Smashing Security podcast #164: A bitter pill to swallow

Graham Cluley

Smashing Security #164: A bitter pill to swallow

A gallery is tricked into giving millions to a fraudster, software tells doctors to push opioids onto patients, and an artist finds a novel way to trick Google Maps into thinking there’s a traffic jam.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who ended up recording without a guest this week.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
It's just a waste of time.
GRAHAM CLULEY
What, this podcast?
CAROLE THERIAULT
No, well, maybe.
Unknown
Smashing Security, episode 164: A Bitter Pill to Swallow with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 164. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole. You're back from the Canadian tundras.
CAROLE THERIAULT
That's excellent to see. I am. I'm getting less and less jet-lagged, but yeah, I was there for a month, so it has its impacts, doesn't it?
GRAHAM CLULEY
Oh, yeah.
CAROLE THERIAULT
I miss the snow already, though. Can I say? Yeah.
GRAHAM CLULEY
Well, it's pretty, but I don't know if you noticed, it's also cold and slushy.
CAROLE THERIAULT
Yeah, it's good for the body, though, doing good old shoveling.
GRAHAM CLULEY
Well, oh, I see. I thought you meant you were rolling around in it.
CAROLE THERIAULT
I'm ripped. Now we don't have a guest today.
GRAHAM CLULEY
We don't.
CAROLE THERIAULT
Well, we did have a guest, but we had some technical issues.
GRAHAM CLULEY
Bloody technical issues.
CAROLE THERIAULT
So we will reschedule her. There's a hint.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
But you're gonna have to just put up with the two of us this week.
GRAHAM CLULEY
Ah, our podcast would be so much easier if there was no technology involved, wouldn't it?
CAROLE THERIAULT
Yeah, well, it wouldn't be possible, nor if we had more time, if we didn't stick to our schedules so closely.
GRAHAM CLULEY
So rigidly.
CAROLE THERIAULT
So rigidly. We're such professionals. Yes.
GRAHAM CLULEY
We are professionals. And talking of which, what's coming up on the show this week, Carole?
CAROLE THERIAULT
Well, first, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free.

Now, Graham tries to show his more cultured side and shares the deets on an unusual art heist.

And I gab about an innocent-looking, though not so innocent-acting medical patient software. Just you wait. All this and loads more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chum chum.
CAROLE THERIAULT
I like it.
GRAHAM CLULEY
We aren't just security experts, are we?
CAROLE THERIAULT
No, God no.
GRAHAM CLULEY
Well, no, I mean, I don't know about you.
CAROLE THERIAULT
I mean, we are, you know, we are experts, but we also have other things.
GRAHAM CLULEY
We've got a podcast, therefore we must be experts, right? I mean, I consider myself also something of a bon vivant, a gourmand, a national treasure.
CAROLE THERIAULT
Treasure, you just like food.
GRAHAM CLULEY
Carole, I've seen your feet, you must be a body part model. And of course you're an artist now, aren't you? How's the art going? All the painting and things like that?
CAROLE THERIAULT
Yeah, you know, I have an art show coming up again.
GRAHAM CLULEY
Do you?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oxford Art Weeks?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You participate in that again? Oh, marvellous.
CAROLE THERIAULT
Yeah. So I've got to get ready.
GRAHAM CLULEY
Well, as an appreciator of art, I'm sure you appreciate the works of John Constable.
CAROLE THERIAULT
Well, yes. He's a hero. Beautiful, beautiful skies.
GRAHAM CLULEY
One of England's greatest painters, famous for his landscapes, of course, the Suffolk countryside. In the first half of the 19th century.
CAROLE THERIAULT
See, you don't like landscapes though.
GRAHAM CLULEY
Well, I prefer people in my pictures, I think. I know I'm sort of, you know, quite like that sort of thing. But you come from Canada where there are no people.

There's just acres and acres of land.
CAROLE THERIAULT
Yeah, I like a good old landscape.
GRAHAM CLULEY
Well, word reaches us that hackers have managed to trick a Dutch art museum into paying them £2.4 million, which is about—
CAROLE THERIAULT
Ooh, that's gotta hurt a museum.
GRAHAM CLULEY
Yeah, about $12.50, I suppose, for our US friends. For a John Constable painting.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
So would you like to hear the story, Carole, of how all this happened?
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
Of course you would.
CAROLE THERIAULT
I'm sitting back. I've got my coffee in hand. Let's go.
GRAHAM CLULEY
Well, the story starts like this. In March 2019, the director of— I'm going to have to take a run-up at this.

