How one guy’s exercise routine made him a burglary suspect, how multi-factor authentication can cause headaches as well as stop hacks, and how Virgin Media got itself in a pickle over its sloppy approach to data security.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
I just think it looks a little unsightly to be walking on the street with a huge bag of toilet paper. Call me weird. Everyone can just calm down the toilet paper.
Stock up on newspaper or something.
MARIA VARMAZIS
I bought a bidet because of this.
GRAHAM CLULEY
I'm not kidding.
MARIA VARMAZIS
You bought a bidet?
GRAHAM CLULEY
A bidet.
CAROLE THERIAULT
Why don't you just put your butt under the sink or something?
MARIA VARMAZIS
The ergonomics of that alone.
Unknown
Smashing Security, episode 169. Burglaries, breaches, and bidets. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 169.
My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by a special guest. It's family favorite Maria Varmazis. Hello, Maria.
MARIA VARMAZIS
Hi, how's everyone doing?
CAROLE THERIAULT
Maria is jet-lagged, people, just a warning.
MARIA VARMAZIS
I am very jet-lagged.
CAROLE THERIAULT
And she's without coffee.
MARIA VARMAZIS
Yes.
CAROLE THERIAULT
This is you, raw and unplugged?
MARIA VARMAZIS
Yeah, the coffee is... That's usually what gets me more unplugged.
GRAHAM CLULEY
As though jet lag and lack of coffee were the only things on our minds at the moment. But maybe some other worries around as well.
But hey, good news is that the other day we got a voicemail here at Smashing Security. Someone actually sent one in. That was quite exciting.
MARIA VARMAZIS
Who uses voicemail anymore?
CAROLE THERIAULT
Well—
MARIA VARMAZIS
Hey Graham. Hey Carole. Just wanted to say, absolutely love Smashing Security. It's basically the highlight of my week.
CAROLE THERIAULT
Just love the shenanigans and the snafus that go on in the show.
MARIA VARMAZIS
So thank you so much once again.
GRAHAM CLULEY
Leave us a message about the podcast at smashingsecurity.com/voicemail. Ah, wonderful.
CAROLE THERIAULT
Adorbs.
MARIA VARMAZIS
Adorbs.
GRAHAM CLULEY
So Carole, what's coming up on the show this week?
CAROLE THERIAULT
Well, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, Graham, you were talking about the dangers of cycling.
It's gonna be interesting.
Maria tells us why we really should have multifactor authentication turned on, and I see whether Virgin Media did all the right things during its recent data snafu.
All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, I wonder, what were you doing on Friday, March the 29th?
CAROLE THERIAULT
Is this your detective voice?
GRAHAM CLULEY
2019. Yes, it is.
CAROLE THERIAULT
This is your bad cop voice.
GRAHAM CLULEY
I've got an anglepoise lamp and I'm shining it in both of your faces right now, saying, "Okay, what were you doing?" I'm guilty, I'm guilty, I'm guilty. March 29th last year.
MARIA VARMAZIS
I'm so intimidated.
CAROLE THERIAULT
No idea.
GRAHAM CLULEY
Well, maybe we could find out. Were you perhaps in Gainesville, Florida?
MARIA VARMAZIS
Never been in my life.
GRAHAM CLULEY
As is your wont, by the way, Carole, you often say I don't research my stories enough, but just be impressed by this.
On a partially sunny day where humidity reached 40% and the temperature reached as high as 25°C...
CAROLE THERIAULT
You did not go look at the weather. Someone already did that work for you. You just cut and pasted it.
GRAHAM CLULEY
I did it.
CAROLE THERIAULT
Well done.
GRAHAM CLULEY
Thank you very much.
MARIA VARMAZIS
Wow.
GRAHAM CLULEY
It was a relaxing scene. The wind was blowing in an easterly direction through the trees.
MARIA VARMAZIS
What was the air quality rating for that day? Do you know offhand?
GRAHAM CLULEY
I didn't look for that. The birds were singing, and there was the sound of someone bicycling past the neighbourhood.
MARIA VARMAZIS
Brring brring!
GRAHAM CLULEY
But all was not well. Because restaurant worker Zachary McCoy, he was—
MARIA VARMAZIS
Zach McCoy.
GRAHAM CLULEY
He was going about his regular business. Zachary. And he received an email, an unexpected email, claiming to come from Google's legal investigations support team.
MARIA VARMAZIS
Legal investigation support team?
CAROLE THERIAULT
If I got an email like that, I'd suddenly be like, ding!
MARIA VARMAZIS
Google police.
GRAHAM CLULEY
Well, the email told him that the local police force had demanded information related to his Google account.
And unless he went to court and tried to block it, Google would give the police the information within 7 days.
CAROLE THERIAULT
Okay, so basically they got a request for his information. They warn the person whom the cops are— Oh, so I didn't know they warned when they did that. So basically—
MARIA VARMAZIS
I don't think they do.
