Should possessing malware be illegal in itself? How did a Russian cryptocurrency exchange millionaire lose his fortune? And what on earth are Amazon Ring doorbell cams up to now?
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.
And don’t miss our special featured interview with Adrian Sanabria, all about Thinkst Canary.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
And the FSB, for people who don't know, that's like the modern name for the KGB, isn't it?
Yes, the modern name.
Yes, the rebranded version.
Yes, it's like New Labour and Labour.
Circa 1985. Okay.
Anyway, it's like New Labour.
God, I know, just don't.
Smashing Security, episode 163: Russian Heists and Ring-Rong. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 163.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault. Still.
You're still Carole Theriault. Wonderful. Still haven't got the upgrade. Never mind. And we are joined this week by returning guest Lisa Forte. Hello, Lisa.
Hello.
Welcome to the show.
Well, she's been on before.
Thanks so much.
I know, but what, do you never welcome a guest when they come into your house for a second time?
Lisa, you have just returned to old Blighty, haven't you, from America? Did you leave pre-election or post-election?
I left pre-election.
Right, so you've come back to this dystopian nightmare that we're now living in, in the final days before the Brexit bell tolls. It's coming this Friday, isn't it?
I am actually flying into the UK on the morning of February 1st, at something like 7:00 AM.
That's what you think?
So I may be, yeah. So as long as I don't get the coronavirus, I'll be one of the first people to come into the country under its new guise.
Ah, lovely. Good to have you back. What's coming up on the show this week, Carole?
First, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now Graham looks into how Maryland might make malware possession a crime?
Lisa tells us a crazy Russian heist story. And I give Amazon a bit of a spanking. Plus, we have a bonus featured interview for you today, thanks to our friends at Thinkst.
Stay tuned to hear all about their Canary tool, which Graham and I both think sounds pretty darn cool. All this and so much more coming up on this episode of Smashing Security.
Lisa tells us a crazy Russian heist story. And I give Amazon a bit of a spanking. Plus, we have a bonus featured interview for you today, thanks to our friends at Thinkst.
Stay tuned to hear all about their Canary tool, which Graham and I both think sounds pretty darn cool. All this and so much more coming up on this episode of Smashing Security.
Now, chums, chums, malware. Do you have any in your pocket? Have you secreted any about your person?
What do you mean, like an infected USB?
Well, maybe, I don't know. Have you got some hidden away on your hard drive? Well, watch out.
Take heed because the state of Maryland in the good old US of A is proposing a new law that could ban the possession of malware, actually make it a crime to be carrying malware.
Take heed because the state of Maryland in the good old US of A is proposing a new law that could ban the possession of malware, actually make it a crime to be carrying malware.
Okay, I am so glad that Lisa's on the show. Lisa, is it not a crime already to be in possession of malware?
Oh, I don't know.
Oh, sorry.
Well, I can tell you, no, it's not. So why should it be?
I think— pretty sure it's the use of it at the moment.
But what's kind of interesting to me is that actually, when you look at what the bill is that they've put forward, it says possession and intent to use. Yes.
And what I don't understand is, why can't it not just be strict liability?
You know, in the same way that in the UK, possession of a firearm or possession of Class A drugs, you know, the fact that you've got it on you is the crime.
I don't understand why that wouldn't be the situation.
But what's kind of interesting to me is that actually, when you look at what the bill is that they've put forward, it says possession and intent to use. Yes.
And what I don't understand is, why can't it not just be strict liability?
You know, in the same way that in the UK, possession of a firearm or possession of Class A drugs, you know, the fact that you've got it on you is the crime.
I don't understand why that wouldn't be the situation.
Oh, well, you see, I think you should be able to possess malware.
And I speak as someone who used to be employed by an antivirus company which had millions of pieces of malware on its network for completely legitimate reasons, for analysis and research.
And it would have been a complete nuisance if we hadn't been able to store the stuff and indeed share it with other researchers.
And so distributing malware, I don't think should be a crime either.
And I speak as someone who used to be employed by an antivirus company which had millions of pieces of malware on its network for completely legitimate reasons, for analysis and research.
And it would have been a complete nuisance if we hadn't been able to store the stuff and indeed share it with other researchers.
And so distributing malware, I don't think should be a crime either.
I think it would be fair for the general public to assume that companies get special rights to view and manage and work with malware.
You'd like to think that was what was going on and that people that shouldn't actually have access to that stuff, it's illegal.
And the reason it's a problem is because computers are not vaults, right?
So if you've got malware sitting somewhere, that is maybe not fully secure and that gets out, that can cause all kinds of havoc.
You'd like to think that was what was going on and that people that shouldn't actually have access to that stuff, it's illegal.
And the reason it's a problem is because computers are not vaults, right?
So if you've got malware sitting somewhere, that is maybe not fully secure and that gets out, that can cause all kinds of havoc.
Oh yeah, that would be a problem, of course.
But who says that you shouldn't be allowed to have a virus-infected computer if you want to have a virus on your computer or a piece of ransomware?
But who says that you shouldn't be allowed to have a virus-infected computer if you want to have a virus on your computer or a piece of ransomware?
I would like to think that legislation would. I'm a little surprised it doesn't actually. I'm—
Carole!
What?
It's terribly right-wing of you. Really?
Yeah, make it a partisan issue.
Well, no, I just think that, you know, people should be allowed to do what they like with their computer, if they've got malware on it, it's not— if it's not doing any harm to anybody else, where's the problem?
I have no problem if the computer is completely offline and not connected to the good old internet. But if it is, then it's a problem.
It's a bit of argy-bargy this week. All right, just imagine this, right?
Imagine you are a 19-year-old student and you're really interested in computer security and you would love to have a job working for an antivirus company, but none of them will give you a job.
Because you haven't been able to demonstrate your expertise. And so you think, right, I will become an independent security researcher.
There's a piece of ransomware which is spreading right now. Let's imagine, for instance, the WannaCry worm, right, which hit the NHS.
And I will analyze it on my computer and I will try and work out some kind of antidote or some way of stopping it.
Should that person be guilty of a crime simply because they possess the ransomware? I would argue, no, they shouldn't.
Imagine you are a 19-year-old student and you're really interested in computer security and you would love to have a job working for an antivirus company, but none of them will give you a job.
Because you haven't been able to demonstrate your expertise. And so you think, right, I will become an independent security researcher.
There's a piece of ransomware which is spreading right now. Let's imagine, for instance, the WannaCry worm, right, which hit the NHS.
And I will analyze it on my computer and I will try and work out some kind of antidote or some way of stopping it.
Should that person be guilty of a crime simply because they possess the ransomware? I would argue, no, they shouldn't.
But maybe they should go through proper channels in order to be able to say, I am, in the same way the cops, you have to go into the evidence room, and if you have to sign in and sign out to say, "Yes, I've got possession of this now and I'm looking at it," it'd be nice to have a log of that, don't you think?
You're suggesting maybe people should have some kind of license.
So maybe companies or individuals who are in the business of analyzing malware should have some sort of checks done to make sure they're not, you know, don't have a neckbeard.
So maybe companies or individuals who are in the business of analyzing malware should have some sort of checks done to make sure they're not, you know, don't have a neckbeard.
But you know what? What about the exemptions though?
You know, if you think of cocaine, and someone, I don't know, the police confiscating it and sending it then to a lab to test that it was in fact cocaine.
That lab is in possession of cocaine at that moment in time, but they're exempt from being charged with the strict liability offense of possession of a Class A drug.
So I think we're talking about sort of outlying people, but I think the general public who are not interested in analyzing malware, certainly not in my household, why should they have that on their computers anyway?
You know, if you think of cocaine, and someone, I don't know, the police confiscating it and sending it then to a lab to test that it was in fact cocaine.
That lab is in possession of cocaine at that moment in time, but they're exempt from being charged with the strict liability offense of possession of a Class A drug.
So I think we're talking about sort of outlying people, but I think the general public who are not interested in analyzing malware, certainly not in my household, why should they have that on their computers anyway?
I think we're missing a much bigger point here, though.
Is the big point going to be that, oh, I got hit by ransomware, therefore there's ransomware on my network computer, therefore I'm breaking the law?
Is the big point going to be that, oh, I got hit by ransomware, therefore there's ransomware on my network computer, therefore I'm breaking the law?
Yeah. If your day wasn't going badly enough already. Quite. Okay.