The director of the Rijksmuseum Twenthe Art Museum in Enschede in the Netherlands.
CAROLE THERIAULT
I love how you put an accent on, just to give it a bit more authenticity.
GRAHAM CLULEY
The director popped in along to the European Fine Art Fair to check out the pictures. Went, "Oh, that's nice. Oh, that's lovely." All the great artists were represented.

Turner, Constable, Thériault, they were all there. But the picture which caught his eye was Constable's 1855 painting. I'm sure you know it. A View of Hampstead Heath.
CAROLE THERIAULT
Oh, I don't. I couldn't recall it in my head like that. No.
GRAHAM CLULEY
Oh, right. Well, I'll tell you which one it is. In fact, what I've done is I've just put it in the document which we shared, and I'll also link to it in the show notes.

Now, I'm not sure it's that amazing. This view from Hampstead Heath.
CAROLE THERIAULT
But you're not looking at a finished painting here. The one you put in the document is just the study. It's just what's called a grisaille.
GRAHAM CLULEY
Is it?
CAROLE THERIAULT
Yeah. So it's just a tonal sketch of the landscape in one color. So you can kind of go, this is where the light's going to hit.

This is how the composition of the painting is going to work. So it's kind of a study.
GRAHAM CLULEY
Oh, I thought he hadn't colored it in. Okay. So I've made a mistake.

Well, anyway, the director of this Dutch museum, he saw this and he thought, "Oh, I'd love to stick that up on my wall.

I think that looked marvellous." And so he began negotiating with a London art dealer called Simon Dickinson to buy the Constable painting.
CAROLE THERIAULT
Okay, so this would be you falling in love with one of my paintings, and you call up your local art dealer.

You call your local art dealer and say, Richard, Richard, call Carole, and I want this painting on my wall. I want to look at it every day. Exactly. Okay, gotcha.
GRAHAM CLULEY
So this art dealer was saying, oh yes, we should do this.
CAROLE THERIAULT
Fair enough. I imagine that's how it works.
GRAHAM CLULEY
And the negotiations began. You can imagine that, oh, there's a bit of haggling, bit of to and fro. It's, oh, will you include the little bit of string to hang it up on the wall?

Can you give me a rusty nail?
CAROLE THERIAULT
Well, he is a director of a museum. Presumably he's got a few of those things in the back room.
GRAHAM CLULEY
I'm going to take off some of the price because it isn't colored in. That kind of thing, right?
CAROLE THERIAULT
I've got to buy a few more paintings this year. Yeah.
GRAHAM CLULEY
Well, these things take time. There's a lot of haggling going on. But then, aha, a breakthrough occurred, right? And the price was agreed. £2.4 million, or $3.1 million.

And Dickinson, the London art dealer, delivered the precious painting, the masterpiece, to the Dutch museum.
CAROLE THERIAULT
Okay, so they agreed. They agreed the price. They agreed everything. They did a digital handshake.
GRAHAM CLULEY
Well, I don't know about that. They agreed. You know, I don't know how it works with the old funny handshakes. But yeah, the painting has arrived. Marvellous. Everything's good, right?

Everything's good.
CAROLE THERIAULT
Well, okay. And he's got his money?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay. Was the museum up to some no good, or what happened?
GRAHAM CLULEY
Well, no, the museum weren't the scammers.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So the price had been agreed, right, in the email, and the money had been transferred.

And in the email it said, you know, transfer the money for payment of the painting into a Hong Kong bank account. And the museum, sure enough, funnelled the money over to Hong Kong.
CAROLE THERIAULT
Oh, okay. Was that— I guess that was agreed?
GRAHAM CLULEY
Well, it was agreed in the email, and the museum thought it was the art dealer in London who was telling them the banking details. But of course, kaboom! Yeah. It was disastrous.
CAROLE THERIAULT
You see, I kind of feel I would've got someone on the phone. Suddenly it was a different bank account and I had to use the IBAN number for Hong Kong.
GRAHAM CLULEY
Right. So you would've asked—
CAROLE THERIAULT
Unless I thought he was in Hong Kong or she was in Hong Kong who I was dealing with.
GRAHAM CLULEY
I suppose that's possible as well. So if you'd been in the museum, you would've asked the person emailing you, you wouldn't know that it was a hacker.
CAROLE THERIAULT
No, no, I'm assuming we made a relationship.
GRAHAM CLULEY
Can you say, "Give me the phone number." We're talking 2.4 million, right?
CAROLE THERIAULT
And I know we've talked and he says, "Yes, of course I'm in Brussels." I am based, right? Or wherever. There would have been some information passed on.

