
Scammers steal millions by impersonating a French politician, we offer fashion tips for DDoS attackers, and hear how a small town fought a sextortionist preying on young women.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Jess Crowe, have you ever firebombed a building?
Oh, firebombed. I just— I only heard cocktail. A Molotov cocktail. Okay, okay, okay, okay, okay.
I was— Yes. You've had cocktails at the Bank of Israel.
So first he tries to DDoS them. That doesn't work. And then he decides to firebomb the bank.
He doesn't throw a baby sham at them.
He throws a Molotov cocktail.
Smashing Security, Episode 134: Sextortion, Silicon Face Masks, and a DDoS Doofus with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 134. My name is Graham Cluley,
and I'm Carole Theriault.
Hello, Carole!
Hello!
Hi, and we are joined today by a returning guest. She's come back by popular demand. It's Jessica Barker from Cygenta. Hello, Jessica!
The amazing Jessica Barker from Cygenta, I think you'll find.
That's— I mean, that's in my contract. You're supposed to say that. Hello, it's wonderful to be back.
Come on, Graham.
It's great to have you back as well. Now, without further ado, plenty to talk about this week, I believe, Carole. What's coming up on this week's show?
Well, first thing is to thank this week's sponsors, LastPass and Edgewise. Their support helps us give you this show for free. On today's show, Mr. Cluley, you share a wacky story about a DDoS attack in Belgium. Jessica Barker heads to the next door country, la belle France, not to scoff a delicious croissant, but to showcase a political spearphish with a twist. And I yak up at all things cyberbullying and sextortion, sharing takeaways for victims, parents, and teachers. All this and buckets more coming up on this episode of Smashing Security.
Now, chaps, chaps, are you good at complaining?
You are. God, daily. That's the sound I hear out of his mouth most often.
Well, sometimes. Ah, geez. Sometimes we all need to complain about something, don't we? If we're frustrated by poor customer service, for instance.
Or friendships, yeah.
If you've got a problem, it can be hard to get a company's attention. How do you get a company's attention when their customer service sucks? What do you do?
Twitter.
Twitter is a great way to do it. That's one of my preferred ways to do it. I've never done that.
I've never done that yet.
I hate doing it. I try to just keep it back for extreme circumstances, but it can be quite effective.
Right.
I find if you can't get hold of the CEO on the phone or send in a snotty email, do you often call the CEO? No. If you try picketing the head office, all those things can fail. But sending a tweet and @ing them and they kind of go, emergency, emergency, there's an angry Twitter user. And it's almost like you sort of get past all the automated phone systems and get to someone.
I feel though that those with many Twitter followers, Graham Cluley, might find it easier to complain on Twitter than perhaps normal people?
No, I'm sure if Stephen Fry or somebody like that was to complain about a company, then maybe they do sort of put him higher up on the list. But I don't think it matters that much. I think normally these days companies have got someone who's monitoring social media, and one of their jobs is if someone's unhappy, you know, sound the alarm, extinguish them as quickly as possible by fixing the problem.
Yeah, I think they know that any tweet can go viral, however many followers you might have. So I agree, Graham. I think the best people responding on behalf of companies as well are the ones that can do it with a sense of humor.
Yes, absolutely.
Tesco Mobile, very good at that.
Are they good, are they?
Oh yeah. Hahaha, you got an account with us? No, I'm kidding, I'm kidding.
They laugh at people for having been customers. They'll never be sponsors.
I'm kidding. I'm jesting, for God's sake.
Now, okay, so there's different ways to complain to companies. What I hope you don't do is follow the example of a 35-year-old Belgian known only as Brecht S. Just an empty S. Now, back in 2014, he was rather upset with a branch of his bank, the Crelan Bank, in a suburb of the city of Roeselare.
In Belgium.
Yes, I make it sound Scottish.
I know, I'm not sure why.
Now, his grumble with the bank account occurred after his parents divorced. He felt that his mother's bank account had somehow sustained a quite substantial loss, €300,000.
People keep that in bank accounts? Just that?
Yes, some people do.
Do you have yours under the mattress?
Well, I don't have €300,000 lying around, actually.
Anyway, somehow, maybe as a consequence of the divorce, I don't know what, but money had been moved out of an account, and he obviously had a bit of a grumble about this, and his mother was upset too. And the bank officials simply wouldn't meet with him to discuss the matter. They sort of washed their hands and said, we will not meet you to discuss it.
Are you kidding me? €300,000? They didn't care?
Well, I think as far as they were concerned, it was quite a legitimate transaction.
Oh, I see.
So it wasn't their fault.
Okay.
But clearly somewhere along the line, he was very, very unhappy.
Brecht held them responsible.
Exactly. Now you might think, as we are the Smashing Security podcast, that he would launch a DDoS attack, a denial of service attack against the bank in response to this.