GRAHAM CLULEY
Well, in this particular case, they did.
MARIA VARMAZIS
Really?
GRAHAM CLULEY
They said, "If you've got any problem with this, let us know." Oh, because there was no warrant, maybe.
CAROLE THERIAULT
Maybe it's 'cause they said, look, the cops said, "Look, can you just give us this guy's account 'cause we really need to check it out?" And they were like, "Okay, maybe, but we'll have to ask him first because there's no warrant." Just 7 days for him to try and block it in court.
GRAHAM CLULEY
How would you respond if Google sent you that kind of message?
CAROLE THERIAULT
Well, I probably wouldn't open the email, as we know. You probably wouldn't. Right? So I'm screwed.
MARIA VARMAZIS
Just claim ignorance. I never saw your email, sorry. So you can't do anything?
CAROLE THERIAULT
Probably doesn't work like that. I wouldn't claim it. I am ignorant.
GRAHAM CLULEY
Well, McCoy was flustered. And he thought, you know, what on earth's going on here? And he thought, well, I do have an Android phone.
And like many people, I use Google and YouTube, other Google products. And soon all of the data would be in the hands of the police. But he had a clue.
And the clue was a case number referred to in the email from Google, and he took that case number, and he went to the Gainesville Police Department's website, and he looked it up.
And what he discovered was that there was a wizened 97-year-old lady— oh, bless her— who lived less than a mile away from his home.
MARIA VARMAZIS
Keep her safe from coronavirus.
GRAHAM CLULEY
She had found that several pieces of her precious jewellery, including her engagement ring— oh dear— worth more than $2,000, had been stolen, had gone missing from her home.
She'd been burgled, as they call it in America.
MARIA VARMAZIS
Oh, indeed.
CAROLE THERIAULT
Burgled?
MARIA VARMAZIS
You gotta add the -ised.
GRAHAM CLULEY
Look, they really do, Carole. They call it being burgled.
MARIA VARMAZIS
Burgled.
GRAHAM CLULEY
I think actually it might actually be Old English, which we've— a bit like gotten, which we've dropped, but the Americans have rather quaintly kept. So they say burgled.
It's very funny. Very strange people.
MARIA VARMAZIS
Us colonials.
GRAHAM CLULEY
Now, so seemingly the police in Gainesville, Florida were interested in Zachary McCoy's Google account because of this little old lady's burglary. This is what he worked out.
So what he did was he went to his parents.
CAROLE THERIAULT
He doesn't know this woman, does he?
GRAHAM CLULEY
Well, no, he doesn't.
MARIA VARMAZIS
It's not his nan.
CAROLE THERIAULT
He looks it up and he's like, "I have no idea what you guys are talking about." Yeah, exactly. Right, okay. Just to be clear, sorry.
GRAHAM CLULEY
Crying, "I've only got 7 days until Google hands over all of my data." He thinks, "What am I gonna do?" So he borrows a few thousand dollars from his parents.
And he hires a lawyer, and they did some digging around. They go looking around, trying to work out what's going on here.
MARIA VARMAZIS
What was that?
GRAHAM CLULEY
And they discover that the authorities were attempting to use a geofence warrant to get his personal information. Now, we've talked about geofence warrants before.
Sometimes they're called location dragnets or reverse location searches. If you dial back to episode 144—
CAROLE THERIAULT
Oh, you have done your research, Mr. Cluley.
GRAHAM CLULEY
Yes, thank you very much. We described how the FBI had ordered Google to do one of these reverse location searches to help them investigate a bank robbery in Wisconsin.
CAROLE THERIAULT
Yeah, basically imagine a huge net over a location in a city or a town or a neighborhood, and then they just go down and just scoop up any information from anyone there that might fit a profile or might be interesting to them.
GRAHAM CLULEY
Yeah, and they're interested in who was at a particular location or in the environment within a time period.
MARIA VARMAZIS
Yeah.
GRAHAM CLULEY
When they don't have any leads, they can find potential suspects by running this sort of location dragnet. It's really kind of interesting. And increasingly, cops are using these.
They want to know who's in the vicinity of a crime based upon the location data shared by their mobile phone.
So now, Zachary McCoy knows that his phone's location had linked him to the vicinity of the crime scene. And he thought, "Well, why me?" he's thinking.
"What makes me so suspicious?" Well, it turned out when he looked at his Runkeeper fitness tracking app that he realized that he had been riding his bicycle.
3 times within an hour, he'd been doing a loop, and he'd been passing this little old lady's house.
And because of that suspicious activity, a bit like— You know how, Carole, in your neighbourhood at least, there are people who sort of cruise around at low speed?
You know, just their arms sort of stuck out the window and everything?
CAROLE THERIAULT
Well, that doesn't actually happen. But what did happen is we do have drag races.
MARIA VARMAZIS
What?
GRAHAM CLULEY
In Oxford?
CAROLE THERIAULT
Yeah, it was on a Sunday night.
