
A bad software update causes big headaches for Dutch police, but brings temporary freedom to criminals. SIM swaps are in the news again as fraudsters steal millions. And does your cloud photo storage service have a dirty little secret?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Rip Off Britain’s David McClelland.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
News slash, news slash, Smashing Security has made it to the finals of the European Security Blogger Awards. If you can be asked, please go to smashingsecurity.com slash vote, and vote for your favorite security podcast. Voting closes on the 31st of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com slash vote. Now, on with the show. Smashing Security, episode 128, Shackled Ankles, Photo Scrapes, and SIM Card Swaps, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, episode 10000000. It's binary, Carole. Episode 128, my name is Graham Cluley.
Thanks for that. I'm Carole Theriault. Mansplaining, love it.
And we're joined by a special guest broadcaster and binary expert and technology guru David McClelland. Hello David.
Hello, hello. How you doing? Save me from Graham.
We're doing pretty gorgeous and we've got a fun packed show ahead of us tonight.
Well, you know, they do say, you know, speaking of binary, there are, oh no, gosh. One zero. Yes, I was going to go down that joke line, but I realize it doesn't quite sound as good when you say it out loud as it does when you see it written down on paper. Oh, making it up as we go along, folks. Making it up.
Things can only get better. Carole, what have we got lined up on the show this week?
Oh, of course, another entertaining and dare I say it, pertinent episode of Smashing Security this week. Thanks to our sponsors, Gartner, Recorded Future and LastPass. Now, Graham, you plan to prattle about Holland's use of ankle bracelets. David dishes out the dirty on the latest SIM swapping news. And strike a pose, kids, because I'm delving into the world of all things photo storage related and it ain't pretty. All this and much more coming up on this episode of Smashing Security.
Now, chaps, chaps, I've got a question for you. And it's this. Whoa, whoa, whoa, whoa.
Okay, stop, stop. Wait. I have a joke first. Okay, no, I know, I know, I know. But I have a really, really good joke. And if I don't tell it now, I'm going to forget. And okay, you ready?
Okay, it's a really good joke, is it? Go on then, let's hear it.
Hey, officer, how did the hackers get away? I don't know, ransom where.
Oh, God. You're welcome. How come I've never heard that before? Thank you, Reddit. That's quite good, actually, Carole.
I know. Okay, sorry, that's why I interrupted. Now.
David, Carole, have you ever found yourself manacled? I've manacled other people. I bet you have. Have you ever been shackled, handcuffed to a midget on a stag weekend in Lithuania, David, anything like that? Maybe you don't want to say too much. It's nothing to be ashamed of. In this era of Fifty Shades of Grey.
Don't give that piece of schlock an era title. Okay, carry on.
I've done my research in Fifty Shades of Grey. And it turns out it's not unusual for people to practice their reef knots, pop down the hardware store to pick up some cable ties and masking tape. This is what they're all up to these days. It was never like this when I was young. And it was all about milkshakes and going to the malt bar and mini golf and cucumber sandwiches. It was all an era of innocence back in my day.
Yeah, so cool. I love the Dutch.
But the youngsters today are up to all kinds of kinky stuff. And maybe some of our listeners are as well. We're not going to judge. We're not the judging kind, right? We're not going to do that. Well, yeah, you certainly aren't. You're woke, right? Woke. Absolutely. The world of lust and perversion may have passed me by. And that means that, you know, the best chance I have of feeling hard steel, clamped around my extremities, is if I get arrested one day, right? And that's the point of my story in today's podcast, because we are going to return to the land of the Dutch. This is pod jacking, isn't it? That's what you've just done. Now, do you remember last week we talked about those chaps in Dutchland?
I do love the Dutch. And this is becoming a regular feature of our show because, well, it turns out that they've been up to something again. From time to time, even in the free and easy Netherlands, police have reason to trouble criminals with a kindly reminder to behave themselves. Or if that doesn't work, because they're quite tough on law and order over there, they may force them to wear an ankle bracelet, which can monitor their movements. You know these kind of things, Carole? David, have you seen these?
