relatively secret, though obviously plus minus, it's very easy to find out now.
Now that we know it's either this week or the week before, there's not that many possibilities.
So I think keeping the date of birth relatively secret, though obviously plus minus, it's very easy to find out now.
Now that we know it's either this week or the week before, there's not that many possibilities.
Yeah.
And everyone knows now that you're 52.
So yeah, exactly. That's the one. So yeah, I mean, it's important to keep it a secret, but you know, healthy paranoia is good, but not too— no, I'm not trying to be too paranoid.
Yeah.
On its own, probably not that damaging, but it is a potential piece of the jigsaw and obviously, if there are sites or services which are verifying you by your date of birth, then that is a matter of public record.
And if someone gets their hands on it, they could potentially abuse it.
On its own, probably not that damaging, but it is a potential piece of the jigsaw and obviously, if there are sites or services which are verifying you by your date of birth, then that is a matter of public record.
And if someone gets their hands on it, they could potentially abuse it.
You've got a great one here. This is from your— is this from your— it says from Graham's dad.
What?
So it says, Graham, I've listened to you and your colleagues whittering on in a seemingly unstructured way.
Oh my goodness.
Still, I gave you the mandatory 5-star review. I had to sign up for an Apple ID to do this. This was rather against my better judgment, as I am not an Apple fan.
No, he's not an Apple fan. It is true to say that I was nagging quite a lot of my family last weekend saying, are you, for goodness sake, are you going to leave a review?
Are you going to rate the podcast or not? Are you even, do you even know what a podcast is?
Are you going to rate the podcast or not? Are you even, do you even know what a podcast is?
I had no trouble. Everyone who I'd show the podcast to loved it and jumped to review it.
You guys are just so much more tech savvy in your families clearly than mine. But yeah, there you are, my good old dad. Thank you, Dad.
And I'm whittering on in a seemingly unstructured way.
And I'm whittering on in a seemingly unstructured way.
He did a great, you know, it was a pretty good review. I loved it.
Yeah.
We have another one as well from Martin Overton, who we know for years.
Yes.
He says, your Twitter name is very apt without the G in it as you're helping to smash in security of products. I love it, guys.
I don't get it. I don't get it.
Smash in security. You smash in security. You smash, you smash, you smash.
Yes, smash.
Smashing security. Smash insecurity.
Sorry, Carole, we're giving you away. That's very good, Martin.
All right then.
Very good. Thank you, Martin, for that. Well, folks, we are now an audio podcast. We did do some video ones.
We've had a little bit of trouble recording the video this week, so we're just going audio only for this occasion.
So if you haven't done so already, make sure that you do subscribe to hear us as an MP3 audio podcast in future.
We're on iTunes and Google Play and Stitcher and TuneIn and Overcast and all good podcast apps and probably quite a few crummy ones as well.
If there's somewhere where you want to see us, let us know and we will make sure that we get into their directory too. But we really do appreciate when people leave a review for us.
It really makes a big difference because more people get to see us. No, they don't get to see us anymore, do they? They get to listen to us. So there you are.
I think I can't improve upon that. Thanks for listening, everybody. If you like the show, tell your friends, follow us on Twitter. We're @SmashingSecurity. Thanks, Martin, on Twitter.
That's Smashing without a G, Security. Until next time. Thanks, Vanja. Thanks, Graham Cluley.
We've had a little bit of trouble recording the video this week, so we're just going audio only for this occasion.
So if you haven't done so already, make sure that you do subscribe to hear us as an MP3 audio podcast in future.
We're on iTunes and Google Play and Stitcher and TuneIn and Overcast and all good podcast apps and probably quite a few crummy ones as well.
If there's somewhere where you want to see us, let us know and we will make sure that we get into their directory too. But we really do appreciate when people leave a review for us.
It really makes a big difference because more people get to see us. No, they don't get to see us anymore, do they? They get to listen to us. So there you are.
I think I can't improve upon that. Thanks for listening, everybody. If you like the show, tell your friends, follow us on Twitter. We're @SmashingSecurity. Thanks, Martin, on Twitter.
That's Smashing without a G, Security. Until next time. Thanks, Vanja. Thanks, Graham Cluley.
Toodle-oo.
And cheerio, everybody.
Thanks, guys. Toodle-oo. Bye.
Bye.
Blurb:
An alleged hacker finds the downside to car rental, a New York Times Twitter account announces Vladimir Putin is planning to launch a missile attack against the United States, and an “upskirt” website leaks its user data.
Oh, and Vanja forces Graham to share an embarrassing privacy-breaching lavatory anecdote.
Show notes:
- Spanish Police Arrest Suspect Behind NeverQuest Banking Trojan
- Vawtrak – International crimeware-as-a-service (PDF)
- Vawtrak version 2 (PDF)
- Twitter hack sees New York Times warn of Russian missile strike against USA
- Badlands National Park deletes tweets on climate change
- Tweet by journalist Claudia Koerner, quoting Badlands National Park Service
- ‘Upskirt’ porn website hit with massive data leak exposing 180,000 voyeurs
- HaveIBeenPwned
Hope you enjoy the show, and tell us what you think! You can follow the Smashing Security team on Bluesky.
Oh, and if you’re wondering what happened to the Smashing Security video… click here.
Great podcast! I prefer audio over video as I can rest my eyes.
What software/software are you using to create this Graham? The audio is many, many times superior compared to the first couple of videos and is extremely easy to listen to :)
Talking about Google and vulnerability disclosures, Chrome has now been updated to 56.0.2924.76 and has some very important security fixes.
https://chromereleases.googleblog.com
Thanks Bob. In previous podcasts we were recording it as a Google Hangout (which gives us a video version) and then ripping the audio out of that. Google Hangouts – understandably – doesn't give a lot of priority to audio.
For this episode we dumped Google Hangouts entirely (which I realise may have upset some people, as we didn't make a video version) and recorded the audio using Cast ( https://tryca.st/ )
Cast captures the audio locally on each remote participant's computer (Carole and I are at different locations in Oxford, and Vanja is in Croatia) and then munges them all together at the end. It's possible to do the job of Cast with other tools, but it takes some of the donkey work out of the process and reduces the chances of cockup.
Once Cast have given us a decent recording we do a little editing in GarageBand and Bob's your uncle.
It's still not perfect, and we could have tweaked more with the levels and there's some background traffic noise coming from outside where Vanja records. But I think it's a big improvement.
And thanks for reminding everyone about the new version of Chrome. Good to see them making this change (I believe Firefox has done something similar), and that users will be updated pretty much automatically)