Smashing Security podcast #163: Russian heists and Ring wrongs

Graham Cluley


Should possessing malware be illegal in itself? How did a Russian cryptocurrency exchange millionaire lose his fortune? And what on earth are Amazon Ring doorbell cams up to now?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.

And don’t miss our special featured interview with Adrian Sanabria, all about Thinkst Canary.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

And the FSB, for people who don't know, that's like the modern name for the KGB, isn't it? The modern name. Yes, the rebranded version. Yes, it's like New Labour and Labour. Yes, circa 1985.

Carole Theriault

New Labour. I know, just...

Graham

Hello, hello, and welcome to Smashing Security, episode 163. My name's Graham Cluley.

Carole

And I'm Carole Theriault, still.

Graham

You're still Carole Theriault. Wonderful. Still haven't got the upgrade. Never mind. And we are joined this week by returning guest Lisa Forte. Hello, Lisa. Welcome to the show. Well, she's been on before. Thank you so much.

Carole

I know, but do you never welcome a guest when they come into your house for a second time?

Graham

Lisa, you have just returned to Old Blighty, haven't you, from America. Did you leave pre-election or post-election? Right, so you've come back to this dystopian nightmare that we're now living in, in the final days before the Brexit bell tolls. It's coming this Friday, isn't it?

Carole

I am actually flying into the UK on the morning of February 1st at something like 7am. So as long as I don't get the coronavirus, I'll be one of the first people to come into the country under its new guise.

Graham

Lovely. Good to have you back. What's coming up on the show this week, Carole?

Carole

First, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now, Graham looks into how Maryland might make malware possession a crime. Lisa tells us a crazy Russian heist story. And I give Amazon a bit of a spanking. Plus, we have a bonus featured interview for you today. Thanks to our friends at Thinkst. Stay tuned to hear all about their Canary tool, which Graham and I both think sounds pretty darn cool. All this and so much more coming up on this episode of Smashing Security.

Graham

Now, chums, malware. Do you have any in your pocket? Have you secreted any about your person? What do you mean, like an infected USB? Well, maybe. I don't know. Have you got some hidden away on your hard drive? Well, watch out, take heed because the state of Maryland in the good old U.S. of A. is proposing a new law that could ban the possession of malware, actually make it a crime to be carrying malware. I am so glad that

Carole

Lisa's on the show. Lisa, is it not a crime already to be in possession of malware?

Lisa Forte

Well, I can tell you, no, it's not. I think it's pretty sure it's the use of it at the moment. But what's kind of interesting to me is that actually, when you look at what the bill is that they've put forward, it says possession and intent to use. And what I don't understand is why can't it just be strict liability, you know, in the same way that in the UK, possession of a firearm or possession of class A drugs, you know, the fact that you've got it on you is the crime. I don't understand why that wouldn't be the situation.

Graham

Well, you see, I think you should be able to possess malware. And I speak as someone who used to be employed by an antivirus company, which had millions of pieces of malware on its network for completely legitimate reasons for analysis and research. And it would have been a complete nuisance if we hadn't been able to store the stuff and indeed share it with other researchers. And so distributing malware, I don't think should be a crime either.

Carole

I think it would be fair for the general public to assume that companies get special rights to view and manage and work with malware. Like, you'd like to think that was what was going on and that people that shouldn't actually have access to that stuff, it's illegal. And the reason it's a problem is because computers are not vaults, right? So if you've got malware sitting somewhere that is maybe not fully secure and that gets out, that can cause all kinds of havoc.

Graham

Well, yeah, that would be a problem, of course. But who says that you shouldn't be allowed to have a virus-infected computer if you want to have a virus on your computer or a piece of ransomware?

Carole

I would like to think that legislation would. I'm a little surprised it doesn't, actually.

Graham

Carole, it's terribly right-wing of you. Yeah, make it a partisan issue. I just think that, you know, people should be allowed to do what they like with their computer. If they've got malware on it, if it's not doing any harm to anybody else, where's the problem?

Carole

I have no problem if the computer is completely offline and not connected to the good old internet. But if it is,

Graham

A bit of argy-bargy this week. All right, just imagine this, right? Imagine you are a 19-year-old student and you're really interested in computer security and you would love to have a job working for an antivirus company, but none of them will give you a job because you haven't been able to demonstrate your expertise. And so you think, right, I will become an independent security researcher. There's a piece of ransomware which is spreading right now. Let's imagine, for instance, the WannaCry worm, right, which hit the NHS, and I will analyse it on my computer and I will try and work out some kind of antidote or some way of stopping it. Should that person be guilty of a crime simply because they possess the ransomware? I would argue, no, they shouldn't. But maybe they should

Carole

Go through proper channels in order to be able to say, I am, in the same way that in the cops you have to go into the evidence room and if you have to sign in and sign out to say, yes, I've got possession of this now and I'm looking at it. It'd be nice to have a log of that, don't you think?

Graham

Or you're suggesting maybe people should have some kind of license. So maybe companies or individuals who are in the business of analysing malware should have some sort of checks done to make sure they're not, you know, don't have a neck beard. But you know what? The

Lisa

Exemptions though, you know, if you think of cocaine and someone, I don't know, the police confiscating it and sending it then to a lab to test that it was in fact cocaine, that lab is in possession of cocaine at that moment in time. But they're exempt from being charged with the strict liability offence of possession of a class A drug. So I think we're talking about sort of outlying people, but I think the general public who are not interested in analyzing malware, certainly not in my household. Why should they have that on their computers anyway?