Yeah, I think everyone in the universe knows what you're talking about.
Yeah, I'm not talking about Fitbits. These, if that's right, it's not one of those. Funny.
Well, it is. It is.
Well, maybe. But I mean, these are worn by people who are under house arrest or on parole. And it's sending a radio frequency signal containing their location back to HQ, right? And if an offender moves outside of their allowed geofence, it goes beep, right? And the police get notified. Or if they try and tamper with it or saw through it for a little hacksaw, it goes beep.
Wouldn't it be better just to have little mini spikes on the inside of the ankle bracelet that if they start screwing around, they would just start digging in slowly into the flesh?
This isn't Minority Report. You can't do things like that, especially not in Netherlands.
Just thinking, you know, a lot of police resource being wasted.
You're going back to Fifty Shades of Grey, I think. That's the sort of thing they might want to do over there. Anyway, right. So have you ever considered what might happen if that monitoring technology goes a bit wonky? What the impact may be on the criminals themselves? No. Guess what? It's just happened. Just happened to Dutch police. There was a duff software update pushed out, and it crashed hundreds of these devices. They were monitoring something like 750 people in the Netherlands with these ankle monitoring devices. And they all kind of went...
Well, thank goodness that none of them had Carole's spikes on there, otherwise that would have been pretty painful for a lot of criminals. Goodness me. Poor little criminal.
So according to the Dutch government, this disruption occurred and the signals weren't being received from the ankle bands last week. So does that mean a criminal could just go, OK, I can get out of my whatever, my limited geolocation pen?
Yeah, exactly. They could get outside of their sort of allowed area. They could, hey, hey, you know, even though it's 9 p.m. at night, I can go down the Aldi or the Lidl or supermarket.
And you can't do anything.
Or I could go to the dodgy end of town or I could go and visit those people I'm not supposed to visit. Maybe intimidate some witnesses. You know, it's quite serious. But did they even know that their ankle bracelets had broken? Well, I suppose word must have got round because the way in which the police responded to this was that they began to ring up criminals or began to ring up people who were wearing these things and made house visits and said, hey, look, we just want to make sure that you're behaving yourselves and you stay inside your house. Love the dodge. Some people were actually preemptively arrested and jailed. They were rounded up by the authorities, the most high-risk suspects. So word must have got round that maybe these things weren't working. But I say it's no laughing matter, really, especially for those who may have been fearful that someone who committed a crime against them may have not been monitored by the authorities. I have a question. Yes.
Did the authorities let the residents know that basically there were some criminals that were not being monitored?
Yes. In fact, local media reported, slachtoffers en getuigen worden zo snel mogelijk geïnformeerd. What? Was actually what, sorry? Well, as our Dutch listener base knows, that is me explaining that people who have been victims of crime and people who were witnesses in cases were told that, unfortunately, the people we're monitoring, we're not currently monitoring. So, you know, keep away from your windows or keep your head down.
Yeah, think Mad Max, go nuts, guys.
Well, fortunately, they did manage to fix the problem within about 24 hours. But astonishingly, this isn't the first time that the Dutch authorities have been caught with their clogs off over their ankle monitoring system.
That's a stupidly long time, 24 hours. Do you not think?
Well, I don't know the exact, I'm just saying roughly, Carole, but I mean, the thing was there was some sort of outage of the mobile phone system. These things are operating over the GSM network. And I suppose it's a bit like if here in the UK, for instance, was it T-Mobile or Orange or Vodafone or one of those anyway? They went out, didn't they, for about a day and a half?
Yeah, I think it was O2 a little while ago as well.
I named everyone else. Okay, so maybe it was O2. Hey, you know, we get our facts straight here. But the impact was a bit like Mad Max, wasn't it, Carole? It was a bit beyond the Thunderdome because people could not cope anymore because I don't have a data connection or I can't communicate with my family. Not the first time this has happened in the Netherlands. Last August, something similar happened. There was a widespread outage of the Dutch mobile phone network. Over half of the suspects the Ministry of Justice were monitoring at the time went dark. They didn't know where they were or what they were up to.