Okay. Yeah, maybe.
Yeah. If you thought that, you'd be right.
Good one, Graham.
Boom, boom. I did a twist there. You weren't expecting that.
Yeah.
Yeah.
It was a double twist.
He's clever, he's clever.
So he actually launched this denial of service attack, which basically turned the online portal into porridge. And he did that for many hours on multiple occasions, according to ZDNet. We can read more about the story. But of course, a DDoS attack uses other people's computers, right?
Yeah, right.
To bombard a website with traffic. So it won't necessarily mean that the authorities are able to easily identify who the actual mastermind of the attack was.
Yeah, yeah, 'cause you have to kind of untangle the whole obfuscation he might've put in place in order to hide himself.
Yeah, he may have rented computers all around the world without the knowledge of their owners, different countries, all swamping a website with traffic. So that's one thing he did. But the next method which he used to complain about the poor customer service he'd received—
Even better?
Well, somewhat— Certainly easier for the authorities to find out who was responsible because Brecht decided to throw a homemade Molotov cocktail at his local bank branch.
Escalated things a little bit then.
Now, I don't know if either of you— Jess, Carole, have you ever firebombed a building?
Oh, firebombed? I only heard cocktail. A Molotov cocktail. Okay, okay, okay, okay.
Yes. You've had cocktails at the bank, obviously.
So first he tries to DDoS them. That doesn't work. And then he decides to firebomb the bank.
He doesn't throw a baby sham at them.
He throws a Molotov cocktail.
Showing your age a little bit there, Graham. Cocktails have moved on a touch.
Not where I live. But anyway, the thing is, if you've ever tried to firebomb a building, one of the first things you— You want to make that clear, do you?
I'm making it really clear. Nope.
Never, never done it. One of the first things you learn is it's a good idea to be a good distance from your target because otherwise your cardigan or your eyebrows might get singed. So, well, it didn't get burnt. But what happens is when you're throwing a firebomb, right. I can't believe I'm giving advice on the podcast as to how to throw.
Have you ever done this? Just— I just— Okay, so don't— listeners, do not take this as advice.
I've barely even thrown a cricket ball, to be honest. But anyway, you need a good forceful chuck to lug the firebomb a decent distance, because otherwise it's not going to go. What?
You can't say lug. Lugging is pulling. It's pulling from behind. You can't do that.
No.
Like toss?
Oh yeah, okay. So you're going to be tossing at the banking centre. Okay, that could upset them too. But the thing is that you've got to give it some welly, right? Because— but giving it some welly does increase the chance that something might fall out of your trousers. And that is potentially— Well, no, no, no, around the back of—
He lost his wallet.
The back pocket of your jeans. Something might pop out like a USB stick. And it was this USB thumb drive that the Belgian police found lying on the pavement. And obviously contained information.
It was a very small— That's probably the problem with it. If he had had a bigger USB, he would have noticed that it had fallen out of his jacket.
He wasn't going to bring a Seagate hard drive with him, Carole. Put that in his cargo pants.
Just saying.
You know, let's just go back to floppy disks.
Anyway, it contained information which led police to his door. And what the Belgian cops discovered was not just that he'd been behind the DDoS attack, against the bank, but also had been involved in other shady cybercriminal activity.
So it was all in the same USB, right? Right.
All kinds of evidence there. So he turned out to be a member of the elite Belgian chapter of the— I imagine they're the smoothest, most delicious hackers in the Anonymous collective. And he was also a member of the Cyber Crew hacking group that had previously launched an attack against FIFA in the run-up to the 2014 World Cup. Anyway, Brecht launched DDoS attacks not only against the bank, but also against a local pizza parlor.
It doesn't really compare to the firebombing. No. Just saying.
No, I suppose not.
And then—
What if it was an American hot or a pepperoni one or something with lots of peppers?
Then it could be American hot.
Now, okay, so he tried to extort money from a pizza company as well, and all kinds of things like that. Now, Brecht has now been sentenced to 18 months in prison. And ordered to pay €3,000 to the bank for the damage which he caused.
Okay, so it wasn't a very effective firebomb. €3,000. What? He broke the little pillar in the front?
Well, and he also caused problems for the website.
No, I'm just saying €3,000 is not very much money.
Well, I don't know how effective his little cocktail was.
Yeah, okay. Basically, he threw a lit cigarette, it sounds like.
A match.
It's right.
Anyway, he has been hit with an additional prison sentence of 3 years for the arson.
I think we've got some lessons to learn here for everybody, right? First of all, don't firebomb banks. In fact, don't firebomb anybody. It's rather antisocial. Don't do it.
Check.
Don't launch DDoS attacks against banks either, Carole or Jessica. If you plan to do that, don't do it. Even if you're grumpy, just tweet them instead.
