Smashing Security podcast #010: The dolls must be destroyed

Three security industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security #010: Destroy all the dolls

A creepy teddybear leaks two million voicemail messages, Windows 10 pushes you into only installing vetted apps, and Boeing warns 36,000 employees their personal information could have been exposed after a worker sends a spreadsheet to his wife.

All this and more is discussed by cybersecurity veterans Graham Cluley, Vanja Svajcer and Carole Theriault.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Hey, Crowd.
CAROLE THERIAULT
Why are you talking like that?
GRAHAM CLULEY
Because the network is so slow.
CAROLE THERIAULT
Is that an IT joke?
GRAHAM CLULEY
You know, it's pretty irritating, isn't it?
CAROLE THERIAULT
Yes, you are.
GRAHAM CLULEY
No, I mean, it's irritating when the network's slow. And the thing is, it's not always actually the network's fault.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Because it could be someone is hogging the bandwidth, or it could be that some kind of security breach is happening.
CAROLE THERIAULT
Right. Okay.
GRAHAM CLULEY
And data is being exfiltrated out of your organization.
CAROLE THERIAULT
What people need is actual visibility, isn't it? You need to be able to see all this, you know, monitor it all and be able to see it happening.
GRAHAM CLULEY
Well, yeah, but isn't that going to cost you a lot of money? Aren't you going to have to get some specialist hardware and—
CAROLE THERIAULT
No, no, no. Our friends at NetFort actually offer this great product called LanGuardian.

It's unique in its deep packet inspection technology, which can be downloaded and deployed on standard physical or virtual hardware, providing complete, comprehensive visibility in minutes.
GRAHAM CLULEY
Oh, that sounds pretty neat. So you can find out what's really happening on your network.
CAROLE THERIAULT
Yes, in minutes. Plus, they are offering Smashing Security listeners a whopping, get this, 20% off any purchase.
GRAHAM CLULEY
Sorry, 20%?
CAROLE THERIAULT
Yes, 20%.
GRAHAM CLULEY
Two zero?
CAROLE THERIAULT
Two zero. A fifth! It's a lot.
GRAHAM CLULEY
It is a lot of money. And all people have to do is mention this podcast by name.
CAROLE THERIAULT
That's right. So listeners, go to netfort.com and check it out for yourself. There's a free demo, there's a trial, and they are lovely people.

I actually know them and they are great guys.
Unknown
You know what? They are lovely because they're actually sponsoring Smashing Security this week. So high five to them and on with the show. Smashing Security.

Episode 10: The Dolls Must Be Destroyed. With Carole Theriault, Vanja Švajcer, and Graham Cluley.

Hello and welcome to another episode of Smashing Security, Episode 10 for Thursday, the 2nd of March, 2017. And it's a special transatlantic edition.

Yes, we are really pushing things to the limit today because it's the first time, I think, actually, that we've all been in different countries, haven't we?
CAROLE THERIAULT
Yes.
VANJA ŠVAJCER
Yep.
CAROLE THERIAULT
I'm currently in Canada. I'm currently in Canada visiting the family.
GRAHAM CLULEY
Lovely.
VANJA ŠVAJCER
I'm currently in Croutonland.
GRAHAM CLULEY
The mysterious land of Croatia. And I'm in boring old Blighty today.

And well, since we last issued a regular episode of Smashing Security, there have been some big stories which unfortunately didn't quite fit into our recording schedule, so we didn't cover them.
VANJA ŠVAJCER
Yeah, which we obviously deliberately missed.
GRAHAM CLULEY
So in cryptography news, we had the first SHA-1 hash collision, and we had all that fuss about Cloudbleed as well.

Researcher Tavis Ormandy discovered that sometimes, quite rarely, but every now and then, a tiny chance, Cloudflare or sites which were using Cloudflare would be sharing more information than maybe they should, and so private information could actually be contained.

There's no evidence that anyone's been exploited by that, but I wanted to ask you guys, have you been changing your passwords as a consequence of this?
VANJA ŠVAJCER
Of Cloudbleed? I think it's more of a concern on the app provider side.

But yes, I think if you find out that any of your apps you're using every day is using Cloudflare, which is very likely.
CAROLE THERIAULT
How would someone know if their software is using Cloudflare?
GRAHAM CLULEY
There are lists which have been posted up, I think on GitHub.

We'll link to it in the show notes where you can download a long, long list of the many hundreds of thousands, if not millions of sites which are using Cloudflare.