Carole

I think we're missing a much bigger point here, though. Isn't the big point going to be that, oh, I got hit by ransomware. Therefore, there's ransomware on my network computer. Therefore, I'm breaking the law.

Graham

Yeah. But Dave wasn't going badly enough already. Quite. Okay. So in respect to this law in Maryland, I have to backtrack a little bit because the specific Senate bill which has been proposed labels the possession and intent to use ransomware in a malicious manner as a misdemeanor, punishable by up to 10 years in prison and a $10,000 fine. So you have to prove that they've also got intent to use it maliciously, which hopefully antivirus companies and security researchers don't have. So it's an interesting debate, this, you know, should all malware be banned? I personally don't think it should be.

Carole

Yeah, and intent is an interesting word, isn't it? I don't know about its legal parameters. Like, is it, you know, me going on Facebook and going, God, I wish I could put some ransomware on this guy's computer. It certainly

Graham

Makes it a more difficult thing, I would imagine, to prove as opposed to possession. The problem really is that the main people possessing malware are, of course, the poor sods who've had their computers infected by it. And we wouldn't want to criminalise them because they're already having a tough enough time. So if you look at this Senate bill that's being proposed in Maryland, it says a person may not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into a computer or network or system of another person without the authorisation of the other person. And I agree. I think existing computer crime laws pretty much cover that. And they say, you know, you can go on to other people's computers, you can break into their networks if you've got their permission. If you don't have their permission, if you don't have their authorisation, then that's something which is obviously illegal. And similarly, I don't see why this law is necessary because it's already committing computer crimes through the malware actually breaking into the computer without the permission.

Carole

Yeah, exactly. Yeah, it seems an added layer, something that may be already addressed in the distribution, you know, with intent. Which makes me wonder,

Graham

Why did Maryland do this? Good question.

Carole

Tell me you've got a cool answer.

Graham

Oh, well, I see. I was thinking about this and I was thinking, could Maryland... Oh, God.

Carole

Oh, no. Oh, no. I was

Graham

Thinking, you know, it might be a natural progression from the Maryland cookie debacle. So maybe with Webster. No, no, no. It's nothing to do with cookie legislation. I don't even know what that means. It's Maryland cookies, Carole. Do you not eat Maryland cookies?

Carole

You know what? I don't think people in Maryland know about Maryland cookies.

Lisa

Yeah, I don't know either.

Graham

They're a big hit here in Oxford in my household. They're very yummy cookies. Or brownies or whatever.

Lisa

Graham's household will find this joke really funny, but everyone else not so much.

Graham

Maybe we should be linking as a pick of the week to the Maryland cookies. I don't know. Anyway, look, the real reason is this. The real reason. I'm sure someone out there eats Maryland cookies. Someone sniggered somewhere. Yeah. The real reason is that some cities in Maryland have, of course, had their run-ins with ransomware. Who can forget Baltimore in Maryland, which in the space of one year, the city of Baltimore was hit twice by ransomware. Once they had their 911 emergency dispatch system. That was knocked offline. And the other time they were hit by the RobbinHood malware, when a bunch of merry men rode in on their horses wearing green tight pants and installed malware onto the computer systems. Anyway, Baltimore refused to pay up, as we discussed way back in Smashing Security episode 151. And the mayor said, well, we're not going to give in to the extortionists. You know, we're just going to recover from our backups. Although it turned out that their backups were shit, because, you know what's interesting, yeah, they were only backing up to the same hard drive. So they just copied files to another folder on the same computer, so the backups went, you know...

Carole

This is why municipalities should offer a fairly good salary package for their IT security folks. Now did I not read this week that New York is going to propose that paying ransomware is — you know, paying for ransomware, what's it called? Paying ransomware? Yeah, paying ransom demands. Paying ransomware ransom is going to be illegal.

Graham

Well, I don't know if it's illegal or not. No, no, they're looking—

Carole

At putting a law to put it forward in New York. It's not illegal now, but they're thinking of doing that, which is interesting because they're basically saying you're helping fuel more ransomware attacks by paying them off even though you get on your feet faster.

Graham

It definitely does encourage more attacks, the knowledge that many people will pay up without doubt.

Lisa

Especially with insurers as well. You know, if insurers say you must pay and someone's got cyber insurance, pretty good bet that they're going to pay.

Carole

Yeah, it's a lot less hassle than all the paperwork you have to go through.

Graham

Well, and a lot less money. I mean, Baltimore's case, I think the bad guys were asking for about $70,000 and Baltimore ended up paying about $6 million.

Carole

Yes, well, we examined where that cash went and it didn't look very...

Graham

No. Yes. So there have been initiatives by different cities. There's a council of mayors or something where they're all sort of saying, we pledge not to pay ransoms in future. So I think people are beginning to move that way a little bit. Again, I'm not sure if it should really be legislation because sometimes a ransomware attack, you may have no option but to pay. It's your business goes bust if you can't recover the data.

Lisa

Also, I think the problem with black letter law, so I actually have a background in law, and the problem with black letter law is that it's so slow to develop. I mean, if you think about in the UK and the US, it has to pass through a bicameral system, two houses have to approve any piece of legislation. That's why in the UK, we're stuck with the Computer Misuse Act of 1990.

Graham

I don't know if this bill is going to pass or not. Obviously, I'm encouraged by the fact that they're saying you have to have intent and you have to infect or attempt to infect without authorization.

Lisa

How are they going to enforce it, though? Because it's all well and good having any law you want. But if you can't actually detect these people, make arrests, is there any point?