Actually, she can, because I tend to look after ethical hacking, so she could do that.
Okay, but if we're permitted.
Probably with the agreement of the bank.
With a contract.
Exactly.
But if you do find yourself in the position of firebombing a bank, don't take with you a USB stick which contains identifying information and details of all your other cybercrime exploits. Or at least, I don't know, wear a tight pair of jeans or something so it doesn't fall out of your—
Tights!
Tights! You could wear tights.
No pockets in tights.
Leggings, yoga pants.
Actually, you know what? Pockets in tights would be quite handy for— well, it would have been when I was 25, I'll tell you.
Aren't they just trousers? Aren't you just describing trousers?
Well, no, you go to clubs, you go dancing, you don't want to be holding your handbag or anything like that, right?
Just wear trousers.
Well, okay.
Why not?
Because we have a choice, Graham.
Oh.
Thanks for your advice.
Lucky you. Anyway, so yeah, so there you are, some helpful fashion advice from Smashing Security, as well as some good other advice.
Very good top tips, I have to say.
Yes, yes, excellent, yes. Now, Jessica, what's your story for us this week?
Well, it begins in late 2015 and lasts for a couple of years, and we are moving to France.
Ooh la la.
When in this story, the French Defence Minister, Jean-Yves Le Drian— that's a tempting metaphor.
Beautiful, beautiful, beautiful.
That sounds a bit like Jean-Yves the drainpipe or something like that. Is that how it translates?
No, no.
I mean, we'd have to ask the French listeners.
Yeah, if you were dyslexic, maybe.
So Monsieur Le Drian was impersonated as part of a scam.
Wrecked, wrecked, wrecked.
In which wealthy individuals were contacted under the guise of a request for financial help for journalists apparently being held hostage in the Middle East.
Oh, hang on. So journalists had allegedly, or maybe they had been, they'd been kidnapped in the Middle East. Someone is trying to raise money to get them released. And so they're going to rich people like Jean-Yves Le Drian, the French Defence Minister.
We must keep our hands clean. But you, monsieur.
Exactly. Do your bit for the country and for these poor individuals. Vive la France.
Carole, can I say, for someone who's French-Canadian, your French accent is not as good as mine.
Yes, you're absolutely right.
I think I'm much more convincing.
You are, you are. Yes, you're so good at accents. Carry on, Jessica. I'm riveted.
So this obviously sounds like classic spear phishing, doesn't it?
Totally, totally.
Well, actually, this story has a dash of Mission: Impossible to it, and then we start to get the full picture.
Okay.
So, I'm going to talk through it. The scam started with a call pretending to be from one of Monsieur Le Drian's close circle to the wealthy individual being targeted. And this individual was contacted, and the advisor, apparent advisor for Monsieur Le Drian said, "We want to set up a video call with the French minister who needs to speak to you." Holy moly.
Yeah. Okay.
So, then the criminals used Skype video calls and a custom-made silicone mask, which looked a bit like Monsieur Le Drian.
No way.
They had a set which looked like his office, complete with French flag.
Yeah. Don't knock on the desk too hard. It's just made of MDF.
Oh, this is just awesome.
And then basically they lit this set quite badly. They had someone there with the silicone mask.
Like a B-rated film, he comes out of the shadows.
A poor, dodgy connection, dodgy Wi-Fi connection, so the video calls didn't last that long, but with the target and said basically, we need your help to pay the ransom to free these people.
Right.
And we promise to give you a tax break if you try. Yes, and we will forever be ingratiated and grateful and indebted to you, Mr. Millionaire.
Yeah, and you'll have done your thing for France.
You'd be feeling quite patriotic, wouldn't you?
Helping with a mask. I love it.
Yeah, there with the mask, the mock set. So a lot of people didn't pay up, but as with all of these scams, when you're targeting wealthy people, it only takes a few to become victim, and suddenly the criminals have made quite a bit of money. And they actually made an estimated €80 million.
Okay, that's more than my annual salary by a factor of a little bit.
It's more than I've got under the mattress, let's put it like that.
€70 million.
Yeah, so like £70 million.
So that would pay for the set and the Skype account.
Oh, do you think?
If the whole thing was made of solid platinum?
My goodness.
So this all started in 2015 though?
2015, and it ran for a couple of years. And then they thought they'd caught the guy behind it. It was thought to be the work of a convicted French-Israeli con artist called Gilbert Chikli. And he is currently in jail in Paris facing charges of organised fraud and usurping an identity. But earlier this year, with Chikli safely behind bars, the con started again.
Oh!
So it's now thought that there is a whole gang out there.
Well, at least two.
Yeah, yes! Someone to run the camera and someone in the house. Oh no, so sorry. They weren't going to him.
Are they stealing personal items?
The same minister?
Replicating the same minister.
Because they don't want to get a new mask made, right? Exactly.