Frankly, my decision was I'm not gonna do anything. I think the chances, because this was only, it appears only a problem for a fairly short period of time.
VANJA ŠVAJCER
Plus it was discovered by Tavis Ormandy, which means that not many other people would actually discover this.
GRAHAM CLULEY
Yeah, quite possibly the case, yeah. We've spoken about Tavis and what a smarty pants he is in the past at finding bugs like this. No evidence that it's been exploited.

And of course, in terms of passwords, it would only be if you're actually transmitting a password during one of those very rare sessions that this would potentially be an issue.

But I just thought there are so many major websites who depend upon Cloudflare these days, it would just be, you know, I think that's more of a hassle and potentially maybe even more of a risk, me changing all of those passwords, than thinking actually, you know what, I'm not going to worry about it.

So I'm not panicking about that particular one. I just thought it was, I put it in the too difficult box. Whether that will come back to bite me, I'm not sure.
VANJA ŠVAJCER
I'm ignoring it for the moment as well.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I'm on holiday.
VANJA ŠVAJCER
Nothing bad happens on holidays, as we know.
CAROLE THERIAULT
Do you know, do you know, I'm on holiday and I'm yet, I'm still here for this podcast.
GRAHAM CLULEY
So that's how dedicated you are.
VANJA ŠVAJCER
That's a commitment.
CAROLE THERIAULT
Dedication.
GRAHAM CLULEY
That's unbelievable, Carole. That's fantastic.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
You do that.
CAROLE THERIAULT
Yes, yes, it is amazing.
GRAHAM CLULEY
So despite being on holiday, you are joining us today for a regular episode where we're going to talk about some of the other stories which we've seen in the last week, which got our interest.

Now, one thing I wanted to ask you, do you remember last year when VTech got hacked? Yeah, they're the electronic learning toy company and millions of families. Yeah, exactly.

It's the things you sell to kids like these sort of calculators and sort of things which help you learn how to spell and things like that.

And I've got a young child, and so we might have one or two of their toys lurking around in here.

Millions of families had their personal information exposed because of a serious security breach which took place last year.

Database access contained information about customers and their children. That was one failure of the Internet of Things when it came to toys.

And earlier this month, a German privacy watchdog told parents to destroy an internet-enabled toy doll called My Friend Cayla.
CAROLE THERIAULT
I'm just picturing parents ripping heads off of toys.
VANJA ŠVAJCER
Yes, of Cayla.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Exactly. You were getting your bow and arrow out and sort of harpooning these toys as they came lurching towards you like Chucky the homicidal terror doll.

Because My Friend Cayla could be used too easily to eavesdrop and even talk to children without knowledge or consent.
VANJA ŠVAJCER
But is it basically made for parents to eavesdrop on their children? So the German privacy watchdog told children to destroy toys and dolls so that parents cannot eavesdrop on them.
GRAHAM CLULEY
I think the concern was that maybe it could be done by others without permission as well. But yeah, certainly concerns keep on coming up about these sort of IoT toys.

And the latest one which is raising concern are some internet-connected stuffed animal toys called Cloud Pets from a company called Spiral Toys.

And these are toys which allow people, children, family members to send voicemail messages to each other.

Now, rather than me try and describe what these do, I should actually just play you the advert, so I'm going to show you the YouTube video of this wonderful toy.
VANJA ŠVAJCER
Do we really want to see that?
GRAHAM CLULEY
Yeah, I'm sure you do. Here it is.
CAROLE THERIAULT
Now staying in touch is easy and fun with CloudPets. Just record a message.
VANJA ŠVAJCER
Hope you had a good day at school.
GRAHAM CLULEY
I miss you.
CAROLE THERIAULT
And send to the cloud. In just seconds, it floats down to the app on your smart device, allowing you to send the message to the CloudPet.
VANJA ŠVAJCER
I hope you had a good day at school.
GRAHAM CLULEY
I miss you.
CAROLE THERIAULT
It's a message you can hug. Now squeeze Puppy's paw to send one back. Night, Daddy, I love you. CloudPets makes you feel like the ones you love are always near. See you real soon.

The CloudPets app uses Bluetooth technology to send your messages. Hi, this is Grandma. See you real soon.
GRAHAM CLULEY
Hi, Grandma. Hi, Grandma!
CAROLE THERIAULT
Whether you're all the way on the other side of the world.
VANJA ŠVAJCER
I'll be home soon. I miss you guys.
GRAHAM CLULEY
I'll be home soon. Oh, don't you want to go out and get one of those?
CAROLE THERIAULT
Oh, I can't stand the voice of the woman who's speaking in this ad.
GRAHAM CLULEY
Is that awful? She's so horribly happy.
CAROLE THERIAULT
No, falsely cheery. To the point where she's, you know—
GRAHAM CLULEY
She has this rictus-like smile. Hey! And there's also this, hey, Grandma! Smashing security ransomware and, hey, I'm out in the Gulf, just sending a message to you kids.
VANJA ŠVAJCER
They haven't spent too much money on this.
GRAHAM CLULEY
It is bizarre, isn't it? That isn't the greatest acting in the world. We'll put the link in the show notes if you want to see the video as well as listen to it.

