The Lazarus malware attempts to trick you into believing it was written by Russians, second-hand connected cars may be easier to steal, and is your child a malicious hacker?
All this and more is discussed by cybersecurity veterans Graham Cluley, Vanja Svajcer and Carole Theriault.
Oh, and Carole makes Graham and Vanja apologise for their past mistakes.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Oh, I've got one. I've got one.
Okay.
Where's a baseball cap?
Where's a baseball cap?
Sideways.
Oh God.
Clear sign of a hacker. Smashing Security, episode 009, False Flags and Hacker Clues, with Carole Theriault, Vanja Švajcer, and Graham Cluley.
Hello everybody, and welcome to another episode of Smashing Security, episode 9 for Thursday's 23rd of February, 2017.
My name's Graham Cluley, and I'm joined by my buddies as usual. It's Carole Theriault and Vanja Švajcer. Hi, guys.
Hello everybody, and welcome to another episode of Smashing Security, episode 9 for Thursday's 23rd of February, 2017.
My name's Graham Cluley, and I'm joined by my buddies as usual. It's Carole Theriault and Vanja Švajcer. Hi, guys.
Bonjour, les amis.
Hi, Graham and Carole.
Well, have you all been having a good week since our last regular episode?
I spent most of my week in IKEA.
Vanja, you need to be careful because I've heard Sweden is a fairly dangerous place.
Oh, don't.
Oh, is it?
According to a very reliable source. It's not something I read in the mainstream media, let me tell you. No, I went above that.
Clearly you don't hear that in mainstream media.
You went to the source.
I went to a reliable source and found out Sweden very dangerous. So you've got to be careful with those IKEA trips. All right.
As usual, we are each going to tackle a topic, something which has caught our imagination or we were interested in this week in the world of computer security.
And I'm going to ask you this, guys, do you like James Bond movies?
As usual, we are each going to tackle a topic, something which has caught our imagination or we were interested in this week in the world of computer security.
And I'm going to ask you this, guys, do you like James Bond movies?
Yes.
All right? Yeah, they're all right, aren't they. Do you remember You Only Live Twice?
Mm.
With Sean Connery? And it's the one where he becomes a Japanese fisherman.
Ah.
Do you remember that film?
Yes, I remember that.
If you remember Blofeld, who's the baddie, the bald baddie, right? He's—
The guy with a cat.
He's got a cat, he's got a scar, you know, he's got it all going on. He's got a little—
Swivel chair.
Yep, Nehru jacket. You know, he's Dr. Evil, basically. It's surprising, actually, not Wayne's World, what's it called? I can't remember.
Wow, you are digressing here.
The British thingy.
The British thing, which I've forgotten the name of. Austin Powers. Exactly. Okay.
It's amazing that Austin Powers haven't sued the James Bond franchise for ripping them off with You Only Live Twice. Hard to believe that they did that.
It's amazing that Austin Powers haven't sued the James Bond franchise for ripping them off with You Only Live Twice. Hard to believe that they did that.
Yeah, yeah.
Anyway, there's this great bit in the movie where there's an American spacecraft in orbit and it gets destroyed, or so it appears. It disappears off the radar.
And then the Soviets, as it was back then, they send up a spaceship as well, and that gets destroyed.
And so the Americans are blaming the Soviets, the Soviets are blaming the Americans.
In reality, it is Blofeld who's got this great big spaceship in orbit which is gobbling up other people's spaceships and taking them hostage, right?
And then the Soviets, as it was back then, they send up a spaceship as well, and that gets destroyed.
And so the Americans are blaming the Soviets, the Soviets are blaming the Americans.
In reality, it is Blofeld who's got this great big spaceship in orbit which is gobbling up other people's spaceships and taking them hostage, right?
Yeah, yeah.
In order to create a huge war.
Yeah.
Now you might be asking, what's this got to do with computer security? Well, it's all about false flags.
It's all about pointing people in the wrong direction in order to divert their attention from what is really going on and maybe to cause a problem somewhere else.
And there is a hacking group called the Lazarus Group and they've been linked to a number of hacking activities.