However, that does not mean that the person who's actually paying from the museum— I imagine, you know, it could be someone else who wasn't involved in the negotiation, so just paid it.
GRAHAM CLULEY
Oh, I think it was the museum who were buying.
CAROLE THERIAULT
No, I know, but it may be two people, two different cogs, right?
GRAHAM CLULEY
Oh, I see. So the person—
CAROLE THERIAULT
The finance department versus the purchasing department.
GRAHAM CLULEY
Okay, yes, that's always possible.

Anyway, this has now ended up in court because, as you correctly surmised, it was a hacker who had intercepted the conversation between the art dealer and the museum, jumped in on the negotiation, posing as the dealer, and given those phony bank details for the money to be put into.

And it's not the hacker who's shown up in court. They're nowhere to be seen. No one knows who they are. Instead, it is the museum which is trying to sue the art dealer.
CAROLE THERIAULT
The one who provided the painting?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
The one who's out $2.4 million, or $20.4 million.
GRAHAM CLULEY
Yes, exactly.

So the museum, which paid the money to the wrong people is blaming the art dealer, saying that the art dealer should have noticed that the fraud was taking place because they'd been copied on the email thread, even though the bank account had been changed to Hong Kong.

And didn't the lawyers for the museum actually say that the art dealer, by saying nothing, said everything?

So they should have spotted what was going on and went, oi, oi, oi, yoy. Those aren't our bank details. What's going on here?
CAROLE THERIAULT
Do you know what's depressing about getting older in life? It's just how many shady moves there are. Why wouldn't they just both go, "Okay, we screwed up.

Let's, you know, I don't know, tear the painting in half. Let's split the diff." Tear the paint—
GRAHAM CLULEY
This isn't a Banksy which gets shredded. Do you remember when that painting by Banksy got shredded?
CAROLE THERIAULT
They could do 6 months, 6 months.
GRAHAM CLULEY
Oh, just sort of have co-ownership. No, no, Carole, that's rubbish because the art dealer owned the painting, right?

Now they only own half the painting and they've received none of the money.
CAROLE THERIAULT
No, no, no, and I think they should split the money as well. They should split the money. I think the museum should pay him 1.2, half the money.
GRAHAM CLULEY
For 6 months of the year?
CAROLE THERIAULT
No, just pay half, and then they both have equal loss and equal gain.
GRAHAM CLULEY
Okay, okay, look, sorry.
CAROLE THERIAULT
See, I can sort this.
GRAHAM CLULEY
This isn't some sort of divorce settlement where you're getting visiting rights at weekends. No, because the art dealer owned the painting outright.

Maybe they want to sell it to someone else who would offer 2.4 million rather than getting 1.2 million, and they'll never be able to sell the other half.
CAROLE THERIAULT
I understand.
GRAHAM CLULEY
Who's gonna want to buy the other half of the painting?
CAROLE THERIAULT
I understand, okay? It's not an ideal situation. However, it is what it is.

And really the actual problem, the actual person who should be getting the finger is this mysterious hacker. If they pooled their resources, maybe go after them.
GRAHAM CLULEY
Well, interestingly, both the art dealer and the museum are blaming each other for the hack.
CAROLE THERIAULT
Well, that's kind of stupid.
GRAHAM CLULEY
'Well, it wasn't us who had our email hacked. It must have been you.' So this has gone to the courts now. The courts are going to have to decide.
CAROLE THERIAULT
They're not going to get rich off it.
GRAHAM CLULEY
Well done, guys. No doubt. Clearly, the museum would have been wise to have independently verified the legitimacy of the bank account they're chucking money into.

But they argue that the art dealer as well should have been a little bit more vigilant. So—
CAROLE THERIAULT
It's just a waste of time.
GRAHAM CLULEY
What, this podcast? No, well, maybe.
CAROLE THERIAULT
No, no, but my story is about people. This situation, okay, so here, the problem here is two innocent parties that were trying to make a deal got screwed.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Right?