But the problem is this. Turns out CloudPets, oh dear, there's been a breach in Teddy Town because they have leaked MongoDB, their MongoDB database.

We've talked about MongoDB before and how people have poorly configured it.

And as a consequence, potentially 2 million voice recordings of children and parents, email addresses, password data for more than 800,000 accounts have been exposed.

Because when you use these toys to spread messages to each other, of course, those voice recordings go up into the cloud.
VANJA ŠVAJCER
But can I ask that question? Why would you preserve all those recordings? Why wouldn't you, like Snapchat, just expire them after some time?
GRAHAM CLULEY
A very sensible thing to do.

But obviously the people who are making these devices aren't thinking with security in mind, just like VTech weren't, just like the other devices such as My Friend Cayla. They aren't thinking about the potential privacy and security issues.

And as a consequence, breaches like this keep on happening.

And it's not just that anybody was able to access this database without a password, you know, no firewall, no passwords in place, publicly accessible. It's the same old story, which we've talked about before with MongoDB databases and other database formats as well.

The hackers gain access, they wipe the information, and then they begin to demand ransom.
CAROLE THERIAULT
Do you know what? Vanja makes a really good point. I think they're keeping that information. Why wouldn't they delete it?

And I think it's probably big data dreams, greedy big data dreams that they might be able to use that information for a later purpose. And you know, fuck big data.
GRAHAM CLULEY
I love your cynical question in mind, but when I see that video advert, I cannot believe that they've got two brain cells to rub together to actually conceive how other ways they can make money off it.
VANJA ŠVAJCER
Yeah, I wonder how many resources they actually had. Like, is it essentially just enough?
CAROLE THERIAULT
They seem to have enough data storage.
GRAHAM CLULEY
Oh, but data storage is quite cheap, right? I mean, even if it's millions of recordings, it is.
CAROLE THERIAULT
Yeah, but we can't afford to encrypt it though. Just, yeah.
GRAHAM CLULEY
Well, it's another thing to do.
VANJA ŠVAJCER
It's only $39.99.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Yeah, if you want an encrypted voicemail service for your teddy bear, Carole, and your stuffed animal collection, I think you're going to have to spend upwards of $50, I'm afraid.

Yeah, that's the kind of decision which consumers need to make.
CAROLE THERIAULT
Give me a big vat of molten lead and I'll take care of CloudPets IoT teddy bear.
GRAHAM CLULEY
Well, once again, it looks like production data was being used on testing and staging servers, which of course is a cardinal sin too often.
VANJA ŠVAJCER
They obviously haven't listened to our podcast.
GRAHAM CLULEY
No, they—
CAROLE THERIAULT
Well, maybe we should send them an email. Send it over to them.
GRAHAM CLULEY
You know what? A number of people have been emailing them.

In fact, this is half the problem: this problem was discovered and people kept telling them, saying, guys, your database, anyone can access it. And they didn't respond.

Multiple occasions people were getting in touch with them.
CAROLE THERIAULT
You're kidding me.
GRAHAM CLULEY
Nothing was happening. Even the blackmailers, they kept, different blackmailers kept on coming in and wiping the data and leaving different ransom demands.

And the company, CloudPets, weren't paying, you know, Spiral Toys weren't paying any attention at all.
CAROLE THERIAULT
Do you know what this reminds me of? Do you remember that time we had a party in a hotel room in Vancouver? And we kept being called saying, get out of the room, stop the party.

And we weren't really responding very well.
GRAHAM CLULEY
We were making a little bit too much noise, I suppose.
CAROLE THERIAULT
And then they knocked on the door and we opened it and they had a bottle, they had champagne glasses and a bucket and we thought, oh, someone ordered champagne and it was just a ruse to get us all out.
GRAHAM CLULEY
Yeah, it was security, wasn't it? They came in pretending to give us champagne. They didn't even bring champagne. They just brought champagne glasses. That was enough to trick us.
CAROLE THERIAULT
That's right. And it was my room and I was even kicked out of my own room for half an hour to cool down.
VANJA ŠVAJCER
Serves you well.
CAROLE THERIAULT
Serves me right.
GRAHAM CLULEY
You did have a lot of people from the anti-malware industry in your room, which let's face it, isn't necessarily entirely healthy.
VANJA ŠVAJCER
All the crazy party maniacs.
CAROLE THERIAULT
It will go down in history as quite a memorable party.
GRAHAM CLULEY
It was a good party. Maybe that's for another podcast. We'll go into the details on that. So anyway, another disaster with the Internet of Things.