Graham

Exactly. I doubt many cyber criminals are going to be pooping their pants over this, right? I mean, has making anything illegal ever stopped it from happening. The bad guys are making so much money anyway. I would have thought existing computer crime laws were enough to bring these guys to book if they've been identified. And if they haven't been identified, this isn't going to help do it, is it?

Carole

Yeah, I'm just looking right now at Maryland's current computer misuse laws. And so misdemeanor computer crime is a person who illegally accesses computer is guilty of a misdemeanor. So it's basically authorization is very much part of it. It seems like it's already being handled. I think so. I'll put this link in your show notes so that people can go see what is currently being available in Maryland. And you can see whether you think this is something that they need.

Lisa

Can I just say, I have one more issue with this thing, right? And it kind of comes around what lawyers love the most, which is defining things within an inch of their life.

Graham

Making money, I'd have said. But anyway, yes, OK.

Lisa

If you look at, I was reading about this story. And if you look at the situation in the UK with legal highs, how they've done it is that they've defined the legal high by the formula. So then someone changes the formula ever so slightly and that substance is no longer an illegal substance anymore.

Graham

Oh, so if you want to make an illegal high, you've just got to look up the legislation and it gives you the recipe. Is that what you're saying?

Lisa

And just change it a little bit. And then it's not illegal because they've done it by the formula of the drug. So if you're starting to define ransomware, how does that work?

Graham

That's a really interesting point, Lisa. And malicious software is a difficult thing to define as well, isn't it?

Carole

Yeah, and there's potentially unwanted apps, right? So then it's where does it sit? It's kind of grey, you know, along the spectrum of bad to good.

Graham

Plenty of people would consider Windows 10 being pretty malicious, wouldn't they? Well, I just hope that legitimate security researchers never find that they have to go and apply at the local council office or sub-post office to apply for a license to handle malware rather than giving a dog license or something like that.

Carole

I don't know what your issue is with that.

Graham

I don't have a problem with that. Well, it's just a bit too much work for you. I probably wouldn't. Probably. And also, I don't know if I'd qualify, Carole. I don't have the neck beard.

Carole

Maybe you shouldn't be playing with malware. Almost certainly not. I certainly don't the idea of you sitting there playing with malware on your computer.

Lisa

Don't think any of our listeners do either. Come on, Graham, get it together.

Carole

Every week, Lisa, every week I do this.

Graham

Lisa, what's your story for us this week?

Lisa

So my story is a very interesting one and it actually starts six years ago.

Carole

Oh, topical. OK, I've got my popcorn so ready.

Lisa

It's a story unlike anything you've ever heard. So six years ago, two Russian gentlemen, Alex and Alexei, discover each other online and they've never met and they decide to start a cryptocurrency exchange together as a business.

Carole

How does that happen? How does that happen? What, do they have just a few chats and they go, yeah, okay, I trust you, let's go? Pretty much, I think that's how it goes down. And they develop this really unique USP to attract their customers, as all good entrepreneurs have to consider, and that is that they're not going to require anyone who invests to provide any ID. So no prizes here for guessing who this might appeal to, right? Bad guys. That's a good way to ensure privacy, right? Totally, that's what they were really concerned about. I'm reading between the lines, but I think roughly that's what it was. Anyway, so this cryptocurrency exchange becomes the third largest in the world, so they actually do really, really well out of it. And sort of in a celebratory kind of spirit, Alex says, well, let's go to Greece and take our families on holiday. Okay, so they go to Greece, and Alex is on the beach, enjoying the beach with his wife and kids, and suddenly, out of nowhere, Greek police pop up and arrest him. And it turns out this was at the FBI's request. So his family quickly call Alexei, his business partner, and say, oh my god, you know, he's been arrested. So he quickly smashes up his laptop, runs to the airport to go back to Russia, successfully. It transpires that the FBI have seized all of their stuff from their company because they were laundering stuff for people like the Fancy Bears and other criminals.

Graham

Well, it worked before, didn't it? Let's have another go.

Lisa

And he rakes in millions. And by millions, I mean $450 million. Barely anything. Exactly. And we've all heard this story. He gets introduced to a Russian billionaire. We've all been there.

Carole

Some of my best friends.

Lisa

Exactly. They're my best friends. And Alexei tells him, this billionaire, how much money he has in his company. And the billionaire says, oh, well, you should go and meet with these two FSB guys I know who will help you with your security. Oh, yeah. OK. So Alexei's thinking, OK, yeah, this makes total sense. This is awesome.

Graham

And the FSB, for people who don't know, that's like the modern name for the KGB, isn't it? Yeah. The modern name. The rebranded version. It's like New Labour and Labour. Circa 1985. Anyway. It's like New Labour.

Carole

Oh god, I know, just don't.

Lisa

We'll go with it anyway. So Alexei goes and meets these two guys from the FSB, and they say to him, look, you've got to watch out for those pesky Americans, and we will set up a special FSB fund, and if you transfer your 450 million into this fund, we will keep it secure from them. Okay. So, yeah, so Alexei's thinking, oh my god, this is a genius idea, why didn't I think of this? Right, so he did it. So now Alexei goes back home.

Carole

He's feeling pretty smug, I'm guessing.

Lisa

Well, he's actually feeling a little bit sick, and it's not because he's drunk some tea that's been poisoned. He's feeling sick because he suddenly realizes that this doesn't make sense, and it transpires that the billionaire, the FSB agents and the 450 million have all disappeared into thin air.