MARIA VARMAZIS
On what streets?
CAROLE THERIAULT
And they were obviously going around quite a large block because they were going up our street every about 5 minutes and they did it for about an hour and a half.
And there was about maybe 10 cars.
MARIA VARMAZIS
What?
CAROLE THERIAULT
And it wasn't super late. It was maybe 9:00 PM or something like that.
MARIA VARMAZIS
How could they do that on the roads that y'all have? Those are tiny.
CAROLE THERIAULT
Exactly. And there's people park on those roads on Sunday nights, right? And there's families and exactly. Really? Yeah, for real.
GRAHAM CLULEY
Anyway, it was all of this information being gathered by his Android app and being shared with Google which made him a person of interest.
CAROLE THERIAULT
Yeah, I get that now.
MARIA VARMAZIS
They thought he was casing the house or something, I guess.
GRAHAM CLULEY
Exactly.
And I think this really sort of highlights this whole problem of just how much information technology companies like Google are scooping up about us from our mobile phones and the ease with which the police can potentially grab it.
It's pretty scary, isn't it?
CAROLE THERIAULT
Yeah, but you haven't answered the question yet.
GRAHAM CLULEY
What's that?
CAROLE THERIAULT
Did he steal the stuff?
GRAHAM CLULEY
No, of course he didn't.
MARIA VARMAZIS
Oh, I'm sorry.
GRAHAM CLULEY
No, he's a nice chap. I didn't know that.
CAROLE THERIAULT
Why would you—
GRAHAM CLULEY
No, he's now—
MARIA VARMAZIS
I'm waiting for that twist too. I was like, there's gotta be the twist.
CAROLE THERIAULT
It's like, surely his excuse was, I was just biking around, what was your big problem? But actually, he actually, you know, was up to something.
GRAHAM CLULEY
Well, as far as I know, he's claiming to have nothing to do with—
CAROLE THERIAULT
You've already said he's a nice chap. You've given your word.
GRAHAM CLULEY
He rides a bicycle, Carole. I ride a bicycle. Maria, I believe you're into biking, right?
MARIA VARMAZIS
I am. I am a cyclist, yes.
GRAHAM CLULEY
Wonderful. Carole?
CAROLE THERIAULT
Mm.
GRAHAM CLULEY
Yeah, but your bike doesn't have wheels, does it?
CAROLE THERIAULT
Well, one of my bikes does.
GRAHAM CLULEY
Yeah, but the one you use most often doesn't, which makes it useless.
CAROLE THERIAULT
Yeah, 'cause it rains a lot in England. There's a reason why I have an indoor bike. I don't like the rain.
MARIA VARMAZIS
Wait. Is it a Peloton? Are you one of those people?
CAROLE THERIAULT
No, no, no. Mine is not a Peloton. Old school, from Craigslist.
MARIA VARMAZIS
I was gonna say, I'm never talking to you again. Okay. It's just a metal disc and it just spins. Okay, got it. Yeah.
GRAHAM CLULEY
Now, there is a little bit of a twist because it turns out—
MARIA VARMAZIS
Peloton's not sponsoring the podcast now, so.
GRAHAM CLULEY
Yeah, real judgy, Maria.
It turns out that actually McCoy's lawyer was able to produce screenshots of his Google location history from the Runkeeper app, which showed that for months he had been making bike rides past this little old lady's home.
I don't know, maybe waiting until she popped down the bottom of the garden.
CAROLE THERIAULT
This is really convenient. I'm sorry to have my little conspiracy hat on, but—
MARIA VARMAZIS
You can Photoshop that so easily. I know how to do that so easily.
Anyway, there you go. So I thought that was a timely reminder. I thought you'd be a little bit more outraged that the police were collecting this kind of data and scooping it up.
CAROLE THERIAULT
Well, no, I paid attention to episode 144, so I know all about geolocation warrants.
GRAHAM CLULEY
But maybe our listeners need a reminder. So turn off your location stuff. Be careful what apps you're installing and where that data is being shared because you might end up—
CAROLE THERIAULT
And maybe now you have to frickin' read your email.
MARIA VARMAZIS
Yeah, right.
CAROLE THERIAULT
But then be careful it's not a spam email or a phishing email that's pretending to come from Google.
MARIA VARMAZIS
I would not have taken that email seriously. I totally would have been like, this is fake. The police don't just ask, they show up and do.
CAROLE THERIAULT
You know what, though, Maria? Super good point. I bet that happens to loads of people. And they never see the email. So then the cops just scoop up the data.
So really what it needs is a confirmation. Rather than saying you can opt out of this, it should be, do you mind? We're opting you in.
MARIA VARMAZIS
Opt-in policing?
CAROLE THERIAULT
No, no, opt-in from Google handing it over to the cops. Right. So Google collects this information from you.
MARIA VARMAZIS
Please, please have all your sensitive data, please.