3D printers are expensive.
They're thrifty.
And they've only made 80 million.
They were posing as him and going to friends of France, wealthy individuals who had an affinity for the French state and asking them if they would pay the ransom money. It's quite a clever backstory saying we can't pay the ransom because it's not French policy. Aha, exactly. So they need to recoup a bit more. They've got a few bills to pay, obviously.
It kind of seems that the takeaways of this are, hey, there's a lot of money to be made here, guys. Go make more sets.
We are the government, of course. It goes to show, you know, the attackers are always evolving, unfortunately. And just when we think, you know, we've all been familiar with CEO fraud for a while, impersonation of people, over email, and those being quite convincing and using some of the same tactics that the criminals used in this, you know, trying to prey on people's good nature, trying to make them feel they're donating to a worthy cause, a time pressure. So, the importance of being aware of how those tactics are used, but also the fact that just when we get used to one method, the attackers are always going to be trying others. And just because you see something, just because, you know, they seem to be there on video doesn't mean it's true.
The thing is though, with the soon-to-be probably ubiquitous deepfakes, this type of targeted attack where you have a video, you know, for someone that is pretty celebby and is often on camera, that must be quite easy to kind of maybe grab their face.
And fire a dodgy Skype connection.
Yes. With bad lighting and homemade furniture.
And they've already been warmed up with the call, so.
Yeah, yeah, yeah.
Hey, can I raise a possible conspiracy theory here?
Oh, always.
What kind of salary does the French Defence Minister Jean-Yves Le Drian actually make?
Can I do a guess before anyone Googles? I'll do a guess. I'll bet on paper it'd probably be €150,000.
I don't know, but yeah, the thing is it's a lot less than €80 million, isn't it? So I wonder whether—
You think he was in on it the whole time? I'm just saying, he went down to the homemade office, turned the lights down.
It's just a possibility.
There's no mask at all.
I think it's something which the police should just not immediately rule out, that maybe he saw criminals pretending to be him and how much money they could make. Maybe he might have been tempted.
Well, let's just see if he has a château.
Oui.
The French version of moat around it.
Maybe underneath that fake mask. You know, who was really there?
Who's wearing the mask? Oh, definitely deliciously good. Get the popcorn.
It's been a crazy show so far, hasn't it?
Yes.
Bonkers. Carole, what have you got for us this week?
I am going to the land of cyberbullying and stalking. I know it's not a place we want to hang out. It's not a fun place, but I think it's an important subject. And the reason I chose this topic is based on a long-form Wired article penned by Stephanie Clifford. I pulled together some interesting takeaways from that article. So my story starts in 2012 in a small wooden town in New Hampshire. Live free or die. That's what they have on their license plates there. I think it's a town called Belmont. Now Belmont has less than 8,000 people. The biggest employer in town is the local supermarket. And they have this teeny tiny police force with a lone detective.
Is he a teeny tiny lone detective as well?
It's a female actually.
I didn't say anything about sex. I'm just talking about their height.
You said he.
You said—
Oh, now crime in Belmont normally tended towards things like opioids, thefts, burglaries, things you'd see in small towns. But suddenly our detective, Rachel Moulton, became aware that a cyberstalker was hounding teens for nude pics. And then when he didn't get his way, he would take over the victim's Facebook accounts. So here's how it went down. This girl, 16-year-old girl, she's new to the town, new to the school, and she hasn't yet established a gaggle of buddies or joined any teams yet, right? So when she gets a Facebook request from a guy called Seth Williams, she clicks accept, right? And typical stalking ensues over the next few weeks, right? He flatters her, asks her lots of questions, acts like he wants to get to know her, likes what he hears, etc., etc. And when their online relationship seems pretty stable, he asks for some photos of her body. And she hesitates for a while, but he persists. Come on, come on, come on, come on. So she finally sends him a photo that she thought of as fun. And this is of her behind in jeans with plastered handprints from, you know, I guess she was painting her room and she put her hands in the paint and put them on her butt.
Okay. Yeah.
And then sends him that thing, right? She's never met this guy.
It's just a picture of her jeans at the moment, right? With some—
Well, yeah, a fun picture of her rear in jeans. Yeah, with some handprints, right? So, but surprise, surprise, this does not appease him. Seth wants more, right? And after days or weeks or hours of cajoling, she ends up sending a picture in her pants— or sorry, undies for our North American audience— and eventually sends one of her bare butt, right? This is of course where he doesn't relent again, demands a full nude, and she says, no, that's where I draw the line. And this is where nasty things ensue. So he replies, no picture, no Facebook. Now he'd hacked her Facebook and her email and changed the passwords, and she begged him to return the accounts. He refused. He harassed her by text. She'd block his number, he'd use a new number, she'd block that one, and so on. This went on for months and months.