Carole

Oh, no. So they totally, he got totally conned.

Lisa

Yeah, totally conned. Now, if you're listening to this and you're thinking, funnily enough, men posing as the FSB stole 400 million out of my account, you would report that to Action Fraud. Okay. Yeah. Who would then spring into action. Yeah, and they've got a special folder for cases just like this. So, yeah. Wow. What a story. Poor Alexei.

Graham

So he didn't do that. He hasn't reported this.

Lisa

I don't think Action Fraud are that interested in these things happening to Russian people in Russia.

Carole

Massively. So how does someone just set up an exchange like that and suddenly rake in 450 million?

Lisa

Excellent marketing strategy would be my guess. I don't know. I wonder if...

Carole

They're using the other, and a marketing affiliate scheme, just like the Crypto Queen.

Graham

Or just describe yourself as the privacy-conscious cryptocurrency exchange which doesn't require any ID, which is going to attract lots of cyber criminals and the Fancy Bears of this world to launder their money through it, you know, and before you know it, ka-ching, you're making a little bit from every transaction which is happening. But my goodness, yes.

Lisa

And if you can imagine, he's been through all this, he's basically lost all of his money twice now. And you think you've suffered from entrepreneurial burnout; this must be the extreme version.

Graham

And don't forget he also smashed up his laptop and threw it in the sea in Greece, right? And it's expensive. Yeah, he's got to get a new one of those. He's using Apple, geez. Carole, what have you got for us this week?

Carole

Well we are going to talk about Amazon Ring this is the smart doorbell camera and it is being snapped up like hotcakes online sales grew 180% last year compared to the previous year. And last month alone, shoppers bought around 400,000 of the things from Amazon and other retailers, your Best Buy, Costco,

Graham

Home Depot, and that sort of thing. It's amazing, isn't it? I mean, I'm just finding so many people now have got these installed. I was down the chess club the other night and my mate, Liam, hello, Liam. He showed me his phone. I hope you listen. Of course he does. And he said, look what's going on outside my house right now. And he showed me. Obviously, nothing was going on.

Carole

Because I have a neighbor who has a kind of stone wall around his front garden with a gate to the top. And it has a little inlet, right? And he's been complaining that people who are a little bit worse for wear coming home from the pub on Friday night use that little enclave as a urinal. A little tinkle. Which is quite... And so he was thinking of getting a Ring so that he could actually start yelling at them, right? To move on. I don't know anyway. So, yeah, so there's lots of people that are really into this, right? Nothing stops

Graham

me mid-flow quite like having an Amazon Ring shouting out at me, I have to say. It's very off-putting. Boo! Oh, crikey. Exactly. Goes all over my shoes.

Carole

So Amazon, one of the biggest and richest companies in the world, has, turns out, it's been secretly packing these Amazon Rings with third-party trackers. And don't be confused by the word party here. This isn't the party that any of you want to be attending. By third-party trackers, I mean companies that Amazon agrees to do business with. And these guys get a proverbial front seat, you know, so they can hoover up all kinds of personal identifiable information from Ring users.

Graham

But what are they collecting? I mean, a Ring is just looking out from your door, isn't it?

Carole

Well, it's looking from your door, but it also has an app on your device. More specifically, your Android device. So four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. So there were four of these. One of them is called AppsFlyer. It collected loads of stuff, but also collected info from the sensors. So that's your magnetometer. I don't know how you say the

Graham

word. It's a measurement of how many magnum ice creams you've done in the last 24 hours.

Carole

A magnetometer. I don't even know what that measures. There's a gyroscope, and I know there's internal calibration settings. There's also one going to our friends at Facebook. Oh, bless them. So information delivered to Facebook, even if you don't have a Facebook account like we don't, Graham, includes time zone, device model, language preferences, screen resolution, and a unique identifier which persists even if you reset the OS level advertiser ID.

Graham

So I don't have the Ring app, obviously. It doesn't display ads within the app, I imagine.

Carole

No, it just basically has a private deal with these, at least these four third parties. And according to the EFF, they are basically sending this data to them. Now, what was slightly ironic here, so all this information is going out of your phone, right? Going out of your phone via the Ring app to these third party providers. And the traffic that was observed was being encrypted using HTTPS. Good. But what's more, the encrypted information was delivered in a way that eludes analysis. So it made it much more difficult, according to the EFF, for security researchers to learn and report of these serious privacy breaches. Because it seems as though they've snuck these trackers on. And, of course, you're sharing them with third parties for vast profit.

Graham

So I can understand why Amazon might want to use some third-party services to understand how that app is being used, right? I can understand how they might want to understand the user's experience or if there were problems or work out what kind of devices they were being run on and try and troubleshoot problems like that. But I can't understand why they would be sending information to the likes of Facebook and some of these other firms.

Lisa

For ka-ching. Apart from the fact that sharing is caring, Graham. Sharing is caring, okay?

Graham

But what are these third-party companies doing with this data? That's what I don't understand.

Carole

Presumably advertising. So all this information is allowing these third-party marketing firms to build up a unique fingerprint of your activity, location, behavior, which in turn allows them to market services or products or anything to you much more accurately.

Lisa

Do you know what? I get this targeted advertising. And for some reason, all it ever sends me is, is your piglet sick? Do you want to know how to know if your piglet is sick? Or is your sheep okay? And I'm like, I swear somehow.

Graham

We have all been worrying about your farm. We have been worrying about it.

Lisa

People think I'm a farmer. I literally don't know why this is.