It's an interesting thing, though, isn't it? Because you kind of want people out of jail. So electronic monitoring seems like a great way to be able to reduce costs but also give people some kind of limitations on their freedoms. But not if it doesn't work.
I mean, what used to happen before all these technologies? Was there just a really long rubber band or something that they would tie around people's ankles so you couldn't get too far away from your home? Yes, that's exactly what they did. Yes, you're so smart, Graham. Thank you very much.
But I guess the other worrying thing here is that by the looks of it, all of this was caused by a dodgy software update. It's as though once again, someone's rolled out a new software patch to hundreds, thousands, whatever of devices, and somehow the testing just hasn't worked properly. So again, that's the thing that needs to be sorted out. I get that we can leverage technology to civil liberties, whatever you want to call it. But if you don't test it, then this stuff is going to happen. That's the thing that's particularly upsetting here for me.
Right. So maybe if you're going to push out an update to the sort of ankle monitoring systems, for instance, don't send it out to everyone. Maybe you have a subset of less criminal people, people who've been jaywalking, people who, I don't know, didn't tip at the barbers. And those people, you wouldn't have a crime like that, though, in the Netherlands, would you? But you need to find some sort of lesser crime. Try it with them, first of all, and if they have a problem with them, don't roll it out to absolutely everybody.
Yeah, maybe the Dutch police could just kind of walk in and whoever the provider of this said technology is go, dudes, we're the police. We really need to up our game. Do you know? I think I'd pay attention.
Yes. Well, remember, it is Holland as well. So, I mean, they are... What, they just go out for a spliff afterwards? They're just going to be quite relaxed, I think. All of these stereotypes about the Dutch. I used to live in Amsterdam. David, what's your story for us this week? What do SIM cards and Bitcoin have in common, Graham and Carole? An I? Two syllables. So shall we role play that? Shall we have a go at that and see how well it works? So Carole, would you be the mobile phone operator?
Absolutely. Okay, okay, okay.
And I'll be, David, would you like to be the fraudster or shall I be the fraudster?
Oh, no, no, no. You be the fraudster.
All right. Okay, okay. So, all right. Carole, pick up the phone.
Normally it takes about four hours before it picks up. Yeah, I'm giving you the hold music. Hello, you've reached Carole Theriault Company. How can I help you?
Oh, hello, Carole. It's George Clooney here. You may have seen me in television programs such as ER. Now, I've lost my phone. I've had it stolen.
Oh, Georgie.
Yeah. And it's a bit of a nuisance, to be honest.
We would need to answer a few security questions before we do that.
Go ahead. Go ahead. No problems at all.
First off, can you give me the name of your pet?
I've got a new phone with a new SIM. But what I really need, you see, is I need my number switched over. Because everyone's trying to contact me. And so they want to have a word with me. So can we switch over my old number to this number, please?
Yes I can. Tiddles.
Correct. Correct it is Tiddles. No problem. Here you are. You have a new number. Thank you.
Thank you very much. Thank you very much and thank you Wikipedia as well for giving me the information. And that's exactly how it works people. Now the first thing that George Clooney would know about this is when his phone doesn't work. Picks up his phone in the morning and it just says no service.
Go back to bed being like, hallelujah. Exactly. Before you drum up the mental strength to get onto the phone, probably speaking to the bozo who's just given your phone number away to somebody else. And all that time, the forces have done their work and they are long, long gone.
And the way in which they make this comes back to this issue of password resets and websites and services which use your mobile phone as a form of authentication. The point is, once they've grabbed the phone number off someone else, they get your texts rather than you getting them. So they're able to get those magic numbers which help them into a site, for instance. It's almost like they are now in charge of the two-factor authentication. And that's exactly what has been happening here. So there's been a couple of cases that have kind of risen to the top at the same time. Oh. No way. Juicy, juicy. Inside job, yeah.
