Smashing Security podcast #093: Abandoned domains and dating app dangers

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Smashing Security #093: Abandoned domains and dating app dangers

How do fraudsters exploit abandoned domains to steal your company’s secrets? How can you better protect your privacy when looking for love online? And who has the longest arms in the animal kingdom?

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
There's also the issue of having this whole, you know, when I leave a job, I'm leaving behind a ton of email, right?
GRAHAM CLULEY
You're leaving behind rubble, Carole. When you leave a job, there's destruction and fire.
CAROLE THERIAULT
That's right.
GRAHAM CLULEY
Blood everywhere.
CAROLE THERIAULT
Yeah, everyone's begging me not to go.
Unknown
You do the full Jerry Maguire. Smashing Security, episode 94. Smashing Security Episode 93: Abandoned Domains and Dating App Dangers with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security Episode 93. My name is Graham Cluley.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And Carole, up until about 5 minutes ago, we had a guest, didn't we? We've just lost them.
CAROLE THERIAULT
Well, we did have a guest, and he may come back on the show. I really would love to have this guest on the show.
GRAHAM CLULEY
Yes, we've never had him on before, and we were really looking forward to him.
CAROLE THERIAULT
And this was the most serious example of technical difficulties I think I've ever encountered.
GRAHAM CLULEY
It sounded like he was in a jet engine.
CAROLE THERIAULT
Do you know what? I think we should include a snippet of the audio in this podcast so people can understand.
GRAHAM CLULEY
You don't think it'd be too painful to listen to? Cover your ears, folks.
CAROLE THERIAULT
Yeah, okay. And listen to this. We'll only play it for 2 seconds just so you can understand what we just had to do.
GRAHAM CLULEY
Can you hear us, David?
CAROLE THERIAULT
He's gone. Is that any better? So that is why our wonderful guest, David Emm from Kaspersky, will join us at a later date.
GRAHAM CLULEY
I think even the best post-production wizards probably couldn't have restored that audio. And so it's just gonna be you and me, Carole, flying solo today.
CAROLE THERIAULT
Oh dear. I'm not sure how I feel about that. Your story better be good.
GRAHAM CLULEY
I'll do my best. Many of us have worked in big companies, right? And we know that it only takes one person to make a boo-boo to allow the hackers in.

Imagine running a company, hiring new staff, and worrying that one of them might bring their bad password habits into the office. Horrendous nightmare.

That's one of the reasons why businesses small and large need a password management solution like LastPass Enterprise.

LastPass brings a vast array of features for enterprise users, including company-wide policies, reporting, user groups and roles, and new support for Microsoft Active Directory.

As an administrator, you can create highly secure passwords for your new starters right from the onset. Means no snafus.

Listeners can check it out for themselves by visiting lastpass.com/smashing. No more password snafus, no more boo-boos, just LastPass.
CAROLE THERIAULT
MetaCompliance, the security e-learning experts. Make learning best practice engaging and fun.

Through stories, realistic scenarios, the MetaCompliance guys provide animated e-learning and even games like phishing drills to test your knowledge.

Plus, these guys get passwords, they get GDPR, they get security, and they've won awards for security awareness.

Smashing Security listeners, you guys can get 10% off by visiting smashingsecurity.com/metacompliance and entering the code SMASHING. That's smashingsecurity.com/metacompliance.
GRAHAM CLULEY
So I want to talk today about the problem of abandoned domain names.
CAROLE THERIAULT
Ah, this is an interesting topic.
GRAHAM CLULEY
Well, actually, one of the reasons why I was thinking about it today is that David Emm is one of the very first people I ever met in the antivirus industry.

When I was a wee young thing, I went to work for a company called S&S International.
CAROLE THERIAULT
Were you ever wee?
GRAHAM CLULEY
Well, it's about the same height as I am now. But anyway, I went to work for this company called S&S International who made Dr. Solomon's Antivirus Toolkit.

And David headed up the technical support department.

Eventually the World Wide Web arrived on our doorstep and we created email addresses and we had things like, so I was , I think.

And we had a website at drsolomon.com eventually as well. And those domains were acquired by McAfee when McAfee bought our company.
CAROLE THERIAULT
Not Mr. McAfee.
GRAHAM CLULEY
No, Mr. McAfee was no longer on the scene, but McAfee Inc.
CAROLE THERIAULT
I don't think he's been on the planet for ages. Very true.
GRAHAM CLULEY
Well, this was before he'd gone the full McAfee, as it were.