It's all about pointing people in the wrong direction in order to divert their attention from what is really going on and maybe to cause a problem somewhere else.
And there is a hacking group called the Lazarus Group and they've been linked to a number of hacking activities.
They've been around for years.
Well, they've been up to some mischief.
Yeah, a few years.
Yeah, a few years. So they've been linked to the theft of $81 million from a central bank in Bangladesh last year.
There've been attacks where it appears they've been abusing the SWIFT network system in order to manipulate computers and steal money from banks.
Maybe they've stolen as much as $950 million.
And some people have even linked them possibly to the attack against Sony Pictures, which of course was huge news a few years ago when that happened.
Well, they've been in the news again recently because there've been a number of malware attacks against banks in Poland and other places around.
And the guys at BAE Systems, the researchers there have been looking at some of the malware that's being used and they've come to an interesting conclusion.
They think this malware is actually pretending to come from Russia.
They think what's happening is messages have been put in the malware to make it appear at first glance to the typical Western computer security researcher, oh, this must have been written by a Russian speaker.
There've been attacks where it appears they've been abusing the SWIFT network system in order to manipulate computers and steal money from banks.
Maybe they've stolen as much as $950 million.
And some people have even linked them possibly to the attack against Sony Pictures, which of course was huge news a few years ago when that happened.
Well, they've been in the news again recently because there've been a number of malware attacks against banks in Poland and other places around.
And the guys at BAE Systems, the researchers there have been looking at some of the malware that's being used and they've come to an interesting conclusion.
They think this malware is actually pretending to come from Russia.
They think what's happening is messages have been put in the malware to make it appear at first glance to the typical Western computer security researcher, oh, this must have been written by a Russian speaker.
Yeah, which makes sense. Poland and Polish banks, who else would attack them? Russians, the usual suspects.
You know, things have changed in a decade. You remember the Love Bug? The guy, I think, actually put in his CV, didn't he?
Yeah, that was Michael Buen, a friend of the guy who wrote the Love Bug.
That's right. That's right. So, and now we have people actually trying to misguide and almost try and give people fake routes to go down.
Which makes sense. They try to deceive you, so they try to throw you off the track of trying to attribute who this malware, piece of malware, or whatever attack belongs to.
Or it's a double bluff, right?
Yes.
It's a double bluff. That's much more interesting.
Those crafty Russians.
Absolutely.
Yeah.
So imagine you've got a Russian guy who gets this thing translated in English, puts it into Google Translate, so get a weird-sounding Russian and puts it back into the code.
Boom.
Well, you're right. We don't know.
We don't know.
We don't know who's really written this thing, right?
Even if it was found that it was sending information back to Russian servers, it doesn't necessarily mean that those servers aren't under the control of someone in Belgium or North Korea or wherever.
Even if it was found that it was sending information back to Russian servers, it doesn't necessarily mean that those servers aren't under the control of someone in Belgium or North Korea or wherever.
But it's still a really interesting finding from BAE though. I think that's quite— I love that people still do actual research and go really in-depth in these things.
Oh yeah. And it does look as though the attempt to throw people off the scent— let's imagine, for instance, that it's not the Russians doing a double bluff.
It looks like it was a fairly amateur attempt because it looks like they were using online translation services to find some Russian words which were put in maybe in the wrong tense or whatever, with some elementary mistakes which native Russian speakers would say, "That's not right." Although they'd probably say it in a sort of deep Russian-style accent.
If only we had an Eastern European here who could do a convincing—
It looks like it was a fairly amateur attempt because it looks like they were using online translation services to find some Russian words which were put in maybe in the wrong tense or whatever, with some elementary mistakes which native Russian speakers would say, "That's not right." Although they'd probably say it in a sort of deep Russian-style accent.
If only we had an Eastern European here who could do a convincing—
It seems like actually being a linguistic expert these days is also one of those things that are required if you are a security researcher looking at the malware pieces.
So one of the theories I mentioned earlier that this Lazarus Group, they have been tied to the Sony Pictures hack.
And of course, it was widely reported that North Korea might have been behind the Sony Pictures hack. I don't know if that's true or not.