GRAHAM CLULEY
I'm sorry I chopped this person's head off, but I did click the opt-out option when it came to coming to jail. So please let me off. Carole, that's not it.
You opt out by taking it to court and saying, no, you can't do it. That's the official way of opting out.
CAROLE THERIAULT
I don't think you're hearing me. So obviously, if I were a suspect of something bad and the cops were like, we need to catch her, right?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And we need her Google information, they would go get a warrant. And then it doesn't matter what I say. Right. The warrant then shows— Google hands it over. Done, done, done.
And they know what they know.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
But if I'm just someone who might be in the vicinity in a kind of geolocation catch-all.
Perhaps it should be, yes, I don't mind handing this information to the police, and then therefore Google does. But if they don't, that's also an indicator, right?
The cops will know, hear all the stuff.
GRAHAM CLULEY
So you're gonna appear suspicious by not assisting?
MARIA VARMAZIS
Maybe.
CAROLE THERIAULT
And then they'll come over and go, I'm a fricking host of Smashing Security, and I maybe think you should listen to my show.
MARIA VARMAZIS
So you've got a sort of catch-22. So it's, if you don't opt in, then you're a suspect. Basically, you still have to give your info over to the state.
GRAHAM CLULEY
I am the way Carole's police state works.
CAROLE THERIAULT
No, I think this makes perfect sense. So, fuck you both.
GRAHAM CLULEY
The maths justice. Well done.
MARIA VARMAZIS
Lovely.
GRAHAM CLULEY
Maria, what's your story for us this week?
MARIA VARMAZIS
My story this week is about multifactor authentication.
CAROLE THERIAULT
Right.
MARIA VARMAZIS
Trying to make that sound sexy. It's not. So I heard there was this conference a few weeks ago called RSA. It was sort of a thing. Some people were there. Graham?
GRAHAM CLULEY
Yeah, I was there. Yeah.
MARIA VARMAZIS
Yeah. How was that?
GRAHAM CLULEY
It was a show.
CAROLE THERIAULT
You washed your hands yet?
GRAHAM CLULEY
It was. It was. Oh, I was doing it.
MARIA VARMAZIS
It was several weeks ago. One would hope at least once.
GRAHAM CLULEY
They were actually handing out. So I was working on the booth of Veracode. I was doing some talks then. Their giveaway was actually some hand sanitizer.
So rather than getting a stress ball, you got these little hand sanitizers. It was a fun show, I suppose.
MARIA VARMAZIS
You know, it's basically currency right now in the States because there's no more hand sanitizer anywhere.
Anyway, this year I'm catching up on RSA by looking at what's on YouTube and what people are covering.
And so I saw a presentation that's making the rounds from the folks at the enterprise side of Microsoft and they're kind of a big business.
Don't know if you've heard of Microsoft, but you know, they do some stuff with large numbers.
CAROLE THERIAULT
A medium-sized company.
MARIA VARMAZIS
They have an interesting amount of case numbers they can go through. I mean, they have such volume of customers that they can gather an unbelievable amount of data about stuff.
So they had some interesting stats about their business customers and how they authenticate into things like Exchange and Office and that kind of stuff.
So apparently the enterprise side of Microsoft sees 30 billion login events a day. Wow. Yeah, which is a lot. So that's, that's the kind of numbers we're talking about.
So during this presentation, right at the beginning, they said just half a percent of the enterprise accounts in their system get compromised monthly, just half a percent.
But we're talking about Microsoft numbers. That was in this past January, 1.2 million accounts.
CAROLE THERIAULT
In January alone.
MARIA VARMAZIS
In January alone, that mere half of a percent. So the reason that is interesting in this context is 99.99% of those compromised accounts did not have multifactor authentication.
CAROLE THERIAULT
Did you do the math?
MARIA VARMAZIS
I did not. The guy presenting did.
CAROLE THERIAULT
I am literally just wondering what 99.99% of 1.2 million is.
MARIA VARMAZIS
Very close to 1.2 million. Probably 1.11. It's awfully close to 1.2.
CAROLE THERIAULT
So very few people have multifactor authentication switched on. Pretty much everybody did not have multifactor switched on.
GRAHAM CLULEY
So you mean of the compromised accounts, they did—
MARIA VARMAZIS
Of the compromised accounts, right? Virtually all of them had single authentication. There was no multifactor going on.
GRAHAM CLULEY
Right.
MARIA VARMAZIS
So that's interesting. Yeah. Feather in the cap for get the multifactor going, right?
GRAHAM CLULEY
Yeah, totally.
MARIA VARMAZIS
So for anyone who's ever done IT admin, I think none of the story will be a surprise to them.
So basically these hacked accounts that didn't have multifactor were sort of a cocktail of old authentication methods like POP, SMTP, IMAP.
We've heard these a lot of times, and those are all single authentication factors. And then the inherent weaknesses present in just passwords.
So if you have a single authentication factor like POP or SMTP or whatever, and you just use passwords, if you have a weak password, that's going to break.