But yes, so they acquired the domain names and of course they wanted any customers who are looking for information about those products to find out about McAfee and its solutions instead.

Now I went to those domain names this morning. And if you go to sans.co.uk, you don't see the old website of S&S International or even of McAfee.

Instead, you get to a web page which says, "SANS, are you looking for sandy beaches?" And it's all about beaches for some reason. And drsolomon.com is even sadder. That is now Dr. Solomon's Casino Blog, where they are promoting online casinos. So clearly McAfee did not renew these domains, and they've fallen into the hands of other people. Now that—
CAROLE THERIAULT
They might have donated them as well.
GRAHAM CLULEY
You think they donated them to a beach website or to a casino blog?
CAROLE THERIAULT
Well, okay, no, I don't think they donated them. They may have just dropped them because they didn't need them anymore.
GRAHAM CLULEY
Well, I am going to give you some good arguments why perhaps you should keep your old domain names indefinitely if you are a company, because there is some new research done by a guy called Gabor Szathmari of the anti-phishing firm IronBastion.
CAROLE THERIAULT
Why are all computer names so masculine and hard, like Iron Bastion?
GRAHAM CLULEY
I know that it's never little fluffy little cute rabbits, isn't it? Or Twinkle D Security or something like that.
CAROLE THERIAULT
Yes, that'd be nice.
GRAHAM CLULEY
It would be so much nicer, but no, this is Iron Bastion.

And anyway, Gabor Szathmari and some of his colleagues decided to acquire 6 abandoned domain names, some of them formerly owned by Australian law firms.

He's based down in Australia.
CAROLE THERIAULT
Uh-oh.
GRAHAM CLULEY
Now, I don't know if you're aware about this, Carole, but you can actually sign up to lists of domain names that are about to expire and become freely available.

So when companies have chosen or simply forgotten to renew them, and you can say, oh, that one looks interesting, I'll have that. I'll put down my $3.
CAROLE THERIAULT
That makes sense. If you know they're coming up for sale, you would like to have a heads up.
GRAHAM CLULEY
Yeah. There's normally a sort of grace period. It may be up to 30 days or so for the company who may have forgotten to renew it to go and grab it before someone else.

But quite often, you know, people just simply allow domains to die. Well, that can be a problem.

And what Gabor and his colleagues focused on were legal practices, because they figured it like this: legal practices, you know, they're established and wound up just like any other business happening all the time.

But what makes them unusual is that they frequently merge with each other or are acquired, and that often coincides with a name or a brand change.
Hacking Humans, one of those sort of outfits. And suddenly we don't become cluleterio.com anymore.

We become cluleteriocyberwire.com or something like that.
CAROLE THERIAULT
Why is it Cluleterio?
GRAHAM CLULEY
Oh, just alphabetical. No other reason. It's just, I just think it sounds—
CAROLE THERIAULT
Oh, sorry. No, no. Yeah. Just for arrogance.
GRAHAM CLULEY
But so that means the old domain name, cluleterio.com, is surplus to requirements. And maybe after a while we simply don't renew it, right?

We forget about it because we've forgotten about it. Yeah. We have a new spiffy brand.

Well, bad guys can register that abandoned domain name and take control of its email services, and that's what Szathmari did as well.

He grabbed some domains, set up the MX records, the mail server records, to forward any email sent to those domains to him using a catch-all system, and waited for sensitive information to begin to pour in.

Okay, sounds like a cunning plan, doesn't it?
CAROLE THERIAULT
I don't understand why sensitive information would start pouring in.
GRAHAM CLULEY
Well, some of your clients and business associates may still have your old email address in their address books.

They may have it as an autocomplete when they're typing in addresses to send to. They may not have heard that you've rebranded, for instance.

Or maybe you signed up to websites which are providing you with information, and you simply forgot to update those websites and web services with your brand spanking new email address.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
So the old email address is getting information. Now, the first problem they suffered with is spam. Lots and lots and lots of it.
CAROLE THERIAULT
This is Szathmari suffering.
GRAHAM CLULEY
That's right. So the researchers—
CAROLE THERIAULT
He's buried underneath the pile. Huge piles of it.
GRAHAM CLULEY
Huge piles of it. And they quickly realized we're going to have to put a serious anti-spam filter in.

But once they'd waded through all that, they did find email correspondence which was sensitive.