You then begin to speculate if it is North Korea who's attacking all these banks, which has stolen or attempted to steal something like $950 million from banks.
That's kind of a big story, isn't it? I wonder, is it plausible that North Korea might want some foreign currency?
And of course, it was widely reported that North Korea might have been behind the Sony Pictures hack. I don't know if that's true or not.
You then begin to speculate if it is North Korea who's attacking all these banks, which has stolen or attempted to steal something like $950 million from banks.
That's kind of a big story, isn't it? I wonder, is it plausible that North Korea might want some foreign currency?
Are they running out of money for their nuclear experiments?
Who knows? Hard to say for certain, but it's interesting.
And I think the one takeaway we can take away from this is that it's very difficult to reliably attribute an attack to anybody.
In the current climate, there's lots of accusations being made about Russian hacking, of course, against America.
We shouldn't— and I'm sure there is Russian hacking going on left, right, and center.
And I think the one takeaway we can take away from this is that it's very difficult to reliably attribute an attack to anybody.
In the current climate, there's lots of accusations being made about Russian hacking, of course, against America.
We shouldn't— and I'm sure there is Russian hacking going on left, right, and center.
But there's also hacking from US and other countries around the world. Exactly.
Yes.
Well, that's rarely mentioned. Yes. But everybody's hacking, essentially.
Everybody is hacking. And it can be very, very difficult to work out who is hacking who.
Or in other words, hackers live everywhere. Yeah. You know, hackers are not just based in one country.
It's just some people call it hackers or attackers, and some people are defending, but they're defending in an offensive way.
Yeah. Offensive defense.
Yeah.
All right. Okay. Well, let's move on. Vanja, what have you got for us?
Well, I found this topic for this week, which is pretty relevant to me because I recently bought a car. I bought a used car. Pretty new still.
So I noticed that this week, well, as a part of the RSA conference, one of the researchers of IBM X-Force, his name is Charles Henderson, and he presented work, he did a similar thing.
He bought a car and as you probably know, a lot of these new cars are so-called connected cars. They are part of the Internet of Things.
And it seems that with the car, you can get all sorts of additional features, such as a smartphone app where you can actually connect to your car.
And you can look at the status of the engine. You can see some of the systems.
Among other things, if you lose your car on the parking lot, you can honk the horn so you can see where your car is. But you can also lock and unlock the car using the phone.
But Charles discovered that when he sold his car, as a security researcher, he essentially reset all the stuff.
So I noticed that this week, well, as a part of the RSA conference, one of the researchers of IBM X-Force, his name is Charles Henderson, and he presented work, he did a similar thing.
He bought a car and as you probably know, a lot of these new cars are so-called connected cars. They are part of the Internet of Things.
And it seems that with the car, you can get all sorts of additional features, such as a smartphone app where you can actually connect to your car.
And you can look at the status of the engine. You can see some of the systems.
Among other things, if you lose your car on the parking lot, you can honk the horn so you can see where your car is. But you can also lock and unlock the car using the phone.
But Charles discovered that when he sold his car, as a security researcher, he essentially reset all the stuff.
Disconnected himself, tried to disconnect himself from the car.
Sensible fellow. If only everybody did that.
Exactly. Of course, as you would, as you would.
Yes.
It turns out that his app on the phone was still connected with the car. So there was no way for him to remove himself as a previous owner from his car.
So it turns out he could still connect to the car and he could still unlock the car regardless of the new owner.
So it turns out he could still connect to the car and he could still unlock the car regardless of the new owner.
See, that's really interesting because I was just talking to someone about this today, that if you have apps, for example, on your phone, you know, so an app you don't need anymore, perhaps this app you're talking about, and you delete that app, that doesn't necessarily mean the account that you have on that app is deleted.
Absolutely.
Right.
Often when you reinstall the app, the app just—
Remembers you.
Yeah, pulls all the data for you. And this is the similar thing. There was a central repository, the manufacturer database, which connected the phone or the app with the car.
They were paired. But it seems that there was no way for the owner either the new or the old owner to reset that value.