So sadly, these enterprise attack accounts were very easy pickings for people doing basic password attacks.
GRAHAM CLULEY
Chances are these accounts were compromised by people doing credential stuffing or through phishing attacks or password reuse.
MARIA VARMAZIS
As far as I know, not even anything as complicated as phishing, just really basic stuff.
Like, didn't need— I needed to think I needed to say this, but don't use hunter2 as a password on an enterprise account.
So one of the methods attackers used, because there are basically two main methods that they saw in these compromised accounts, one was password spraying. So spray and pray.
Here are a whole bunch of passwords that tend to get used. Like, we have lists and lists of these. Hackers pass these around, we all know.
And they just tried them, and a lot of them worked. So again, yeah, so they just were, people are going to use zero password or 01234 password, and it worked.
Like, stuff like that, really basic stuff. So again, they didn't even have to go through anything as complex as setting up a phishing scam. It was just try zero password.
So anyway, spray and pray was one thing that people did, and yeah, and it worked. And that's why attackers do stuff is because they work, right?
So of all enterprise accounts in January, 7.2% of all existing SMTP accounts got compromised and 4.3% of IMAP ones did as well. So of all that exist in Microsoft purview.
So that method really worked for those guys. And then the other method they tried, the attackers tried, was just simply reusing stolen credentials.
So as you both hinted, there's some just very easy things that attackers do and they work. And it still worked.
CAROLE THERIAULT
So, you know, imagine how many old email addresses or old accounts must be out there just floating around.
MARIA VARMAZIS
Oh, so many. And reused credentials. I mean, that seems such a basic easy one.
If you've been breached somewhere, you check yourself out on Have I Been Pwned, change that password maybe. But no, people are not— people are not doing that either.
CAROLE THERIAULT
I used to have an email account on Hotmail, I don't know, 15 years ago. I'm sure it's not shut down. Anyway, someone go find it.
MARIA VARMAZIS
But this isn't a personal account, this is enterprise accounts. I think people are in theory getting paid to make sure this stuff is locked down.
I mean, if you're lazy with your own personal email, okay, fine, your photos to your grandparents might get hacked, I suppose. I mean, it's a business thing.
CAROLE THERIAULT
But also the culprit here would be the companies who are like, focus on the next big thing, right?
So, you know, you're like, I gotta do some maintenance, I gotta go through all our old existing accounts, make sure everything, no, no, no, no, no, you're not, you're making money for us.
You're gonna go help the sales team with their new tool.
MARIA VARMAZIS
Funny that you mentioned that. I'd love to just say end of story, everybody just switch to MFA, problem solved.
The reason Microsoft was even presenting about this at RSA was that in 2018 they tried to basically go, okay, we're instituting a new policy overnight.
Basically everybody moves over to multifactor, you know, it's going to be great. And they did that in October 2018 and they broke so much stuff trying to do that.
So many legacy apps they didn't know that they had just broke overnight and things like IT admin tools for Exchange and SharePoint, the compiler tools that engineers at Microsoft were using to make their product broke.
But that wasn't even the biggest one. The biggest one was Microsoft's telesales tool, which apparently most of their Asia offices and Australia offices were using.
Apparently all the sales guys in those offices logged into this one legacy app using the same credential set.
And so when they instituted this MFA policy, the entire sales teams for these countries could not do their work for an entire day.
So this was, again, huge company like Microsoft, hundreds of thousands of salespeople unable to make any sales for a whole day. That's a huge problem.
CAROLE THERIAULT
That's shocking.
MARIA VARMAZIS
Yeah, it's massive.
CAROLE THERIAULT
So not super surprising based on, you know, how much shit's floating around the digital space.
MARIA VARMAZIS
And I'm not trying to cast aspersions into Microsoft. This is a big problem. You don't know what you're running.
And so for people who are at companies smaller than Microsoft, which is everybody, I mean, it's a big problem. What is actually running on your network?
GRAHAM CLULEY
Yeah.
MARIA VARMAZIS
And even Microsoft had an issue with this. So they basically, after they made that policy for MFA, they had to unroll it out.
GRAHAM CLULEY
Although, good way to find out what apps you have running, isn't it? Is to turn it on.
MARIA VARMAZIS
Turn it on.
GRAHAM CLULEY
Oh, we didn't know about that.
CAROLE THERIAULT
You know, I might actually even say that if one was gonna try and do this in their own enterprise, I think you should expect that this will happen.
You will find loads of gunk that you haven't properly locked down or disowned or put to bed or RIP'd. And it's a good exercise and it's brave.
It's brave for them to even talk about it. I think it's quite impressive.
MARIA VARMAZIS
So, I mean, Microsoft's talking about it saying, hey, they fucked up.
CAROLE THERIAULT
Wow.
MARIA VARMAZIS
Thank you. I censored myself and uncensored myself. And they're actually rolling it back out later this year.
