Smashing Security podcast #037: Boobs, dragons and data breaches

Three security industry veterans, chatting about computer security and online privacy.

Graham Cluley

Hackers are holding HBO to ransom after a massive data breach, and have leaked the phone numbers and email addresses of “Game of Thrones” cast members. Has security firm Carbon Black been leaking customers’ sensitive files while trying to scan them? And Disney’s mobile apps are accused of spying on kids…

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by John Hawes.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
This episode of Smashing Security is supported in part by Recorded Future.

Recorded Future is the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and darkweb sources to give organizations unmatched insight into emerging threats.

Sign up for free daily threat intelligence updates at recordedfuture.com/smashingsecurity. And thanks to Recorded Future for supporting the show.

Smashing Security, Episode 37: Boobs, Dragons, and Data Breaches with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Episode 37 of Smashing Security for the 10th of August, 2017.

My name is Graham Cluley, and I'm joined as always by my good buddy and co-host, Carole Theriault. Hello, Carole, how are you?
CAROLE THERIAULT
Carole?
GRAHAM CLULEY
Yeah, well, you know, I like to be a little bit exotic when I'm chatting to you. How are you doing?
CAROLE THERIAULT
I'm okay. I'm a bit miserable today. It's gross weather here in Oxford.

It's just ridiculously grey and cold, and it should be August and sunshiny and barbecue weather, and it's definitely not that.
GRAHAM CLULEY
Well, it is true that the week and a half of summer in England went past us long, long ago, and now it's just rain, rain, rain.

But let's have a little sunshine in our lives because we have a very special guest, don't we?
CAROLE THERIAULT
We have a great special guest who is Mr. John Hawes from the Anti-Malware Testing Standards Organization, AMTSO.
JOHN HAWES
Hello, it's lovely to be here.
CAROLE THERIAULT
You're not new to this podcast. I think you've been on a few times before, have you not?
JOHN HAWES
I have done a few, yes.
GRAHAM CLULEY
He's made it through a few. So has anyone been doing anything fun in the last week since we were last on?
CAROLE THERIAULT
Reading the news with trepidation.
GRAHAM CLULEY
Obviously, there's the news of the imminent thermonuclear war, which is about to break out between North Korea and America. Slightly concerned.

Let's hope we manage to get the podcast out before that begins. And then there's the story of Marcus Hutchins, aka MalwareTech, who was arrested in Las Vegas, of course.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
People will remember that he was the, quote, accidental hero who found the kill switch, as it were, in the WannaCry ransomware, which was ravaging the National Health Service in the UK and organizations elsewhere.
CAROLE THERIAULT
There doesn't seem to be a lot of information out on it so far.
GRAHAM CLULEY
No, but he's been arrested and charged in connection with a banking malware called Kronos, and that case continues.

It means he didn't get back from Las Vegas where he was attending the Black Hat and DEF CON conferences.

But there's been a lot of outcry from the security community and people have been raising money to aid in his defense. But we wait to see what's going to come out of that.

I think he's next to appear in court next Monday, so we'll see.
CAROLE THERIAULT
Have you made your mind up yet? Have you got any views?
GRAHAM CLULEY
I think it's impossible to say, isn't it?

This is either a case of the FBI making the most enormous cock-up, pointing the finger at the wrong person, or someone who was considered very much a hero turning out to be a bad guy after all.

I think either way it's going to be a shock.
CAROLE THERIAULT
Yep, it's a popcorn, get the popcorn moment, isn't it?
JOHN HAWES
It's a poor choice of nickname if you're going to go around writing malware. You don't want to go calling yourself MalwareTech.

It's kind of like being a burglar and everyone calling you Burglar Jim.
GRAHAM CLULEY
Well, look, the other things which have been going on over last week, the things which have been sort of attracting our interest in the world of computer security.

That's what we're here to discuss today. And one of the stories which I've been following, and it's been developing over the last few days, is the HBO hack.
CAROLE THERIAULT
That was a few weeks, that was a week ago or something.
GRAHAM CLULEY
Yeah, it's been sort of gathering momentum because imagine the scene, right? You know, it'd be fantastic, wouldn't it, to be famous? It'd be fantastic to be paid a small fortune.
CAROLE THERIAULT
I disagree completely. I think being famous would be the worst thing on earth. That's why I do this show.
GRAHAM CLULEY
It depends, Carole.

You could either work in some sort of chicken farming factory or something, or you could be an actress out there on some exotic beach, not even having to learn your lines, because all you have to do is go, "Skana ran, skana min, skana wan, skana harl, skana skrull," speaking in some ancient dragon dialect because you're on Game of Thrones.