So the only way to do it was through a registered kind of dealers through a garage, a dealer who had the ability to do it.
But imagine the dealer, what if you send it to sell your car to a private owner, privately, and then how would the next guy know that your old phone of the previous owner is still connected to the dealer?
They were paired. But it seems that there was no way for the owner either the new or the old owner to reset that value.
So the only way to do it was through a registered kind of dealers through a garage, a dealer who had the ability to do it.
But imagine the dealer, what if you send it to sell your car to a private owner, privately, and then how would the next guy know that your old phone of the previous owner is still connected to the dealer?
Right. So the new owner doesn't realize that the old owner can still track that car, find out where it is.
They could even unlock it using the app, and they could potentially steal it or steal something from inside the car.
They could even unlock it using the app, and they could potentially steal it or steal something from inside the car.
Or worse, or worse, change the seat settings. You know, that's annoying. Change the mirror.
Aha. The worst possible thing that could happen. Ah, the mirror has changed.
It's funny that you say that, Carole, because of course you have a very tall partner.
So, his seat settings are particularly uncomfortable in my experience when I've got in the car after he's been in it.
So, his seat settings are particularly uncomfortable in my experience when I've got in the car after he's been in it.
So the question is what can we do? You know, there's an obvious problem. The new cars are coming. The older cars, the used cars, the secondhand cars will become older and older.
And it's not the fact that he discovered this connection between the app and the car still exists.
But the fact is that the older cars will have similar issues and that manufacturers would unlikely be— they wouldn't be motivated to do that because they're driven by the sales of the new cars, not by the sales of used cars.
And it's not the fact that he discovered this connection between the app and the car still exists.
But the fact is that the older cars will have similar issues and that manufacturers would unlikely be— they wouldn't be motivated to do that because they're driven by the sales of the new cars, not by the sales of used cars.
Because I don't know about— I don't know anything about cars, right?
If I was on an episode of Crimewatch, if I was on a show where they were asking me to be a witness to a crime and report what kind of car the villain was driving off in, I'd be able to tell them the colour of the car, maybe, if it wasn't too dark.
If I was on an episode of Crimewatch, if I was on a show where they were asking me to be a witness to a crime and report what kind of car the villain was driving off in, I'd be able to tell them the colour of the car, maybe, if it wasn't too dark.
You've got very small eyes, Graham. I'm not even sure you could get that.
It's bloody rude. And I'd also be able to tell them the number of wheels on the car, right? I wouldn't be able to tell them the make of the car or something.
So when I choose a car, I know nothing about engine performance and things, but I'd say, oh, well, the seat is quite comfortable and the radio's nice, you know, and oh, I can plug in my phone or something.
It's these bells and whistles which actually matter to me.
And I'm sure many people will be more swayed these days by the sat nav and all the gadgetry and maybe the cameras on the corners of the car and things which help you park and stuff, rather than other elements of the car.
And the manufacturers know this, so they're all desperate to integrate this kind of technology or have an app for their car.
So when I choose a car, I know nothing about engine performance and things, but I'd say, oh, well, the seat is quite comfortable and the radio's nice, you know, and oh, I can plug in my phone or something.
It's these bells and whistles which actually matter to me.
And I'm sure many people will be more swayed these days by the sat nav and all the gadgetry and maybe the cameras on the corners of the car and things which help you park and stuff, rather than other elements of the car.
And the manufacturers know this, so they're all desperate to integrate this kind of technology or have an app for their car.
Yeah, that's the thing. The people are asking, is your car connected? Can I connect to internet? What does it do with an app or whatever? And in fact, I'm completely opposite of you.
For me, it's mostly, you know, the engine, if I see something super modern, I go, uh, that's going to be so old in two years' time.
For me, it's mostly, you know, the engine, if I see something super modern, I go, uh, that's going to be so old in two years' time.
I'd like to make a prediction. I'd like to make a prediction that it's going to— the same thing's going to happen.
We've just seen that the Nokia is releasing its 3310 again due to high demand for a kind of safe phone, you know?
So maybe we need the same thing here, is we're going to be in demand for a car that gets you from A to B without all the smart gizmos. It'll just be back to basics, the KISS rule.