So I guess watch RSA 2021 if coronavirus doesn't prevent it from happening to see how they did. And they have a much more gradual rollout plan right now.
It sounds like they have a much better handle on what their legacy apps are as well.
You know, this is a big roadblock for them, but they're not stopping from moving ahead with MFA, but it's a really interesting case study.
And as I said, everybody is going to be dealing with a similar problem to some degree. So it's very cool.
CAROLE THERIAULT
Yeah, it's really cool to know. And I think it should make people — when this happens to you, don't feel bad.
MARIA VARMAZIS
Just say, well, if it happened to Microsoft, yeah, let's try and be prepared.
CAROLE THERIAULT
Unless you're a security company, and in which case you should feel ashamed.
MARIA VARMAZIS
No, wait, no, no, we don't mean that at all.
CAROLE THERIAULT
Hey, didn't you do that once in the show?
MARIA VARMAZIS
Shame, shame. Yeah, I've got my shame bell.
CAROLE THERIAULT
That's true.
MARIA VARMAZIS
No, it's tough. It's hard. It's really, really, really hard. But it's a good thing, moving towards MFA, the case is obvious. It's like we should be doing it.
CAROLE THERIAULT
Hey, and as your company might be down on work right now anyway, right, if employees are having to stay home and they're not — you know, they may not be all fully connected, this might be a great time to try it out.
GRAHAM CLULEY
Oh yeah, just compound any problems you already have communicating with your staff by locking them out of their email by enabling multifactor authentication.
You just don't want any work, Carole. You just want to put your feet up for a month.
MARIA VARMAZIS
Your entire team has gone virtual and they can't log in. It's a vacation for everybody.
GRAHAM CLULEY
Great plan.
MARIA VARMAZIS
Great plan. Yeah.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
Nothing could possibly go wrong.
GRAHAM CLULEY
Carole. Carole, what's your topic for us this week?
CAROLE THERIAULT
So last week we heard in the press that UK ISP Virgin Media had a bit of a mishap with customer data. And I thought for my story, we could maybe play a little game.
GRAHAM CLULEY
Ooh, a game.
CAROLE THERIAULT
Okay.
I was gonna go through what's been communicated by various parties on the matter, and you guys can honk like geese if you think Virgin Media could have handled things maybe a little bit differently, say.
GRAHAM CLULEY
So Maria, you be the annoying goose, and I'll be —
CAROLE THERIAULT
Just yourself, just say hello.
GRAHAM CLULEY
Okay.
MARIA VARMAZIS
Honk.
CAROLE THERIAULT
Here's the sitch. Like that? Yes, perfect. Here's the sitch. So Virgin Media database was full of customer personal details, right?
And this was 900,000 people strong, and it was found to be improperly secured. And by that I mean it was accessible to anyone online for 10 whole months.
MARIA VARMAZIS
Wait, wait, wait, am I supposed to be honking right now? Because that sounds like — am I — yeah, if it's false.
CAROLE THERIAULT
Yeah, I would honk at that.
GRAHAM CLULEY
Although a lot more handy than if they had multifactor authentication in place. I mean, you know, at least it was easy to access. That's the thing, isn't it?
MARIA VARMAZIS
Right.
CAROLE THERIAULT
And it wasn't even encrypted or anything like that. Right.
MARIA VARMAZIS
So nice of them.
CAROLE THERIAULT
All you needed was the link and bish bash bosh.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
So this breach was not due to a hack or a criminal attack, but because the database had been incorrectly configured by a member of staff.
GRAHAM CLULEY
Incompetence.
MARIA VARMAZIS
It happens. It happens.
CAROLE THERIAULT
And Claim Virgin Media says they did not follow the correct procedures. So who knows what that means.
Now, the database did not include passwords or financial details, but it did contain phone numbers and home and email addresses. Home addresses as well, so you know.
MARIA VARMAZIS
Okay.
CAROLE THERIAULT
Yeah. Now, those affected were Virgin customers with television or fixed line telephone accounts. Some were Virgin Mobile customers that were also potential customers.
So even if you didn't have a relationship with Virgin, but somehow maybe a friend referred you to it, or you were checking out something, with some, I don't know, some promo service, your information might be in there as well.
Just listen to the wording of this, 'cause it's a cool little bit of a quote.
So the information was accessed, quote, "On at least one occasion," unquote, "by an unknown user." So that's very, it's very vague, right?
Now, so I'm looking at the story, and I'm kind of looking around on it, and according to the BBC, Lutz Schüler, the chief executive of Virgin Media, said, "We recently became aware that one of our marketing databases was incorrectly configured, which allowed unauthorized access. We immediately solved the issue by shutting down access."
So sounds competent as an answer. And then I went to Twitter to see what they said there.
And they pinned a message saying, we're sorry to say a database containing some of our customers' personal data has been accessed without their permission.
And it didn't include financial details. So they just give the high-level messages very clearly. So I'm thinking, okay, this is cool. This is good.