How fantastic would that be?
JOHN HAWES
Are those the only two options? Be on Game of Thrones or chicken farming.
GRAHAM CLULEY
Those are potentially the open positions. Millions of people being glued to your antics every week on television. But you said, Carole, there are some drawbacks, aren't there?

There are some drawbacks.

And in particular for the cast of Game of Thrones, there's a drawback right now because HBO got hacked and the bad guys got into the email account of HBO's VP for film programming, a guy called Leslie Cohen.

And they stole his email archive, and allegedly they stole 1.5 terabytes.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
Yeah, try getting that on a USB stick. Of content, including, of course, the latest episodes of Game of Thrones, including ones which hadn't been broadcast yet.

And they released them onto the internet late last week prior to transmission.
CAROLE THERIAULT
And do you know, not even 5 years ago, that would have just taken forever to download, wouldn't it?
JOHN HAWES
It would take quite a while now.
GRAHAM CLULEY
Yeah, it would take a fair while, but I imagine just for one episode, maybe not so long if you're on fiber or something like that. But I don't actually watch Game of Thrones.

I watched the first series. Do you guys watch it at all?
JOHN HAWES
Yes.
CAROLE THERIAULT
I've watched. Yeah, I've watched. It's a bit rude.
GRAHAM CLULEY
It is a bit pervy, isn't it? It is a bit boobs and dragons.
CAROLE THERIAULT
Yeah, I find that I wish there'd be less of that. I just find that's a bit too much. But I do kind of like the story, the backstory. I kind of like that.
GRAHAM CLULEY
I think HBO has always been a little bit saucier than some of the other channels, hasn't it, in America?
CAROLE THERIAULT
It's not that I'm against sauciness. It's just that type of sauciness.
GRAHAM CLULEY
All right. Okay.
JOHN HAWES
The boobs and dragons type.
CAROLE THERIAULT
Did you say tits and dragons?
GRAHAM CLULEY
I said boobs. You're the one who said.
JOHN HAWES
Yes.
GRAHAM CLULEY
So anyway, so the hackers stole this and they released the actual footage or, you know, the episode onto the internet.

And then they sent a video ransom message to HBO's CEO demanding something in the region of between $6 and $7 million worth of bitcoin.
CAROLE THERIAULT
Geez, greedy, greedy.
GRAHAM CLULEY
Isn't it? Well, let's take a look at their video ransom message right now because it was published up on the Mashable website and you can go and enjoy it there.

Let's take a look at it.
CAROLE THERIAULT
Okay. Ooh, it's, you know, so it's a letter just scrolling, Star Wars style, like the intro to the first Star Wars film.
GRAHAM CLULEY
So we've seen some white text on a black background. There's an awful lot of text here, isn't there?
CAROLE THERIAULT
Yes, it's like a legal letter.
GRAHAM CLULEY
It is like the terms and conditions. Frankly, I think the hackers should have themselves gone to film school.
CAROLE THERIAULT
Oh, it does say, we confess that HBO was one of our difficult targets to deal with, but we succeeded. It took about 6 months.
GRAHAM CLULEY
And this is rather poor, portentous music as well, isn't it? Now, I don't know if that's something which Mashable added or whether the hackers added that themselves.
CAROLE THERIAULT
I doubt it. This looks pretty low-tech.
GRAHAM CLULEY
It's not great, is it?
JOHN HAWES
Who is Richard Plepler?
GRAHAM CLULEY
He is the CEO of HBO, and so the message is being specifically sent to him. And it's saying things like, "Leakage will be your worst nightmare.

Your competitors will know about your current and future strategies." 'Your inner circle inside HBO and senior staff will be thrown into chaos. Muahaha!

There'll be downfall in the stocks.

As you're in the business from decades, you yourselves will be full aware'— I'm sorry about the poor grammar— 'of catastrophic consequences, so make a wise decision,' they say.
JOHN HAWES
Do you think people could— some expert could tell from the grammar where this person came from? Because it seems to be very specific patterns of strange usage.
GRAHAM CLULEY
I was wondering that as well. Certainly there'd be sort of circumstantial, you know, maybe links which could be made.

They're not very good at putting in commas, and they're making some grammatical mistakes. And so there might be some clues there.

I don't know if it'd be enough to identify them unless we've already identified the hacker and then say, well, there's a good chance you did write this.

But they've got this message.
CAROLE THERIAULT
Just FYI for our listeners, it's still scrolling.
GRAHAM CLULEY
Yeah, like this is how long it goes on and on, and it's not in huge print, is it? I mean, it's— no.
CAROLE THERIAULT
Oh, well, did you find it exhausting?
GRAHAM CLULEY
It was too long for me. If you make it to the end you'll finally get this message and it says, here are two mottos. Which one is remembered?