Unbelievable. I know. From a so-called Bitcoin bandit, he and his team stole $24 million worth of cryptocurrency. It's just ridiculous. It's like the guy I was talking about a few weeks ago, but the guy was suing Apple for a billion dollars.
Carole, what's your story for us this week?
How do you guys store photos? Like, do you use photo storage apps or anything like that?
I do a few different things, but I must admit, I do use one very convenient cloud storage option. You have a cloud storage option for your photos. I do too.
Yeah, we have an Amazon Prime account, and that comes with something called Amazon Photos. And I think they get uploaded to there. There's a lot of big ones. There's Google Drive. There's Microsoft OneDrive. It's been recommended by one of our listeners. I inherently trust them though, because they've already shown great taste. I'm really hoping that Dave's a little bit more skeptical. It might do a bit of digging. Oh, I see. So if you're putting up photos on Facebook, for instance, they will also be backed up to EverAlbum. So all your pictures get up there. And it's great for you as a user, they say, because, you know, all your stuff's in one place. So free. It's completely free. And they say things like high resolution photo storage, get your space back, share your best moments. You can share photos and stuff with people. I'm always nervous of quotes like this. It's a bit like the quotes which you see on the front of books or at outside West End shows where it says, "a marvel," it says, and they leave out the word "hardly" in front of it.
Exactly, because it's on their website, right?
And heaven forbid that some journalists write those quotes just so that their own names get emblazoned on the front of books and posters and so on. That would never happen to a legitimate, responsible journalist. Stop jesting. Yeah, so at this point, I might, I don't know about you guys, but I might go to the Apple or the Android store just to see what people say about the app, how many ratings it has, that kind of thing, right?
Yeah, people are going to find that reassuring. Right?
And so you're thinking, oh, do you install at this point? You've already installed, Graham, but Dave, would you install at this point? Well, I mean, apart from the fact that it's free, I'm just trying to think about what the red flags are here. I mean, clearly you've read the terms of service. Until April 15th, you would have read that term and condition and thought, "OK, I'm pretty cool with this."
Good Housekeeping. Yeah. I know. Get all your app recommendations.
Their tech section's great, Graham. You should try it.
I think it's a trusted household brand. I think consumers would trust something like Good Housekeeping. I do.
All right. And then Gizmodo, so for people like you, Gizmodo listed it as one of the best photo album apps you've probably never heard of, right, as a kind of cool hipster app.
The fact that it's free isn't necessarily a bad thing because, of course...
There's in-purchase things, yeah. Exactly, because there may be sort of professional tiers where you pay or something for more features. Little crowns. Back in your box, okay. Because just last week MSNBC News delivered what I feel is an incredibly scoopy story, right, all about EverAlbum and what they were really up to with all our photos.
That's a lot of selfies, isn't it? Goodness me. What MSNBC's investigation team uncovered is that the photos people were sharing were being and are being used to train the company's facial recognition system. And that Ever then touts this technology to private companies like law enforcement and the military. Yes, well, that would have ruined their business model, wouldn't it, telling people that's what they were going to do with it. You can't tell someone you're stealing from them. Yeah. Jacob Snow, a civil liberties attorney, said they are taking images of people's families' photos from a private photo app and using it to build surveillance technology. Well, I think they've been a bit wimpy. I don't know why they've stopped at this.
Yeah. I don't want to sound all conspiracy, but I'm willing to bet there's more than a smattering of startups out there and app firms that are touting for our attention today and are doing something very similar to this. And they're doing it without our knowledge and consent because there's not enough liability laws in this space to help control this kind of behavior.