We've just seen that the Nokia is releasing its 3310 again due to high demand for a kind of safe phone, you know?
So maybe we need the same thing here, is we're going to be in demand for a car that gets you from A to B without all the smart gizmos. It'll just be back to basics, the KISS rule.
Well, I'm sure that will appeal to some people, but there'll be other people. I mean, my car, so I've just sold my old car. You know Audrey, right?
Yes. Pre-family car.
A kind of pre-family car. And I finally, rather belatedly, got round to actually selling it. So it's now gone.
It's out the window. Lovely metrosexual car.
I'm sorry. Yeah, lovely metrosexual car. It's very masculine. And it's now out of my life.
Hairdresser car. Hairdresser.
It's not a hairdresser car. Anyway, it's out of my life now. And that, of course, was a car which didn't have all of these gizmos.
My regular car, which I use for work, does have an app which I can put on my smartphone. And I can, I believe, even run Twitter and Facebook on my car.
Now, I've never wanted to because, ugh, exactly.
My regular car, which I use for work, does have an app which I can put on my smartphone. And I can, I believe, even run Twitter and Facebook on my car.
Now, I've never wanted to because, ugh, exactly.
Now, your car, though, you've driven me places before in your car, and it is the most annoying car in the world.
The amount of information it tells you, you can't do anything without it blinking and beeping at you and being smart. Smart for you.
The amount of information it tells you, you can't do anything without it blinking and beeping at you and being smart. Smart for you.
I think the best simple features is that it can actually show what's on the screen.
You can mirror your screen of your phone, so you can actually use any of the apps you have on the phone. So you're not necessarily connected with the tech in the car.
It can't go easily out of date. You simply have a screen.
You can mirror your screen of your phone, so you can actually use any of the apps you have on the phone. So you're not necessarily connected with the tech in the car.
It can't go easily out of date. You simply have a screen.
Yeah, I think that's a sensible idea. I'm glad that my phone can't remotely unlock my car, that it can't do a geographical lookup to find out where I parked it.
Those sort of things would worry me because I'd worry about the app security as well as the car security as well.
This story that you've just shared with us, Vanja, as well, and we'll put some links in the show notes, that worries me too.
And I think there are too many manufacturers who are rushing to integrate this kind of technology and aren't thinking properly of the security considerations.
'Cause like you said, sounds like even if you were to trade it into a regular dealer, they may well not actually disconnect your account from the car, which is a risk to the next person.
Those sort of things would worry me because I'd worry about the app security as well as the car security as well.
This story that you've just shared with us, Vanja, as well, and we'll put some links in the show notes, that worries me too.
And I think there are too many manufacturers who are rushing to integrate this kind of technology and aren't thinking properly of the security considerations.
'Cause like you said, sounds like even if you were to trade it into a regular dealer, they may well not actually disconnect your account from the car, which is a risk to the next person.
Well, yeah, knowing your regular dealers, you know, would they actually spend time doing that because it doesn't bring them any money.
You know what? It'd be really good to hear from people who work within cybersecurity in the car industry to tell us about how they're dealing with this problem.
Yeah, I think a reasonable thing would be similar to iCloud with iPhones.
You can actually reset the phone through the iCloud, make sure that nothing that you owned was now part of the car. So that app is not connected.
It should be possible for the new owner to reset all the previous owners.
You can actually reset the phone through the iCloud, make sure that nothing that you owned was now part of the car. So that app is not connected.
It should be possible for the new owner to reset all the previous owners.
Mm.
Yeah. Sensible advice. Okay. Carole, what have you got for us?
Okay. Topic 3. So I wanted to talk about this thing I saw, which I found a little bit shocking, and I wanted to see what you guys thought.
So this is about a Liverpool group called YouthFed, and they've created a program called Hackers to Heroes.
So the mission of this program is to encourage kids into computer, that are into computers, into lucrative careers in cybersecurity rather than to cybercrime. Okay, so good enough.
I think that's great.
Now, as part of the project, they've included this list of 16 hacker indicators with the idea of helping parents recognize the signs of, this, my son or my daughter's a hacker early in the process.