Winter is coming, HBO is falling, or winter is coming, HBO is standing and everlasting.
CAROLE THERIAULT
So basically they pay up and they can continue standing is what they're saying.
GRAHAM CLULEY
Yeah, but you know, they've leaked so much information now.

And the latest thing which they've leaked is a document containing the email addresses of some Game of Thrones stars, including the, that little guy, Peter Dinklage.
CAROLE THERIAULT
That little guy.
GRAHAM CLULEY
Well, he is a little guy. And, the blonde woman, Emilia Clarke, who is, I've written this down, Daenerys Targaryen.
CAROLE THERIAULT
The blonde dragon hottie.
GRAHAM CLULEY
So now you've got not only their email address, but you've also got their personal phone numbers, which have been posted up there. So you can call your celebrity crush.

If you want to. You can imagine what Game of Thrones fans are like.
CAROLE THERIAULT
They're going, "Yes, I'd like to call her." I just saw the words FBI fat-ass agent scroll by. Jeez. It's still scrolling.
GRAHAM CLULEY
Still scrolling. Well, German IT consultant Markus Uberall tweeted saying, "Seriously, who cares?" Should I do it in a German accent?
CAROLE THERIAULT
Yeah, please. At least you told them what it was going to be. Go ahead.
GRAHAM CLULEY
Who cares about these stars? Give us the names, addresses, phone numbers of their body doubles, which is a fair enough point, isn't it?

I suppose if you're going to perv over these people, you might as well perv over the right bodies.
JOHN HAWES
Well, if you're just going to phone them up, that's not really going to help, is it?
GRAHAM CLULEY
Yeah, but it's maybe to start a relationship, John.

You send them a message, you know, you pretend to be the CEO of HBO, dropping them a line from your personal email account saying, would you like to appear in the next series?
JOHN HAWES
I hear you look like Peter Dinklage. Do you want to come around for tea?
GRAHAM CLULEY
Peter Dinklage? Now, the problem is here, right, is that if you're a star, you're not the only one who's responsible for guarding your privacy.

You're also putting your trust in other people and organizations to keep your personal details out of the public gaze.

But they need to lock down their security, and it's interesting that this HBO senior exec's email was accessed because I certainly know that the stars of Game of Thrones have in the past been told to lock down their accounts with two-step verification to make it more difficult for people to hack inside.

So I wonder whether those HBO execs were actually doing what they were getting their stars to do. Maybe they weren't.
JOHN HAWES
It seems to happen a lot to, you mentioned Sony, so TV and movie people.

Is that just because they're of particular interest to the kind of people that like to go around hacking people?
GRAHAM CLULEY
Well, we also saw the release of episodes of Orange Is the New Black where the hackers had got in as well. And I think there is a bit of a trend for this at the moment.

And I think that some criminals are thinking, here is an opportunity maybe to make some money by stealing this digital content.

May not even be directly from the studio, it may be from partner companies.
CAROLE THERIAULT
The other thing is it gets a lot of eyeballs quickly, right?

If you're talking Game of Thrones, they did say it took 6 months, but that is something that you would just work at and work at to get that information, be it if you were trying to leak it because it's such big news, everyone's covering it.
GRAHAM CLULEY
I suspect that there's still more to come out.

You know, if they really have stolen 1.5 terabytes of data, there may be more information out there and there may be further embarrassments for HBO, but I'm not sure if HBO's likely to pay any ransom.
CAROLE THERIAULT
The thing that's weird about asking for ransom is actually they've put out all the information, you know, not all of it, but they put out a lot of it.

So what's the ransom gonna pay for?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
I'm sure maybe it was one in paragraph 86 of their ransom letter, but I didn't see it.
GRAHAM CLULEY
It's still scrolling.
CAROLE THERIAULT
No, it just finished. It just finished on me. Yeah, yeah, just finished.
GRAHAM CLULEY
Okay, John, what have you got for us this week?
JOHN HAWES
So apparently there's a company called Direct Defense, which is some kind of security research company, and they put out a blog post about some investigations they've been doing into files that they found on a multi-scanning service.

So it's one of these— I mean, VirusTotal is the obese gorilla in the room here, but there's lots of these services where you basically, you can upload a file and it gets scanned by multiple antivirus products to say whether or not they think it's a good thing or a bad thing.

And this research firm has been looking at the files and they've managed to connect some files that they found to a particular security company which is called Carbon Black, used to be known as Bit9 apparently.