So in respect to this law in Maryland, I have to backtrack a little bit because the specific Senate bill, which has been proposed, labels the possession and intent to use ransomware in a malicious manner as a misdemeanor punishable by up to 10 years in prison and a $10,000 fine.
So you have to prove that they've also got intent to use it maliciously, which hopefully antivirus companies and security researchers don't have.
So it's an interesting debate, this, you know, should all malware be banned? I personally don't think it should be, but yeah, and intent is an interesting word, isn't it?
So in respect to this law in Maryland, I have to backtrack a little bit because the specific Senate bill, which has been proposed, labels the possession and intent to use ransomware in a malicious manner as a misdemeanor punishable by up to 10 years in prison and a $10,000 fine.
So you have to prove that they've also got intent to use it maliciously, which hopefully antivirus companies and security researchers don't have.
So it's an interesting debate, this, you know, should all malware be banned? I personally don't think it should be, but yeah, and intent is an interesting word, isn't it?
I don't know about its legal parameters. Like, is it, you know, me going on Facebook and going, "God, I wish I could put some ransomware on this guy's computer." Done.
It certainly makes it a more difficult thing, I would imagine, to prove, as opposed to possession.
Yeah.
The problem really is that the main people possessing malware are, of course, the poor sods who've had their computers infected by it.
Yeah.
You know, and we wouldn't want to criminalize them because they're already having a tough enough time.
So, if you look at this Senate bill that's been proposed in Maryland, it says a person may not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into a computer or network or system of another person without the authorization of the other person.
And I agree. I think existing computer crime laws pretty much cover that.
And they say, you know, you can go on to other people's computers, you can break into their networks if you've got their permission.
If you don't have their permission, if you don't have their authorization, then that's something which is obviously illegal.
And similarly, so I don't see why this law is necessary because it's already committing computer crimes through the malware actually breaking into the computer without the permission.
So, if you look at this Senate bill that's been proposed in Maryland, it says a person may not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into a computer or network or system of another person without the authorization of the other person.
And I agree. I think existing computer crime laws pretty much cover that.
And they say, you know, you can go on to other people's computers, you can break into their networks if you've got their permission.
If you don't have their permission, if you don't have their authorization, then that's something which is obviously illegal.
And similarly, so I don't see why this law is necessary because it's already committing computer crimes through the malware actually breaking into the computer without the permission.
Exactly.
Yeah, it seems like an added layer of something that may be already addressed in the distribution, you know, with intent.
Which makes me wonder, why did Maryland do this?
Good question. Tell me you've got a cool answer.
Oh, well, I see. I was thinking about this and I was thinking, could Maryland's— Oh God.
Oh no.
I was thinking, you know, it might be a natural progression from the Maryland cookie debacle.
So maybe with web— anyway, it's cookie— no, no, no, it's nothing to do with cookie legislation, Mary.
So maybe with web— anyway, it's cookie— no, no, no, it's nothing to do with cookie legislation, Mary.
I don't even know what that means.
It's Maryland cookies, Carole. Do you not eat Maryland cookies?
Oh, you know what, I don't think people in Maryland know about Maryland cookies. Yeah, I don't know either.
They're a big hit here in Oxford in my household.
They're very yummy cookies or brownies or Graham's household will find this joke really funny, but everyone else, not so much.
Maybe we should be linking as a pick of the week to the Maryland cookies, I don't know.
But anyway, look, the real reason is this, the real reason, I'm sure someone out there eats Maryland cookies.
But anyway, look, the real reason is this, the real reason, I'm sure someone out there eats Maryland cookies.
Someone sniggered somewhere, yeah.
The real reason is that some cities in Maryland have had their run-ins with ransomware.
Who can forget Baltimore in Maryland, which in the space of one year, the city of Baltimore was hit twice by ransomware.
Once they had their 911 emergency dispatch system that was knocked offline.
And the other time they were hit by the Robin Hood malware when a bunch of merry men rode in on their horses wearing green tight pants and installed malware onto the computer systems.
Anyway, Baltimore refused to pay up, as we discussed way back in Smashing Security episode 151. And the mayor said, well, we're not going to give in to the extortionists.
You know, we're just gonna recover from our backups. Although it later turned out that their backups were shit because they were—
Who can forget Baltimore in Maryland, which in the space of one year, the city of Baltimore was hit twice by ransomware.
Once they had their 911 emergency dispatch system that was knocked offline.
And the other time they were hit by the Robin Hood malware when a bunch of merry men rode in on their horses wearing green tight pants and installed malware onto the computer systems.
Anyway, Baltimore refused to pay up, as we discussed way back in Smashing Security episode 151. And the mayor said, well, we're not going to give in to the extortionists.
You know, we're just gonna recover from our backups. Although it later turned out that their backups were shit because they were—
You know what's interesting? Yeah.
They were only backing up to the same hard drive. So they just copied files to another folder on the same computer. So the backups weren't safe.
You know, this is why municipalities should offer a fairly good salary package for their IT security folks.
Now, did I not read this week that New York is going to propose that paying ransomware is... You know, paying for ransomware, what's it called? Paying ransomware.
Now, did I not read this week that New York is going to propose that paying ransomware is... You know, paying for ransomware, what's it called? Paying ransomware.
Yeah, paying ransom demands.
Paying ransomware ransoms is going to be illegal.
Well, I don't know if it's illegal or not. Certainly they don't like it.
No, no, they're looking at putting a law to put it forward in New York.
It's not illegal now, but they're thinking of doing that, which is interesting because they're basically saying you're helping fuel more ransomware attacks by paying them off, even though you get on your feet faster.
It's not illegal now, but they're thinking of doing that, which is interesting because they're basically saying you're helping fuel more ransomware attacks by paying them off, even though you get on your feet faster.
It definitely does encourage more attacks, the knowledge that many people will pay up. Without doubt.
Especially with insurers as well. If insurers say you must pay and you know someone's got cyber insurance, pretty good bet that they're going to pay.
Yeah, it's a lot less hassle than all the paperwork you have to go through.
And a lot less money. In Baltimore's case, I think the bad guys were asking for about $70,000 and Baltimore ended up paying about $6 million.
Yes.
Well, we examined where that cash went and it didn't look very—
No.
Yes.
So there have been initiatives by different cities. There's a council of mayors or something where they're all sort of saying, we pledge not to pay ransoms in future.
So I think people are beginning to move that way a little bit.
Again, I'm not sure if it should really be legislation because sometimes a ransomware attack, you may have no option but to pay.
You know, it's your business goes bust if you can't recover the data.
So I think people are beginning to move that way a little bit.
Again, I'm not sure if it should really be legislation because sometimes a ransomware attack, you may have no option but to pay.
You know, it's your business goes bust if you can't recover the data.
Well, also I think the problem with black letter law, so I actually have a background in law and the problem with black letter law is that it's so slow to develop.
I mean, if you think about in the UK and the US, it has to pass through a bicameral system. Two houses have to approve any piece of legislation.
That's why in the UK, we're stuck with the Computer Misuse Act of 1990.
I mean, if you think about in the UK and the US, it has to pass through a bicameral system. Two houses have to approve any piece of legislation.
That's why in the UK, we're stuck with the Computer Misuse Act of 1990.
Yes.
I don't know if this bill is going to pass or not.
Obviously, I'm encouraged by the fact that they're saying you have to have intent and you have to infect or attempt to infect without authorization.
Obviously, I'm encouraged by the fact that they're saying you have to have intent and you have to infect or attempt to infect without authorization.
How are they going to enforce it though? Because it's all well and good having any law you want, but if you can't actually detect these people, make arrests, is there any point?
Exactly. I doubt many cybercriminals are going to be pooping their pants over this, right? I mean, has making anything illegal ever stopped it from happening?
The bad guys are making so much money anyway. I would have thought existing computer crime laws were enough to bring these guys to book if they've been identified.
And if they haven't been identified, this isn't going to help do it, is it?
The bad guys are making so much money anyway. I would have thought existing computer crime laws were enough to bring these guys to book if they've been identified.
And if they haven't been identified, this isn't going to help do it, is it?
Yeah, I'm just looking right now at Maryland's current computer misuse laws.
Oh yeah.
And so misdemeanor computer crimes, a person who illegally accesses computer is guilty of a misdemeanor. So it's basically authorization is very much part of that.