Carole

I'm just wondering, you know, and what's kind of annoying is that, you know, Amazon is going around. So they've been in hot water about Ring for a number of months now for different reasons. And they've been doing a lot of, excuse me, the security is fine in Ring. Actually, I think you'll find it's the user's problem because their Wi-Fi isn't secure enough or they're not choosing correct passwords or they haven't enabled 2FA. And they've been kind of wiping their hands of all this responsibility. And this is just a little bit dirty because according to the EFF, they are not clearly stating in any policy and getting clear consent from anyone in all this.

Graham

So has Amazon said anything in response to this EFF report about this?

Carole

Not that I have seen at the time of recording, but I'm sure they will.

Graham

Well, you know what? I'm going to WhatsApp Jeff Bezos right now because I've got him in my contacts. I'm sure I can get some of his attention if I send him a movie file. Hang on, let me just do this and see. It's offline at the moment.

Carole

What's interesting, though, is we as Smashing Security pulled off Facebook, right? We just said, look, your practices aren't very cool. We don't like them. We are, even though it's better for us to be on Facebook because it helps us promote our show and do all that stuff. It makes you wonder whether we as a collective should be actually giving the richest man in the universe more money.

Lisa

Well, funnily enough, didn't Amazon Ring literally a few weeks ago have an insider threat issue where some of their employees were watching the Ring scenes? And they just basically said, oh, well, we've terminated their contracts. And that was kind of like the end of it, as if to say, well, it's fine. And they go on. So that's that problem solved.

Carole

And, you know, maybe we only have rings because, right. So we got addicted getting our packages really fast. Right. So we're very happy to get people to pay less than minimum wage, to be working 12 hour shifts, peeing in bottles. They can get you your fuzzy whatever you ordered quickly to your door. But then the problem was that people were stealing these packages because they're getting delivered at all times of the day. Right. And so basically, I think he's been onto this for a long time. He's like, now I can give you doorbells so you can watch your packages mount up on your doorstep and make sure no one steals them.

Graham

Well, I think a good advertising campaign for the Amazon ring would be that now you can watch your Amazon delivery person taking a leak by your wall at the front of your garden because he's not got any time to do it any other time. Just like your friend, Carole.

Lisa

Exactly. Do you know what, though? I know it sounds like a terrible thing and you and I and the rest of the InfoSec community really care about all this, but normal people don't care. I say this to people and they say, I don't really care if people have that data.

Carole

Our listeners care, Lisa. Don't you guys? You do care. Listen, listen to them all screaming. Yes, we care.

Graham

Maybe they could make even more people care if they told their friends to also listen to Smashing Security.

Lisa

Oh, I like what you did there. You did a Jeff Bezos there.

Carole

Yeah, just Bezos. He'd be proud. Anyway, go read the article on the EFF. It's penned by Bill Budington. Go read and go care. Hey, Graham.

Graham

Yes.

Carole

There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control shared access and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. So check it out at LastPass.com forward slash smashing. Let me try that again, folks. Check it out at LastPass.com forward slash smashing.

Graham

And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week.

Lisa

Oh, Pick of the Week. Thanks for the enthusiasm. One or the other, you either get lots of enthusiasm or nothing. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. Doesn't have to be security related necessarily. Shouldn't be enthusiastic, crow. Well, my pick of the week, I'm just taking after Lisa, my pick of the week is not a funny story, a book that I've read, a TV show, a movie, a record, a podcast, a website or an app. It is a whatever. Because my pick of the week is a person who sadly died this week.

Carole

Oh, no. Oh, no. Are you finding out live on the show, Carole?

Graham

Yes. Oh, thrums. So, Nicholas. Oh, my God. Nicholas Parsons died on Tuesday morning. And he was the host of a very long running, over 50 years, a radio show called Just a Minute, which is broadcast on the BBC World Service and Radio 4 here in the UK. And if you have access to the BBC Sounds app, you can also download episodes there. And Just a Minute was a terrific game show where you had to... Mostly because of him. Well, he has obviously been an absolute institution. He was the moderator of the quiz. And the point of the quiz for anyone who hasn't ever heard Just a Minute is to speak for 60 seconds without repetition, deviation, or repetition.

Carole

Did you say repetition twice there?

Graham

Yes, I did. I've got very far on the show. What is it? It's repetition. Deviation, repetition, or... the other one. Oh, I've forgotten now. You see? Isn't that irritating? That is the worst. And we listened, so I listened to the show... Without hesitation, repetition, or deviation. There you go. Yeah. Well, I've been listening to this ever since I was a kid. I remember it in the glory years of the 1970s. It started in 1960-something. Yes, about 1967, I think. So it's been going an awfully long time. And he was the host the entire time, guys. The entire time. He just died at the age of 96. Oh, wow. And I remember it back in the 1970s, the glory years of Kenneth Williams being a contestant. He was incredibly funny, very, very rude about Nicholas Parsons. It was just extremely entertaining. So I'm going to put in a couple of links so we can read more about Nicholas Parsons and the Just a Minute show. And I've also included a link in the show notes to a video of Nicholas Parsons at the age of, well, he must have been in his mid-90s, being interviewed very recently by comedian Richard Herring. And you will see that he was just as sharp as anything right at the end of his life. Very funny and an absolute star. Legend, legend. A legend, there you go. So that is my pick of the week. Oh, that is so funny. Sorry about the repetition and the hesitation and quite a lot of deviation, probably. Constant deviation. So, Lisa, what is your pick of the week?