They're quite well known.

Yeah, so part of their process for dealing with files that they find on their customers' machines, if they don't recognize them, they upload them to a multi-scanning service.
GRAHAM CLULEY
Hang on, John, let's just rewind as to exactly what they're doing here.

So if they don't detect something as being malware on your computer they take the executable file from your computer and they put it through a process whereby it gets scanned by lots of other security products, right?
JOHN HAWES
Yes. So I imagine this is probably a fairly standard thing these days.

So pretty much any security product that you have on your machine has access to cloud-based resources back at the home base.

So it'll look at a given file and maybe make a judgment based on local data, maybe say, "Oh, I don't have enough information here to make a call, so I'll call home and see if they have more data." And if the headquarters doesn't know what it is, they might send the file up to their cloud for further analysis, which could be automated in some kind of sandbox system.

It could eventually end up being a person looking at it.

But in this particular product, and I would assume quite a lot of other products as well, it's being then farmed out to a third party. So the concern is then that if you—
GRAHAM CLULEY
If that file was to ultimately end up at somewhere like VirusTotal, one of those scanning services up in the cloud via this particular vendor, then those files might be shared with other companies who use VirusTotal.

And so your file, unbeknownst to you, could end up in all sorts of places.
CAROLE THERIAULT
Whoa.
JOHN HAWES
Exactly. Yes. They do tend to keep these things reasonably private.

I know VirusTotal has a very strict privacy policy, and they say they only share with other security industry players for the purposes of security.

But I wouldn't be at all surprised if, as the security operative in a major corporation, I might be able to get access to VirusTotal by claiming it's for research purposes.

But then I might also be able to trawl through other stuff that I find in their feed, looking for interesting information on rival companies, for example, which I think is the point that Direct Defense is trying to make here.
GRAHAM CLULEY
But Direct Defense are— so they're saying that they've come across these executable files, but these aren't Word documents or spreadsheets or something.
JOHN HAWES
They've looked at things like JAR files, so Android applications and things like that, which you can just read through.

And they found things like keys to cloud services like Amazon AWS, Azure, Google Compute, which you could use to then access the cloud resources of that company.

They found App Store keys for Google Play, for the Apple App Store. They found internal usernames and passwords, information about the layout of people's networks.
CAROLE THERIAULT
Gosh.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
And of course, the end user, the business that is employing an antivirus company that's maybe using one of these services, is none the wiser.
JOHN HAWES
Well, yes, that's the thing. Do you know what happens to stuff that your antivirus product finds? Have you read the EULA in that depth?

And if you're an admin in a big company, have you told everyone in your company what's going to happen to the files on their machines if they look interesting to an antivirus product?
GRAHAM CLULEY
So you're reliant on your security firm. First of all, you're reliant on knowing what your security firm is actually doing in terms of cloud-style protection for you, right?

And whether they are grabbing your non-detected files for further analysis and whether they're sending them off to one of these services.

But you're also reliant on these cloud scanning services being very careful as to who they allow in the club. And this isn't very good, John, is it?

Okay, so Bitdefender/Carbon Black, how are they responding to this? Have they made any sort of public statement, do we know?
CAROLE THERIAULT
Can you imagine? They must be running around.
GRAHAM CLULEY
Yeah, but chances are that they may not be the only ones who are doing this.
CAROLE THERIAULT
Oh, totally. But they're the ones who are being named and shamed right now, right?

So that's a hard place to be because responding, saying, "Well, we're not alone," doesn't really fly with the media who are going to be contacting them, wanting a comment.
GRAHAM CLULEY
I wonder as well whether Direct Defense reached out to Carbon Black in advance as well and said, "Hey, we're about to throw this enormous rock into your pond.

You might want some advance warning of this to protect your customers." You know, reading the blog post, it sounds like they've actually reached out to some of Carbon Black's customers to tell them about it, stirring up things a little bit.

I wonder what the reaction will be from some of these malware scanning services online as well as to whether this is a legitimate use of their services.
CAROLE THERIAULT
I actually assumed that they contacted them directly to tell them beforehand. I actually assumed that they did proper disclosure that way with this finding.
GRAHAM CLULEY
They're not saying that they have, so I think we maybe should assume that they haven't.

Well, it sounds like there's going to be a bit of a bunfight in the security industry yet again.
JOHN HAWES
Well, the other thing is also to think about if you're writing a program, to think about the data that you're putting in there and what use it could be put to if someone else got hold of that program.
CAROLE THERIAULT
No, but you can't win. You know, you're sitting in your own office working on something and you're trying to protect yourself.