But the thing is, is the whole database was open for 10 whole months. So how did they suddenly find out about it?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
You know, did maybe they did something like Microsoft did? Maybe they went and did some investigation and went, oh, holy moly, we got to fix this.
So I went to their FAQ and on there, so I've given you guys a link to their FAQ here.
MARIA VARMAZIS
Okay. Okay.
CAROLE THERIAULT
Just for listeners, all three of us, I'm sure in the past have been involved in that panic situation of we need to write an FAQ for clients right now.
MARIA VARMAZIS
Many, many times.
CAROLE THERIAULT
And it's a very complicated, difficult job because some people want it to be really short, some people want it to be very exhaustive, and you've gotta find the right balance.
MARIA VARMAZIS
And you also have to make sure you have the right information.
CAROLE THERIAULT
Oh yeah, and that can be very hard.
MARIA VARMAZIS
Very hard to track that down in a crisis situation.
CAROLE THERIAULT
So, okay, so this whole page, I'll just start off with the beginning and then I wanted you guys to kind of look at the other questions that they put into their FAQ.
So they say, we recently became aware that some personal information stored on one of our databases has been accessed without permission.
Our investigation is ongoing and we've contacted affected customers and the ICO, the Information Commissioner's Office.
They say that some of the information that was taken was contact details, as we talked about earlier, technical and product information, they say, including any requests you have made to us using forms on our website.
MARIA VARMAZIS
Right.
CAROLE THERIAULT
And in a very small number of cases, it includes date of birth. Okay, so you're— and then it gives you an email address.
It says, those affected will receive an email from . So that's the email address you look out for in your box.
MARIA VARMAZIS
That's good.
CAROLE THERIAULT
And it even says check your spam filters because you may have received it and we might have got in there, which is interesting.
MARIA VARMAZIS
And that way you know if you get an email that it's legitimate from the right sender. That's good.
GRAHAM CLULEY
Well, or if I'm a scammer, I now know what email address to forge my email from, of course.
CAROLE THERIAULT
Fair, fair enough.
MARIA VARMAZIS
Yeah, check the other answers. There's a few more.
CAROLE THERIAULT
Maybe you guys can read out some of the questions and just open up and see what the answers are from their FAQ.
GRAHAM CLULEY
So they have this interesting one. So they have this interesting, they've got an interesting one. Was this a cyber attack and has Virgin Media been hacked?
And they said, no, this wasn't a cyber attack and no, our database was not hacked.
CAROLE THERIAULT
Full stop.
GRAHAM CLULEY
And yeah, it's like, nope, let's just stop talking about that.
MARIA VARMAZIS
It's so terse.
GRAHAM CLULEY
The curious thing about this, of course, is the reason why it wasn't hacked was because they had no protection on the database whatsoever.
So it's a little bit saying, no, we weren't burgled because we hadn't locked any of our doors.
MARIA VARMAZIS
Our front door was actually wide open. Yeah.
CAROLE THERIAULT
Yeah, we were having an open house for the last 10 months. Someone came in.
GRAHAM CLULEY
There's a big sign up saying, take what you like.
MARIA VARMAZIS
It's still a burglary, but still, yes. We did nothing to prevent it.
CAROLE THERIAULT
But the rest of the questions are quite tersely answered, aren't they?
MARIA VARMAZIS
Yeah, is that— is this an American versus UK perception thing? Because I— to me as an American, I'm going, that's very terse.
CAROLE THERIAULT
No, no, me too.
MARIA VARMAZIS
I was shocked.
CAROLE THERIAULT
And I didn't see any sorry in there.
MARIA VARMAZIS
They did have one on their Twitter pin, but there was nothing in there, you know, we take our responsibility to protect personal information seriously, yada yada yada.
I hate it when breach notifications say that shit because it's we wouldn't be here if you did.
CAROLE THERIAULT
Yeah, especially when your pants are caught around your ankles.
GRAHAM CLULEY
You think you're British, girl. We haven't apologised over India yet, you know, so give us a chance. We're not going to apologise over the Virgin Media data breach.
CAROLE THERIAULT
Is there anything in there that you guys see that say how they found out about this breach or how they discovered it?
GRAHAM CLULEY
It's notably absent, isn't it?
CAROLE THERIAULT
So I did a little bit more digging. And there I am, I'm looking around for this information. And then I see that it mentioned that it was due to a security company called TurgenSec.
Now, this is not one I know.
MARIA VARMAZIS
Turgen.
CAROLE THERIAULT
Yeah, TurgenSec. So I look them up and lo and behold, they have their own statement on this whole snafu. And it starts this.
MARIA VARMAZIS
Ooh, really?
CAROLE THERIAULT
I think I gave you guys a link so you guys can follow along if you want. So it says, do you feel that Virgin is being honest about the severity of this finding? Ooh, loud.
That's a strong start to a page.