Now, I took a look at this list and I was like, how the heck could you say that? I was a little bit— So, and then I thought, actually, why don't we play a little game, right?
So you two dudes were into computers in your teens, in your young teens. So why don't we imagine you guys are 15 today, right? Don't do the broken voices, please. That will be good.
But, and I'm going to read out a few of these, right? And I'd like to see if you guys would say, yep, that was me, you know?
So this is about a Liverpool group called YouthFed, and they've created a program called Hackers to Heroes.
So the mission of this program is to encourage kids into computer, that are into computers, into lucrative careers in cybersecurity rather than to cybercrime. Okay, so good enough.
I think that's great.
Now, as part of the project, they've included this list of 16 hacker indicators with the idea of helping parents recognize the signs of, this, my son or my daughter's a hacker early in the process.
Now, I took a look at this list and I was like, how the heck could you say that? I was a little bit— So, and then I thought, actually, why don't we play a little game, right?
So you two dudes were into computers in your teens, in your young teens. So why don't we imagine you guys are 15 today, right? Don't do the broken voices, please. That will be good.
But, and I'm going to read out a few of these, right? And I'd like to see if you guys would say, yep, that was me, you know?
I'll have to play devil's advocate here. And I have to kind of ask, why is it bad for kids to be hackers as long as they are kind of not doing anything too much illegal?
Well, that is a very, very good question because I think a lot of people learn about how to become a, you know, a white hacker or being able to do things like penetration testing.
Through that kind of learning, right?
Through that kind of learning, right?
Absolutely, vulnerability research, it's all very important.
But we can also see that there's obviously a cost-benefit analysis.
It's okay if they kind of look around, but they can also, we've seen a lot of kids do a lot of horrible things and they didn't realize that was gonna happen, right?
If they've released viruses, for example, you know, that make mass mailers and stuff.
It's okay if they kind of look around, but they can also, we've seen a lot of kids do a lot of horrible things and they didn't realize that was gonna happen, right?
If they've released viruses, for example, you know, that make mass mailers and stuff.
Yep.
Okay, so on with the little game here. So, okay, so there's 16 of them. I'll just name, I'll read out a few.
So exciting, so exciting.
Okay, you ready? Okay, so they spend most of their time— Did you spend most of your free time alone on a computer?
Hmm. Hmm.
Ooh, big indi— I think that's a yes on both of your sides.
Yeah, probably. Yeah.
Yeah. Okay.
TRS-80.
Very likely.
Yeah.
Okay.
They have few real friends, but talk extensively to online friends about computers.
Well, the first half is still true. Few friends.
They're both here. They're both here.
I mean, speaking online, well, we're doing that right now.
I'm an introvert and I rarely talk, as you know.
Yeah. Yeah.
Okay. And then they have multiple social media profiles and email addresses. I mean, who doesn't?
Everybody has that.
Right?
Yes. Yes, of course.
And they're online so much that it affects their sleeping habits.
I mean, if they are gamers, if they're gamers, if they're looking at, God forbid, kids be looking at porn at that age.
I mean, if they are gamers, if they're gamers, if they're looking at, God forbid, kids be looking at porn at that age.
Oh my word.
Well, oh goodness me, you'd be looking, you'd be trying to figure out how the other sex works.
Are you saying at 15 we would look at porn? Surely not. Oh, we would just play games. Doom or Wolfenstein 3D.
I was too innocent. I'll tell you a story sometime about when I was 15. Yeah, I wasn't looking at porn.
I think you carried a briefcase at 15, if I remember correctly.
Is that sharing too much?
That's for a different episode.
Yeah.
Okay.
So you can see by these now, there's another one which says that there's circumstantial evidence that suggests that children with autism and Asperger's could be more vulnerable to becoming hackers.
So all—
So you can see by these now, there's another one which says that there's circumstantial evidence that suggests that children with autism and Asperger's could be more vulnerable to becoming hackers.
So all—
We can't answer that one.
No, I know. I just think all these examples I've just given you, I think are signs that someone's into computing, really.
I don't think any of these are suggestive of someone going down a hacker route.