Oh my goodness.
Yeah, you know, he'd be like, take your clothes off, get fucking naked on camera. I'm gonna have fun fucking with you this summer. So he's sending her all these horrible texts, right? And while this teen didn't end up sending any identifiably naked picture, using her Facebook account, he messaged all her friends at her new school where she wasn't yet really established. And of course, friends became jumpy, and their parents did too, right? Prohibiting her friends from hanging out with her. And she says, at this time, I never felt so alone in my life, which I can totally understand based on the story. Yeah, but you can also see other parents going, oh God, you know, she must be up to something. You know, when there's smoke, there's fire. You can imagine that kind of attitude happening, just wanting to keep your kids safe. And you just feel sorry for this one. Back to our detective, 41-year-old Rachel Moulton. She starts getting reports from numerous local girls naming online bully Seth Williams. And so she ends up figuring out that all the victims at one point or another attended the local high school. And it seems all of them felt basically socially unstable. And weirdly, our bully Seth sends nude pics of other victims to victims he is trying to get nude pics from. So our girl here was being sent pictures from other girls he was harassing and basically sextorting pictures out of.
Wow.
And because it's such a small town, our girl recognized some of the girls. And our detective did too. And she was able to identify and cold call these other kids because they hadn't said a word to anyone about this. Not their parents, not a teacher, not a trusted adult.
It feels to me like that's a bit of a mistake by the extortionist doing that, because of course it gives them the ability to sort of band together and think, I'm not the only one who's suffering at the hands of this toe rag.
You wonder, was he showing off? What was he — why was he doing that?
Yeah, he must have been because he had these girls cowering, right? And the thing was, according to the detective, family life is not always easy for those whose parents actually knew about it, you know. Detective Moulton said girls would come into the station with parents and she sometimes would have to send the parents out of the room because she says, quote, some of the parents were blaming the girls and were really hard on them.
That's terrible.
Yep.
So this all started in 2012, remember? Our detective rolls up her sleeves, right, and starts digging hard and getting to the bottom of this. Moulton learned that Seth had been able to text from 4 or 5 different numbers using a service like TextFree, a VoIP service that allows users to text without subscribing to a cell plan. Now Detective Moulton sent out subpoenas. And the developer of TextFree sent back information that included the Apple identifier for Seth's phone. And with that, she could subpoena Apple for the phone's registration and billing information. So a little aside here, I'm actually kind of impressed that a detective, a single detective on her own in a town of 7,000+ is able to do this.
Yeah, she sounds amazing as well, right?
It's pretty commendable, I think.
Sounds awesome. Yeah.
So the results that Moulton got back from Apple were a little confusing, but she landed on a name: Ryan Valle. I don't know if I'm saying this right. V-A-L-L-E. And he was a 19-year-old graduate from the very same high school.
Nasty.
The girls who had been victimized by this guy were really suffering, right? One began sleeping in the same bed as her mom, and we're talking teens here. Several feared that this guy Seth would attack them.
Yeah.
One cried herself to sleep. Another routinely called her mom at work sobbing, terrified about being alone at home. And they battled depression, anxiety, nausea, etc. Now our detective knows who she thinks it is.
Yeah.
But she knows there's a mountain of paperwork and bureaucratic processes and limitations to local laws, right?
She presumably isn't in a position to tell these victims, I think it's this guy. She can't do that, can she?
Is she?
Well, I would—
So she decides to get the feds involved, right? Because of course, nationwide, they have a better legal framework for dealing with cyberstalking and these types of crime, much more than the small town she has or even her state. But she's also aware that when she gets them involved, they're going to need a really strong case, and that could take years. Detective Moulton decides to tell a few of the troubled girls that Valle, the former classmate, was a suspect.
Oh, really?
In the hope that it might ease their fears. Quote, they had a sense of this being a huge brute of a person, Moulton said. And when they found out who it was, some of them were like, really? Yeah, no, apparently he was one of these kinds of people that kind of disappeared in the classroom. They would say, this is the person in your class, and they'd be like, who? Which guy? Yeah. They didn't remember him, right? So fast forward the story here a little bit. Anyway, investigators eventually identified 23 stalked victims and suspect there are way more. This is now 2017, 5 years after the first attack was reported. And they were able at that point to sentence him to 8 years in prison, which was the high end of the federal sentencing guidelines at the time.
Good.
Wow.
Yeah, I mean, that detective did amazing work.
And this is another weird thing, right? So this happens. The guy goes to the slammer for 8 years for basically terrorizing 23 girls, right? Young girls. So you'd kind of expect there'd be some kind of whoops and cheers in the town of Belmont, but the kids didn't want to talk about it. The parents don't want to talk about it. And when Wired contacted teachers, some of them were like, yeah, I don't really know anything about this. It's like the shame and the embarrassment associated— people just want to bury it. But the problem with that is that new generations aren't learning how to get around that. Not that they have to go into details of this exact incident, but it should be on the curriculum now that, hey, these things happen. And, you know, you'll read—
And there's a way of fighting back, and someone can be caught and they can be put away for doing this sort of thing. Yeah. And you should talk about this.