Lisa

Well, mine is another game. As you remember, my last episode, it was also a game. Yes. So this game is called Her Story, and it's by a guy called Sam Barlow, and it's a really fascinating game. Basically you are given access to a fake police database and you're asked to review files to solve a murder that happened back in the early 1990s. So you have to start watching a few videos and pick out pieces of vital information that the victims or that friends and family and whatever give. So it may be that they say something about the company that the victim worked at and then you search for the company name and pull up employee videos and so on and so forth. And there's so many avenues to go down. You can literally go down the wrong avenue for ages and then realize it was a red herring. But it's an amazing game that's a new genre of gaming in a sense. It came out a few years ago because I've played this, I think.

Carole

Oh, have you?

Lisa

Yes.

Carole

As Graham said to me, it's quite old. I loved it. I loved it. It's so good. Yeah, yeah. And you have to make decisions and choices and decide how you're going to go about finding out the whodunit. Yeah. It's wonderful.

Lisa

And you have to be so observant because you have to look at the time of the video and things they say and pick things out.

Carole

Great pick of the week, Lisa. I would never have remembered this. Excellent.

Lisa

It just so happens that they've actually got a sequel that got released in August 2019. And this is an NSA database that's been loaded onto a stolen laptop and you have to start piecing together that story. So it is really, it is really, really good. You have to pay for it, but it does mean that you don't get served up ads and have to buy additional credits and stuff like that. So certainly very different, different from the typical video game, isn't it? I watched the trailer for this, a little video, and the fact that you're sort of having to watch police interviews and videos and sort of pick them apart from the statements that people are giving you. It does look a little bit weird if you're playing on the train, because it looks like you're just watching loads of police videos of people crying. But, I mean, at least people don't sit next to you then. Hey, no, cheap thrills, right? Whatever, whatever. Exactly.

Carole

So I just wanted to carry on with my Bezos theme, right? So my pick of the week is an article penned by the Guardian columnist Marina Hyde. Do you guys read her ever? I do. She's quite funny. I have to say. I know what it is.

Graham

I think. I seem to recall that she had some kind of relationship with Piers Morgan. Oh, no. They were certainly emailed. She lost her job at one point. I think she was working for The Sun and he was the editor of The Mirror. They were secret, probably because she's quite witty and attractive in that fashion. Maybe he was shouting after her. Who knows?

Carole

She's also a bit famous because Elton John once brought a libel suit against her. Oh, really? Because she wrote, she used to write this jesty piece, kind of a peek in the diary of X, right? This was a weekly column thing. She did one on Elton John and he was not amused. But as he's not the actual queen, the judge threw it out. Which is strange because normally he's considered so level-headed, isn't he? He's not someone who gets upset easily. Is definitely level-headed in my view. Anywho, anywho, anywho. Marina wrote about the whole Saudi Arabia Jeff Bezos scandal that you were alluding to at the end of my story. Oh, yes. Right. So this is, what was it? End of January, UN investigators alleged that the de facto ruler of Saudi Arabia may have been the one responsible for hacking Jeff Bezos' mobile phone. And according to a forensic report prepared for Bezos, Bezos got the infected video file on WhatsApp and claims that it opened a back door on Bezos's phone. And that's how all the pictures got leaked. Right. Now, of course, of course, the Saudi embassy in Washington is saying this is absurd. But Marina wrote about this and she had some... Let me just read a little, just a little excerpt for you guys. So she says, what elevates the story of how Bezos's underpanted selfies may have made their way into the public domain is the identity of the hacker, who was probably none other than Saudi bear and human lumberjacker Mohammed bin Salman. From here on in we will refer to the crown prince by his desired nickname MBS, which he has no idea sounds like a dinosaur carpet warehouse on the ring road or the name slapped on the off-brand trainers your mum picked up at the supermarket which she insists are exactly the same as Nikes except for a couple of tiny bits that no one's going to notice. Cute, right? She's...

Graham

Got a real cute way, better. Who can blame Piers Morgan? I mean, that is quite funny, isn't it?

Carole

Exactly, even you can't. So I say read it, yeah, and I've put a few links to a few of my other favourite stories she's written. But she's, you know, sometimes in this world a lot of news can be pretty dry. Sometimes you need someone with a bit of sass.

Lisa

I agree, you need that sometimes because it's so monotonous otherwise, so.

Carole

Yeah, and scary and awful. So you can read the stories and you yourself can make up your own mind as to whether the Saudi prince hacked the Amazon king.

Graham

Well, great pick of the week, Carole. Now, before we say chariot, everyone, we've got a little bonus. Oh, yes, we do. Coming up, haven't we, Carole? Yes. Carole and I, we met up with Adrian from Thinkst, who wanted to tell us all about his really rather cool sounding canary tool. And we think you'll be interested too. Enjoy.

Carole

So we have a featured interview for you today on Smashing Security. Meet Adrian Sanabria. Now, he works at a company called Thinkst. And Thinkst creates this pretty nifty little tool. Graham and I got a demo last week, and we both thought it was so cool that you might want to hear about it from the horse's mouth. Well, not a horse's mouth, but Adrian's mouth. It's not Mr. Aid. Adrian, welcome. What an intro.

Adrian

Yeah, thanks for calling me names already. I'm not even on the show yet.

Carole

So maybe we should start with a pain point so everyone can kind of get cozy. Can you give me maybe a typical frustrating scenario for an IT security guy or gal out there?