And now they're blaming each other for getting screwed as opposed to just saying, "Okay, there's a bit of egg on both our faces here, but really it's because we got targeted." And so if whoever is found to have the malware or the issue is going to be the one that has to suck it up?

Is that the idea?
GRAHAM CLULEY
I don't know. I don't feel that that necessarily means you're 100% to blame.
CAROLE THERIAULT
No.
GRAHAM CLULEY
If you're the one to be— it's some very wise old judge is going to decide this, right? Is it a computer program? That's not in a Dutch accent, obviously.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Which is probably a blessing for all of us. So what kind of advice can we offer people who might find themselves in a similar situation?

Double-check and check via a different method. Don't use email.

If you've been chatting to them via email so far, call them on the phone or maybe find some software where you can have, what are they called?

Sort of digital meeting, these sort of safe rooms, aren't they? Safe online rooms for having—
CAROLE THERIAULT
Exactly. Virtual safe rooms. These are places where companies can go or individuals can go in order to negotiate a deal with high stakes.

In a way that they can be guaranteed nothing leaves the room, right? All the paperwork, everything is in a closed setting. So it means no one can infiltrate.

So when you're talking this kind of money, it's kind of a good idea to look into these virtual safe rooms.
GRAHAM CLULEY
And all the communication's gonna be properly encrypted, and you can have lots of security in place to prevent unauthorized people getting an earwig into the room and hearing what's going on.

Well, Carole, if only they were as wise as you and talented, perhaps. Carole, what's your story for us this week?
CAROLE THERIAULT
Okay, do you remember when you hurt your cooter? It was years and years ago.
GRAHAM CLULEY
Are we really?
CAROLE THERIAULT
Or maybe it was your— maybe— anyway, you've had a number— we've known each other a long time. And you've had a number of instances where you've had really bad pain.

I think there was one called beaver fever at one point.
GRAHAM CLULEY
That wasn't a problem with my beaver. Let's stress that.
CAROLE THERIAULT
Close your eyes and take yourself back to whichever one hurt the most. Okay.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Okay. Now, what do you do? What do you do in that situation? You're "ow, ow, ow."
GRAHAM CLULEY
Oh, it's easy. I'm a man. So what I will do is I will complain about it a lot, but I won't actually go to the doctor.
CAROLE THERIAULT
I thought in your case you had quite a fetching doctor. So you'd be dashing off.
GRAHAM CLULEY
I did eventually go and see— I won't mention her name, but I did go— she no longer works there for reasons which may become apparent.

I did go and see my doctor, and she wanted to examine me.
CAROLE THERIAULT
Right, okay, let's leave it to everyone's imagination, shall we? So, okay, so she's examining you. I want you to, you know, she's examining you.

Don't worry, this is not going to get too personal, right? But as she's examining you, she's probably filling in an online patient record, right?

She's saying, "Graham Cluley's come in." "Yeah, hurt his little guy. I'm here to help," whatever, right?
GRAHAM CLULEY
Right. She's entering this on a computer.
CAROLE THERIAULT
Yeah, right. And she's— well, Graham, it is 2020. They're not doing it longhand.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And one of the questions she probably asked you is, "Can you rate your pain, Graham?" Right? "How do you rate your pain on a level from 1 to 10?" Yes.
GRAHAM CLULEY
Well, I'm a bit Spinal Tap, so I normally try and go up to 11 or something like that.
CAROLE THERIAULT
Yeah, with all your complaining and whining.

So okay, imagine your doctor puts that into the system and bish bash bosh, at the end of the examination, she goes, okay, well, thank you very much. Here are some painkillers.

I think you should take them to deal with your pain, your penile pain, right? And you would trust this recommendation because you trust your doctor.

And she's advising that you take the pills. Yes.

And the doctor, and effectively you, is trusting that the software is literally not trying to influence you and do anything that none of you are aware of.
GRAHAM CLULEY
So she's got a piece of software on her computer which has made the recommendation or something.

She's not just Googling the symptoms because I can do that at home quite successfully. She's—
CAROLE THERIAULT
Okay, sit down. Listen.
GRAHAM CLULEY
That's what she said.
CAROLE THERIAULT
So meet Practice Fusion. This is a San Francisco medical startup. Okay. And according to its own website, Practice Fusion streamlines the running of a typical healthcare practice.