I have to go on my soapbox just for one sec on this one, right? We have been reading a lot of a sharp increase in the last few years in teen depression, anxiety, suicide. And this is especially amongst girls, right? Apparently, it's up nearly 100% since the early years of 2000, this century. And this is all based on a book I read last year. I think it was my pick of the week, The Coddling of the American Mind.
Right?
So social media and device dependency are considered main attributors. This is how cyberstalkers are able to worm their way into your life. But how do you limit a teenage girl from her social media or her phone? Must be about as fun as commuting into London during rush hour, which I did yesterday. 5 and a half hours it took on return trip. Thank you very much. Anyway, so takeaways, takeaways. So these are things I took away from this. Now to see what you guys think, right? When the bully is giving his victim all this attention at the beginning, right, asking all the questions, things like what's your favorite color or ice cream, or depending on how old you are, right, he's actually curating and collecting information for the account takeover. And that's a real psychological annoyance for a young girl who may be feeling out of sorts and needs a friend, right? Because suddenly what you want is someone to listen to you and ask you questions, and really you're answering your security questions that will allow them to take over your Facebook or whatever, Instagram, or whatever account you have.
I think it's natural to feel uncomfortable.
And also, the stalkers seem to ease them into feeling comfortable, or making the victims think it's okay in stages. So for example, Graham, if you send pics of your moobs one day to someone and nothing bad happens, you might be more comfortable the next day. You know, to send a picture of your hairy butt or something.
I feel slightly uncomfortable right now because Carole was talking about my hairy butt.
Do you want to make it more conversational?
Hello, what? Can we leave my body out of this?
Well, I'm just saying, you know, it's not a case of in for a penny, in for a pound, but lots of people kind of go, oh, I already did that, it's not so bad. So you kind of use that kind of mental breakdown of your wall.
It's like classic grooming, isn't it? Yeah, just a bit at a time, slowly eroding exactly what someone's comfortable or not comfortable with.
And my other big one was, don't assume parents handle this very well, especially if their daughters have been duped into compromising themselves by sending pictures to an idiot that's going to then drag their name through the dirt online. And thinking about this when I was reading this article, I am not sure my own dad would have handled this very well at all.
No, but let's be honest, if you're a teenager, you don't often want to talk to your parents about anything. Right? I don't think it's necessarily that they would handle this specifically badly, and I think many parents actually would have the best intentions. It's simply that you can't communicate anymore, or it's simply too embarrassing to talk with your parents who are just, oh, they're so uncool, about these things because they're too personal. It's almost like you need a school counselor or someone like that who you can turn to and talk with about these things, because sometimes I think it's just simply too close to discuss it with your parents.
Yeah. Totally.
It's not even there?
And I think that's a really important thing, you know. My personal advice in all this is, if you ever get to any crossroad on any decision, right, all you got to ask yourself is, is this good for me? That's the question. If the honest answer is no, then, you know, don't follow the Nike motto of just do it. Just trust yourself and absolutely do not do it. Walk away. That's my big takeaway. But I think we need to talk about this stuff so much more because even adults feel ashamed when they're caught up in sextortion. Or they sometimes feel ashamed when they're caught up in this kind of extortion scam.
Oh, I haven't watched that.
It's not there.
100%. And if we can't get our act together to talk about these things openly, honestly, and transparently, how do we expect a freaking 16-year-old girl to come forward and say, yeah, let me explain everything that happened to me, all the mistakes I made, and let's tell everybody about them. I don't know that. And yeah, here's my name. It's just too much.
We all feel uncomfortable.
I have some links on all things cyberbullying, some great links. There's actually games for kids and all kinds of resources. Check them out at the Smashing Security webpage. Sorry, I know it wasn't a hilarious one this week, but, you know, important. It's too much.
Very important.
Yeah. I think it's fine.
Have you finished? Is it safe for me to come out now?
You used an adverb and an adjective there. I think it's perfect.
No, keep your trousers on.
Dun dun dun.
So, Carole, imagine a hacker has gained access to one of the computers inside your organization.
And of course, they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is gonna be all that juicy data your company collects.
Gotcha. Yep.
Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software access and that data and unapproved applications.
Yeah. Okay.
Yeah, yeah, yeah. Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero-trust segmentation platform.
OK.
It has a simple-to-use interface which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center.
Clever.
Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes micro-segmentation simpler and more secure.
And then it—
OK, I want to learn more.
Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click micro-segmentation.
Awesome. Boom.
Brought you way wider, right?