Yeah.
It seems like it's already being handled.
I think so.
Well, I'll put this link in your show notes so that people can go see what is currently being available in Maryland and you can see whether you think this is something that they need.
Can I just say, I have one more issue with this thing, right? And it kind of comes around what lawyers love the most, which is defining things within an inch of their life.
Making money, I'd have said. But anyway, yes, okay.
If you look at, I was reading about this story, and if you look at the situation in the UK with legal highs, how they've done it is that they've defined the legal high by the formula.
So then someone changes the formula ever so slightly, and that substance is no longer an illegal substance anymore.
So then someone changes the formula ever so slightly, and that substance is no longer an illegal substance anymore.
Mm-hmm.
Oh, so if you want to make an illegal high, you've just got to look up the legislation and it gives you the recipe. Is that what you're saying?
And just change it a little bit and then it's not illegal because they've done it by the formula of the drug. So if you're starting to define ransomware, how does that work?
That's a really interesting point, Lisa.
And malicious software is a difficult thing to define as well, isn't it?
Yeah, and there's potentially unwanted apps, right? So then it's, where does it sit? It's kind of gray, you know, along the spectrum of bad to good.
Plenty of people would consider Windows 10 being pretty malicious, wouldn't they?
Well, I just hope that legitimate security researchers never find that they have to go and apply at the local council office or sub-post office to apply for a license to handle malware, rather like getting a dog license or something like that.
Well, I just hope that legitimate security researchers never find that they have to go and apply at the local council office or sub-post office to apply for a license to handle malware, rather like getting a dog license or something like that.
I don't know what your issue is with that. I don't have a problem with that. Well, it's just a bit too much work for you.
I probably would, probably. And also, I don't know if I'd qualify, Carole. I don't have the neckbeard. You know, I'd probably—
Well, maybe you shouldn't be playing with malware. I certainly don't like the idea of you sitting there playing with malware on your computer.
I don't think any of our listeners do either. Jeez.
I don't think any of our listeners do either. Jeez.
Come on, Graham, get it together.
I do.
Every week, Lisa. Every week I do this.
Lisa, what's your story for us this week?
So my story is a very interesting one, and it actually starts 6 years ago.
Oh, topical.
Okay, I've got my popcorn, so ready.
It's a story unlike anything you've ever heard.
So 6 years ago, two Russian gentlemen, Alex and Alexei, discover each other online, and they've never met, and they decide to start a cryptocurrency exchange together as a business.
So 6 years ago, two Russian gentlemen, Alex and Alexei, discover each other online, and they've never met, and they decide to start a cryptocurrency exchange together as a business.
How does that happen? What does that happen? What, do they have just a few chats and they go, yeah, okay, I trust you, let's go?
Pretty much. I think that's how it goes down. And they developed this really unique USP to attract their customers, as all good entrepreneurs have to consider.
And that is that they're not going to require anyone who invests to provide any ID. So no prizes here for guessing who this might appeal to.
And that is that they're not going to require anyone who invests to provide any ID. So no prizes here for guessing who this might appeal to.
Right.
Bad guys.
I mean, that's a good way to ensure privacy, right?
Totally. That's what they were really concerned about, I think. I'm reading between the lines, but I think roughly that's what it was.
Anyway, so this cryptocurrency exchange becomes the third largest in the world. So they actually do really, really well out of it.
And in a celebratory spirit, Alex says, "Well, let's go to Greece and take our families on holiday."
Anyway, so this cryptocurrency exchange becomes the third largest in the world. So they actually do really, really well out of it.
And in a celebratory spirit, Alex says, "Well, let's go to Greece and take our families on holiday."
Okay.
So off they go to Greece. And Alex is on the beach enjoying the beach with his wife and kids. And suddenly out of nowhere, Greek police pop up and arrest him.
And it turns out this was at the FBI's request.
So his family quickly call Alexi, his business partner, and say, "Oh my God, you know, he's been arrested." So he quickly smashes up his laptop, runs to the airport to go back to Russia.
Successfully. It transpires that the FBI have seized all of their stuff from their company because they were laundering stuff for people like the Fancy Bears and other criminals.
So Alex is in a Greek jail and Alexi is now back in Russia. The FBI have seized all his stuff. So you might be thinking, what is an entrepreneur to do in this situation?
Well, Alexey decides to recoup his losses by setting up another exchange.
And it turns out this was at the FBI's request.
So his family quickly call Alexi, his business partner, and say, "Oh my God, you know, he's been arrested." So he quickly smashes up his laptop, runs to the airport to go back to Russia.
Successfully. It transpires that the FBI have seized all of their stuff from their company because they were laundering stuff for people like the Fancy Bears and other criminals.
So Alex is in a Greek jail and Alexi is now back in Russia. The FBI have seized all his stuff. So you might be thinking, what is an entrepreneur to do in this situation?
Well, Alexey decides to recoup his losses by setting up another exchange.
Well, it worked before, didn't it? Let's have another go.
And he rakes in millions, and by millions I mean $450 million.
Barely anything.
Exactly. And we've all heard this story. He gets introduced to a Russian billionaire. We've all been there. And—
Some of my best friends.
Exactly. They're my best friends. And Alexi tells him, this billionaire, how much money he has in his company.
And the billionaire says, "Oh, well, you should go and meet with these two FSB guys I know who will help you with your security." Oh, yeah.
And the billionaire says, "Oh, well, you should go and meet with these two FSB guys I know who will help you with your security." Oh, yeah.
Okay.
So Alexi's thinking, "Okay, yeah, this makes total sense."
"This is awesome." And the FSB, for people who don't know, that's the modern name for the KGB, isn't it?
Yes, yeah, the modern name.
We're just living under the rebranded version.
Yeah, yes, it's like New Labour and Labour, circa 1985.
Okay, anyway, it's like New Labour.
God, I know, just don't.
We'll go with it.
Anyway, so Alexei goes and meets these two guys from the FSB, and they say to him, "Look, you've got to watch out for those pesky Americans, and we will set up special FSB fund, and if you transfer your $450 million into this fund, we will keep it secure from them." Okay, so yeah, so Alexi's thinking, "Oh my God, this is a genius idea, why didn't I think of this," right?
So he did it.
Anyway, so Alexei goes and meets these two guys from the FSB, and they say to him, "Look, you've got to watch out for those pesky Americans, and we will set up special FSB fund, and if you transfer your $450 million into this fund, we will keep it secure from them." Okay, so yeah, so Alexi's thinking, "Oh my God, this is a genius idea, why didn't I think of this," right?
So he did it.
Uh-huh.
So now Alexi goes back home.
He's feeling pretty smug, I'm guessing.
Well, he's actually feeling a little bit sick, and it's not because he's drunk some tea that's been poisoned.
He's feeling sick because he suddenly realizes that this doesn't make sense.
And it transpires that the billionaire, the FSB agents, and the $450 million have all disappeared into thin air.
He's feeling sick because he suddenly realizes that this doesn't make sense.
And it transpires that the billionaire, the FSB agents, and the $450 million have all disappeared into thin air.
Oh no.
So they totally— he got totally conned.
Yeah, totally conned.
Now if you're listening to this and you're thinking, funnily enough, men posing as the FSB stole $400 million out of my account, you would report that to Action Fraud.
Now if you're listening to this and you're thinking, funnily enough, men posing as the FSB stole $400 million out of my account, you would report that to Action Fraud.
Yeah.
Just so we're all clear. Who then spring into action.
Yeah. And they've got a special folder for cases just like this.
It's fine.
Yes.
Yeah, of course they do. So yeah, wow.
What a story. Poor Alexei.
So he didn't do that.
Oh, well. Yeah, literally.
I don't think Action Fraud are that interested in these things happening to Russian people in Russia massively. But—
So how does someone just set up an exchange and suddenly rake in $450 million?
Excellent marketing strategy would be my guess.
I don't know.
I wonder if they're using the marketing affiliate scheme just the crypto queen.
Or just describe yourself as the privacy-conscious cryptocurrency exchange, which doesn't require any ID, which is going to attract lots of cybercriminals and the fancy bears of this world to launder their money through it.
You know, and before you know it, ka-ching, you're making a little bit from every transaction which is happening. But my goodness.
You know, and before you know it, ka-ching, you're making a little bit from every transaction which is happening. But my goodness.