Well, you mentioned tech startups. It's not just the tech startups that have been doing some interesting things in this area as well. So NBC and the amazing Olivia Solon, I think it was back in March, wasn't it? Yes. So they did an expose on something that IBM has been doing with its facial recognition AI, where it's been taking a look at faces that are in the public domain, specifically from Flickr photo sharing site of Yahoo, Flickr. Yeah. And that's really interesting because I'm just thinking actually while you were saying that, that from what I read, Ever Album changed their privacy policies based on this MSNBC, you know, working on the story. So they did this prior to it and updated their privacy policy. I think it was April 15th, if I remember correctly. Stinky bowels. Clunk flush. Thank you, Carole. Excellent. Oh, I think we need a little refreshing now, don't we? Need something just to cleanse the palate a little bit. We are also sponsored this week by our friends at LastPass. Now, Graham, isn't it something 90% of security breaches involve stolen password or a poor password?
Yeah, stolen passwords, poorly chosen passwords, reused passwords. Passwords are really sort of the hinge pin of so many security attacks which happen, which means that you probably want an enterprise password manager like the one offered by LastPass.
Listeners can learn all about LastPass Enterprise at lastpass.com slash smashing.
You don't have to say forward slash by the way, you can just say slash, just so you know.
And last but not least, we are supported this week by Gartner. Gartner is the world's leading research and advisory company, and they are having a big event.
It's Massivo, I'll tell you. All the big security vendors are going to be there. They're going to and much more. It's all taking place between June the 17th and 19th at the Gaylord National Convention Centre in National Harbour, Maryland. So I'd really recommend that if you are a CISO, IT security and risk professional, you probably want to go to the Gartner Security and Risk Management Summit.
And listen up, listeners, you can receive $350 off the registration fee by using the code SMASHING with a G. To learn more, visit smashingsecurity.com slash Gartner. And welcome back. And you can join us in our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week! Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. dad I didn't agree. It's nice. It's nice. There you go. There you go. It's rare. And looking at these videos on here, there aren't that many of them. What are there, about 15 or so there? Probably less than that. Let's put David's suggestions in the show notes as well. CGP Grey, that's his name, isn't it? CGP Grey, yes. Well, I guess I'm going to cheat a little bit in the means of self-promotion and say that BBC Rip Off Britain is on television at the moment. This is a series that I've been working on since 2012 as their tech face. I give up. I know, it's crazy, isn't it? It's just so gross. Everything's so gross.
I think something like this has been happening at my house because we get regular deliveries from Amazon, which are a complete mystery to me. But it's like four times a day someone comes along delivering a parcel or something. Anyway, so that's not really my pick of the week. Oh, okay, right, right. I've watched a lot of these. Is it Geoff Marshall? He's obsessed with the underground to the extent that he's held the world record for what's called the London Tube Challenge. And this is where you have to visit every station on the London Underground in as short an amount of time as possible. Carole, seriously, this is brilliant. You've got to look up this guy on YouTube. So a couple of years ago, he travelled around to all 2,563 railway stations in Great Britain, along with his now wife, Vicky. And this year, he visited... What a woman.
I'll have to speak to my wife to find out if that's...
If you watch A to Z of all the movies and shows he's put
Yes, indeed. He's managed to get a video tag of every single station.
So he would have Coleraine train station where I spent many a night trying to get into a town to go into a club. Yes, I remember it well. I will locate that. I don't think he's put all the videos online just yet. I'm just looking at the website. It looks like Northern Ireland may not have been updated all the videos yet, but he's obviously been to all of them and taken videos. Yes, and he also put out a feature-length documentary on that as well. So, yeah, look it up. It is youtube.com slash all the stations, all one word. And yeah, there's a load of stuff on there. Cool. Well, he's got that great characteristic about him, which is sheer enthusiasm. And that's why tuning into anything on BBC4, television channel BBC4, history documentary, whatever it is, you're watching people who are so passionate about their subject. Fantastic. Well, great pick of the week. Thank you very much, David. Apologies, Graham. So I am sure you have something to apologise to me for, something big. What? Carole, I'd like to apologize for... Oh, there have been so many things. method. Just go ahead. Just go ahead.