And they realized that they were able to use the email accounts which they now controlled, Carole Theriault at clueletheriault.com, for instance.
CAROLE THERIAULT
I'm not working there, just letting you know.
GRAHAM CLULEY
To reset passwords to online services. Right?
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Because an email address is all you need to initiate a password reset on many online services.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Which means you can then change the password for your business or for the staff who used to work there.

And so it'd be possible to reset passwords on your G Suite from Google or Office 365 and access the archives of old email, which the company used to be receiving.
CAROLE THERIAULT
This is a confidentiality nightmare.
GRAHAM CLULEY
Isn't it horrendous?

So if people can access your old email, that could be a real godsend for business email compromise and fraud and things like that, because it's— they've hacked in.

Well, they have hacked into your email in a way, haven't they?
CAROLE THERIAULT
Mm-hmm. Absolutely. Yeah.
GRAHAM CLULEY
And then there are staff who use their business email addresses on online accounts for various online services.

Now you can work out where people might have had accounts by using services like haveibeenpwned.com, okay?

An email administrator for an organization, so basically , can go to Have I Been Pwned, say, "Hey, I basically run the email for this organization," and you can confirm it by receiving an email.

"Let me know about any data breaches involving staff who have the same domain name as me."
CAROLE THERIAULT
Ouchie ouch.
GRAHAM CLULEY
Now that's really handy. That's a good service Have I Been Pwned offers you. I do it for my own domain name, right? Graham Cluley dot com.

It's only me working here really, but you know, I've got different email addresses and I want to know if any of them appear in a data breach.

And that's a real shortcut for any criminals. Now it gets even worse. There is a rival service to Have I Been Pwned called SpyCloud.

And SpyCloud does something which I'm rather less comfortable with, which Have I Been Pwned doesn't do, which is it doesn't just tell you the email addresses which are in different data breaches, it also tells you the passwords.

So if you run that domain, it will say, "Oh yes, Fred at your domain had an account on LinkedIn and this is the password that has been breached."
CAROLE THERIAULT
But presumably SpyCloud's trying to ensure that you are the administrator of said account.
GRAHAM CLULEY
That's correct. But the fraudsters have acquired the domain username, so they look like they are the administrator of that particular mail server.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
So now the bad guys don't even need to reset the password. They've been given it. And so people can log in.

And as Szathmari, the researcher who was looking into this, says, the results he got showed that many legal eagles were using very weak passwords, were reusing passwords constantly, and are likely to be using the same passwords in their new job or at the new domain where they're working.

Or in their private life as well. It's pretty serious stuff, isn't it? Do you want to hear something worse? Because it goes on.
CAROLE THERIAULT
Do you want to hear something worse?
GRAHAM CLULEY
Because there's social media.

Many people have got their past work email addresses associated with their LinkedIn profile and they forget to remove them when they no longer work there or if the company is rebranded.

Because what do you care if you don't get an email from LinkedIn anymore? You know, it's like a bonus, isn't it?
CAROLE THERIAULT
But there's a number of issues here. One is the issue of people reusing passwords.

But there's also the issue of having this whole, you know, when I leave a job, I'm leaving behind a ton of email.
GRAHAM CLULEY
You're leaving behind rubble, Carole. When you leave a job, there's destruction and fire.
CAROLE THERIAULT
That's right.
GRAHAM CLULEY
Blood everywhere. You know, it's pretty dramatic.
CAROLE THERIAULT
Everyone's begging me not to go.
GRAHAM CLULEY
You do the full Jerry Maguire, right? When you're going.
CAROLE THERIAULT
But all those emails, you know, the thousands of emails that I'd sent, some may be personal, some, you know, sensitive to work issues.

And I'm trusting that company to either delete those, or archive them or encrypt them in a safe way.
GRAHAM CLULEY
Yeah. In this particular case, it may not be that you even left the job. It's maybe that your company has been acquired or merged or changed brands.
CAROLE THERIAULT
Changed brand. Yeah.
GRAHAM CLULEY
And suddenly you no longer have control over that old email address, as it were, but it still has access to so much information.

People are using that email address, maybe for their Dropbox account, where there could be confidential information, or PayPal. Gabor Szathmari also found that it was possible to access court portals used by Australia's federal court system and access legal info.

All kinds of bad stuff going on.
CAROLE THERIAULT
Really interesting research.
GRAHAM CLULEY
So plenty of ways to commit fraud by various methods by using this technique. I think what we need to do is we need to give some advice at the end of all this, right?