Yes, and if you can imagine, he's been through all this. He's basically lost all of his money twice now. And you think you've suffered from entrepreneurial burnout?
And this must be the extreme version of that.
And this must be the extreme version of that.
And don't forget, he also smashed up his laptop and threw it in the sea in Greece.
I know.
Right?
And it's holding his phone. That's expensive.
Yeah, he's got to get a new one of those. He's using Apple. Jeez.
Kroll, what have you got for us this week?
Well, we are gonna talk about Amazon Ring. This is the smart doorbell camera. And it is being snapped up hotcakes. Online sales grew 180% last year compared to the previous year.
And last month alone, shoppers bought around 400,000 of the things from Amazon and other retailers your Best Buy, Costco, Home Depot, and that sort of thing.
And last month alone, shoppers bought around 400,000 of the things from Amazon and other retailers your Best Buy, Costco, Home Depot, and that sort of thing.
It's amazing, isn't it? I mean, I'm just finding so many people now have got these installed.
I was down the chess club the other night and my mate Liam— hello Liam— he showed me his phone.
I was down the chess club the other night and my mate Liam— hello Liam— he showed me his phone.
He said—
Of course he does— and he said, look what's going on outside my house right now. And he showed me.
Right.
Nothing was going on.
Because I have a neighbor who has a kind of a stone wall around his front garden with a gate at the top. And it has a little inlet, right?
And he's been complaining that people who are a little bit worse for wear coming home from the pub on Friday night to use that little enclave as a urinal.
And he's been complaining that people who are a little bit worse for wear coming home from the pub on Friday night to use that little enclave as a urinal.
A little tinkle.
Which is quite— and so he was thinking of getting a Ring so that he could actually start yelling at them, right?
To move on. I don't know.
Anyway, so, so yeah, so there's lots of people that are really into this, right?
Nothing stops me mid-flow quite having an Amazon Ring shouting out at me, I have to say. Very off-putting.
Boo!
Crikey.
Exactly.
Goes all over my shoes.
So Amazon, one of the biggest and richest companies in the world, has, turns out, it's been secretly packing these Amazon Rings with third-party trackers.
And don't be confused by the word party here. This isn't like the party that any of you want to be attending.
By third-party trackers, I mean companies that Amazon agrees to do business with, and these guys get a proverbial front seat so they can hoover up all kinds of personal identifiable information from Ring users.
And don't be confused by the word party here. This isn't like the party that any of you want to be attending.
By third-party trackers, I mean companies that Amazon agrees to do business with, and these guys get a proverbial front seat so they can hoover up all kinds of personal identifiable information from Ring users.
But what are they collecting? I mean, a Ring is just looking out from your door, isn't it?
Well, it's looking from your door, but it also has an app on your device.
Oh.
More specifically, your Android device.
So four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.
So there are four of these. One of them is called AppsFlyer.
It collected loads of stuff, but also collected info from the sensors, so that's your magnetometer—I don't know how you say the word.
So four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.
So there are four of these. One of them is called AppsFlyer.
It collected loads of stuff, but also collected info from the sensors, so that's your magnetometer—I don't know how you say the word.
It's a measurement of how many Magnum ice creams you ate in the last 24 hours.
Magnetometer. I don't even know what that measures. There's a gyroscope, and I know there's internal calibration settings. There's also one going to our friends at Facebook.
Oh, Facebook.
So information delivered to Facebook, even if you don't have a Facebook account—like we don't, Graham—includes time zone, device model, language preferences, screen resolution, and a unique identifier which persists even if you reset the OS-level advertiser ID.
Oh, Facebook.
So information delivered to Facebook, even if you don't have a Facebook account—like we don't, Graham—includes time zone, device model, language preferences, screen resolution, and a unique identifier which persists even if you reset the OS-level advertiser ID.
So I don't have the Ring app, obviously. It doesn't display ads within the app, I imagine.
No, it just basically has a private deal with these, at least these four third parties. And according to the EFF, they are basically sending this data to them.
Now, what was slightly ironic here, so all this information's going out of your phone, right? Going out of your phone via the Ring app to these third-party providers.
Now, what was slightly ironic here, so all this information's going out of your phone, right? Going out of your phone via the Ring app to these third-party providers.
Yeah.
And the traffic that was observed was being encrypted using HTTPS.
That's good.
But what's more, the encrypted information was delivered in a way that eludes analysis.
So it made it much more difficult, according to the EFF, for security researchers to learn and report of these serious privacy breaches.
So it made it much more difficult, according to the EFF, for security researchers to learn and report of these serious privacy breaches.
Ah, yes.
Because it seems as though they've snuck these trackers on. And of course, you know, they're sharing them with third parties for vast profit.
So I can understand why Amazon might want to use some third-party services to understand how their app is being used, right?
I can understand how they might want to understand the user's experience, or if there were problems, or work out what kind of devices they were being run on and try and troubleshoot problems like that.
But I can't understand why they would be sending information to the likes of Facebook and some of these other firms.
I can understand how they might want to understand the user's experience, or if there were problems, or work out what kind of devices they were being run on and try and troubleshoot problems like that.
But I can't understand why they would be sending information to the likes of Facebook and some of these other firms.
For ka-ching.
Apart from the fact that sharing is caring, Graham. Sharing is caring, okay?
But what are these third-party companies doing with this data? That's what I don't understand.
Simply advertising.
So all this information is allowing these third-party marketing firms to build up a unique fingerprint of your activity, location, behavior, which in turn allows them to market services or products or anything to you much more accurately.
So all this information is allowing these third-party marketing firms to build up a unique fingerprint of your activity, location, behavior, which in turn allows them to market services or products or anything to you much more accurately.
Do you know what I get? I get this targeted advertising, and for some reason, all it ever sends me is like, is your piglet sick?
Do you want to know how to know if your piglet is sick? Or is your sheep okay?
Do you want to know how to know if your piglet is sick? Or is your sheep okay?
And I'm like, I swear we have been worrying about it.
People think I'm a farmer. I literally don't know why this is.
I'm just wondering, you know, and what's kind of annoying is that, you know, Amazon is going around.
So they've been in hot water about Ring for a number of months now for different reasons. And they've been doing a lot of, excuse me, the security is fine in Ring.
Actually, I think you'll find it's the user's problem because their Wi-Fi isn't secure enough or they're not choosing correct passwords or they haven't enabled two-factor authentication.
So they've been in hot water about Ring for a number of months now for different reasons. And they've been doing a lot of, excuse me, the security is fine in Ring.
Actually, I think you'll find it's the user's problem because their Wi-Fi isn't secure enough or they're not choosing correct passwords or they haven't enabled two-factor authentication.
Right.
And they've been kind of wiping their hands of all this responsibility.
And this is just a little bit dirty because according to the EFF, they are not clearly stating in any policy and getting clear consent from anyone in all this.
And this is just a little bit dirty because according to the EFF, they are not clearly stating in any policy and getting clear consent from anyone in all this.
So has Amazon said anything in response to this EFF report about this?
Not that I have seen at the time of recording, but I'm sure they will.
Well, you know what? I'm going to WhatsApp Geoff Bezos right now because I've got him in my contacts. I'm sure I can get him some of his attention if I send him a movie file.
Hang on, let me just do this and see.
Hang on, let me just do this and see.
What's interesting though is we as Smashing Security, for example, pulled off Facebook, right? We just said, look, your practices aren't very cool. We don't like them.
We are, even though it's, you know, better for us to be on Facebook because it helps us promote our show and do all that stuff.
It makes you wonder whether we as a collective should be actually giving the richest man in the universe more money.
We are, even though it's, you know, better for us to be on Facebook because it helps us promote our show and do all that stuff.
It makes you wonder whether we as a collective should be actually giving the richest man in the universe more money.
Well, funnily enough, didn't Amazon Ring literally a few weeks ago have an insider threat issue where some of their employees were watching the Ring feeds.
Yes.
And they just basically said, oh well, we've terminated their contracts. And that was kind of the end of it, as if to say, well, it's fine, and they're gone.
So that's that problem solved.
So that's that problem solved.
And you know, maybe we only have Rings because, right, so we got addicted getting our packages really fast, right?
So we're very happy to get people to pay less than minimum wage to be working 12-hour shifts peeing in bottles so they can get you your fuzzy whatever you ordered quickly to your door.
But then the problem was that people were stealing these packages, 'cause they're getting delivered at all times of the day.