So you have AV and anti-malware running and unbeknownst to you, it's being leaked out as you work on your dev product or on your application you're working on.

I think it sucks for the end user. That's what I think.
GRAHAM CLULEY
If only there was some sort of independent industry organization which could sort of put together some sort of thought leadership, some standards, John, which maybe could show us the light of how the industry should be working.

I don't know if you know anything like that.
JOHN HAWES
Maybe chicken farming is the future.
CAROLE THERIAULT
It's down to you.
GRAHAM CLULEY
Well, we will keep our eyes peeled to see what happens next with this one.

Sounds like an interesting story, and certainly if you are a user of one of those products which is behaving in this fashion, you may want to speak to your vendor and see what guidance they have as well as to how you might be able to better protect your privacy.

The problem is, of course, you may be able to better protect your privacy, but at the same time you may be lessening your security because there's no doubt that sometimes these things actually will help you find more malware by using these services as well.

So turning off some of those cloud facilities may actually work to your disadvantage. Carole, what have you got for us?
CAROLE THERIAULT
Well, I'm on the privacy bandwagon again. So last week, a San Francisco-based mom filed a lawsuit against Disney on behalf of her kid.

And I wanted to talk a little bit about the subject. So let me just give you a bit of background.

So this mom's name is Amanda Rushing, and she's suing Disney for allegedly tracking children via its gaming apps for the purpose of future commercial exploitation.

And they're doing this, according to the lawsuit, all without parental consent.

She is suing on behalf of herself and all parents whose kids play Disney Princess Palace Pets and 42 other Disney-branded games that allegedly fail to comply with the Children's Online Privacy Protection Act, better known as COPPA.
GRAHAM CLULEY
Hang on a moment. I'm just uninstalling Disney Princess Palace Pets from my iPhone right now.
CAROLE THERIAULT
I was just going to ask if you were a big fan of it.
GRAHAM CLULEY
So good. I'll tell you, as a Disney princess myself, the pets in my palace are just getting out of control. But I didn't know they were also putting my privacy at risk.

I'm just going to delete them.
CAROLE THERIAULT
Now, for those that don't know, COPPA is an FTC regulation, and it's pretty strict about how and when internet companies can collect data about children under 13.

Basically, the gist is to halt developers and third-party advertisers from snooping on and profiting from kids, right? So it all makes sense.

Now, this lawsuit is seeking an injunction to bar companies from collecting and disclosing the data without parental consent.

In other words, parents should okay whether they're happy for their kids to be tracked or not.
JOHN HAWES
Please do.
GRAHAM CLULEY
Yes, yes, please track my children. Fantastic. Yes, please monetize my child's, my kid's childhood.
CAROLE THERIAULT
So let me just— I just want to kind of give an idea to everyone out there what's actually going on.

Okay, so basically the lawsuit is accusing Disney of embedding advertising-specific SDKs within their apps.

Advertising-specific SDKs are kind of blocks of code which operate to collect a user's personal information and then track online behavior in order to facilitate behavioral advertising or marketing analysis.

So this means that Disney's apps and its ad partners who it works with can track your kids' behavior while they play these online games.

And they can collect critical pieces of data from the mobile device.

Now, rather than using names or going after things like email addresses, they often rely on things called persistent identifiers.

So this is kind of a unique number that's linked to a specific device or player.

And these persistent identifiers allow SDK providers to detect a child's activity across multiple apps and platforms on the internet, across different devices, effectively providing a full chronology of the kids' actions across devices and apps over a month.
GRAHAM CLULEY
Okay, okay, so they're collecting lots of data about our kids through their use of these mobile apps. But what's, you know, how are they going to exploit this? What's gonna happen?
CAROLE THERIAULT
Well, the idea is that then you'd sell it to a third party, a third-party ad company, who would then use that to advertise to your kids.

Let's say, for instance, that we agree that Disney is indeed collecting data, and that's found to be the case. Okay.

This whole idea of this anonymized ID number as opposed to identifying the actual identity of the kid is where I think things are going to get a bit sticky.

So Disney is probably going to argue that it's not compromising the child's identity and therefore does not need to worry about COPPA.

The other thing that's interesting is I wonder whether Disney's collating and parsing this data now and not planning to make use of it until the child turns 13. Right?

Because instead of starting from zero, once they're of age, they can have this glut of user information that they've collected while they were younger, not used, and then kickstart the behavioral ads as soon as they turn of age.
GRAHAM CLULEY
Although, how helpful is it going to be having information about what a 6-year-old likes when they're 13?
JOHN HAWES
Yes, I hear you used to be into Cabbage Patch Kids. Do you want some now?
CAROLE THERIAULT
But it might target me later on saying, you used to love Cabbage Patch Kids. Don't you want to buy one for your child now?
GRAHAM CLULEY
Oh, I see. I see. You think now they're going to wait until you're 35 or something like that.
CAROLE THERIAULT
I do kind of think all this tracking, the whole point of it is to kind of build profiles for people over a long period of time. I absolutely do think that.