Because I'm sure this will be sending shivers down many a spine.

One thing I'd recommend is if you're a company and your domain name changes or you get acquired or something, don't let the old domain name wither and die.

It doesn't cost you very much. It'll only cost you maybe $10 a year or something.
CAROLE THERIAULT
But that's your only option, isn't it? There's no way that you can safely retire.
GRAHAM CLULEY
It's probably the easiest option is to keep renewing the domain name or register it for 10 years and put a note in your calendar or whoever, of course, who's going to take over your job to make sure that you renew it.

There's something—
CAROLE THERIAULT
But I don't mean to be devil's advocate here, but you know, if I've got a great domain name, you know, if I, like you, Sands, for example, that would be a very valuable domain name now.

It's nice and short, right? Sands.co.uk. It's a great little name. I'm sure lots of people would want that. And of course, you'd probably get a pretty penny for it as well.

So what you're saying is even though someone's not using it, you just got to cling to it forever.
GRAHAM CLULEY
Well, the other option is that you can close user accounts that were registered with the business email address, but you're then going to be rather reliant upon your users to take heed of your advice and say, hey, anyone who's set up a Dropbox account using their old work address, court portals, PayPal, or who knows what else, you need to go in and wipe it.
CAROLE THERIAULT
Your dating profile.
GRAHAM CLULEY
Yeah, or LinkedIn or Facebook. They even encountered email notifications that had really sensitive information, like text-to-email services.

So I've actually got this set up on my phone, for instance. People leave me a voicemail, I actually get an email with a transcript of what they've said.

So I don't have to listen to the message, right? I get that emailed to me. Now, if that was going to my old domain email address, that could be embarrassing, couldn't it?
CAROLE THERIAULT
Well, I don't know. I don't know what you write.
GRAHAM CLULEY
So other things, use unique and complex passwords, obviously. And the other really great piece of advice, multifactor authentication.

So even if they've got your password, when they try and log in, it's going to ask them for an additional authentication.
CAROLE THERIAULT
But that's the real point here. This really drives home the importance of using unique and complex passwords, but also the two-factor component.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
That's, yeah, I think that's the one thing that as a user, not as a business, but a user can do.
GRAHAM CLULEY
Yeah. And, you know, I think we're always banging the drum, aren't we, about multifactor authentication and its value in securing our accounts. Not enough people are doing it.

You know, always remember the three main authentication factors. What can be easily guessed, which might be your password, what can be left in a cab and what can be chopped off?

Think about those factors. Use those to better protect your online account.
CAROLE THERIAULT
This is like Lorena Bobbitt's piece now. What's her name? Lorena? What's her name?
GRAHAM CLULEY
I think Loretta Bobbitt. I think it's actually her husband's piece is what you're talking about rather than hers. Oh, that's right.
CAROLE THERIAULT
Sorry. Of course. Thank God. That would be much easier to do, I suppose. Over to David.
GRAHAM CLULEY
Can you hear us, David?
CAROLE THERIAULT
Okay, stop that. Stop that. Let's go to a real— we'll get him on for real one day.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Well, I want to rap about online dating.
GRAHAM CLULEY
Rap?
CAROLE THERIAULT
I know, but I got to tell you, you know, I listen to these stories of friends who use apps like Tinder, Plenty of Fish, OKCupid, Match. There's a million of these things.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And I don't even feel a smidge of jealousy. There's all these issues of ghosting and penis pics and meeting people who look very different from their profile pics.

And it's just, ugh. These apps though are seriously big business. Tinder alone claims to be responsible for over 20 billion matches. Can you believe that?

Tinder and Bumble are amongst the top earners in the Apple App Store as well. And according to Statista, 1 in 5 US internet users have used dating websites or apps.
GRAHAM CLULEY
Yeah, I can well believe it.
CAROLE THERIAULT
Yeah, I believe it too. Big, big, big money.

Now, yes, I do actually know a few success stories, you know, people that have met, people whose paths would never have crossed had they not used one of these dating apps, right?

And now they fall in love, they marry, they start a family, and it's all bliss, bliss, bliss.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But there's also some really yucky stories out there. So less than a month ago, a man known as Clements— he's the bad guy in this, okay?

He's from Atlanta, and he scared the shit out of a potential date he was meeting via the dating app Jack'd.