And so basically, I think he's been onto this for a long time.
He's, now I can give you doorbells so you can watch your packages be, you know, mount up on your doorstep and make sure no one steals them.
So we're very happy to get people to pay less than minimum wage to be working 12-hour shifts peeing in bottles so they can get you your fuzzy whatever you ordered quickly to your door.
But then the problem was that people were stealing these packages, 'cause they're getting delivered at all times of the day.
And so basically, I think he's been onto this for a long time.
He's, now I can give you doorbells so you can watch your packages be, you know, mount up on your doorstep and make sure no one steals them.
Well, I think a good advertising campaign for the Amazon Ring would be that now you can watch your Amazon delivery person taking a leak by your wall at the front of your garden, because he's not got any time to do it any other time, just your friend, Carole.
Exactly.
You know what though?
I just don't think— I know it sounds a terrible thing, and you and I and the rest of the infosec community really care about all this, but normal people don't care.
I say this to people and they say, I don't really care if people have that data.
I say this to people and they say, I don't really care if people have that data.
I don't really—
What?
Our listeners care, Lisa. Don't you guys? You do care. Listen, listen to them all screaming, yes, we care.
Maybe they could make even more people care if they told their friends to also listen to Smashing Security.
Oh, I like what you did there. You did a Geoff Bezos there.
Yeah, Geoff Bezos, he'd be proud. Anyway, go read the article on the EFF. It's penned by Bill Buddington. Go read and go care.
Cool.
Hey, Graham.
Yes?
There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing.
Let me try that again, folks. Check it out at lastpass.com/smashing.
And when it comes to cybersecurity, that is super important. So listeners, listen up.
If you do not have a password manager in your organization, please check out LastPass Enterprise.
They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier.
Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing.
Let me try that again, folks. Check it out at lastpass.com/smashing.
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
Pick of the Week.
Oh, Pick of the Week.
Thanks for the enthusiasm.
You get one or the other. You either get lots of enthusiasm or nothing.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
Shouldn't be.
Enthusiastic crow. Well, my Pick of the Week—
I'm just taking after Lisa.
My Pick of the Week is not a funny story, a book that I've read, a TV show, a movie, a record, a podcast, a website, or an app.
It is a whatever, because my pick of the week is a person who sadly died this week. Who? Nicholas Parsons has died. Oh no. Oh no, are you finding out live on the show, Carole?
Oh crumbs. So Nicholas Parsons died on Tuesday morning, and he was the host of a very long-running, over 50 years, a radio show called Just a Minute.
Which is broadcast on the BBC World Service and Radio 4 here in the UK. And if you have access to the BBC Sounds app, you can also download episodes there.
And Just a Minute was a terrific game show where you had to—
It is a whatever, because my pick of the week is a person who sadly died this week. Who? Nicholas Parsons has died. Oh no. Oh no, are you finding out live on the show, Carole?
Oh crumbs. So Nicholas Parsons died on Tuesday morning, and he was the host of a very long-running, over 50 years, a radio show called Just a Minute.
Which is broadcast on the BBC World Service and Radio 4 here in the UK. And if you have access to the BBC Sounds app, you can also download episodes there.
And Just a Minute was a terrific game show where you had to—
Mostly because of him.
Well, he has obviously been an absolute institution. He was the moderator of the quiz.
And the point of the quiz, for anyone who hasn't ever heard Just a Minute, is to speak for 60 seconds without repetition, deviation, or repetition.
And the point of the quiz, for anyone who hasn't ever heard Just a Minute, is to speak for 60 seconds without repetition, deviation, or repetition.
Did you say repetition twice there?
Yes, I did.
You've got very far on the show. Nope.
What is it? It's repetition.
Deviation, repetition, or—
The other one. Oh, I've forgotten now. You see? Isn't that irritating?
That is the worst. And we listen, so I listen to the show.
Without hesitation, repetition. Hesitation. Or deviation. There you go.
Yeah.
Well, I've been listening to this ever since I was a kid. I remember it in the glory years of the 1970s.
It started in 1970.
1960-something?
About 1967, I think. So it's been going an awfully long time.
And he was the host the entire time, guys.
The entire time. He just died at the age of 96. Oh wow. And I remember it back in the 1970s, the glory years of Kenneth Williams being a contestant.
He was incredibly funny, very, very rude about Nicholas Parsons. It was just extremely entertaining.
So I'm going to put in a couple of links where you can read more about Nicholas Parsons and the Just a Minute show.
And I've also included a link in the show to a video of Nicholas Parsons at the age of— well, he must have been in his mid-90s— being interviewed very recently by comedian Richard Herring.
And you will see that he was just as sharp as anything right at the end of his life. Very funny and an absolute star.
He was incredibly funny, very, very rude about Nicholas Parsons. It was just extremely entertaining.
So I'm going to put in a couple of links where you can read more about Nicholas Parsons and the Just a Minute show.
And I've also included a link in the show to a video of Nicholas Parsons at the age of— well, he must have been in his mid-90s— being interviewed very recently by comedian Richard Herring.
And you will see that he was just as sharp as anything right at the end of his life. Very funny and an absolute star.
Legend. Legend. A legend.
There you go. So that is my pick of the week.
Oh, that is so sad.
Sorry about the repetition and the hesitation. And quite a lot of deviation, probably.
Constant deviation.
So Lisa, what is your pick of the week?
Well, mine is another game. As you remember, my last episode, it was also a game.
So this game is called Her Story, and it's by a guy called Sam Barlow, and it's a really fascinating game.
Basically, you are given access to a fake police database and you're asked to review files to solve a murder that happened back in the early 1990s.
So you have to start watching a few videos and pick out pieces of vital information that the victims or that, you know, friends and family and whatever give.
So it may be that they say something about the company that the victim worked at, and then you search for the company name and pull up employee videos and so on and so forth.
And there's so many avenues to go down, you can literally go down the wrong avenue for ages and then realize it was a red herring.
But it's an amazing game that's kind of a new genre of gaming in a sense.
So this game is called Her Story, and it's by a guy called Sam Barlow, and it's a really fascinating game.
Basically, you are given access to a fake police database and you're asked to review files to solve a murder that happened back in the early 1990s.
So you have to start watching a few videos and pick out pieces of vital information that the victims or that, you know, friends and family and whatever give.
So it may be that they say something about the company that the victim worked at, and then you search for the company name and pull up employee videos and so on and so forth.
And there's so many avenues to go down, you can literally go down the wrong avenue for ages and then realize it was a red herring.
But it's an amazing game that's kind of a new genre of gaming in a sense.
It came out a few years ago because I've played this.
Oh, have you?
Yeah, and it's, as Graham said to me, it's quite old.
I loved it. I loved it.
It's kind of like, yeah, yeah.
And you have to make decisions and choices and decide how you're going to go about finding out who the whodunit. Yeah, it's wonderful.
And you have to be so observant because you have to look at the time of the video and little things they say and pick things out.
Great pick of the week, Lisa. I would never have remembered this. Excellent.
It just so happens that they've actually got a sequel that got released in August 2019.
And this is like an NSA database that's been loaded onto a stolen laptop and you have to start piecing together that story. So it is really, really good.
You have to pay for it, but it does mean that you don't get served up ads and have to buy additional credits and stuff like that.
And this is like an NSA database that's been loaded onto a stolen laptop and you have to start piecing together that story. So it is really, really good.
You have to pay for it, but it does mean that you don't get served up ads and have to buy additional credits and stuff like that.
It's certainly very different from the typical video game, isn't it?
I watched the trailer for this, a little video, and the fact that you're sort of having to watch police interviews and videos and sort of then pick apart from the statements that people are giving you, it looked really interesting, all the different avenues which you could go down.
I watched the trailer for this, a little video, and the fact that you're sort of having to watch police interviews and videos and sort of then pick apart from the statements that people are giving you, it looked really interesting, all the different avenues which you could go down.
It does look a little bit weird if you're playing on the train because it kind of looks like you're just watching loads of police videos of people crying, but I mean, at least people don't sit next to you then.
Cheap thrills, right? Wherever, wherever flights should go.
Yeah, totally.
Okay, well, we will put links in the show notes for people who want to explore them even more.
Yeah, and I second it. Great, great, great pick of the week. Excellent.
Carole, we've had two awesome picks of the week. What have you got for us this week?