I wanted to share some advice, which is if you do have one of these CloudPets, log in if you can, delete your account, make sure you're not using the same password anywhere else.

One of the problems with CloudPets was that even though they were storing passwords as a bcrypt hash, which is considered quite hard to crack, there were no password strength rules in place at all, as Troy Hunt reported.

You could literally have a 1-character password of A or X. That would be enough.

And in the video where they described setting a password, they just use a 3-character password as well.
VANJA ŠVAJCER
Well, it's for kids, so.
CAROLE THERIAULT
Yeah, pooch.
GRAHAM CLULEY
And Troy discovered that there were plenty of people using passwords like 123456, cloudpetspassword, dumb things like that.
CAROLE THERIAULT
Yeah, and if you're very young, you know, if you're— in fact, I was with my nephew, who is 8, and he has this kind of cipher lock.

So we set it all up for him, and he went around to everyone and told them, everyone, the password: 1, 2, 3, 4, 5, skull. There you are.
VANJA ŠVAJCER
Skull.
CAROLE THERIAULT
Yeah, and he thinks it's a great password because he's 8.
GRAHAM CLULEY
So delete your account at CloudPets, change your password anywhere else on the net, and then take the toy, cover it in molten lead as Carole said, take out the batteries, chuck it in the bin.

You know, that's the end of CloudPets as far as I'm concerned. And vote with your wallet.
CAROLE THERIAULT
Make sure you have some ice cream or something on hand to deal with the tears that might ensue.
GRAHAM CLULEY
Oh God, I didn't even think of that.
CAROLE THERIAULT
Yeah.
VANJA ŠVAJCER
They'll be disappointed by this podcast. Give them some hope, guys.
CAROLE THERIAULT
Yeah, make sure no kid finds the evidence of the destroyed pet.
GRAHAM CLULEY
Hey, Carole, do you remember when we used to, we had that squeaky doll of you?
CAROLE THERIAULT
Yes. It wasn't a blow-up doll or anything, just to make that clear to anyone listening.
GRAHAM CLULEY
I can't remember why you had it, but it was a very lifelike doll of you. It was a Muppet, wasn't it?
CAROLE THERIAULT
It was a boss that bought it for me because she thought I spoke often and it had quite a large mouth. It was a puppet that you'd, yeah, a hand puppet.
GRAHAM CLULEY
I think we'll leave it there and move on to Vanja's story of the week.
CAROLE THERIAULT
Good idea.
VANJA ŠVAJCER
Yeah, my story is, it appeared last month, but this week it was updated with the latest news, and it concerns the latest Insider Preview of Windows 10.

Apparently a new version of Windows 10, called Creators Update or whatever it's going to be called by April when it's supposed to be released, can run only applications from the Windows Store, so-called UWP or Universal Windows Platform applications.

So it seems that Microsoft may release a new version of Windows 10 called Windows 10 Cloud, which will compete with Chrome OS.

So in the latest leak, this feature, where only Universal Windows Platform apps can be run, is extended, so you can also run other Windows applications, applications that are installed from the Windows Store. So these are not your typical Win32 applications we used to know.

They have to be converted so they're compatible with the new user interface.
GRAHAM CLULEY
Okay.
VANJA ŠVAJCER
And they work only for Windows 10.

So it seems that Microsoft is pushing for all the Windows developers to slowly cross to this new model because there are quite a few advantages to developers.

For example, if you create a UWP, you can run the same app without any change on different devices on your Xbox or phone on tablets or whatsoever.
CAROLE THERIAULT
Yeah. Yeah. Yeah.
VANJA ŠVAJCER
There are some kind of rumours that also Android and iOS apps will be able to run on those platforms. So it's quite an interesting move from Microsoft.

But what concerns us, of course, is what does it bring from the security point of view? So there are a lot of the advantages of this new format.

And one of the advantages is that the app, when you install it, it cannot chain install other applications.
VANJA ŠVAJCER
So you can't have adware included. Today, when you download the desktop application, often you get many other applications installed without you knowing.

So that's one of the security benefits of this. The second one is an obvious Apple-like control and vetting of applications by Microsoft.
CAROLE THERIAULT
The walled garden sort of effect.
VANJA ŠVAJCER
The walled garden, but this time walled garden of Microsoft rather than Apple.