All right, so he invited the victim, aka date, over, and when the date showed up at the house, Clements demanded $100 from him.

When the victim said he had no cash, Clements apparently ran outside, jumped into his own car, and honked the horn repeatedly, saying he had friends inside with guns.
GRAHAM CLULEY
Oh, crumbs.
CAROLE THERIAULT
Clements told him to get in the car and they drove off to a cash point so that Clements could rob him.
GRAHAM CLULEY
That's horrific.
CAROLE THERIAULT
But there's worse than this story. The New York Times have been covering this story about a Connecticut man named Drayton.

Now cops are accusing Drayton of using dating apps to prey on women. Earlier this year, Drayton was arrested on charges that he choked an ex-girlfriend in Nassau County, New York.

Now Drayton had a list of violence against women as long as a gibbon's arm. I say gibbons because I looked it up and they have the longest arms relative to body size.
GRAHAM CLULEY
So a little tip for you, never let it be said that Carole doesn't do research.
CAROLE THERIAULT
Never let it be said. Exactly. So it should have been a no-brainer, right, to get this guy to face up to the consequences for his many crimes.

However, due to some clerical error, his out-of-state criminal activity against women was missing from the court file.

So last month, the judge waived bail and let him out on his own recognizance to await trial.

And two weeks later, the cops say Drayton used Tinder to find his next female victim, a young nurse from Queens he met on the app. Drayton is now accused of her rape and murder.

This guy seems to be the definition of a monster.

So when the cops located this guy in an LA hotel room, the cops say Drayton was holding another woman captive whom he had just raped.

He nabbed this one after convincing her to share an Uber.
GRAHAM CLULEY
Goodness.
CAROLE THERIAULT
I know. So you look at all this and you just think, God, with so many people using these dating apps and using it for kind of fun and socialization—
GRAHAM CLULEY
I mean, this is obviously all horrendous. I mean, it's absolutely horrific. But you can't blame this on the dating apps, can you?
CAROLE THERIAULT
No, no, no, I'm not trying to blame it on the dating apps, but I think what is important is that we think about how we can use these apps a little more safely.

And the interconnectivity of all these apps and social accounts happens a lot under the hood. Not a lot of people kind of see how they all interconnect.

So I have a few points here, a few tips that might help keep people a little safer while they're out there trying to look for love.
GRAHAM CLULEY
Okay. Some top tips.
CAROLE THERIAULT
Yes, top tips. Okay. So number one, never share your full name, address, or phone number. That's a pretty obvious one, right? Use an anonymous username whenever possible.

And in fact, use a different handle than you do on other social apps and accounts, right? Because people can find you by searching for particular handles.

So use a unique handle for each app that you're using.
GRAHAM CLULEY
Okay. Yeah. All right.
CAROLE THERIAULT
The other thing is think about the photo. Use a unique primary photo.

It's not hard for people to be able to kind of find you on Facebook, for example, and be able to go, yep, same picture being used. Excellent.
GRAHAM CLULEY
Even more than that, there's reverse image searching on Google, for instance. So—
CAROLE THERIAULT
Absolutely. Good point. Yeah.
GRAHAM CLULEY
So make sure it's a picture which just simply is not on the internet, full stop.
CAROLE THERIAULT
Yeah. Maybe just of your baby, your pinky finger or something. That should be enough to get them interested.
GRAHAM CLULEY
That's how I would choose a date. Yeah.
CAROLE THERIAULT
Now avoid linking to social accounts like Instagram, right? Instagram profiles can give away a lot more information about your favorite places and your favorite activities.

And it can also give access to not only your photos, but photos and comments made by your friends. Avoid putting in your workplace or school.

It is super easy to find someone on Facebook by filtering the school name or the workplace. Right? Because that makes this kind of a small network.
GRAHAM CLULEY
Okay, yes. So the search is of, yeah, less people.
CAROLE THERIAULT
Yeah, yeah, it makes the haystack much, much smaller.

And one of the things is be cool with blocking people, you know, if you get any kind of creepy vibe or weirded out vibe, just block them.

There's tons of people out there, there's no need to kind of put up with any stuff like that.

And think about what you post, you know, oversharing and giving away location or identity-based info, that's what you want to avoid, especially until trust is, you know, established.

Think about using a burner number or the equivalent of a burner number.

So at this year's DEF CON, Lauren Rucker advised that dates set up a Google Voice number and maybe even have a video chat using this Google Voice number or burner number before you meet in person.