So I just wanted to carry on with my Bezos theme, right? So my pick of the week is an article penned by The Guardian columnist Marina Hyde. Do you guys read her ever?
I do. She's quite funny, I have to say.
Well, scathing.
Well, yes, that's—
But she's a great columnist. She's very witty. There's only one thing I don't like about her.
I know what it is.
I think, I seem to recall, I seem to recall that she had some kind of relationship with Piers Morgan.
Oh no, they were certainly email pen pals.
She lost her job at one point. I think she was working for The Sun and he was the editor of The Mirror.
They were secret, probably because she's quite witty and attractive in that fashion. Maybe he was sharp enough to her, who knows.
They were secret, probably because she's quite witty and attractive in that fashion. Maybe he was sharp enough to her, who knows.
She's also a bit famous because Elton John once brought a libel suit against her.
Oh really?
Because she wrote, she used to write this jesty piece, kind of a peek in the diary of X, right? This is a weekly column thing. She did one on Elton John and he was not amused.
But as he's not the actual queen, the judge threw it out.
But as he's not the actual queen, the judge threw it out.
Which is strange because normally he's considered so level-headed, isn't he? He's not someone who gets upset easily.
Well, anyone who wears those glasses has definitely got a level head in my view.
Anywho, anywho, anywho, Marina wrote about the whole Saudi Arabia Geoff Bezos scandal that you were alluding to at the end of my story.
Anywho, anywho, anywho, Marina wrote about the whole Saudi Arabia Geoff Bezos scandal that you were alluding to at the end of my story.
I was.
Right, so this is end of January, UN investigators alleged that the de facto ruler of Saudi Arabia may have been the one responsible for hacking doxing Geoff Bezos's mobile phone.
And according to a forensic report prepared for Bezos, Bezos got the infected video file on WhatsApp, and claims that it opened a backdoor on Bezos's phone, and that's how all the pictures got leaked.
Right now, of course, the Saudi Embassy in Washington is saying this is absurd. But Marina wrote about this, and she had some— let me just read a little excerpt for you.
Guys, so she says, "What elevates the story of how Bezos's underpanted selfies may have made their way into the public domain is the identity of the hacker, who was probably none other than Saudi bear and human lumberjacker Mohammed bin Salman.
From here on in, we will refer to the Crown Prince by his desired nickname, MBS, which he has no idea sounds like a dinosaur carpet warehouse on the Ring Road, or the name slapped on the off-brand trainers your mum picked up at the supermarket, which she insists are exactly the same as Nikes except for a couple of tiny bits that no one's going to notice." Cute, right?
She's got a real cute way about her.
And according to a forensic report prepared for Bezos, Bezos got the infected video file on WhatsApp, and claims that it opened a backdoor on Bezos's phone, and that's how all the pictures got leaked.
Right now, of course, the Saudi Embassy in Washington is saying this is absurd. But Marina wrote about this, and she had some— let me just read a little excerpt for you.
Guys, so she says, "What elevates the story of how Bezos's underpanted selfies may have made their way into the public domain is the identity of the hacker, who was probably none other than Saudi bear and human lumberjacker Mohammed bin Salman.
From here on in, we will refer to the Crown Prince by his desired nickname, MBS, which he has no idea sounds like a dinosaur carpet warehouse on the Ring Road, or the name slapped on the off-brand trainers your mum picked up at the supermarket, which she insists are exactly the same as Nikes except for a couple of tiny bits that no one's going to notice." Cute, right?
She's got a real cute way about her.
Who can blame Piers Morgan? I mean, that is quite funny, isn't it?
Exactly. Even you can. So I say read it.
Yeah.
And I've put a few links to a few of my other favorite stories she's written about. But she's, you know, sometimes in this world of very— a lot of news can be pretty dry.
Sometimes you need someone with a bit of sass.
Sometimes you need someone with a bit of sass.
I agree. You need that sometimes because it's so monotonous otherwise.
So yeah, and scary and awful. So you can read the stories and you yourself can make up your own mind as to whether Saudi Prince hacked the Amazon King.
Well, great pick of the week, Carole. Now, before we say cheerio to everyone, we've got a little bonus.
Oh yes, we do.
Coming up, haven't we, Carole?
Yes.
Carole and I, we met up with Adrian from Thinkst, who wanted to tell us all about his really rather cool-sounding Canary tool. And we think you'll be interested too.
Enjoy. So we have a featured interview for you today on Smashing Security. Meet Adrian Sanabria.
Now he works at a company called Thinkst and Thinkst creates this pretty nifty little tool.
Graham and I got a demo last week and we both thought it was so cool that you might want to hear about it from the horse's mouth. Well, not a horse's mouth, but Adrian's mouth.
Now he works at a company called Thinkst and Thinkst creates this pretty nifty little tool.
Graham and I got a demo last week and we both thought it was so cool that you might want to hear about it from the horse's mouth. Well, not a horse's mouth, but Adrian's mouth.
It's not Mr. Ed.
Adrian, welcome. What an intro.
Yeah, thanks for calling me names already. I'm not even on the show yet.
So maybe we should start with a pain point so everyone can kind of get cozy. Can you give me maybe a typical frustrating scenario for an IT security guy or gal out there?
It's a narrative that we've seen for decades in security, and it's that when attackers get past these preventative defenses we have, these exterior defenses, it always seems like they have just carte blanche to stroll around the network, take what they want, do what they want.
And it's, you know, we're used to seeing these dwell time metrics in the hundreds of days where attackers have just been lounging about doing whatever they want to do, whatever they need to do on our networks.
And it's frustrating, right? I'm sure it's embarrassing and it's frustrating to think that somebody might be in right now and you wouldn't know it. So that's what we go after.
And it's, you know, we're used to seeing these dwell time metrics in the hundreds of days where attackers have just been lounging about doing whatever they want to do, whatever they need to do on our networks.
And it's frustrating, right? I'm sure it's embarrassing and it's frustrating to think that somebody might be in right now and you wouldn't know it. So that's what we go after.
It's a terrible thing. I mean, sometimes it takes months for businesses to realize that they've been breached.
And if it's taken months and months, then the amount of data which could have been stolen is enormous.
And if it's taken months and months, then the amount of data which could have been stolen is enormous.
And the first question would be, how long have they been there?
Yeah, right.
That's what the boss is gonna ask. So what does Canary do? How does that address this problem?
Yeah, so our Canaries are honeypots that you put on the internal network.
You can make them look like various different things, anything from a SCADA device, you know, something from Honeywell or a Windows file server, something like that.
And they look the part down to the MAC address, how they talk on the network. You know, they look and talk and walk like the ducks we make them to look like.
You know, you put them places, there's some strategy behind it. You know, where are you going to place them, how many you're going to use, what you make them look like.
You want them to look enticing to the attacker.
You know, we want to be the first device that the attacker goes after so that you find out as quickly as possible that there's been an intrusion.
And the idea is you have a chance to, you know, once they go after our device and we start sending off alerts, which is going to happen the moment they start messing with it, if they scan, if they try and log into it, do anything with it, that it's gonna scream bloody murder, let you know.
You can make them look like various different things, anything from a SCADA device, you know, something from Honeywell or a Windows file server, something like that.
And they look the part down to the MAC address, how they talk on the network. You know, they look and talk and walk like the ducks we make them to look like.
You know, you put them places, there's some strategy behind it. You know, where are you going to place them, how many you're going to use, what you make them look like.
You want them to look enticing to the attacker.
You know, we want to be the first device that the attacker goes after so that you find out as quickly as possible that there's been an intrusion.
And the idea is you have a chance to, you know, once they go after our device and we start sending off alerts, which is going to happen the moment they start messing with it, if they scan, if they try and log into it, do anything with it, that it's gonna scream bloody murder, let you know.
I guess when you, when you say enticing, you don't mean so enticing that they actually want to attack you.
More that if they are sniffing around your network already, you want to have them go into a honey trap as opposed to on a real live, you know, bona fide data service.
More that if they are sniffing around your network already, you want to have them go into a honey trap as opposed to on a real live, you know, bona fide data service.
Right.
So, so the scenario here is they've already achieved some level of access to your network. They've already gotten in. You're going to have these canaries on your internal network.
So this works equally well for insider threats as it does for external threats.
So this works equally well for insider threats as it does for external threats.