Carole, I'm sorry that you thought that I made a mistake and somehow you have taken offense by what I did when I did it in the best interests of the podcast. You see what I mean, folks. We've all received shitty apologies. It's a little bit wonky Yeah, so it made me think of you. Get a spine, right? Okay, well, I will go and find it. While you've been speaking, I have dug out from my little notepad how to say sorry.
Well, act them out. Act them out to David. Say you've done David an injustice. That's too much imagination. I'm going to explain to you how it's done right. And for the benefit of the listeners as well. Do you know what? That is nothing compared to this apology. Okay. And the final thing is don't excuse or explain. And that's it. Apparently, those three steps I've been told. this whole apology is actually about sexual harassment, right? So that's a big deal.
That's a pretty good apology because that's a pretty bad thing to do.
Me listening to it also forgave him. If I was thinking in my head if this were happening to me and this was the apology I got I would I would take it I'd be like okay done for real I'm not kidding so take a listen it's good and I'm you know well done to This American Life for publishing something so cool
Interesting well with that insight into a little chink inside Carole's heart where can I just
Say one more thing actually to make this a little bit more interesting, the guy who delivers this apology is someone a little bit famous. He is a co-creator of one of my preferred TV shows Rik and Morty and he was also NBC comedy show called Community and that's where it all happened.
The community, the hacking?
No, no, not the community. That's why I smirked earlier, but there you go interesting so it kind of gives it all a bit of a little twist.
There you go and well you know what, what a great show it's been this week. All kinds of things for us to explore and for listeners to check out, listen to things, watch videos. You did great Graham. Discover, no I'm not talking about me. I'm saying you know we've had Geoff Marshall's train videos, we've got your episode of This American Life Carole.
Well, it's probably on Twitter, where I am, at David McClelland, all the C's, all the L's. And you can follow us on Twitter at Smashing Security, no G. Twitter won't allow us to have a G. And you can also join us on Reddit. We have a Smashing Security Reddit up there as well.
Not if you have a skin condition. We are hugely obliged to this week's Smashing Security sponsors, LastPass, Gartner, and Recorded Future. Their support helps us give you this show for free. out, would you see every single station that's in Ireland and Northern Ireland?
I call it your episode, I wish I produced it, but I think on that note it's a perfect time to wrap things up. David, thank you so much for joining us on the show this week. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
So be sure to check out their offers and high five to all you listeners out there. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us. Terrific. Until next time. Cheerio.
David, David, I have a question for you. Shoot. Who is your favourite Julia Somerville, Angela Rippon or Gloria Hannaford?
I could not possibly say that. I will say that all three of the ladies are amazing in their own ways and they all bring something very different to the show and Angela Rippon is as formidable in real life as she comes across on screen. She certainly does not suffer fools gladly but yeah they're all great.
You handled that beautifully.
Hosts: Graham Cluley, Carole Theriault
Guest: David McClelland – @davidmcclelland
Show notes:
- Vote for Smashing Security in the EU Security Blogger Awards
- Software update crashes police ankle monitors in the Netherlands — ZDNet
- Irishman facing more than 100 years in US prison for alleged $2.5m cryptocurrency fraud — Independent.ie
- U.S. investor awarded $75 million in cryptocurrency crime case — Reuters
- The SIM Swap Fix That the US Isn't Using — Wired
- Everalbum Photo Organizing App — YouTube
- Facial recognition's 'dirty little secret': Millions of online photos scraped without consent — NBC News
- Everalbum Review — Good Housekeeping
- OverSimplified — YouTube
- CGP Grey — YouTube
- The Difference between the United Kingdom, Great Britain and England Explained — YouTube
- BBC One – Rip Off Britain, Series 11, Episode 3 — BBC iPlayer
- All The Stations
- Get a Spine! — This American Life
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
“The Threat Intelligence Handbook” is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
Smashing Security listeners can save $350 off the standard registration rate by using the code “SMASHING”. Go to smashingsecurity.com/gartner for more information.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.