Now, Google Voice is only available in the US, I think, still. I don't think they've rolled it out further than that. But for non-US, you may want to look at apps like Swytch.

That's S-W-Y-T-C-H. This is because people like Graham have kept all the names to themselves. This is an app that detaches the number from the SIM card and hosts it in the cloud.

So according to the Next Web, Swytch lets you use up to 5 burner UK phone numbers from a single device. And that might be a cool way to get around that.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And be careful, of course, with location features. Location, location, location.

Just for example, if you're checking in on an app and you're always checking in from home and you're always checking in at work, it can be pretty easy for someone to kind of get an idea of what your schedule is, your vicinity, and where you're going to be at what particular time.
GRAHAM CLULEY
There's a lot to think about, isn't there, if you're out there doing dating online?
CAROLE THERIAULT
There's too much to think about, isn't there? It's too much.
GRAHAM CLULEY
And also, I mean, although this is all great advice and I think people should follow it, in the two cases, the two examples you gave, this wouldn't actually have helped them because the risk there was when they actually met the person that something bad happened.

So there's even more advice I imagine out there as to what to do when you actually go on the date, you know.
CAROLE THERIAULT
Tune in next week. You know, it is scary.

And the other thing that's interesting about this though is if you put all these things into action, so say I was on these dating sites and I'm looking for someone, if someone did all these things—
GRAHAM CLULEY
Like you're not, like you're not crazy.
CAROLE THERIAULT
Oprah. Yeah, my husband loves me on those.
GRAHAM CLULEY
He doesn't listen to the podcast, right? You're totally safe here. You're amongst friends. You can share with everybody.
CAROLE THERIAULT
I think I started this whole thing by saying I am not wanting to be on any of these at all. No interest.

But the thing is, if someone were acting in this way, that might give me— be weird for me because I'd be like, I can't find them anywhere online. So there's a catch-22 here.

There's a catch-22.
GRAHAM CLULEY
When I first asked my, well, she's now my wife, out on a date, she told me that before we actually went on the first date, she Googled me to try and find out information.

Apparently, this was perfectly normal. And this is 15, 16, 17 years ago.
CAROLE THERIAULT
She still went out on a date with you?
GRAHAM CLULEY
So it's way, way back then, but she did that and it was perfectly normal. She said her and her friends would do that, would search on the internet.

And, well, she did find out about some Graham Cluley, but she didn't believe I was likely to be the computer security one.

She thought I was just someone with an equally unfortunate name, although it turned out I was that guy.
CAROLE THERIAULT
Yeah, so it's a difficult one. And, you know, again, these horror stories don't happen every day to every single person.

But I think it's about keeping your wits about you and maybe look at this list of advice and see which ones are appropriate for you to do, and especially for women, right?
GRAHAM CLULEY
All kinds of weirdos out there, which we need to protect ourselves against. And most people are nice. But yeah, you've got to stay safe, haven't you?
CAROLE THERIAULT
All this to say, you're responsible for your own safety. Be aware that apps share information.

Check the privacy information within the app to see what they're sharing and consider which of these tips are good for you to implement and won't get in the way of finding the love of your life.
GRAHAM CLULEY
The ultimate question to find out if someone's a weirdo or not is to ask them what computer security podcasts they listen to.
CAROLE THERIAULT
Yes, that is definitely the first question I would ask.
GRAHAM CLULEY
And if they say, what are podcasts? Or I don't listen to podcasts, kick them to the curb.
CAROLE THERIAULT
Run! Run for your life!
GRAHAM CLULEY
Kick them to the curb.
CAROLE THERIAULT
Hey, Clue.
GRAHAM CLULEY
Hey, Carole.
CAROLE THERIAULT
Did you listen to my little bit about MetaCompliance and their e-learning?
GRAHAM CLULEY
Oh yeah, I heard that earlier in the show. Yeah, nice. Yeah.
CAROLE THERIAULT
Okay. Well, have you signed up yet?
GRAHAM CLULEY
Well, no, I've been doing the podcast, Carole. I haven't had time to sign up for it, have I?
CAROLE THERIAULT
Well, women know how to multitask. Surely you can get a move on and sign up. We get 10% off. Just go to smashingsecurity.com. You should know that website.