I don't think any of these are suggestive of someone going down a hacker route.
It just means IT enthusiast, really, isn't it?
Right. Right. And so—
But are they all the ones, or are some of the ones that you think they're actually pretty good indicators?
Eats a lot of pizza.
Yeah, that's right. Okay, no, I do. Yes. Yeah. So I did separate the list. So you're right, Vanja. So here are the other ones.
So there's, you know, they use the language of hacking, such as DDoS, doxing, bots, botnets, cracking hash. Okay. That's interesting.
So there's, you know, they use the language of hacking, such as DDoS, doxing, bots, botnets, cracking hash. Okay. That's interesting.
Oh, I've got one. I've got one.
Okay.
Wears a baseball cap.
Wears a baseball cap?
Sideways.
Oh my God.
Clear sign of a hacker, if you ask me.
Uses the word such as 'he was pawned'.
Oh, yes. Yeah, yeah. Uses leet speak, man.
Yeah.
Now, there is some interesting ones here. What do you think about if they have a web browser called Tor?
Oh.
The Onion Router. So they're using the Onion Router.
Do you think that's— Wait a second. That's not bad at all.
Right? It's just about privacy.
Absolutely.
Yeah.
They just want to keep their porn habit private.
Yeah.
And if they can connect to the Wi-Fi of nearby houses. Well, I was just thinking, well, if they don't have good security, it'd be pretty easy.
But anyway, so there are some good ones here. There's some not good.
I think what worried me about this list is if you are not in the industry and you read this list, you went, oh, my son or my daughter's in a room all the time.
She's always on the computer. She's always playing games or, you know, she must be a hacker.
But anyway, so there are some good ones here. There's some not good.
I think what worried me about this list is if you are not in the industry and you read this list, you went, oh, my son or my daughter's in a room all the time.
She's always on the computer. She's always playing games or, you know, she must be a hacker.
But it's true that some parents are actually kind of teaching their kids or making sure that their kids don't spend more than a certain amount of time with their computers or their phones.
Yeah, yeah, absolutely. It's a big problem, you know, excessive screen time. But there is a danger that people will panic and think, oh my goodness, my son's a hacker.
He's going to end up on the front page of the tabloids and be arrested at any point.
He's going to end up on the front page of the tabloids and be arrested at any point.
Well, he's just an everyday internet addict.
Yeah, well, exactly. But you can imagine a similar list being shared with parents of, is your child secretly taking drugs or something? These are the warning signs.
And unless you're into IT and technology, you may misidentify these signs. Assume your children are malicious hackers when they're not cybercriminals.
And unless you're into IT and technology, you may misidentify these signs. Assume your children are malicious hackers when they're not cybercriminals.
Imagine the chasm that you're going to create in that, you know, the intervention meeting you're going to have, you know, where you're basically accusing your kid of doing this, right?
So I think proceed carefully and make sure if you have suspicions, it's fine to go look into it. But I think, you know, don't follow this list blindly.
I find it a little bit irresponsible to have published all these things. I don't know. It doesn't seem right to me at all.
And as one commenter on The Register, where the article was covered, said, "The most competent white hats were black hats first."
So I think proceed carefully and make sure if you have suspicions, it's fine to go look into it. But I think, you know, don't follow this list blindly.
I find it a little bit irresponsible to have published all these things. I don't know. It doesn't seem right to me at all.
And as one commenter on The Register, where the article was covered, said, "The most competent white hats were black hats first."
We should talk sometime about the naughty things that we did before we joined the computer security industry.
I'll happily listen to your stories, Graham.
I never did anything wrong.
Yeah, Vanja's an angel. I don't reveal anything.
I did nothing as well. It's going to be a short episode, isn't it?
All right. Now we have a new section, don't we, coming right now?
Oh, we do.
Graham and Vanja. Graham and Vanja.
Are we really going to do this?
Yep. And I'm going to be smug during it.
If we have to.
Ladies and gentlemen, thank you for coming today for the section of the podcast which we call Sorry, We Cocked Up. I think it's important for us to apologise if we make mistakes.