And these are literally, I mean, let me get my head around this.
These are literally little black boxes or can be little black boxes, which you plug in, you scatter around your network, maybe pretending to be some old Windows computers or running whatever operating system you wish, disguised as different things.
And so if an intruder or if a malicious insider was snooping around, they might trigger it just by almost like trying the handle of the door.
It's not like they can get into them, but just trying the handle will set off an alarm which you will pick up, but they won't even know that they've triggered it.
These are literally little black boxes or can be little black boxes, which you plug in, you scatter around your network, maybe pretending to be some old Windows computers or running whatever operating system you wish, disguised as different things.
And so if an intruder or if a malicious insider was snooping around, they might trigger it just by almost like trying the handle of the door.
It's not like they can get into them, but just trying the handle will set off an alarm which you will pick up, but they won't even know that they've triggered it.
That's exactly right. And what we're taking advantage of is the act of snooping, as you put it, requires you to do certain things, you know.
And I to say, unless the attacker's just extremely lucky and lands right on top of a very detailed Visio diagram of your network and how to get to the good stuff, they're going to have to do some snooping.
They're going to have to take some actions to search the network to find what they're looking for. And we use that to detect those actions. We use these canaries.
And I to say, unless the attacker's just extremely lucky and lands right on top of a very detailed Visio diagram of your network and how to get to the good stuff, they're going to have to do some snooping.
They're going to have to take some actions to search the network to find what they're looking for. And we use that to detect those actions. We use these canaries.
Canary. These are actual physical devices, right? they're plug and play. So it's not the— I remember you showing us how easy it was to set up and it kind of blew me away.
So maybe you could walk our listeners through that.
So maybe you could walk our listeners through that.
And a lot of it goes back to that philosophy of making this as simple and painless for the customer as possible.
It takes 3 or 4 minutes to set up these devices, whether it's the physical one that you mentioned or we've got VM versions where we've got an Azure, AWS, and Google Cloud versions all take 3 or 4 minutes to set up.
We to say you know, you could stay back from lunch, let your colleagues go out to lunch. By the time they get back, you could have 10 or 20 of these deployed and be done, right?
another philosophy is we don't want— we didn't want to create another product where you've got somebody in the organization labeled the canary guy.
And what the canary guy does is he comes in, he logs into the canary console, and the canary console creates busywork for him to click things and tune things and gives the illusion that he's doing security work when he's really just got busy work inside of this console.
It takes 3 or 4 minutes to set up these devices, whether it's the physical one that you mentioned or we've got VM versions where we've got an Azure, AWS, and Google Cloud versions all take 3 or 4 minutes to set up.
We to say you know, you could stay back from lunch, let your colleagues go out to lunch. By the time they get back, you could have 10 or 20 of these deployed and be done, right?
another philosophy is we don't want— we didn't want to create another product where you've got somebody in the organization labeled the canary guy.
And what the canary guy does is he comes in, he logs into the canary console, and the canary console creates busywork for him to click things and tune things and gives the illusion that he's doing security work when he's really just got busy work inside of this console.
Yeah, that's such a good point, that idea that tinkering feels work, but actually, you know, if it's properly set up to begin with, if you can get a nice, you know, kind of almost default setup where there's just only the basic configurations you have to do, it's so much more attractive to me, certainly.
And I hate to offend anybody, you know, I'm sorry if you're the guy that manages the WAF or the SIEM, you know, you're probably familiar with what I'm talking about.
I don't want to say that what you're doing isn't important, but there's a chance that it might not be all that helpful in the greater scheme of things.
So yeah, we wanted to avoid that. And there's our devices update themselves once you've deployed them. There's nothing left to do except wait for them to send you alerts.
I don't want to say that what you're doing isn't important, but there's a chance that it might not be all that helpful in the greater scheme of things.
So yeah, we wanted to avoid that. And there's our devices update themselves once you've deployed them. There's nothing left to do except wait for them to send you alerts.
And what I about this approach is, is rather different from the conventional security tools which many companies already have.
It's not you're saying run Canary tools, you know, put these in place across your network and chuck out your antivirus and chuck out all these other protection measures which you— this is something which very much complements your existing security.
It's not you're saying run Canary tools, you know, put these in place across your network and chuck out your antivirus and chuck out all these other protection measures which you— this is something which very much complements your existing security.
That's right, yeah. And it does one thing very, very well.
You know, it lets you know if something fishy is going on on your network or if we get into talking about the Canary tokens in other places, you know, so we've got tokens that you can put in your email on file servers, on flash drives, even in physical places, you know, to allow you to trap and trick people in other ways.
You know, it lets you know if something fishy is going on on your network or if we get into talking about the Canary tokens in other places, you know, so we've got tokens that you can put in your email on file servers, on flash drives, even in physical places, you know, to allow you to trap and trick people in other ways.
So these tokens, they're almost like landmines, if you like, or they're some sort of sensor.
So if someone— yeah, so if someone was to go into an email or maybe into an Amazon bucket and mess around there, you could trigger one of these things and you'd be thinking, whoa, what's going on here then?
There's obviously some badness going on.
So if someone— yeah, so if someone was to go into an email or maybe into an Amazon bucket and mess around there, you could trigger one of these things and you'd be thinking, whoa, what's going on here then?
There's obviously some badness going on.
Yeah, and we do have an Amazon S3 bucket token that'll do exactly that.
They don't actually have to activate anything, do they?
No, but generally because we operate on the inside, you know, even maybe that initial device that they get onto, you know, that's the behavior we're looking for.
And the problem with going any further out than that, we wouldn't ever recommend putting a canary on the public internet, for example, is all of a sudden you go from this device that we can easily get down to zero false positives.
When it fires off and alerts you, you can be sure that something's going on that shouldn't be. When you move it to the outside, those types of activities are normal all day long.
There are thousands of IPs that are just scanning the entire internet, trying to log into things, and all of a sudden you get that alert fatigue issue again and you're just overwhelmed with maybes instead of higher quality alerts.
And the problem with going any further out than that, we wouldn't ever recommend putting a canary on the public internet, for example, is all of a sudden you go from this device that we can easily get down to zero false positives.
When it fires off and alerts you, you can be sure that something's going on that shouldn't be. When you move it to the outside, those types of activities are normal all day long.
There are thousands of IPs that are just scanning the entire internet, trying to log into things, and all of a sudden you get that alert fatigue issue again and you're just overwhelmed with maybes instead of higher quality alerts.
So this accidental triggering is an interesting idea because I'm wondering what happens if you get a pen test crew in?
What if you actually challenge a company to see what your defenses are like?
I would imagine they might stumble across some of these things and think that they've hit the motherlode, think that they've almost accessed some great big database or some such.
What if you actually challenge a company to see what your defenses are like?
I would imagine they might stumble across some of these things and think that they've hit the motherlode, think that they've almost accessed some great big database or some such.
That's actually something our customers really love.
If you think about it, some companies have been doing pen tests for almost two decades now, and they're used to the pen testers coming to them and just laying down this laundry list of things that they should feel ashamed about.
Look at all the ways that I pwned your systems.
We hear stories like, oh, you know, while waiting in the lobby for them to come get me and show me to the cubicle where I do my pen test work, I already broke in and I got domain admin.
And, you know, we hear stories like that. Now from our customers, we hear the opposite.
We hear, oh, we caught the pen testers in the first 10 minutes, or stories like, you know, the pen test was supposed to end on Friday, but they continued on Monday, and we know because our canaries told us.
If you think about it, some companies have been doing pen tests for almost two decades now, and they're used to the pen testers coming to them and just laying down this laundry list of things that they should feel ashamed about.
Look at all the ways that I pwned your systems.
We hear stories like, oh, you know, while waiting in the lobby for them to come get me and show me to the cubicle where I do my pen test work, I already broke in and I got domain admin.
And, you know, we hear stories like that. Now from our customers, we hear the opposite.
We hear, oh, we caught the pen testers in the first 10 minutes, or stories like, you know, the pen test was supposed to end on Friday, but they continued on Monday, and we know because our canaries told us.
That could be your strapline. Canaries, get your smugness back.
Yeah.
So another feature which I really liked was not just that you could set up these sort of fake computers and fake servers for the hackers to try and hack into, but you could also make it appear as though they had certain files on them, like an employee database or an HR spreadsheet and so forth.