Adrian

It's a narrative that we've seen for decades in security. And it's that when attackers get past these preventative defenses we have, these exterior defenses, it always seems like they have just carte blanche to stroll around the network, take what they want, do what they want. And it's, you know, we're used to seeing these dwell time metrics in the hundreds of days where attackers have just been lounging about doing whatever they want to do, whatever they need to do on our networks. And it's frustrating, right? I'm sure it's embarrassing. And it's frustrating to think that somebody might be in right now and you wouldn't know it. So that's what we go after.

Graham

It's a terrible thing. I mean, sometimes it takes months for businesses to realize that they've been breached. And if it's taken months and months, then the amount of data which could have been stolen is enormous.

Carole

And the first question would be, how long have they been there? That's what the boss is going to ask. So what does Canary do? How does that address this problem?

Adrian

Yeah. So our canaries are honeypots that you put on the internal network. You can make them look like various different things, anything from a SCADA device, something from Honeywell, or a Windows file server, something like that. And they look the part down to the MAC address, how they talk on the network. They look and talk and walk like the ducks we make them to look like. You put them places, there's some strategy behind it, where you're going to place them, how many you're going to use, what you make them look like. You want them to look enticing to the attacker. We want to be the first device that the attacker goes after so that you find out as quickly as possible that there's been an intrusion. And the idea is you have a chance to, once they go after our device and we start sending off alerts, which is going to happen the moment they start messing with it, if they scan it, if they try and log into it, do anything with it, it's going to scream bloody Mary, let you know.

Carole

I guess when you say enticing, you don't mean so enticing that they actually want to attack you. More that if they are sniffing around your network already, you want to have them go into a honey trap as opposed to on a real live, you know, bona fide data service.

Adrian

So the scenario here is they've already achieved some level of access to your network. They've already gotten in. You're going to have these canaries on your internal network. So this works equally well for insider threats as it does for external threats.

Graham

And these are literally, I mean, let me get my head around this. These are literally little black boxes, or can be little black boxes, which you plug in, you scatter around your network, maybe pretending to be some old Windows computers or running whatever operating system you wish, disguised as different things. And so if an intruder or if a malicious insider was snooping around, they might trigger it just by almost trying the handle of the door. It's not that they can get into them, but just trying the handle will set off an alarm which you will pick up, but they won't even know that they've triggered it.

Adrian

That's exactly right. And what we're taking advantage of is the act of snooping, as you put it, requires you to do certain things. And I like to say, unless the attacker's just extremely lucky and lands right on top of a very detailed Visio diagram of your network and how to get to the good stuff, they're going to have to do some snooping. They're going to have to take some actions to search the network to find what they're looking for. And we use that to detect those actions. We use these canaries.

Carole

Canary, these are actual physical devices, right? They're plug and play. So it's not, I remember you showing us how easy it was to set up and it kind of blew me away. So maybe you could kind of walk our listeners through that.

Adrian

And a lot of it goes back to that philosophy of making this as simple and painless for the customer as possible. It takes three or four minutes to set up these devices, whether it's the physical one that you mentioned, or we've got VM versions, where we've got Azure, AWS, and Google Cloud versions. It'll take three or four minutes to set up. We like to say, you know, you could stay back from lunch, let your colleagues go out to lunch. By the time they get back, you could have 10 or 20 of these deployed and be done, right? Another philosophy is we didn't want to create another product where you've got somebody in the organization labeled the canary guy. And what the canary guy does is he comes in, he logs into the canary console, and the canary console creates busy work for him to click things and tune things and gives the illusion that he's doing security work when he's really just got busy work inside of this console.

Carole

Yeah, that's such a good point, that idea that tinkering feels like work, but actually, if it's properly set up to begin with, if you can get a nice kind of almost default setup where there's just only the basic configurations you have to do, it's so much more attractive to me, certainly.

Adrian

And I hate to offend anybody. I'm sorry if you're the guy that manages the WAF or the SIEM, you're probably familiar with what I'm talking about. I don't want to say that what you're doing isn't important, but there's a chance that it might not be all that helpful in the greater scheme of things. So yeah, we wanted to avoid that. And our devices update themselves. Once you've deployed them, there's nothing left to do except wait for them to send you alerts.

Graham

And what I like about this approach is it is rather different from the conventional security tools, which many companies already have. It's not that you're saying, run Canary Tools, you know, put these in place across your network and chuck out your antivirus and chuck out all these other protection measures. This is something which very much complements your existing security measures.

Adrian

That's right. Yeah. And it does one thing very, very well. It lets you know if something fishy is going on on your network, or if we get into talking about the canary tokens, in other places. So we've got tokens that you can put in your email, on file servers, on flash drives, even in physical places to allow you to trap and trick people in other ways.

Graham

So these tokens, they're almost landmines, if you, or they're some sort of sensor. So if someone was to go into an email or maybe into an Amazon bucket and mess around there, you could trigger one of these things and you'd be thinking, whoa, what's going on here then? There's obviously some badness going on. They don't actually have to activate anything, do they? So this accidental triggering is an interesting idea because I'm wondering what happens if you get a pen test crew in? What if you actually challenge a company to see what your defenses are? I would imagine they might stumble across some of these things and think that they've hit the motherlode, think that they've almost accessed some great big database or some such.