And I need to apologise because in—
And I need to apologise because in—
God, the grandstanding. Just get on with it.
Hang on. Please, this is awkward. In episode 8, I said you couldn't remove your tag when your friends on Facebook tag you in a photo. Turns out you can.
Back in the day, people were tagging me in photographs and I hid them from my timeline and so they wouldn't appear there.
And on deeper investigation prompted by one of our listeners, I looked into it again and I can now at least remove my tag, although you have to temporarily put it back on your timeline in order to remove the tag and then completely eradicate it.
Of course, it doesn't delete the photo. Your friend has still uploaded it, but at least you're no longer tagged.
And wouldn't it be a better world— this is me not really saying sorry— wouldn't it be a better world if Facebook actually requested your permission before someone could tag you in something?
That would be the right way to do it. But regardless of that, I gave out erroneous information, so sorry about that. That's sorry from Graham.
Back in the day, people were tagging me in photographs and I hid them from my timeline and so they wouldn't appear there.
And on deeper investigation prompted by one of our listeners, I looked into it again and I can now at least remove my tag, although you have to temporarily put it back on your timeline in order to remove the tag and then completely eradicate it.
Of course, it doesn't delete the photo. Your friend has still uploaded it, but at least you're no longer tagged.
And wouldn't it be a better world— this is me not really saying sorry— wouldn't it be a better world if Facebook actually requested your permission before someone could tag you in something?
That would be the right way to do it. But regardless of that, I gave out erroneous information, so sorry about that. That's sorry from Graham.
One-minute-long apology.
Well, I stand corrected for, and I need to apologise for suggesting that Code Red was an SQL worm while it was Internet Information Services worm, and I mixed it up with SQL Slammer, which was the worm that affected SQL.
Nevertheless, it was the similar way how they operated. That was a memory-only, no file. So the example I guess still works, but I do apologise.
Nevertheless, it was the similar way how they operated. That was a memory-only, no file. So the example I guess still works, but I do apologise.
Vanja, that sounded a little bit like a sorry but.
Yeah, PR apology.
That wasn't a real apology because it was like, nevertheless, no, no, it was more or less accurate.
And let's be honest, he didn't suggest it. He said it, right?
That was an alternative explanation.
Oh my goodness.
Alternative apology.
Just say sorry.
I'm sorry. I have absolutely nothing to apologise for this week. So there you go.
Yay me.
Well done, Carole.
Well done, Carole. Well, that just about wraps it up for this week. Don't forget that we're on iTunes and available on other podcast apps as well. So go and check us out there.
Subscribe if you like, and maybe even leave a review. We'd really appreciate it. It does mean a lot to us.
So check us out on Twitter as well, where we are hanging out at @smashingsecurity, where you can leave a message, tell your friends, and all that remains is for me, on behalf of myself, Carole Theriault, and Vanja Švajcer to say cheerio.
Bye-bye.
Subscribe if you like, and maybe even leave a review. We'd really appreciate it. It does mean a lot to us.
So check us out on Twitter as well, where we are hanging out at @smashingsecurity, where you can leave a message, tell your friends, and all that remains is for me, on behalf of myself, Carole Theriault, and Vanja Švajcer to say cheerio.
Bye-bye.
Bye. Bye.
Show notes:
- You Only Live Twice – space capsule scene
- Lazarus’s false flag malware
- Hackers behind bank attack campaign use Russian as decoy
- It’s too easy to steal a second-hand connected car
- Nissan Figaro
- Is your child a hacker? Liverpudlian parents get warning signs checklist
- How do I remove a tag from a Facebook photo or post I’m tagged in?
- Code Red IIS worm
Hope you enjoy the show, and tell us what you think. You can follow the Smashing Security team on Bluesky.
Remember: Subscribe on iTunes to catch all of the episodes as they go live and thanks for listening!
Did I ever tell you abuot the time, when I was working for IWS, and we'd just taken delivery of a new HP 3000, about two months later I managed to get it to print out every single password of everyone on the system? I left the printout on the desk of the IT manager at the time for him to find the next morning, and the resulting kerfuffle was most satisfying.