And it does this by providing a cloud-based electronic health record system.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And you may remember that my first job was working at a medical office, a kind of place that— a practice, a medical practice, the kind of place that this software would be perfect for.
GRAHAM CLULEY
Yeah, you were working for your dad, weren't you?
CAROLE THERIAULT
Right. But I was working pre— I was working at, you know, when paper was moving to computer.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
So we still had paper files. And I actually got fired from that job by my dad.
GRAHAM CLULEY
Your dad, your own dad fired you from the job?
CAROLE THERIAULT
My own dad fired me from the job because I did something really awful. I didn't do it on purpose, but I lost a patient file and the guy went to hospital.

The guy went to hospital and they couldn't find his file because I'd accidentally tucked it into someone else's file by accident when I was putting it away. Anyway, trauma trauma.
GRAHAM CLULEY
Did they chop off the wrong leg or something? What happened as a result of this? Do you know?
CAROLE THERIAULT
I got fired.
GRAHAM CLULEY
Yeah, that's the most important thing. That's the most important thing.
CAROLE THERIAULT
So back to Practice Fusion. Okay, so its website says it's super popular, 4 million patient visits per month, 80 million patient records, yada, yada, yada. We're number one.

And the software is apparently used by tens of thousands of doctors' offices across the US of A. So presumably should be all tickety-boo.
GRAHAM CLULEY
Oh yes, I'm sure that's why you're mentioning it on the show. Yes, yes, wonderful.
CAROLE THERIAULT
So yes, this software had this electronic health record system. So this is where all your information was being inputted by, you know, said doctor or health practitioner.
GRAHAM CLULEY
It's going to be a data breach, isn't it?
CAROLE THERIAULT
And occasionally, a pop-up window would show up with a question asking about a patient's pain level. And in your situation, you would say, oh, you know, I'm a 12, right?

And I said, no, Graham, could you please take this seriously? Right? And you would say whatever number you'd say.

The software, this dropdown menu, would then provide a list of treatment options, including perhaps a prescription for, say, oxycodone or another opioid.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Now this is how it worked. This is what makes it all a little bit icky. This tool existed thanks to a secret deal. This is all according to a Bloomberg article in the LA Times I read.

So it turns out that Practice Fusion was paid by a major opioid manufacturer Pharmaco X, let's call them that for this moment because they're unnamed.

So this major opioid manufacturer paid Practice Fusion money in order to kind of boost prescriptions to addictive pain pills.
GRAHAM CLULEY
Oh, crumbs.
CAROLE THERIAULT
Yeah. And this went on for 3 years between 2016 and 2019.
GRAHAM CLULEY
And so the software is telling the doctor to prescribe, you know, these addictive pills?
CAROLE THERIAULT
So it would just show up. It wouldn't show up on everyone's system. So let's say, so sometimes with some patients, suddenly this pop-up would show up.

And the pop-up would ask about pain level. And it was targeting, it was targeting patients that weren't currently taking opioids.

And patients that were maybe on medicines that were less profitable for the company.
GRAHAM CLULEY
Oh my goodness. So they're basically recruiting.
CAROLE THERIAULT
They're upselling. They're upselling people to an addictive drug. So it's back to the '40s with the cigarettes.
GRAHAM CLULEY
This is horrific.
CAROLE THERIAULT
Yeah. And the doctors didn't know this, right? So you'd go, you'd toddle off to your local medical center and your doctor would go, oh, you know, hey, you have a headache.

Well, I think maybe, oh, you should maybe, pain pill does this. Okay, maybe you should try some oxycodone to deal with that.
GRAHAM CLULEY
My goodness.
CAROLE THERIAULT
They've now been hit.

The DOJ did a big investigation and the DOJ alleges that Practice Fusion took financial kickbacks from drug companies and let the drug makers draft the language in the so-called clinical decision support alerts, which we're talking about.

These are these pop-ups that were presented to doctors.

So they were able to massage the wording and decide on what the levels would be and what would be presented as possible options.
GRAHAM CLULEY
I'm slightly speechless, Carole, which is no good for a podcast at all.
CAROLE THERIAULT
Don't worry, I've got lots more to say. Maybe it's a big improvement. Finally. Okay, so listen to this.

So employees inside, okay, the drug company said that they bolstered opioid sales by as much as $11.3 million through this partnership.