Hey Graham, yes, there are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at Smashing Security— no, at— check it out at lastpass.com/smashing. Let me try that again, folks.
I don't know.
Check it out at lastpass.com forward slash smashing. Perfect. I think that sounded great.
I know you've been told to know his name.
Yeah.
Yeah.
And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Oh, okay. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Right. And my pick of the week this week is not security-related. It is actually a book. I always say it could— sorry, I always say it could be a funny story, a book that they've read, a TV show, movie, a record, etc., etc.
You don't read.
But I have actually bought a book.
Oh, okay, you've bought one.
Now let me tell you about this book.
You have to go to a website called mynoise.net.
Oh yes, exactly, I've bought it for the shelf.
Now, a book, Carole, this is something which comes back.
It's lots of pages. Can you hear those? There you are. Yes.
Oh, it's like a good 20 in there. So it's hardback, this. This book is called Dreyer's English, or maybe Dreyer's English, I'm not sure. An Utterly Correct Guide to Clarity and Style. And it is written by the copy chief at Random House called Benjamin Dreyer.
Oh, very good—
The American edition contains lots and lots of mistakes, like no U's. But the English version is absolutely fine. I heard about this book in a fun interview which I heard Benjamin Dreyer give with a hero of ours, I think a podcast hero, Preet Bharara, on the Stay Tuned with Preet podcast. Good fun podcast. Go and listen to that. And the interview was my pick of the week.
Oh, was it? Oh, there you go. Excellent.
And it's— although it is obviously discussing how to write better, and I have to be very careful what I say now, don't I? Is it write better?
Well, I have a question. Can I— can you check?
I think it's an amazing site. So you can get it off Apple Music or Spotify or Deezer, Google Music, Amazon Music, all of them.
Okay, of course, of course.
I've got the book right here.
You used to get really pissy with me. We used to have a big fight.
And, or you can just check it out probably with your home assistants as well by barking an order at it. mynoise.net.
Yeah.
Yes, with the word whilst.
That's my pick of the week.
Yes, what's wrong with whilst?
Right, you'd always put it into all your articles, and I was just like, what are you, Middle Ages? Come on, right? And you'd get all like, no, no, no, it's proper English. So can you just check it up in your Bible?
Okay, I'm gonna look up whilst, and it'd be right at the back of the index here, and it's not in here. So that book's rubbish. So forget that book.
Are you serious? It's such an old-timey word that it doesn't even make it.
No, it's a fine— there's nothing wrong with the word whilst at all.
Okay, Jessica, I think we've made our point. Excellent Pick of the Week. I'm right, you're wrong.
Jessica, what's your Pick of the Week?
Well, my Pick of the Week is a documentary miniseries that I watched on Netflix.
Oh, very good.
I've actually watched it twice, which I don't often do, watch films or TV programs more than once. I highly recommend it, hence it being my pick of the week. It covers the careers of Jimmy Iovine and Dr. Dre. I usually get bored the second time, but this documentary miniseries is full of so much stuff that, yeah, I feel I could watch it 100 times.
Okay.
And it is called The Defiant Ones. And in doing so, it explores musical history over the last 4 or so decades, and it has interviews of people like Bruce Springsteen, Snoop Dogg, Eminem, Stevie Nicks, Patti Smith. Crazy! Everyone who's anyone from rock or hip-hop is interviewed, and, you know, footage of them in the studio, concerts.
I'm gonna have a look. You carry on talking, I'm looking.
I feel I used those words right.
Can I just apologize now?
Oh, thank you. Well, it is supremely directed by Allen Hughes, who apparently, I read when I was, you know, looking this up earlier, is working on a TV series documentary about Tupac that's coming next.
Are you a bit of a Tupac fan? I'm a little bit of a hip-hop fan.
So that is what drew me to The Defiant Ones. And I didn't know much about Jimmy Iovine, I have to be honest, but I found him a really inspiring figure. And so I was drawn in by the hip-hop angle.
Yeah, and I would recommend it to, you know, if you're interested in hip-hop, then it's a given you're gonna this. If you're interested in rock, then it really covers that and the intersection between rock and hip-hop.
So put down that Tony Robbins book and check this out instead.
Definitely. Yes. Don't read any Tony Robbins. Exactly. I don't really know anything about hip-hop, but I'd be quite interested in still watching.
Hip-hop?
What's wrong with that?
Is that how you say it?
Hey, I'm actually quite hip, Carole, just so you know. Do they interview Wiki Wiki Wa Wa Wiki Wa Wa Will Smith in this?
No, not Will Smith. Will.i.am does feature.
I don't think it's in the film. Will.i.am, the stupidest name ever. Is it small i, big a, m or something?
And stupidest spectacle wearer as well. Yeah, he said, I can't really put up with that sort of nonsense.