Adrian

So that's actually something our customers really, really love. If you think about it, some companies have been doing pen tests for almost two decades now, and they're used to the pen testers coming to them and just laying down this laundry list of things that they should feel ashamed about. Like, look at all the ways that I pwned your systems. We hear stories like, oh, while waiting in the lobby for them to come get me and show me to the cubicle where I do my pen test work, I already broke in and I got domain admin. We hear stories like that. Now from our customers, we hear the opposite. We hear, oh, we caught the pen testers in the first 10 minutes. Or stories like, you know, the pen test was supposed to end on Friday, but they continued on Monday. And we know because our canaries told us.

Carole

I love it. That could be your strapline. Canaries, get your smugness back.

Graham

So another feature which I really liked was not just that you could set up these sort of fake computers and fake servers for the hackers to try and hack into, but you could also make it appear as though they had certain files on them, like an employee database or an HR spreadsheet and so forth. And although they wouldn't necessarily be able to download it, they could see the file name and they would keep on trying to access this darn thing. And that's something you can do with the Canary too.

Adrian

Absolutely. And actually you can let them download them. Those files can have data in them that looks real. You could create a password spreadsheet with realistic looking passwords. Just get a password generator, get a bunch of real sites and fill that thing with real data. None of it's actually real, but the attacker doesn't know that, and name it appropriately. And that spreadsheet will let you know anytime anyone opens it anywhere in the world. It's not dependent on being on your network. And also this is a service we give away for free. You can go to canarytokens.org and you can create these for free. We've got over 100,000 people that use this free service. And the commercial version has a few more things that make it more polished, more nice to use in an enterprise. But generally, most of the same tokens we have in the commercial version are available in the free version. And I know people that, for example, upload their resume and token the resume. So they know if people have opened their resume after they've sent it off, when did they open it? How many times did they open it? Did they open it right before the interview? Oh my goodness. Yeah. So generally with the Canary tokens, the bit of information that's most important is that somebody's in there in the first place. And the information you get back varies. For example, just the standard Word document token will at most let you know what IP address they were coming from when they opened that Word doc and it reached out. So that'll be somebody's internet address. In my case, that'll be my AT&T broadband IP address. But in other cases, we have some macro Word and Excel documents. And if somebody enables that macro, which you can do if you name it the right type of file, a lot of accounting departments use macros in their documents. Maybe you can get somebody to enable that macro and that macro will pull your username, the host name and the internal IP address as well. So that's kind of the other extreme of the information you can get. We're not putting a remote access Trojan or anything like that. Yeah, it's just little bits of information. Yeah.

Graham

And of course, if someone is accessing something they shouldn't be with a web browser, then there'll be certain information about the web browsing client that they're using, I would imagine, and the operating system and the screen dimension. So there's still some information.

Carole

So this is like a really early heads up so that you can go and lock down whatever particular place you might think might be vulnerable.

Adrian

And that's the whole idea, the strategy behind the product is to give you this early detection so that perhaps you can do something about it before any damage is done. Cool.

Carole

Before we go, how does this product fit in with threat hunting and all that stuff?

Adrian

Traditionally in threat hunting, you're searching for indications that somebody's already gotten in. You know, indications of threats that weren't surfaced by your IDS or your WAF or the rules and signatures that are already in place to detect bad stuff.

Graham

Because the typical scenario at the moment is that a data breach occurs and the first a company knows about it is when the credit card companies or more likely Brian Krebs gives you a phone call and tells you you've got a data breach. You don't know anything about it until it's brought your attention that way. Something like this will hopefully catch an intruder much earlier on in the process and hopefully before any damage is done and data is stolen. Exactly.

Carole

Cool. Very cool. Adrian, thank you so much for coming to chat with us today. It has been fascinating. I love businesses doing clever, clever things like this to help ease our lives. So, thank you for existing.

Adrian

Thank you for having me on. I love listening to the podcast because there's so much humor. It can be such a dry topic. You guys, the banter back and forth. Someone once called it Bickertainment. That's brilliant.

Graham

That just about wraps it up for this week. Lisa, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more. What's the best way for folks to do that?

Lisa

Twitter is a really good option, @LisaForteUK.

Graham

Terrific. And you can follow us on Twitter as well at Smashing Security, no G, Twitter on the loose. And don't forget that if you want to ensure that you don't miss a future episode of Smashing Security, you should subscribe to us in your favourite podcast app. Just go to the App Store, whatever flavour of smartphone you have, and check out a podcast player such as CastBox.

Carole

And a huge thank you to all of you for listening to us, supporting us on Patreon and giving us swoon-worthy reviews. Also a big shout out to this week's sponsor, LastPass, and to our special guest, Thinkst. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.

Graham

Until next time, cheerio. Bye-bye.

Carole

Bye. Bye. Why are you laughing there, Graham?

Graham

Nothing. My parents have been listening to our show. My parents have been listening to this show recently. Oh, have they? I didn't listen to last week. And my dad, who is now a retired medical doctor, is very concerned about your wheeze. He has brought it up to me about four times now. And the way he does, he goes, "What's with the wheezing? What's with all the wheezing?" Graham. He doesn't talk like that. He's not one of the freaking sisters out of The Simpsons.

Lisa

I was going to say, it is a little bit, it kind of makes me feel like you have something to do with the mafia, but in a kind of fun, in an approachable way as well.

Graham

Do you think I'm funny? You think I'm funny, do you? I amuse you. Yeah, the Quebec mafia.

Carole

That's what I'm involved in. We eat poutine by night and listen to Celine Dion. It's amazing.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Lisa Forte – @LisaForteUK

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Thinkst

Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in.

Go to canary.tools to find out why its Physical, VM and Cloud Based Canaries are deployed and loved on all 7 continents…

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Castbox, Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