So in the contract, the drugmaker paid Practice Fusion almost $1 million for the opportunity to present their drugs to patients in this way.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
So I'm researching the story, right? And what I'm annoyed about is who is this drug company?
GRAHAM CLULEY
Oh, because we don't know.
CAROLE THERIAULT
I wasn't alone though.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Because Reuters figured it out. Okay.

So despite it being redacted from the government documents, and if you want to read about this, I've got it, you know, as you know, I do a ton of research.

So there's a ton of links inside the, you know, the Smashing Security webpage. You want to read more about this.

So Reuters published that the oxycodone maker that was in bed with Practice Fusion was none other than Purdue Pharma.
GRAHAM CLULEY
Purdue Pharma.
CAROLE THERIAULT
Now, Purdue was not criminally charged in this case or accused of any wrongdoing. In fact, there's been no determination of liability on civil claims.

So I don't know, I was thinking about this, right? So say your doctor had done this and you'd read about this and you might think, God, I was on oxycodone for my head.

Which, you know, you might in some instances want to sue that medical practice. And what the medical practice would then probably, you know, there has to be a route.
GRAHAM CLULEY
They'd sue up the chain, wouldn't they? I mean, that's how it works in America, isn't it? Everybody sues everybody.
CAROLE THERIAULT
Practice Fusion have agreed to pay 145 million squids to resolve this. And this is to basically pay for any criminal, pay the lawyers and any civil investigations.
GRAHAM CLULEY
But golly, yeah. What a story. It reminds me a little of, do you remember back in episode 122 of Smashing Security?
CAROLE THERIAULT
Oh yes, of course I remember that episode.
GRAHAM CLULEY
Well, I've just looked it up. That's why I remember. Office Depot. They were fined millions because they tricked customers into thinking their computers were infected with malware.

Because what would happen is you'd take your computer into Office Depot and they say, oh, we'll check to see why your computer's running slow, why you're having crashes.

They'd run this piece of software which would falsely claim it was infected by malware and then tell you you needed to buy a certain antivirus.
CAROLE THERIAULT
Oh yeah, yeah, yeah.
GRAHAM CLULEY
It was absolutely scandalous at the time. And they ended up having to settle with the FTC millions and millions and millions. Over those tricked consumers.

But it's a little bit like that because although you genuinely did have the symptoms of some kind of illness or pain, the software is the thing which is telling you to take the wrong remedy or perhaps—
CAROLE THERIAULT
Well, no, it's the people that created it. It's both the drug maker and the people that created the software and the people that allowed the software in the practices.

So they're obviously just buying an EDM. They're just buying an electronic patient record holder. They weren't even expecting these pop-ups.

That wasn't, you know, they were just looking for a place to hold data. But still, that's patient data. So thinking of the vetting they did, they obviously did no security testing.

How clear are they that the data that they're holding on patients is actually secure? It just makes the whole thing feel a bit not as safe as one assumes.
GRAHAM CLULEY
This kind of thing really gets my goat. I don't think a financial penalty is enough. I think someone has to have their goolies cut off because of this.
CAROLE THERIAULT
If they have no goolies, what then? Well, you're planning to remove ovaries?
GRAHAM CLULEY
Oh, okay. Yeah, maybe I've gone too far.
CAROLE THERIAULT
As usual. Okay, I'm not gonna lie to you, passwords often are a pain in the you-know-where, but they don't always have to be. Take for instance LastPass's single sign-on feature.

Now, single sign-on is very cool because it is integrated with more than 1,200 different applications, applications that your users need to do their jobs.

And this simplifies accessing those applications, making it far more streamlined. Want to learn more? Check it out at lastpass.com/smashing. On with the show.
GRAHAM CLULEY
And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT
Should not be.
GRAHAM CLULEY
And my Pick of the Week isn't really security related. It is instead, see what I like to do is I like to thread, I like to weave a theme through the podcast.

It's very, this isn't some ramshackle shambolic recording, Carole. I've put genuine thought into this because I am now coming back to the topic of art, and specifically—
CAROLE THERIAULT
That's very good, Graham. I don't think I've ever heard you do this before.
GRAHAM CLULEY
Specifically, an artist called Simon Weckert, or maybe it's Simon Weckert, who is based in Berlin, which is in Germany, don't you know?

And he did something rather extraordinary this week, and he produced a video, and you can read all about it on his webpage. We will link to those in the show notes.