Well, don't let that put you off. John Lennon does also feature.
Now you're talking.
Cool.
Give it a whirl.
Good of him to make an appearance.
Yeah. How did they interview him?
You know, they must have just— They dug him up.
Okay. Oh, please. Right. Right. Okay. So, and it's called The Defiant Ones, and that's on Netflix.
The Defiant Ones. Yeah. Check it out.
Awesome. Carole, what's your pick of the week?
Okay. You guys have to do something.
mynoise.net.
Now, mynoise.net is my pick of the week. It is a collection of noise-scapes. How's that for a modern word?
Okay.
So this is basically that people, more and more of us, are working from home, but it seems as though there's research that suggests that when we have a noisy environment, like a cafe background or office sounds or just something white noisy, it helps us be more productive and we can work longer with more focus. So this is a site created by an audio processing guru named Stéphane Pigeon.
Stephen the Pigeon.
Exactly, Stephen the Pigeon. Exactly.
And you— I'm sure that's how you pronounce it.
There is an app as well. There is an app as well. But I've used things like Distant Thunder. That's my favorite. My least favorite is Georgian chants.
Gregorian.
By a long, long— sorry, yes, Gregorian chants. That is definitely not my best.
I've just found one. I've started listening to one. It's called Examination Time. It says it can be hard to focus in an exam hall full of students when you're used to studying in silence, so prepare now. So you could have the sound of an examination hall.
Yeah, but there's loads of research that suggests that mimicking the same environment makes you perform much better because you don't have to then take all the stress of the new environment in.
Well, here's an interesting one if we're thinking of mimicking an environment.
Cool.
Oblivion. Embrace that darkness.
Cool.
Okay. Well, excellent. Well, we chose a book, we chose a documentary, and we chose, well, I don't know what you are, a noise, I suppose, Carole, is what you came up with.
Noisescape.
Noisescapes.
And mine's the coolest.
I wasn't going to say that. And that just about wraps it up for this week. Jessica, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that and find out more about what you're up to?
Well, check out our website, cygenta.co.uk, and you can go and have a look at our blogs from there. And then also follow me on Twitter @DrJessicaBarker.
Super duper. And you can also follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G. And we've got a Reddit community as well. Just look for Smashing Security up on Reddit.
And thanks once again to this week's Smashing Security sponsors, LastPass and Edgewise. Their support helps us give you this show for free, so be sure to check out their offers. And fist bumps to all you listeners out there. If you don't know it, you rock. Check out smashingsecurity.com for past episodes, sponsorship details, and info on how to get in touch with us.
Until next time, cheerio, bye-bye.
Bye!
Hi. I like that, sounds a bit sexy.
Ask me where I was yesterday. Where were you?
I was at the NCSC, the National Cybersecurity Center in London.
Ah, oh, in London.
Oh, the London, not the Cheltenham donut.
Yeah, pretty cool, huh?
How was—
What were you doing there?
I can't really say.
Who were you there to meet?
Graham.
I can't say. But I can tell you one thing. They are looking for speakers for their upcoming CyberThreat 2019 event.
Cool.
Yeah. Boom. Graham, I don't know if it's your bag. Yeah. Bit too advanced. Bit too technical for you, I think.
Bit too technical?
You're all right with the groom in your bottom, but it was just a mental image which came up, which wasn't very pleasant.
You can now, but it's the end of the show now.
I'm sorry, your butt's not her suit.
You're okay.
What do you want me to say? Done.
Hosts: Graham Cluley, Carole Theriault
Guest: Jessica Barker – @drjessicabarker
Show notes:
- Anonymous hacker exposed after dropping USB drive while throwing Molotov cocktail — ZDNet.
- 18 maanden cel voor hacker die website Crelan en pizzeria plat legde — HLN.
- The fake French minister in a silicone mask who stole millions — BBC News.
- He Cyberstalked Teen Girls for Years—Then They Fought Back — Wired.
- Childline — A counselling service for children and young people in the UK.
- Cyberbullying information — FTC.
- Information and resources to curb the growing problem of cyberbullying — National Crime Prevention Council.
- The Coddling of the American Mind.
- Depression, anxiety, suicide increase in teens and young adults, study finds — CBS News.
- Dreyer's English by Benjamin Dreyer — Penguin Random House.
- Stay Tuned: The Laws of Language (with Ben Dreyer).
- The Defiant Ones (trailer) — YouTube.
- The Defiant Ones — HBO.
- myNoise.net
- NCSC CyberThreat 2019 (London, GB).
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Edgewise is the industry’s first zero-trust segmentation platform. Its simple-to-use interface lets you stop data breaches by allowing only verified software to communicate within your cloud or data centre. Edgewise’s data-centric approach makes micro-segmentation simpler and more secure.
Learn more and get a free trial at edgewise.net.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.