It seems these apps have no access to the Windows file system, to the operating system or the registry, and so they are very much isolated from each other.

And it's really much more difficult for a malicious app to appear.
GRAHAM CLULEY
I would certainly think you probably would still need antivirus software because of course not all malware infections come from apps.

For instance, you will get malware inside Word documents and macro malware and scripting malware and things like that, which wouldn't be programs which you would download from this store or anywhere else on the net.
VANJA ŠVAJCER
But you know, that's interesting.

But if, let's say, Office or a browser is a UWP app, or a new universal platform app, it doesn't have access to other apps or any other files that would actually be required for any kind of malicious behaviour.
CAROLE THERIAULT
Okay, let's back up for a second for me for a sec.

So you're saying, so if I'm using Windows 10, I'm on the internet, I want to download some app that's not within their walled garden, what are you saying will happen?
VANJA ŠVAJCER
Well, you have basically 3 options in the new release that's about to be released to the public in April. You can either say, well, I only want applications that are from the Windows Store.

That's the first one. And no other apps will be run.

Your second option is to say, warn me if any application that's not from the Windows Store wants to be installed or is trying to be installed. So you have something similar to today.

You have the user account control where you say, well, okay, you know, I pretty much know what this is, so I will allow it to run.

And the third one, which basically is the same as more or less as today, you don't have any kind of warning, so you are free to install any kind of app.

So it's going to be interesting to see how Microsoft will push this feature forwards.
GRAHAM CLULEY
So of course, Apple has kind of gone through this process already with the Mac App Store.

Where you get apps which have been vetted by Apple and they have tight control over what those apps can do. A lot of low-level stuff the apps aren't allowed to do.
VANJA ŠVAJCER
Including AV, of course.
GRAHAM CLULEY
Including antivirus, of course. But there has been resistance from that, from some of the developers.

One of the issues has been, of course, that Apple, and I don't know what Microsoft is planning to do with this, but Apple takes a chunk of the change.

So they will take some of the money for the cost of your apps. They will earn that as commission.

And that's one of the ways in which they rake in money, just like they do with the iOS App Store.
VANJA ŠVAJCER
I would be very surprised if Microsoft wouldn't do the same. Yeah, because they kind of try to advertise it as providing additional services apart from security.

Actually, automated updating is included and your user management through this central store.
GRAHAM CLULEY
But more than that, there are other restrictions as well.

Suddenly, some of the apps which I run on the Macs which I own, I have a choice of either buying them from the App Store or buying them directly from the developer.

And quite often you will find there are additional features in the version which is available from the developer because they weren't able to get it past the App Store guidelines.

They were doing things—
CAROLE THERIAULT
But you're quite an advanced user, Graham, right?
GRAHAM CLULEY
Some of these tools, Carole, aren't doing things which appear advanced to me as a user. It just works, you know? It's doing what I require.

It's not like I'm trying to do something nerdy on my computer. But the versions in the App Store, it's just like, oh, sorry, we can't do that because of Apple's restrictions.
VANJA ŠVAJCER
Well, there are certainly restrictions in Microsoft as well.
GRAHAM CLULEY
But here's my other concern: I do hear from Apple Mac developers that there can be quite a lag between sending an app to Apple for approval and it ending up in the App Store.

So if there is a vulnerability, if there's a flaw, if there's an urgent bug fix, quite often you will get that bug fix much quicker if you've got the software directly from the developer.

And that would make me nervous about these Microsoft programs as well.
CAROLE THERIAULT
But for users that are not as au fait with technology, I always recommend using the app stores.

I get all these, I get the drawbacks, but I prefer to have that extra sense of, this app has been vetted before I would get my Auntie Hilda, for example, to go and download something.
VANJA ŠVAJCER
Yeah. So basically Windows is moving closer to iOS and Android in the model. So which for me, again, begs the question of why we use Windows and macOS, right?

I mean, the comparative advantage of Windows was that it was open to developers, that you could actually use some of the system stuff, that you could have drivers and so on.

There are obviously security drawbacks to that, but you know, as a very powerful system, I don't know, it worked in the past.

It's going to be interesting to see how the users and how the developers will react to this.
GRAHAM CLULEY
It's an interesting trend, and only time will tell where we end up and how much further along this slope we go. Well, thanks for telling us about that, Vanja Švajcer.

Carole, what have you got?
CAROLE THERIAULT
So my story is about personal identifiable information, or PII, and how easy it is for someone to unintentionally cause a massive security headache inside a corporation.