What he did was he generated a virtual traffic jam on Google Maps.
CAROLE THERIAULT
Okay. How? Explain.
GRAHAM CLULEY
Okay. So, do you know how Google Maps works regarding traffic?
CAROLE THERIAULT
Well, I'm assuming it's going, oh, there's a lot of people here. And we know that through their— we know that through their GPSs or their phones. Yeah, right.
GRAHAM CLULEY
Through their phones. Exactly. So, people are carrying phones running Google software, racing around in their motor cars.

And Google is able to identify where they are roughly, and it says, "Oh, there's an awful lot of them here, and they did look like they were in a car, and now they don't appear to be moving very fast," and et cetera, et cetera.

So that's how Google is able to tell you this is a busy bit of road or this is a quiet bit of road, right?
CAROLE THERIAULT
Right, right.
GRAHAM CLULEY
Very clever. So what Simon Weckert did was he got a kid's little trolley, like a little wagon, right?
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Filled it up with 99 secondhand smartphones. And he walked around Berlin and just ambled along.
CAROLE THERIAULT
I love it. And then basically Google Maps was saying, "Oh, traffic jam, traffic jam, traffic jam." And Google Maps thought there was loads of traffic jams happening.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
It's very cute. However, I can see some serious problems here, actually.
GRAHAM CLULEY
Okay, go on.
CAROLE THERIAULT
Well, imagine if you were having a heart attack.
GRAHAM CLULEY
Oh, yes.
CAROLE THERIAULT
Right? And the ambulance is like, "Oh, shit." Well, yes, exactly. Yeah.
GRAHAM CLULEY
Because the ambulance might take a longer route.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
I don't think he's planning to do this on a regular basis. I think he's proved his point. But yes, if other people wanted to do—
CAROLE THERIAULT
Or someone's being held at knifepoint and the cops can't get there.
GRAHAM CLULEY
Yes, exactly. Exactly.

Or if you were transported— and I remember an old episode of Captain Scarlet where a very dangerous nuclear missile was being taken via some sort of vehicle through the streets of London for reasons which were best known to itself.

But the bad guys wanted to divert the course of this nuclear weapon to go the particular way that they wanted so that they could try and steal the weapon.

So you could create a fake traffic jam and get them to move another way.

Or if there's a very important person like, I don't know, a politician or something like that, and your security detail are trying to get you through the city, right, in an emergency, and they don't want to be ambushed by the bad guys.

Well, they might see a traffic jam in Google Maps and go, "Ooh!" Oh yeah, that's way more important than someone being held at knifepoint.
CAROLE THERIAULT
You're right.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
No, no, good point.
GRAHAM CLULEY
Anyway, I thought this was rather cunning and clever and also cute. And for me, that's what counts. And that is why it is my Pick of the Week.
CAROLE THERIAULT
Mm, yeah. Cute but dangerous. I think it needs a bit more thought.
GRAHAM CLULEY
Well, I'm not suggesting people do it. I just think it's interesting that it was done. Yeah, yeah.
CAROLE THERIAULT
But he's now done and proved a concept, hasn't he?
GRAHAM CLULEY
Oh, so you're saying he's a bad guy?
CAROLE THERIAULT
No, I'm not.
GRAHAM CLULEY
Okay, good. He's a fellow artist. You just don't like the competition.
CAROLE THERIAULT
That's right. That's right. Oh, no, no, seriously, I'm looking for artist friends, actually. I'm looking to expand my artist friends. So unfortunately, Graham, you might get dumped.

Okay, my pick of the week.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Okay, so my pick of the week. Do you remember last week we had Lisa Forte on the show?
GRAHAM CLULEY
I do.
CAROLE THERIAULT
And she was talking about Her Story, which is a game I play. And she mentioned also that they had a new one out, a new game called Telling Lies. And so I played it.

And I can attest it's pretty cool. So it's basically called a desktop thriller. That's what one of the creators calls it.

Okay, so you have to imagine you have 4 characters, right? And you only get one side of the conversation. You are basically an NSA person, right?

And you come to a computer, you sit down, and you are now going through files.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
And you are hearing snippets. Some of the files are 13 seconds, some of the files are 8 minutes long, and it's one side of the conversation. It's like a digital puzzle.

You have to go and find the two bits of conversation that go together.
GRAHAM CLULEY
Oh, okay. So it's like if— so it's like maybe a telephone conversation, but you've got two different recordings, one from each end.
CAROLE THERIAULT
Exactly. That's exactly what it is, right?