And although they wouldn't necessarily be able to download it, they could see the file name and they would keep on trying to access this darn thing.
And that's something you can do with the canary too.
And although they wouldn't necessarily be able to download it, they could see the file name and they would keep on trying to access this darn thing.
And that's something you can do with the canary too.
Absolutely. And actually, you can let them download them. Those files can have data in it that looks real. You could create a password spreadsheet with realistic looking passwords.
Just get a password generator, get a bunch of real sites, and fill that thing with real data. None of it's actually real, but the attacker doesn't know and name it appropriately.
And that spreadsheet will let you know anytime anyone opens it anywhere in the world. It's not dependent on being on your network. And also, this is a service we give away for free.
You can go to canarytokens.org and you can create these for free. We've got over 100,000 people that use this free service.
And the commercial version has a few more things that make it more polished, more nice to use in an enterprise.
But generally, most of the same tokens we have in the commercial version are available in the free version.
And I know people that, for example, upload their resume and token the resume so they know if people have opened their resume after they've sent it off. When did they open it?
How many times did they open it? Did they open it right before the interview?
Just get a password generator, get a bunch of real sites, and fill that thing with real data. None of it's actually real, but the attacker doesn't know and name it appropriately.
And that spreadsheet will let you know anytime anyone opens it anywhere in the world. It's not dependent on being on your network. And also, this is a service we give away for free.
You can go to canarytokens.org and you can create these for free. We've got over 100,000 people that use this free service.
And the commercial version has a few more things that make it more polished, more nice to use in an enterprise.
But generally, most of the same tokens we have in the commercial version are available in the free version.
And I know people that, for example, upload their resume and token the resume so they know if people have opened their resume after they've sent it off. When did they open it?
How many times did they open it? Did they open it right before the interview?
Oh my goodness.
Yeah, so generally with the canary tokens, the bit of information that's most important is that somebody's in there. And the information you get back varies.
For example, just a standard Word document token will at most let you know what IP address that they were coming from when they opened that Word doc and it reached out.
So that'll be somebody's internet address. In my case, that'll be my AT&T broadband IP address. But in other cases, we have some macro Word and Excel.
And if somebody enables that macro, which you can do if you name it the right type of file, you know, a lot of accounting departments use macros in their documents.
Maybe you can get somebody to enable that macro and that macro will pull your username, the hostname, and the internal IP address as well.
So that's kind of the other extreme of the information you can get. You know, we're not putting a remote access Trojan or anything like that.
For example, just a standard Word document token will at most let you know what IP address that they were coming from when they opened that Word doc and it reached out.
So that'll be somebody's internet address. In my case, that'll be my AT&T broadband IP address. But in other cases, we have some macro Word and Excel.
And if somebody enables that macro, which you can do if you name it the right type of file, you know, a lot of accounting departments use macros in their documents.
Maybe you can get somebody to enable that macro and that macro will pull your username, the hostname, and the internal IP address as well.
So that's kind of the other extreme of the information you can get. You know, we're not putting a remote access Trojan or anything like that.
No, no.
It's just little bits of information. Yeah.
And of course, if someone is accessing something they shouldn't be with a web browser, then there'll be certain information about the web browsing client that they're using, I would imagine, and the operating system and the screen dimensions.
So there's still some information.
So there's still some information.
This is a really early heads up so that you can go and lock down whatever particular place you might think might be vulnerable.
And that's the whole idea of the strategy behind the product is to give you this early detection so that perhaps you can do something about it before any damage is done.
Hmm. Cool. Before we go, how does this product fit in with threat hunting and all that stuff?
Traditionally in threat hunting, you're searching for indications that somebody's already gotten in, you know, indications of threats that weren't surfaced by your IDS or your WAF or the rules and signatures that are already in place to detect bad stuff.
And with the canaries, the idea is, well, what if that would just come to you?
What if we flip that model and we set up your network in such a way that badness would just reveal itself automatically?
And with the canaries, the idea is, well, what if that would just come to you?
What if we flip that model and we set up your network in such a way that badness would just reveal itself automatically?
Because the typical scenario at the moment is that a data breach occurs and the first a company knows about it is when the credit card companies, or more likely Brian Krebs, gives you a phone call, right?
And tells you you've got a data breach. You don't know anything about it until it's brought to your attention that way.
Something like this will hopefully catch an intruder much earlier on in the process and hopefully before any damage is done and data is stolen.
And tells you you've got a data breach. You don't know anything about it until it's brought to your attention that way.
Something like this will hopefully catch an intruder much earlier on in the process and hopefully before any damage is done and data is stolen.
Exactly.
Cool.
Very cool.
Adrian, thank you so much for coming to chat with us today. It has been fascinating. I love businesses doing clever things like this to help ease our lives. So thank you for existing.
Thank you for having me on. It's— I love listening to the podcast because there's so much humor. You know, it could be such a dry topic. You guys, the banter back and forth.
Someone once called it bickertainment.
That's brilliant. Yeah.
That just about wraps it up for this week. Lisa, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more.
What's the best way for folks to do that?
What's the best way for folks to do that?
Twitter is a really good option, @LisaForteUK.
Terrific. And you can follow us on Twitter as well, @SmashingSecurity, no G. Twitter won't allow us to have the G.
And don't forget that if you want to ensure that you don't miss a future episode of Smashing Security, you should subscribe to us in your favorite podcast app.
Just go to the App Store, whatever flavor of smartphone you have, and check out a podcast player such as CastBox.
And don't forget that if you want to ensure that you don't miss a future episode of Smashing Security, you should subscribe to us in your favorite podcast app.
Just go to the App Store, whatever flavor of smartphone you have, and check out a podcast player such as CastBox.
And a huge thank you to all of you for listening to us, supporting us on Patreon, and giving us swoon-worthy reviews.
Also, a big shout out to this week's sponsor, LastPass, and to our special guest, Thinkst. Their support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Also, a big shout out to this week's sponsor, LastPass, and to our special guest, Thinkst. Their support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time. Cheerio.
Bye-bye. Bye.
Bye.
Why are you laughing like that?
Nothing.
My parents have been listening to our show. Parents have been listening to this.
They didn't listen to last week's.
And my dad, who is now a retired medical doctor, is very concerned about your wheeze.
He has brought it up to me about 4 times now, and the way he does it, goes, what's with the wheeze? What's with all the wheezing?
He has brought it up to me about 4 times now, and the way he does it, goes, what's with the wheeze? What's with all the wheezing?
Hey, Carole, Graham—
He doesn't talk like that. He's not one of the freaking sisters out of the Simpsons.
I was going to say, it is a little bit like it kind of makes me feel like you have something to do with the mafia, but in a kind of fun— in an approachable way as well.
Do you think I'm funny? You think I'm funny, do you? I amuse you?
Yeah, the Quebec Mafia.
That's what I'm involved in.
Yeah, we eat poutine by night and listen to Celine Dion. It's amazing.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Lisa Forte – @LisaForteUK
Show notes:
- Senate Bill 30 (PDF)
- Maryland: Make malware possession a crime! Yes, yes, researchers get a free pass — The Register.
- The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up — Techdirt.
- Smashing Security 151: Frankly, sometimes paying the ransom is a good idea.
- Maryland Computer Crimes Laws — FindLaw.
- Maryland Cookies TV advert — YouTube.
- Hunting the missing millions from collapsed cryptocurrency — BBC News.
- Inside the hellish workday of an Amazon warehouse employee — New York Post.
- Ring Doorbell App Packed with Third-Party Trackers — Electronic Frontier Foundation.
- Nicholas Parsons: 'Broadcasting legend' dies at 96 after short illness — BBC News.
- Just a Minute — Wikipedia.
- Nicholas Parsons interviewed by Richard Herring — YouTube.
- Her Story – A Video Game About a Woman Talking to the Police.
- Her Story trailer — YouTube.
- Her Story follow-up takes place on a stolen NSA hard drive — Polygon.
- Bezos learns the harsh lesson of texting a crown prince fond of crucifixions — Marina Hyde, writing in The Guardian.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Thinkst
Most companies discover they’ve been breached way too late. Thinkst Canary fixes this: just 3 minutes of setup; no ongoing overhead; nearly 0 false positives, and you can detect attackers long before they dig in.
Go to canary.tools to find out why its Physical, VM and Cloud Based Canaries are deployed and loved on all 7 continents…
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Castbox, Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
