
Microsoft issues warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself off the internet after you murder your podcast co-host?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who aren’t joined by a special guest this week.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
That's not a bad idea, Crom. I think we could make a difference there. Well, it's better than
Microsoft's outreach at only getting 2,000. Oh, come on! I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft. You know, we have a lot of listeners.
I'm not sure it would be possible to actually work out who made the biggest impact.
It's about saving the world, Graham. Smashing Security, episode 131. Zap yourself from the net and patch now against BlueKeep, with Carole Theriault and Graham Cluley.

Because we're fricking busy right now and it's InfoSec this week and we have to do talks. Anyway, to make up for all that disappointment, I suppose we better explain what's coming up on the show this week. Thanks to this week's sponsors, Recorded Future and MetaCompliance. Their support helps us give you this show for free.

A hooga, a hooga, a hooga, warp, warp, alert, alert, alert, Carole. We are on a countdown to destruction. Is this a bit of fear and doubt? Well, but maybe not uncertainty. Something ghastly this way comes, I have to say, because do you remember a couple of years ago? Well, of course you do. You remember WannaCry, right? It was a serious nightmare here in the UK. Horrendous. Because many hospitals and health services were just crippled. Yeah, awful. That worm was able to spread so quickly because it exploited a critical vulnerability in Windows. And even though Microsoft had issued a security patch for that vulnerability almost 60 days beforehand, WannaCry still successfully struck. Many computers had not been properly protected against it, and well, we saw what happened.

Can I ask a question, sorry? I haven't used Microsoft products in a very long time. However, how come updates aren't automated? How come updates aren't automated? Right? Well, you're right. Many consumers may well have automated Windows updates, and that's fantastic. Some people sadly have not.

Like an old married couple. It was a Saturday. It wasn't a Friday. It was a Saturday. It happened at four o'clock. Remember? Don't you remember? What's wrong with you? You can't remember anything. You don't remember? WannaCry? It was 2017. It was 2016. It was 2017. Okay, fine, fine. I get that.
But I think that maybe if Microsoft want to retire a product that they sold in good faith to people, maybe they should do a buyback scheme, right? But it's not a question of making it cheaper to buy the software. The problem is the computers which are possibly running these older operating systems aren't capable of running more up to date. That would be true certainly in things like the NHS or certainly was in case of WannaCry. But do you think for home users who are also potentially exposed to this, that's still an issue? There's still lots of people who don't want to change their operating system or don't want to update their computer if it's working just fine. I just last night, I was around my father-in-law. I will feel the same when I'm his age, when I'm presented with Apple 87 or whatever. I'm not far off, how dare you.
Well, last week, Microsoft issued its second warning about BlueKeep, begging computer users to patch their systems. Reports have emerged that there are nearly one million computers directly connected to the internet, which were vulnerable to this BlueKeep flaw. It's so nice that they're able to tell that just by sniffing around on the internet and looking around. Well, you can scan ports. Now, some of those are quite likely to be honeypots set up by researchers, but I doubt that they account for 923,000 vulnerable computers. And the thing is, it doesn't mean that that many computers are the only ones you have to worry about, because some of those computers will be inside organisations.
Yeah, exactly. Take heed, folks. Take heed. Right. So there's a real risk that we might see a big worm. Maybe we need to put a challenge out to all our thousands and thousands and thousands of listeners to go out and tell one person who you don't think is very computer savvy, who uses Windows, to make sure they update. If we all do that, that would be a good thing.
That would be a good thing. So if you're at the bus stop or if you're...
With a Dell, bashed up Dell laptop. Under their arms. Oh, so, I hope you've been updating that. Microsoft's outreach at only getting 2,000. Oh, come on.
I'm not sure it would be possible to actually work out who made the biggest impact or not.
It's about saving the world, Graham. So at the time of recording, there's no sign of an actual malicious worm exploiting this vulnerability, but it's likely to only be a matter of time. And there've already been a number of researchers and white hats who have successfully created exploits demonstrating how the flaw could potentially be exploited by a worm.
I'm imagining I'm doing that if I had a Windows machine. Okay. Yes, don't do this if you've got a Mac, by the way. Yeah, well, it'd be hard. It'd be difficult to find that Control Panel. Or if you've got a PlayStation as well. Again, not going to work. Or if you're listening on your Game Boy. Again, not going to happen. So you're in Windows Control Panel, choose System and Security, and you will see an option there which says Windows Update. Click on that.
Right? Yep, when they actually are. It wasn't a very big jump of faith, that one, was it? What? Teach them well? No, children are the future. Yeah, good. Right. It's on the ball that guy.
Anyway, there you go. BlueKeep, protect yourself. And I hope by the time the next podcast comes out, we don't have to say, oh dear, we all got hit by that BlueKeep worm. Worm? You sound drunk. Drunk. Yeah. Drunk. What story have you got for us this week, Carole?
Well, Graham, do you remember The Fugitive with Dr. Richard Kimble, who was accused of a crime he didn't commit?
So there was a TV show, wasn't there, in the 1960s? Yeah, there was a movie as well. A movie starring Harrison Ford. Harrison Ford. Harrison Ford, yes, yes.
Now, I want you to imagine that you're in a similar scenario, okay? Inspired by the storyline, I decided to write one just for you. Okay. So an occasionally entertaining cybersecurity pundit and podcaster, Graham, has found out that his podcast co-host, Carole, has been murdered ferociously in her own studio. It looks like someone strangled her with her Sony MDR headphones. The local Thames Valley police force locate you and accuse you of murdering me. You start thinking of all the rubbish emails and communiques you've sent over the last 20 years of knowing me.
I've never even met her. I podcast remotely. We're not in the same room. It couldn't possibly be me.
I know, but think of all the stuff sent to me over the years and even sent about me. All the stuff we edit out from the show. I'm being framed. I'm being framed.
You, Mr. Graham, need to scrub your digital footprint clean of any incriminating evidence.
Yes, I do. And the idea, you think, is to make it as hard as possible for the cops to associate you with anything related to my unfortunate and very devastating demise. Right. But where to start, right? Where do we look?
Yeah, I thought I could change my name to Steve Gibson from the Security Now podcast. That may be a sense. Just try and divert the police onto another security podcaster. Yes. Okay, well, that's interesting because there are services out there where what they try to do is to delete your online profile. So one of them is called DeleteMe and one is called Deseat.me. These are just two I looked at. D-E-S-E-A-T. Deseat you from the seat. Oh, okay. Yes.
Similar situation to you, the murderer. How do you wipe clean the photocopier? Yes. After you've taken a... Yes.
That's very good, Graham. I'm impressed. I'm impressed.
Well, exactly. I'm now going to have an account with them. The police can go to them. Right. So what have you been doing for Mr. Cluley? Yeah. Exactly. Because he's wanted for murder. Murder. Yeah.
Well, that's the worst thing, yes.
For you, yeah, your ego would really take a hit there. Now, okay. Now, would you ask Google to remove any personal information from its many, many services? Because there are webpages that allow you to do this.
Well, I have previously logged into Google and asked it to delete information and not track information. And I've been through their account settings in the past. Yes, right. But that's different. Are you talking about the actual search results? Because sometimes when you do a search result, it says some of the search results have been hidden.
For example, you may have information on Blogspot from days of yore. You might have information on YouTube videos. You might have left crazy comments somewhere. Oh, yes, definitely. Saying, God, cool, this is a stupid video, because there's lots of places you might be and you may want to get that scrubbed.
So if I understand you correctly, what you're saying is if you don't want to use services like Deseat.me or DeleteMe, you can at least get Google, which kind of promises or is offering to delete some of the records it stores about you, to do the cleanup, and that's for free, I imagine.
I'm just giving you a few little options here on how you can reduce it so you can try and trust a third party to do it with you and for you by using services or paying for services. You can also go look at Google. Google is a bit of a monster on the web right, they're the ones that hold the most amount of information about most of us, you know, because you want to basically you don't want the cops to get you right?
It's very good that you're mentioning all this and giving me these tips, Carole, before the actual murder takes place. This is very handy. I'm sure plenty of our listeners are appreciating this as well.
All our listeners, if something happens to me, they're going to know who to point the finger at Mr. Cluley.
Well, I imagine that all this advice only applies if you're the murder victim, right? Not if anyone else. I don't want to give anyone else any ideas regarding murdering anybody else. I'm not telling anyone how to murder anyone other than...
Not that I want you murdered either, Carole, but maybe... No, but you're sort of telling them how to cover their tracks. Interesting. Interesting.
Okay, carry on. Now, another idea is removing everything that might be stored on the cloud, right? And keep everything local. So a lot of people, you know, the real big privacy experts would say everything should be on a removable hard disk, right? And all backups should be on hard copy only, like on a USB key or whatever. Do you have any thoughts on that?
Well, I have both local backups and online backups because I like to have backups in different places. As long as they're sort of encrypted and secure, I don't mind that too much.
Yeah, that suggests, though, that you're more concerned about not losing data that you have as opposed to safeguarding your data from prying eyes.
No, I don't think so, because all of those backups are encrypted and I sort of hold the master key for them. Right. So other people shouldn't be able to access them, although I'm using cloud-based services in some cases for those backups. It's not as though I believe they would be easy for others to peruse.
But like there is a pitfall, right, if you get too obsessed with erasing your entire footprint on the web. Because you're flirting, A, you're flirting a bit with privacy burnout where you just can't care anymore. You know, it's like my nephew was over yesterday and he was playing Wii and he was doing some kind of sword fighting thing and he was really into it. And as soon as we kind of yanked the handset out of his hand, he literally just collapsed on the ground. He was so focused. Like he literally got burnout, he just collapsed and didn't move for about 15 minutes. So I'm wondering if people are going to, you know, you run into that kind of danger if you really start looking at trying to make everything private. And the other problem with it is it actually might have a counter effect of employers or dates, future dates, finding it strange that they can't, you know, find any information about you online.
Yes, maybe you've come here under an assumed name. Maybe your name isn't Graham Cluley. Maybe your name is Emily Buckwater or something. And yeah, that would be. It does seem rather a nuclear option to me.
But I think for the rest of us maybe a smarter approach is not to panic about all the data that's out there on you but focus on what, just focus on the important stuff like stuff that's personally identifiable and lock that down as much as possible and every user obviously has to decide for themselves what information they're comfortable sharing and what information they want to keep private.
So if for instance Google had a search record that I'd been searching in the web for details of, you know, how to strangle someone with a microphone cord or something like that. So those are the sort of things to remove rather than, you know, what time does Waitrose supermarket shut tonight?
Or I'd like to make a fish pie tonight, give me a recipe. The thing is, I don't know. I think there should, you know, we should all try and retain some measure of privacy, because if we don't, we're strangling life out of our individual right to have it. So now there's a few things. So here's just a few little things we can do. So EU subjects, anyone who lives in the EU can use GDPR to get companies to delete previously collated identifiable info. It's not easy, but for some services where you've shared a lot of information, it may be very worthwhile.
Well, I guess you can try and if you did have something which was potentially a little bit embarrassing, one thing you could do is try and lose it in the noise, couldn't you?
Yes, like needle in the haystack approach, right?
But if there are websites which are saying something nasty about you, then maybe you want lots of web pages which are saying something nice about you. And then people are less likely to stumble across the one which has something unpleasant. So do some good people and get people to write about it. And maybe people will forget those mistakes you've made in the past, such as that unfortunate microphone murder.
And you know what we could do? We could actually distill it to the big ones. So I've made a list of five big things I would do. The best result for the least amount of effort, according to me. Let's see if you agree with it, right? So first, delete messages, pics, tweets, comments, emails that you no longer want or basically make you look bad, right, Graham? Lock down apps and profiles as much as possible. So if they ask for, you know, I need to know your location at all times and you're thinking why you're just a chess app, you can turn that off.
Right. And look at your privacy settings is basically what you're saying as well. So if you're on social media, make sure that you're not sharing it with the entire world, but just sharing it with the people on the social network that you want to share your personal information with.
Yeah. And some people would say, why share anything personal on social media at all? Why don't you just go, oh, look, it's pretty outside today. You don't have to. You want to use different passwords for every account. Obviously, you know, I use a reputable password manager. I find it useful. I think you do too, Graham. We talk about it a lot. Use multi-factor authentication. So 2FA, it's also known as. Very good. And then the things you can consider is encrypt your data like Graham does. Use a VPN, which helps obfuscate your traffic and what you're looking at. And most importantly, don't kill anyone, especially not your co-host.
I think maybe that should have been number one, Carole. Rather than...
I want to end on something powerful.
Okay. So if you only remember one thing, Graham...
Yeah, don't kill me. Quote, most business security breaches are the result of one thing, sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts. Unquote. That's my co-host, Graham Cluley. This is what he says on the LastPass Enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organisation. The way to manage that is get a password manager. And the one we recommend is LastPass Enterprise. Check it out at lastpass.com slash smashing. We also are sponsored by MetaCompliance. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training.
Yeah, they do online training. They've gamified it. It's animated e-learning. It teaches you and your staff all about the risks of phishing and other threats which may impact them inside business. And best thing, it's not boring. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com slash metacompliance. On with the show. And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Better it not be after last week's debacle.
Well, mine has a tangential security connection. Do you mean tangential? Oh, I don't know. It's okay. Did I say tangential?
Yes. Is that what happens if you go to the tanning salon without your underpants?
Oh, dear. Anyway, my pick of the week this week is a TV show which I've been binging on. And it's not a barrel of laughs.
I thought you'd been all busy, busy. You keep saying how busy you are.
Well, I managed to slip in four hours of TV watching. I've still got one episode to go of Chernobyl.
Oh, I've been hearing about this everywhere. What are you watching it on?
Well, it is available on HBO in the United States and Sky Atlantic over here in the UK. And we don't have Sky, but Mrs. Cluley wanted to watch the final season of Game of Thrones, and so we found an online service where we paid some money and it hasn't quite expired yet. So I had to poke around and see what else they had to offer us. Now Game of Thrones is over and they had Chernobyl. I thought, oh, everyone's talking about that. I'll go and see. Yes. Oh, my goodness, Carole. Is it good? It is chilling. It does, of course, dramatise the true story of the Chernobyl nuclear accident. Fun. Well, no, it turns out, Carole, not so much fun, and yeah, the occasional bit of little gallows humour. It is tremendously well done. It is shot so beautifully. It is incredibly filmed and it is just absolutely gripping. It sort of has the actual accident itself. It has its aftermath, the cleanup and, of course, the cover-up.
So you're jumping on the Chernobyl bandwagon along with every other journalist out there. Is that right?
Well, there you go, that's what I've done. If you haven't had a chance to watch it, go and watch it. If it's not on your streaming service, hopefully it will be someday and you'll get a chance to watch it because it was quite interesting. The security, do you remember the security link, Carole? The security link? What, tangentially? Tangentially was because there was, of course, a Chernobyl virus back in the day. Oh, that's very tangential. Which triggered on the date. And I suppose it was a failure of their industrial control system as well. Was it not? But no, I imagine many people listening. I mean, I'm of an age where I remember the Chernobyl accident, and I imagine you do too, Carole, but there will be listeners who were too young to remember it. But it really comes across in this programme just how much more serious it could have been. I mean, it was horrendously serious.
Thank you for bringing so many really lighthearted and interesting topics to the show. Well, that's what we do. That's what we do on the show, Carole. Well, sometimes it's a giggle, sometimes it's smutty, and sometimes it's deadly serious. Welcome to the world of Smashing Security.
Well, until this morning when I sent you the video that I am featuring on my pick of the week, had you heard of Nellie Bly?
No, I'd never heard of Nellie Bly.
Okay, that's very cool. Because, you know, she was an American journalist from, you know, the Victorian Times.
It's true. I'm sure they did. Queen Elizabeth, Queen Victoria.
Yes. Well, they had to be queens to get mentioned. Boudica.
So there's no real reason that she might make it into your school books, particularly those when you were at school, I'm sure, featured many, many men of historical note as opposed to women.
Yeah. Yes, I suppose.
Now, I had never really read a lot about her or watched any documentaries on her before. So when I saw this little Atlantic article show up in my feed this week, I checked it out. Now, just for those who don't know, Nellie Bly is the name of one of the first daredevil gotcha female journalists. And her shtick was to go undercover and do, quote unquote, stunt reportage. So where you never really identify yourself as a reporter, but then later on do a gotcha and expose the company or the person explaining all your experiences with not holding anything back.
Right. So she's like an undercover investigative journalist getting the scoop.
She did something. OK, so what she's best known for was her first big stunt or what I know to be her first big stunt. So it was in 1887. She got herself committed to the women's asylum in New York City. So it's called Blackwell Island. And she spent 10 days there as a psychotic patient faking psychosis. And the point was to collect stories and facts and then expose them all in her column.
My goodness.
Yes. And, you know, she had to trust. She just went up to, I think it was the editor of The World, Mr. Pulitzer, and she basically said, OK, he offered her this. He said, we can't get in. We're all guys. We can't get in there. Can you? And so she did. That's the terrifying thing, isn't it? I mean, if you throw yourself, I don't know if you've ever done this, Carole, if you've ever put yourself into a mental asylum and pretending to be mad.
Podcast, Graham, is a similar analogy.
And then, of course, if you're trying to get out afterwards and you're trying to convince them that you're sane, well, that is what a mad person would do, isn't it? Yeah. And it's an unbelievable story. And it's led to many, many more stunts. And it's kind of all touched upon in this gorgeous 12-minute video. The film director, Penny Lane, uses animation and documentary-style reenactments.
I really enjoyed it. And I liked that the animation part of it was sort of made out of newspaper headlines. They actually sort of made the landscape. And like you said, there was this asylum story, but there was also a story of how she set the world record for going around, circumnavigating the world, you know, on train and steamboat. And she did it in about 72 days.
Yeah, she wanted to beat Jules Verne's Around the World in 80 Days concept.
She met him en route when she was in France. And I also got a little tidbit because I was quite fascinated by this little video. I thought you would like it. I was reading up about her on Wikipedia and I found out that she married, when she was in her early 30s, she married some 73-year-old uber businessman. And of course he popped his clogs just a few years later and she inherited quite a lot. She was quite a woman. And this was also the days before the suffragette movement as well. I mean, she went all around the world. She only took one dress with her and a couple of pairs of underpants.
Oh, and you know what? She was annoyed that people focused on that, and so was I watching this video.
Everyone kept talking about her outfit, the fact that she didn't have a humongous trunk. Honestly.
Well, if she'd had a humongous trunk in Victorian times, Carole, she'd have been the elephant woman. Boom, boom. Oh, whoa. Well, that just about wraps it up for this show. Carole, if you want to follow us on Twitter, you're already following us on Twitter. But if you at home want to follow us on Twitter, we are at Smashing Security. No G. Twitter wouldn't allow us to have a G. And we're also on Reddit. You can continue the discussion with us up there at smashingsecurity.com slash reddit.
And shout out to our sponsors Recorded Future and MetaCompliance. Their support helps us give you this show for free, so check out their offers please, and high five to you listeners as well. We're so glad you listen to us week in, week out, until
Next time cheerio bye bye bye. Have you got your pop screen on? I have a problem. What's your problem?
The A on my keyboard, 30 seconds ago, decided to stop working. Any advice? It's going to make taking notes a real pain.
Only the letter A? Have you dropped some coffee on it? What have you done?
No, no, no, nothing. Just the letter A. It's just not responding at all? Look, I'll write you a message in the little thingy-majig. Yeah, go on then. Okay, I'm pressing a lot of A's.
I'm not seeing anything. Oh. Look. Okay, I'm looking. You've written... I'm pressing A-A-B-B, A-A-B-B. Oh, the B's are coming through, but no A's.
Yep. Anyway, fun times, even with caps lock. So the key's dead. So I need a new keyboard. So that's fun.
Welcome, everybody, to the latest episode of Smashing Security.
Hosts: Graham Cluley and Carole Theriault.
Show notes:
- WannaCry ransomware hits systems worldwide — Graham Cluley.
- WannaCry – Who's to blame? — Smashing Security #021.
- Remote Desktop Services Remote Code Execution Vulnerability CVE-2019-0708 — Microsoft.
- A Reminder to Update Your Systems to Prevent a Worm — Microsoft.
- Microsoft practically begs Windows users to fix wormable BlueKeep flaw — Ars Technica.
- Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) — Errata Security.
- Intense scanning activity detected for BlueKeep RDP flaw — ZDNet.
- Greatest Love Of All (Official Music Video) – Whitney Houston — YouTube.
- DeleteMe.
- Deseat.me.
- Removing Content From Google.
- I want to know how to go about deleting everything about myself online — Reddit.
- Remove yourself from the internet, hide your identity, and erase your online presence — ZDNet.
- Chernobyl Trailer — YouTube.
- The 23-Year-Old Woman Who Pioneered Investigative Journalism — The Atlantic.
- Undercover in an Insane Asylum: How a 23-Year-Old Changed Journalism — YouTube.
- Nellie Bly — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
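For listeners who would rather check a Windows machine than trust that someone clicked through Control Panel, here is an added example; it is not code from the show, from Microsoft, or from any of the articles linked above. It assumes an elevated PowerShell 3 or later session on the host being checked. It reads the same registry values the Remote Desktop settings dialog writes, reports whether Network Level Authentication is on (the mitigation Microsoft's advisory for CVE-2019-0708 recommends alongside patching, because it forces an attacker to authenticate before reaching the vulnerable code), and checks whether anything is listening on the RDP port. Because the KB number for the fix differs per Windows version, the patch check is only a heuristic: it looks for any security update installed on or after 14 May 2019, the day the fix shipped, and says so in its verdict.

```powershell
# Added example (not from the show or from Microsoft): local exposure check for the
# BlueKeep RDP flaw (CVE-2019-0708). Assumptions: elevated PowerShell 3+ on the host
# being checked; "an update installed on/after 14 May 2019" is a HEURISTIC for the
# fix being present, not proof of the specific KB.

$fixShipped = Get-Date '2019-05-14'

# 1. Affected OS family? Windows 8 / Server 2012 (NT 6.2) and later are not affected.
$os = Get-WmiObject Win32_OperatingSystem
$affectedFamily = [version]$os.Version -lt [version]'6.2'

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means connections allowed.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0

# 3. Network Level Authentication: UserAuthentication = 1 on the RDP-Tcp listener.
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'
$rdpProps = Get-ItemProperty $rdpTcp
$nlaEnabled = $rdpProps.UserAuthentication -eq 1
$port = $rdpProps.PortNumber          # 3389 unless someone moved it

# 4. Is anything actually listening on that port? (netstat works back to Windows XP)
$listening = [bool](netstat -ano | Select-String -Pattern (":{0}\s+\S+\s+LISTENING" -f $port))

# 5. Heuristic patch check: newest hotfix installed since the fix shipped.
$recentFix = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $fixShipped } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

$verdict =
    if (-not $affectedFamily) { 'OS not in the affected family' }
    elseif (-not $rdpEnabled) { 'RDP disabled: flaw not reachable over the network' }
    elseif (-not $recentFix)  { 'AT RISK: no update since the fix shipped. Patch now; enable NLA and block TCP ' + $port + ' at the perimeter meanwhile' }
    elseif (-not $nlaEnabled) { 'Likely patched (heuristic); enable NLA anyway' }
    else                      { 'Likely patched (heuristic) and NLA enabled' }

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    OSVersion        = $os.Version
    AffectedOSFamily = $affectedFamily
    RDPEnabled       = $rdpEnabled
    RDPPort          = $port
    Listening        = $listening
    NLAEnabled       = $nlaEnabled
    NewestUpdate     = if ($recentFix) { '{0} ({1:yyyy-MM-dd})' -f $recentFix.HotFixID, $recentFix.InstalledOn } else { 'none since 2019-05-14' }
    Verdict          = $verdict
}
```

Run it on the machine itself, or wrap the body in Invoke-Command to sweep a domain. Two caveats a practitioner would want: a host with RDP disabled today can have it switched on tomorrow, so the patch still matters, and the only authoritative check is confirming the version-specific KB from Microsoft's advisory is installed; the date heuristic just tells you where to look first.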
For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
“The Threat Intelligence Handbook” is an easy-to-read guide will help you understand why threat intelligence is an essential part of every organisation’s defence against the latest cyber attacks.
Download it for free at www.smashingsecurity.com/intelligence now.
People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
Listeners can get a 10% discount off the high-quality CyberSecurity eLearning catalog by quoting the code SMASHING. Visit smashingsecurity.com/metacompliance now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.


Microsoft need to wake up to the fact that they have destroyed users' trust. Ordinary people don't know what 'surprises' are inside the next update from them.