Now look, okay, look, I'm a kid from the '80s, right?

And basically every single TV show that I probably watched around the age of 10 was basically an ad targeted at kids so that I'd beg my parents for merch in the form of action heroes or plastic vehicles or terrains or costumes or books or whatever.

So we all know that kids are big business for corporations like Disney. But I bring this all back to, aren't you shocked that this might be happening without parental consent?

Like, it's kind of, I can't believe that ads would not request parents saying, are you okay for this?
GRAHAM CLULEY
Oh, but come on. If you've got a game and you're starting a game and it goes blah, blah, blah, blah, blah, okay, people click on okay.

And the kid will be getting their sticky little jam-infested fingers going click, click, click, 'cause they want to go and play Robot Wars, right?

The advertisers can say, "Hey, we did ask and someone gave consent." I think the problem here is that there are apps being made for kids, which are just plugging in advertising SDKs, just bog-standard advertising SDKs, right?

And those advertising SDKs as standard are collecting a huge amount of information about you. What I would like to see are far more games where you can actually buy them properly.

You can spend your dollar or $2 or however much they are, and they don't come with any ads at all because the ads are irritating.

The ads are tracking, you know, they're getting in the way of the fun. And frankly, for a couple of dollars, who cares? Let's pay the money.
CAROLE THERIAULT
You know what?

You make a really good point because I think a lot of people think, oh, well, what's annoying about, you know, the reason to get a free one is to avoid getting the annoying ads, not about the tracking of information.

So people aren't thinking about that. And I think that's right.

I think I'd like to see rather than just parental consent, you know, in a long form and have it be item 65 amongst a whole list, is it has to be explicit.

And, you know, we did the whole GDPR podcast a while ago. But that's all about explicit consent. And I think that's what I would like to see here as well.
GRAHAM CLULEY
But how are you going to make it? So a 10-year-old can't give consent, right? Because they're under 13. Is that the case?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Yeah. So they're too young. So it needs to be something which comes up and says, hey kids, you need to go and get a parent now to approve this.
CAROLE THERIAULT
Well, presumably your Apple ID is tied to a credit card. And the Apple ID, so that's what, maybe that's how they're getting around it.

The kid has access to the Apple ID and is allowed to buy things, you know, with just using, well, put your fingerprint here, it's free.
GRAHAM CLULEY
There are already parental controls on, in that case, iPhone devices, you know, where you can control whether your users can download, you know, whether your kids can download apps and things like that and what apps they can install.

Maybe that just needs to be policed a little bit more.
JOHN HAWES
Yeah, if they just have a little slider in there to say they can download apps, but as long as they're not packed with nasty ads stuff.
GRAHAM CLULEY
Not packed with ads, yeah.
CAROLE THERIAULT
Yeah, I can just hear all the parents out there going, do you know how hard it would be, right, for my kid to come up and go, hey dad, can I have this game?

And you have to go, no, sorry son, you can't have that game because it's going to track you.
JOHN HAWES
Yes. Do kids even care these days?
GRAHAM CLULEY
I'm not sure they would care. And I have to say, that's not an argument I've yet used with my child. So there's an ad in there, which I don't think that would wash with him.
CAROLE THERIAULT
I don't know. And what the— I guess the sad thing for me was looking at comments on this story from different media sources. Most people are like, what a surprise they're tracking.

Like, so people are so apathetic about the fact that kids are being tracked as well, which just feels a bit gross. I don't think we want our kids to be exploited through ads.

I just think it should be completely banned on apps.
GRAHAM CLULEY
But so in summary, thank you very much, Walt Disney.
CAROLE THERIAULT
Yes. Yes. Thank you. Thank you for—
GRAHAM CLULEY
Nice one. Thank you, advertising SDK provider.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And I go back to my advice from earlier. If you can, buy an app and cut out all the ads.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You know, frankly, you get enough enjoyment out of them that you'll probably get even more if you just spend $2 and don't get irritated by any ads any longer.

And the other advantage is your kids won't be tempted to download other games, which are constantly being advertised midway through the game they are playing.
CAROLE THERIAULT
Yeah, just because a game is free doesn't make it safe and good.
GRAHAM CLULEY
All right. Thanks very much, Carole. Let's find out who's sponsoring the show this week, shall we?
CAROLE THERIAULT
And a big shout out to Recorded Future, our sponsors this week. You can sign up to their Cyber Daily newsletter and get their latest insights at recordedfuture.com/intel.