So let me set the scene for you guys.

So November 21st last year, a Boeing employee sent a work spreadsheet to his wife, who does not work at Boeing, to get help with a formatting issue.

The employee's wife, it seems, was a bit of a whiz at the old Excel spreadsheet stuff. I bet you it was a pivot table, don't you? It's totally a pivot table.
GRAHAM CLULEY
That's it. There's a dark art. That's a dark art, pivot table.
VANJA ŠVAJCER
A hidden column.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah. Well, you know what? Wait on that. So that's exactly— so the problem, the spreadsheet held personal info of 36,000 employees.

Now, these days, with all the breaches we hear, that's not a huge number. That's employees.

Now the information that was in the spreadsheet that you could see, that the employee could see was first and last names, place of birth, their ID, employee ID, and accounting department codes.

But there were hidden columns, Vanja, exactly as you said, Social Security numbers and date of birth were in the hidden columns.
VANJA ŠVAJCER
They were super securely stored and hidden.
CAROLE THERIAULT
Just hidden. Yeah, I know. See, it's interesting that whole idea.

Anyway, so I couldn't find any information on how Boeing actually became aware of the infringement because I imagine the employee sent this to his wife, his wife fixed whatever issue was going on, sent it back, everyone's happy, no one's the wiser.

But I suspect there are probably some—
VANJA ŠVAJCER
The wife reported him.
CAROLE THERIAULT
Maybe, maybe. But I suspect it was probably more deep packet inspection software, or something similar, that raised the alarm.

So looking at this, I was thinking, actually, I think Boeing seems to have done everything right.

And I'll just walk through these and you tell me if they've missed anything because you guys know this stuff a little bit better than I do.

So Boeing obviously had the tools in place to uncover the unintended infraction, right? It was able to find out what happened, if my assumption is correct.

Boeing also seems to have gotten to the bottom of the problem and has not publicly named and shamed the employee, from anything I've seen.
VANJA ŠVAJCER
He's still employed?
CAROLE THERIAULT
We don't know. There's no information.
GRAHAM CLULEY
You can imagine he would be quite scapegoated, you know. There wouldn't be any good to come from naming him, really.
CAROLE THERIAULT
We have seen companies do that, though. We have seen companies name the employees that have caused problems. So I'm a big fan of not doing that.

Now, Boeing have also performed forensic analysis both on the employee's computer and the wife's computer to ensure that all the information is properly destroyed.

And they have confirmation from the couple that neither forwarded the information to anyone else.

Now, this is pretty standard these days, but the company is also offering employees two years access to free identity theft protection services.

I'm not sure why it's just two years. I'm not sure why that isn't just standard across the board for any employee that works at the company.

Why wouldn't you just offer it as part of the package?
VANJA ŠVAJCER
So sorry, this was sent by email. So there must be an email server as well that was used by the—
GRAHAM CLULEY
Exactly. Has it turned up in her webmail account or something like that? And did anyone else have access to that? Was that being properly secured?

Do they know if someone else accessed that account?
CAROLE THERIAULT
These are all good questions that I don't have the answers to yet, but if we find out, I'll update on the next podcast if anything else comes out of this.

So now, of course, now this all comes through, Boeing's Deputy Chief Privacy Officer Marie Olson is in the process of officially informing the attorneys general of each of the affected states about the infringement, which is required by law.

I think 47 states, if I remember correctly, now require by law that you declare, you know, if people's information has been leaked in some way.

But the thing is, you can see how easy this happened. And it reminded me of this time when I remember trying to send an email to a colleague whose name was Eve.

Can you guess what happened? It autocorrected to everybody. And that's not just everybody that was in the particular building I was working.

That was everyone in the organization globally.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
Yeah.
VANJA ŠVAJCER
And don't you just love the Gmail feature of undoing the send? It waits for 10 seconds, or a few seconds, before it actually sends it.
CAROLE THERIAULT
Do you know what I did though? I yanked the cord out of the back of my computer when I realized.

That was my emergency automatic response, although I was too late and everyone received it.

Now, all I can say is, thank God I didn't write anything in there that impacted privacy or confidentiality.

But, you know, these things can happen, and I think they can happen to anyone.
GRAHAM CLULEY
Absolutely. Oh, totally can. So, I mean, a lesson to learn here is don't employ anyone called Eve. Don't employ anyone called Al.
VANJA ŠVAJCER
Either, but—
CAROLE THERIAULT
But do you know what? I got it changed.

When that happened, I actually wrote to the CIO and said, look, we need to have this mechanism in place to say, are you sure you want to email everybody in the company?