So if you and I were planning something really bad, a heist or something, and you had my side of the conversation, there'd also be all these moments where I wouldn't be talking, right, because I'd be listening to you.

So sometimes you're watching it, right, and they're doing nothing.

They're just looking at you, they're looking right in the camera as though you're speaking, and that can go on for minutes at a time. It's really bizarre.

However, the story is fantastic, and slowly as you start dissecting all these different little audio clips and video clips, you can figure out what's going on.

And what makes it great is the acting is super cool.

Acting is great, and the script is noticeably tight, and there's a number of different endings, a number of different things you can learn. So there's no one ending.

And the one thing though, is I'm not really sure what the goal is — I haven't figured that out yet.
GRAHAM CLULEY
That's more realistic. You don't necessarily know what you're investigating.
CAROLE THERIAULT
Yeah, so there's a number of different story threads. I haven't finished it yet, but I'm still at this stage where I'm like, am I — I don't know how to conclude.

And I think that you have to — I mean, I've actually built this baby obsession wall.

My husband and I, he comes down with thread, you know, you've got an obsession wall and Blu Tack and a few 3M sticky Post-its, and they're all over our front room.

But I don't think we're doing it seriously enough, because there's all kinds of little clues like timestamps and word clues.

So there's one conversation going on, and they'll say something, you'll be like, hey, they mentioned that before.

And that's how you find your clips, by doing a word search — not all the clips are in front of you.

You have to go, oh, I want to look for the word liar, for example, right, or I'm going to look for the name Peter, and then clips where that's mentioned come up.

Anyway, I've talked too much. It's really cool, check it out. It does cost money, but I think it was $7.
GRAHAM CLULEY
So you got the iPad version?
CAROLE THERIAULT
I got the iPhone one.

I got it for the iPhone because I was traveling, but then what I ended up doing is we ended up doing it in our living room and I beamed it to the telly through the Apple TV.

So we were playing together, and there were 3 of us actually, and it was great fun.
GRAHAM CLULEY
I'm just checking out the website now. You can also buy it for Windows.
CAROLE THERIAULT
Yeah, and it's available on Steam.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
Anyway, I thought it was great fun and it's something you can do on a Friday night with your other half, right, if you need to have something because you get pretty into it.

Anyway, that's my pick of the week.
GRAHAM CLULEY
And it's called Telling Lies.
CAROLE THERIAULT
Telling Lies.
GRAHAM CLULEY
Excellent.

Okay, I just want to repeat that because we had a listener say, can you always try and remember to tell us what the pick of the week was at the end of the pick of the week?
CAROLE THERIAULT
It's published by Annapurna Interactive, and it was published initially in August 2019. So it's not even a year old, still fairly nascent.
GRAHAM CLULEY
Well, sounds really cool, Carole.
CAROLE THERIAULT
Good. It is.
GRAHAM CLULEY
I think that just about wraps it up for this week. If you'd like to follow us on Twitter, do it. Follow us on Twitter @SmashingSecurity, no G. Twitter allows to have a G.

And you can also join us on Reddit in the Smashing Security Reddit.

And don't forget, if you want to be sure never to miss another episode of Smashing Security, subscribe in your favorite podcast app, such as Castbox, which is currently featuring Smashing Security.

Hooray!
CAROLE THERIAULT
That is so cool. Thank you, Castbox. And a huge thanks to all of you for pointing your ears our way, supporting us on Patreon, and giving us wonderful reviews.

Also, a big shout out to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free.

Check out smashingsecurity.com/lastpass for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye.
CAROLE THERIAULT
You think they missed the guest this week?
GRAHAM CLULEY
Well, she would have been a very good guest.
CAROLE THERIAULT
She'll come back. We'll explain what happened. We're not going to blame anyone. No, no, we're not blaming anyone.
GRAHAM CLULEY
Well, it's technology.
CAROLE THERIAULT
Your story.
GRAHAM CLULEY
Computer's fault.
CAROLE THERIAULT
Yeah. I don't want to get into it.
GRAHAM CLULEY
I blame Babbage. If he hadn't started all of this.
CAROLE THERIAULT
Nice, nice, nice.
GRAHAM CLULEY
Ada Lovelace as well.
CAROLE THERIAULT
Nice.

Hosts: Graham Cluley and Carole Theriault

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