Isn't it time for Pick of the Week?
GRAHAM CLULEY
It is. It's time for Pick of the Week. Pick of the Week. Pick of the Week. I've got my pick of the week. Here it is, not security related this week. It is a movie.

It's a movie called Adult Life Skills. Now, as you know, I am a bit— I'm a tiny, tiny, tiny, tiny, tiny bit of a Doctor Who fan, and I'm slightly excited.

I know I have never mentioned it before on the show. I'm a little bit excited that they've named the next Doctor Who and that it is a woman. Who can imagine that?

And it's Jodie Whittaker. And of course, like every other Whovian out there, I'm now desperate to find out if she's any good or not.

And so I've been sort of scouring the internet for things that she's been in before in the run-up to regeneration. And she's in this movie, it's called Adult Life Skills.

It's an offbeat British independent movie. It's northern, it's set in Yorkshire, it's sad. It's got lots of scenes in a garden shed. I mean, what more could you want?

It's a little bit depressing in places, but I like a bit of depression, frankly. And her life is going nowhere and there's some death in the family.

But anyway, other than that and terminal illness—
CAROLE THERIAULT
Yeah, you're a good salesman for that.
GRAHAM CLULEY
No, it's heartwarming. Listen to me. It's wonderful. I saw it on Amazon Prime, and maybe it's on other streaming services as well.

I think it came out last year, and it's called Adult Life Skills, and I enjoyed it. It's not as good as Fleabag, though.

Starring Phoebe Waller-Bridge, who possibly should have been Doctor Who instead of Jodie Whittaker.
CAROLE THERIAULT
That's what I was just going to ask you. I was just going to ask.
GRAHAM CLULEY
No, Fleabag is better because it's even more depressing and sad and wonderful and yeah, all that kind of stuff. So anyway, Adult Life Skills is my pick of the week.
JOHN HAWES
Sounds delightful.
CAROLE THERIAULT
John, what's your pick of the week?
JOHN HAWES
So I've been watching a Canadian TV series the last couple of weeks. It's actually—
CAROLE THERIAULT
Canadian?
JOHN HAWES
It's not brand new. It's actually about 10 years old, but I think it's just appeared on Netflix or something and it's rather fun. It's called Intelligence.
CAROLE THERIAULT
Of course it is.
JOHN HAWES
And it's a kind of cops and gangsters type show. It's a pretty standard formula.

Our hero is a good at heart gangster guy running his business out of a seedy strip club, as all good criminals do.
CAROLE THERIAULT
Love it.
JOHN HAWES
And he's up against a hard as nails undercover cop lady who's running lots of informants, things like that.

And there's a lot of the politics of both the cops and the gangsters and how they kind of scheme against each other and things like that.

But it's, for me, it's mainly fun for the Canadian-ness.
GRAHAM CLULEY
I bet Canadians can be. Did you know Canadians can be fun? I've always wondered.
JOHN HAWES
I mean, a lot of it's set in Vancouver and a lot of American shows are filmed in Vancouver, movies as well.

But this one is kind of explicitly, it's all very Vancouver-y, and pretty much every scene features someone walking past a beer tap serving Molson Canadian or wearing a Canada cap or something like that.

And it's also quite fun.
GRAHAM CLULEY
Make Canada great again, that sort of thing.
JOHN HAWES
Exactly.
CAROLE THERIAULT
Reminding viewers at every opportunity that this is not a US-made show.
GRAHAM CLULEY
We're in Canada, eh?
JOHN HAWES
Pretty much. Yeah, they say, oh, I better report that back to Ottawa.
CAROLE THERIAULT
I love it.
JOHN HAWES
And it's— but it's also fun because they're selling the marijuana, you know, American—
CAROLE THERIAULT
Sorry, what are they selling?
GRAHAM CLULEY
The weed. Oh, right. Marijuana.
JOHN HAWES
The American cop shows, it's always, you know, it's heroin and cocaine. And you can get quite a lot of monetary value's worth of those in quite a small space.

You know, you get a holdall, you get a couple of kilos, you're laughing.
GRAHAM CLULEY
But I've got a punnet of magic mushrooms here if you like these.
JOHN HAWES
Or these guys, it's like they're shipping 200 pounds at a time.
GRAHAM CLULEY
Oh, pounds in weight. I thought you meant— yes, right. Okay.
JOHN HAWES
It takes up a lot of space.
GRAHAM CLULEY
It's like a truckload.
JOHN HAWES
So our main chap who happens to look exactly like Willem Dafoe, that's another good thing. All the actors are the Canadian version of someone else.