And they actually implemented it. So these kind of things can help to go, oh no, I just wanted to email Eve.
GRAHAM CLULEY
Although that one wouldn't have helped with this particular breach because he was intentionally sending it to his wife because she was an Excel whiz.
CAROLE THERIAULT
You know what? Boeing should hire her.
GRAHAM CLULEY
Oh yeah, I mean, clearly the employees need some training about how to handle personal information properly, but maybe they also need some training on how to use Excel.
CAROLE THERIAULT
You know, sorry, I didn't mention that. They are going to offer extra training as well, they've said.

They're going to offer extra training on how to deal with—but again, if the employee didn't know that there was PII in there because it was in hidden columns.
VANJA ŠVAJCER
Yeah. Well, the thing is, you really shouldn't send any company work-related documents to anybody outside of the company system.
CAROLE THERIAULT
Hand on heart, hand on heart, Vanja, who has not done that?
VANJA ŠVAJCER
Well, that's what I'm saying.

I know that most of the people did and most of the people would use Gmail or whatever for something that, you know, just quickly to send because I'm not able to connect to the company system at the moment.
GRAHAM CLULEY
The thing which gets me was this wasn't an accidental data leak.

I mean, he didn't know the data was there or maybe he didn't realize the seriousness of the data which was contained, 'cause some of it was hidden.

But it was an intentional sending of it. So I was thinking of how would I fix this? And the story you've just told, Carole, of yanking out the cable, I have a similar problem, right?

I send an email, I hit send, and only then do I go, "Ooh, I shouldn't have said that." So I actually have a system in place with my email client where it goes into limbo for about 90 seconds.

And it goes into that limbo folder before it really sends it.
CAROLE THERIAULT
Graham's own walled garden.
GRAHAM CLULEY
My own little walled garden.

And every day I'm going into that limbo box before it gets sent and quickly editing things, maybe to make myself sound a little bit friendlier and less blunt, or, you know, thinking maybe that joke was a little bit off-color.
CAROLE THERIAULT
Yeah, you told me about that about a year ago, and I think that's a lifesaver. It's a great, great feature.
GRAHAM CLULEY
It really is. But it wouldn't have helped with this. It sounds like— I think you're right to give Boeing some credit here.

Not only have they handled this properly, but it sounds like they had the tools in place to actually notice that the sensitive information had leaked out of the company.

So, I mean, kudos to them for handling it.
VANJA ŠVAJCER
There must be some DLP functionality there.
CAROLE THERIAULT
Yeah. And it kind of builds a bit of trust in the company that they've kind of done this in this way. Like, they've followed the rules, they've been open about it.

And I think rather than hiding everything under the carpet and hoping no one finds out, it kind of makes me think, okay, good on you, Boeing.
VANJA ŠVAJCER
Yeah. Considering that they are a huge manufacturer of military weapons, military airplanes, as well as the public, the standard ones.
GRAHAM CLULEY
And some of this information would have been valuable, you know, absolutely. You know, Social Security numbers, date of birth. This is the kind of information about employees.

And it was, do you say 36,000 workers were included in this? That's right.

So that would have definitely been valuable to some of the criminals at the moment who are targeting big firms like Boeing through things like CEO fraud or business email compromise.

Potentially, it could have been bad.
VANJA ŠVAJCER
Criminals and nation states too, because it's a very important company.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yes. Okay, so put yourself in the situation if you're in the company and you get the email from the CIO saying, look, this happened.

Do you think you would— how concerned would you be about your information in this case if you were an employee at Boeing?
GRAHAM CLULEY
I wouldn't feel too bothered.
CAROLE THERIAULT
Me neither.
GRAHAM CLULEY
Because it's a guy sending it to his wife, and presumably they get on, and presumably she isn't a Russian spy.
CAROLE THERIAULT
And they've all been forensically checked. The machines have, they've made official statements. So I think—
GRAHAM CLULEY
I'd feel pretty reassured. And I'd actually feel comforted by the notification because I think, hey, you know, they're looking for this kind of thing.

And maybe it'd also make me an awful lot more careful.
CAROLE THERIAULT
What you send. It might make you careful about what you send.

You may not even be aware that all this software is available, but you know, they can, when you're on a work computer, it is, you know, you are, it is there. It's theirs.

So be careful what you send.
GRAHAM CLULEY
Well, yeah. Imagine what else we are emailing our wives and partners from our work email accounts, which maybe the company could be seeing.

Something for us all to think about, right? Oh, thanks for that, Carole.