Slash MetaCompliance and enter the code smashing with a G.
GRAHAM CLULEY
Smashingsecurity.com/MetaCompliance. Enter the code smashing. Terrific.
CAROLE THERIAULT
With a G. Cool. Hey, Graham. Hey, Kyrill, I have a question for you about these password manager things you keep talking about.
GRAHAM CLULEY
All right, go on then, shoot.
CAROLE THERIAULT
What happens if you forget your master password? What are you going to do about that?
GRAHAM CLULEY
Oh, you think you're really clever, don't you?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You think if you've forgotten your master password, you can't access any of your other passwords anymore.

Well, piff, paff, poof, Carole, because if you're running LastPass Enterprise, you can integrate your password manager with Microsoft Active Directory, and that means the same password that your employees are already comfortable with using to log into your system will unlock everything.

It will unlock their passwords, it will unlock their work. Makes it super easy to bring LastPass into your enterprise.
CAROLE THERIAULT
Seriously? And it's still super safe?
GRAHAM CLULEY
It's still super safe. Wow!
CAROLE THERIAULT
That's kind of cool.
GRAHAM CLULEY
It's a great way of getting new employees using passwords more safely and securely.
CAROLE THERIAULT
Rock on, LastPass, I say!
GRAHAM CLULEY
And Carole, if you or indeed our listeners want to try it for themselves, all they need to do is go to lastpass.com/smashingsecurity. And welcome back.

And you join us at our favourite time of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. That was David.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Please never be security related. Mine is not this week. Is yours?
GRAHAM CLULEY
Mine is not security related either.
CAROLE THERIAULT
Woo-hoo!
GRAHAM CLULEY
My Pick of the Week is, and you're all gonna think that I'm just obsessed with video games.

Because, you know, we talked about Overcooked and Maria talked about Octopath Traveler the other week.
CAROLE THERIAULT
Well, that has nothing to do with your interests.
GRAHAM CLULEY
Well, okay, don't ruin it.
CAROLE THERIAULT
Can't help it.
GRAHAM CLULEY
Well, okay, I'm just saying that, you know, the podcast has had lots of recommendations for video games and I'm going to recommend another one.

Once again for the Nintendo Switch, which is the mightiest of all the video game consoles. And it is a game called Bomb Chicken.
CAROLE THERIAULT
Okay, is it a bit like that one where the pigs are thrown into— what is it, pigs in the houses, the birds, Angry Birds?
GRAHAM CLULEY
No, it's nothing like Angry Birds.

Well, it has cute graphics, a bit like Angry Birds, but this is your everyday story of a chicken suffering a freak accident and becoming a bomb-laying free-range hero.
CAROLE THERIAULT
Oh yeah, I've heard that happens every day.
GRAHAM CLULEY
Of course. And it's developed by a company called Nitrome, who made their name making lots of mobile games, and this is their first ever game for a console.

What I love about this game is it's really, really simple, very addictive, and actually very hard. It's simple in terms of what you can do.

All you can do is go left, right, or lay a bomb.
CAROLE THERIAULT
Oh, good, it's not challenging your brain too much then.
GRAHAM CLULEY
Exactly.

So the only way to go up, for instance, is to lay bombs underneath you, and you start going up on a Tetris tower of bombs which then begin to explode, and you don't want to be an exploding chicken.

But that's how you move around, and then you do a bit of left and right, and there are things— it's a bit like a platformer, and it's very entertaining. It has slightly retro—
CAROLE THERIAULT
I have no idea what that means.
GRAHAM CLULEY
Oh, come on, like Jet Set Willy, Mario, right? Think of Mario, right? Jumping on things and then climbing up ladders.
CAROLE THERIAULT
Oh, is that called a platformer?
GRAHAM CLULEY
Yes, it's called a platformer game. I didn't know that. Yeah, yeah.
CAROLE THERIAULT
There you go.
GRAHAM CLULEY
What did you think it was called? A plumbing game?
CAROLE THERIAULT
No, I had never thought of it in those terms.
GRAHAM CLULEY
Anyway, it's really good fun.
CAROLE THERIAULT
Look, you learned about gibbons. I learned about platforms.
GRAHAM CLULEY
And that is why I am recommending, and I think it's a good one to recommend because it's from an independent game studio and we need to support those guys rather than just the big companies.
CAROLE THERIAULT
Especially after all the Fortnite fiasco that's been going on.
GRAHAM CLULEY
Yeah, Fortnite. They've been rather upset with Google, haven't they?
CAROLE THERIAULT
They're in the water that is seriously boiling at the moment.
GRAHAM CLULEY
Anyway, Bomb Chicken for the Nintendo Switch. Maybe it'll come out for other platforms in the future as well, is my pick of the week.
CAROLE THERIAULT
I tell you, I'm definitely going to check it out, but I'd be lying.
GRAHAM CLULEY
Well, come round to my place sometime and I will show you Bomb Chicken.
CAROLE THERIAULT
Maybe I will.
GRAHAM CLULEY
Don't consider that a date. Carole, what's your pick of the week?
CAROLE THERIAULT
The same way that you may talk about games a lot, I talk about podcasts a lot, and I have yet another podcast to recommend.