There's a Canadian Ethan Hawke who looks very seedy. But yeah, our main guy is basically logistics.

He runs trucking and shipping and stuff because there's just so much space needs to be taken up to do all this stuff.

And then also that nowadays it's pretty much pointless because it's all being legalized everywhere.
CAROLE THERIAULT
So you're basically saying this is a serious show that was, you know, cops and robbers type show that has— you find a comedy.
GRAHAM CLULEY
Yes.
JOHN HAWES
Oh, yes. It does take itself very seriously. But I think that's also— that's part of the fun.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
OK.
CAROLE THERIAULT
So you're basically saying this is your pick of the week.
JOHN HAWES
I like to think I'm laughing with them.
GRAHAM CLULEY
Well, thank you, John, for the pick of the week. What's your pick of the week, Carole?
CAROLE THERIAULT
Well, I know that many people are going to be jetting off on planes or dashing off to the cabin or heading to the in-laws during the month of August, so I thought I'd recommend some podcasts to you.

So podcast number 1 I recommend is called Secrets, Crimes, and Audio Tape. It's from Wondery. It's hosted by David "Whatavoice" Rheinstrom. I swear his voice is just great for radio.

I love it, I love it, I love it. And this podcast basically dramatizes stories involving crime, politics, love, mysteries, conspiracies.

The scripts are good, the sound effects are good. It's been going for about a year, so that means there's a nice little backlog for you.

And it's all about celebrating the golden age of audio drama. So I love it, check it out. I'm sure it'll make lots of people happy. Second one is called Seriously.

It's a BBC production. It's hosted by Rhianna Dhillon. The website description of this is perfect.

It's basically a rich selection of documentaries aimed at relentlessly curious minds. So no subject is too strange, no idea too weird.

And I think that alone should entice lots of people to go listen to it. And plus, there's a huge archive there.
GRAHAM CLULEY
I've listened to the Seriously podcast before. Oh, yeah. It's good. You're right. It's a totally wide range of subjects in it, isn't it?

You never quite know what you're going to get, but it is interesting.
CAROLE THERIAULT
Well, I heartily recommend Secrets, Crimes, and Audio Tape too, Graham. You should check that out. I think you'll like it, especially the political...
GRAHAM CLULEY
Thank you very much, Carole Theriault.

And that just about is all we got time for, but there's a little bit of extra business because we have opened up some new online places for you to go.

If you are on Facebook, we now have a Facebook Smashing Security group, and you can have a look for Smashing Security on Facebook, or you can go to this link: smashingsecurity.com/facebook, which will take you directly there.
CAROLE THERIAULT
Graham's a huge fan of Facebook, so that's why he set that up.

We also now have an online store where you can buy things like a t-shirt for the global thermonuclear war that's about to begin.

So you can check out the merch at smashingsecurity.com/store.
GRAHAM CLULEY
Sorry, are you suggesting that if you get under one of the Smashing Security t-shirts, that will protect you from the nuclear fallout?
CAROLE THERIAULT
Yeah, the cotton is so thick. The cotton is so thick that you're going to be just fine wearing one of those.
JOHN HAWES
Sophos. Do I get a free one?
CAROLE THERIAULT
I think 5 episodes. If you do 5 episodes, we'll talk.
JOHN HAWES
Yeah.
GRAHAM CLULEY
If you get up to 5 and if you join our Facebook group as well, John, no pressure.
CAROLE THERIAULT
That's outrageous.
GRAHAM CLULEY
We are not doing that.
CAROLE THERIAULT
We are not doing that.
GRAHAM CLULEY
Well, look, that just about wraps it up. Thank you very much for tuning in. Thank you, John Hawes, for joining us from AMTSO. Always a pleasure to have you here.

If you like the show, tell your friends and leave us a comment on what you think. You can go to smashingsecurity.com or you can go to iTunes and leave a comment there instead.

Until next time, toodle-oo, bye-bye!

Show notes:

Please check out the show notes for this episode of the podcast on the Smashing Security webpage.


Hosts:

Graham Cluley

Carole Theriault

Guest:

John Hawes

Thanks to our sponsor:

This episode of Smashing Security is made possible by the generous support of Recorded Future – the real-time threat intelligence company whose patented machine learning technology continuously analyzes technical, open, and dark web sources to give organizations unmatched insight into emerging threats.

Sign up for free daily threat intelligence updates at recordedfuture.com/intel
Thanks to Recorded Future for their support.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