So we move on to the other section of the show, which I've put in our little template here as any other business.
VANJA ŠVAJCER
Oh, well, well, yeah.
GRAHAM CLULEY
Cue the sad music. We have an announcement.
VANJA ŠVAJCER
Who's making the announcement?
CAROLE THERIAULT
I think you should, Van.
VANJA ŠVAJCER
Oh, right.
CAROLE THERIAULT
No, you don't want to?
GRAHAM CLULEY
Do you not want to?
VANJA ŠVAJCER
Well, I'll make it all right.

So I have, I'm very sad to say that I will be taking a break from the Smashing Security podcast because I'm changing employer and I have to make sure that employer is happy with whatever I do.

So I'm hoping to come back, certainly, but for the moment, it's going to be a break.
CAROLE THERIAULT
Can I ask anyone out there who is a fan of Vanja Švajcer to write in and say how great and smart and wonderful— he's basically the one who props us up in terms of technicality.

We need him.
VANJA ŠVAJCER
Except when I make mistakes.
GRAHAM CLULEY
Yeah, like last week.
CAROLE THERIAULT
Should we crowdfund it? Should we crowdfund Vanja Švajcer to stay on the podcast?
GRAHAM CLULEY
What we should do is we should give everybody the email address of his new boss and say, contact this person. Here's the phone number.

And say, I can't believe Vanja isn't on a Smashing Security podcast anymore.
CAROLE THERIAULT
He's such a help.
GRAHAM CLULEY
He's such a help.
CAROLE THERIAULT
Well, we're going to miss you.
GRAHAM CLULEY
Vanja, we are going to miss you, man. You know, it's the end of the Three Musketeers.
CAROLE THERIAULT
Maybe we can call him up occasionally at work and go, is this true? During the podcast, live on air.
VANJA ŠVAJCER
Yeah, I'll have to speak to my PR people.
CAROLE THERIAULT
Oh, PR.
GRAHAM CLULEY
Well, Vanja, it's been tremendous, but I'd like to think this isn't goodbye.
CAROLE THERIAULT
No.
GRAHAM CLULEY
It's just— we'll miss you for a few episodes, but I'm sure we'll be back soon.
CAROLE THERIAULT
Anon. We'll see you anon.
GRAHAM CLULEY
We'll see you anon. And our adventures will continue, folks.

And the way to make sure that you don't miss out on our future podcast adventures is, of course, to subscribe to the podcast.

We are on iTunes and Google Play Music, Stitcher on Android, Podcast apps as well. Go and look for Smashing Security there and leave a review and say something nice about us.

We really appreciate it if you do. It makes a big, big difference. That just about wraps it up. Thanks for tuning in. And I think I should leave the final words to Vanja Švajcer.

Actually, Vanja, do you want to do the big wind-up at the end of the episode, seeing as you may not be here for a little bit longer?
VANJA ŠVAJCER
Well, what can I say? I hope you enjoyed the podcast and please do continue following Graham and Carole as they cover all the latest security news. I hope to be back soon.
CAROLE THERIAULT
Bye-bye. 5 stars. 5 stars.
VANJA ŠVAJCER
Oh, sorry.
GRAHAM CLULEY
Vanja Švajcer. Vanja, it's not just about you, Vanja. Can you plug the Twitter account for goodness sake?
VANJA ŠVAJCER
We have a Twitter account, @SmashingSecurity. That's Smashing without a G, Security.
CAROLE THERIAULT
Bye. Bye.
GRAHAM CLULEY
So unprofessional. I'm glad he's off, to be honest.
CAROLE THERIAULT
Maybe we could get him to record the wrap-up and the intro so we could still have him a little bit with us.
GRAHAM CLULEY
Do you think you'd be allowed to do that?
CAROLE THERIAULT
Probably not.
GRAHAM CLULEY
No. Hmm. Yeah.
VANJA ŠVAJCER
What?
CAROLE THERIAULT
Hey, Graham, you still there?
GRAHAM CLULEY
Yeah, yeah, I'm here. Vanja's gone though.
CAROLE THERIAULT
Oh, he's dead too. To me. Yeah, but NetFort is not. Just reminding our listeners, there's 20% off NetFort LanGuardian for listeners of Smashing Security. Check it out at netfort.com.

That's N-E-T-F-O-R-T.
GRAHAM CLULEY
Thanks, NetFort.
CAROLE THERIAULT
You guys rock.

Show notes:

Thanks to NetFort – https://www.netfort.com/ – for sponsoring this episode of Smashing Security.

Hope you enjoy the show, and tell us what you think. You can follow the Smashing Security team on Bluesky.

Remember: Subscribe on iTunes to catch all of the episodes as they go live and thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.