This is all thanks to me having a lot of trouble sleeping, right?

And I subscribe, I don't know, I was looking at this the other day, I subscribe to over 100 podcasts, and I listen regularly to about 12 of them.

And still, I'm always looking for new, or at least new to me, podcasts.

You know, you think you're so connected, and you think you know everything about podcasts, you know the landscape, and then suddenly this brand new one just pops into your echo chamber, and you're like, oh, this is great.

The other night I was listening to a podcast I've talked about on the show before called We the People Live, hosted by journo Josh Szeps, and I'm a big fan of that one.

And on that show he was interviewing the host of the Godless Spellchecker Podcast. So the Godless Spellchecker Podcast is an award-winning weekly show served up in long format.

The host is bright, thought-provoking, and he interviews public figures and also unknowns who have important stories or views to share.

Thing is, Stephen Knight seems to talk about a lot of the issues that many of us just shy away from.

So religion, politics, gender issues, societal issues, they're all fair game here. Now I've only listened to 3 or 4 episodes so far, but I find it super listenable.

I find him a critical thinker, and I love talking about these issues that are affecting us all. Now that's not to say that everyone's going to agree with him.

The whole motto of the show actually is, I think we've all learned something here today.
GRAHAM CLULEY
Does he ever talk about multifactor authentication or poorly secured Amazon buckets?
CAROLE THERIAULT
Do you know, even people that are in love with technology occasionally need to get away from it.
GRAHAM CLULEY
Yes, I know, but I just think maybe he should be covering those very important issues too.
CAROLE THERIAULT
You're not scraping the barrel or anything. Check out The Godless Spellchecker with Stephen Knight.

It will help solidify your thoughts and opinions whether you agree with them or not. So that's the reason I suggest it.
GRAHAM CLULEY
Cool. Okay, cool. Is there any explanation why it's called the Godless Spellchecker?
CAROLE THERIAULT
Not that I've found yet, but as I said, I've only listened to 3 or 4, so it's not clear to me yet. He's a self-professed atheist, so maybe that's where the godless comes from.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And spell checker, maybe he's just close friends with Clippy or something like that.
GRAHAM CLULEY
Maybe he likes to draw a little red squiggly line under people's words. Well, that just about wraps it up for this week.

We're sorry not to have brought you a guest this week, but as you heard, I think it's for circumstances beyond our control, but hopefully he will be back in a future episode.

If you want to follow us on Twitter, you can do so @SmashingSecurity, no G, Twitter won't allow us to have a G.

You can go to our spanking new refurbished, wonderful online store to grab merchandise like stickers and t-shirts. They're going like hotcakes.
CAROLE THERIAULT
It's been really popular, hasn't it?
GRAHAM CLULEY
It has been very popular actually. Go to smashingsecurity.com/store. And thank you for tuning in. If you like the show, give us a rating on Apple Podcasts, write a review.
CAROLE THERIAULT
It really helps people find the show. It really, really does.

I keep hearing about people saying to me, oh, I saw this review and I thought it sounded great, and then I discovered you and you're amazing.
GRAHAM CLULEY
Do they say to you, you're amazing?
CAROLE THERIAULT
Yeah, they say, they say, Carole, you are so amazing. I don't know how you put up with that Graham chap.
GRAHAM CLULEY
And on that bombshell, I think it's time to say cheerio. Bye-bye.
CAROLE THERIAULT
Bye everyone.
GRAHAM CLULEY
David, you gonna say bye-bye? Right, well, there we go.
CAROLE THERIAULT
It's okay.
GRAHAM CLULEY
Yeah, I thought it was all right.

Hosts:

Graham Cluley

Carole Theriault

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: MetaCompliance

People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management. Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit www.smashingsecurity.com/metacompliance now.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