And it says, we cannot speak for the intentions of their communication team, but stating to the customers that there was only a breach of quote limited contact information is from our perspective understating the matter potentially to the point of being disingenuous.
Popcorn moment.
GRAHAM CLULEY
Throwing a lot of shade there.
MARIA VARMAZIS
Yeah, seriously, damn. Right now my butthole is clenching a lot.
CAROLE THERIAULT
Well, wait till my pick of the week. Okay, so then it says, would customers consider the following to be an accurate description of limited contact information?
And then they provide a list to this. And check out bullet number 2 on the page. I'll read it for you.
Request to block or unblock various pornographic, gore-related, and gambling websites corresponding to full names and addresses.
MARIA VARMAZIS
Oh, for fuck's sake.
GRAHAM CLULEY
So when Virgin Media's own FAQ had said, oh, we may also have captured information you used to fill in on forms on our website, they didn't mention those forms included ones like 'Can you unblock Pornhub.com for me?' 'With the gore special, please.' 'I like the blood and guts.' Which is potentially embarrassing information which could be used to extort money from you, or nasty.
Mm.
CAROLE THERIAULT
Okay, but this bunfight gets worse, right? Because this page continues.
It says, 'We would recommend that all customers affected by this breach immediately issue a GDPR request to Virgin Media to identify exactly what information has been breached and what information the company continues to hold on them.' So they are seriously peed off.
And I'm sure that doesn't help that Virgin kind of ambushed these guys. This is what happened according to the TurgenSec post.
GRAHAM CLULEY
Right, let's find out what happened, yep.
CAROLE THERIAULT
Yeah, so in their view, they say they contact Virgin, right, to say, hey, look guys, we found this database, 900,000 people, totally wide open.
And they say their initial response to the breach was really strong. They got back to them immediately, kept them updated on progress. The database was removed swiftly.
They had also involved a third-party forensics organization to help analyze the content.
GRAHAM CLULEY
So Virgin's IT security team responded well, promptly, no complaints there.
CAROLE THERIAULT
Yeah, and TurgenSec was like, "This is wicked. This is exactly how we always thought this should work."
MARIA VARMAZIS
These guys were under the employ of Virgin at the time as a contractor, or they just discovered it on the web?
GRAHAM CLULEY
TurgenSec, I don't think, had been hired to find the content.
CAROLE THERIAULT
Yeah, no, TurgenSec were not hired by them at all. So they were just floating around the web, saw this, and thought, "We should tell them."
MARIA VARMAZIS
Okay, which is a good thing to do, to disclose it. It's good, it's good.
CAROLE THERIAULT
Absolutely. And they also received systemic updates explaining that they could not provide them with all the information, but they would do as soon as possible.
And they were citing different reasons for that because they were under investigation.
And now TurgenSec says in this blog post that they did not seek any remuneration as a result of responsibly disclosing their breaches.
MARIA VARMAZIS
We're not asking for money.
CAROLE THERIAULT
They didn't want cash. They wanted no cash, but they want it to be said, this is thanks to TurgenSec who found it.
MARIA VARMAZIS
They want the credit. It's fine.
CAROLE THERIAULT
And if we go back to our days where we used to have people, Graham, getting in touch with us about certain situations that we might have had in software that we were at the company where we were working, you would always say, hey, and this is thanks to blah, blah.
And sometimes you don't love doing it, but you've got to do it.
Instead, Virgin Media went straight to the media, and TurgenSec were contacted 15 minutes before the article publication in the FT asking for a statement.
They did not know there was an article going to be made live in the FT.
Obviously, the articles were sent in under embargo because journalists were calling them 15 minutes before to get statements from them, and they felt totally ambushed by Virgin Media.
GRAHAM CLULEY
So they'd been cut out. Virgin Media are trying to control the message.
CAROLE THERIAULT
And they've received no mention, no public credit, no mention from Virgin Media. So you know what? Shame on you, Virgin Media.
Because none of these 900,000 people would— they'd still— all their data would be out there still. And to not mention it just seems—
MARIA VARMAZIS
It's just rude. It's at the very least rude. It's rude.
CAROLE THERIAULT
So what's good, I think, is Virgin acted swiftly, apologized, and provided some useful information, but they left the people responsible, you know, those that helped alert them, like, left them in the wind.
MARIA VARMAZIS
Their statement doesn't seem fully transparent in light of what TurgenSec is saying that they actually found.
And going through this was sort of semi-disclosure without involving the people who actually discovered it is just not great from a comms point of view.
You want to hop on a call with those guys and go, you know, give us the download, here's what we're gonna do, these are moving forward.
I'm reading the statement from the TurgenSec guys and they're talking about the wider debate of responsible disclosure and how companies should behave to encourage a positive cybersecurity research culture.
And smaller companies, I will give a pass that they don't understand that there is sort of a way that you behave.
CAROLE THERIAULT
Sure.
MARIA VARMAZIS
In the security world, and that, you know, certain things are done in a certain way. But I mean, this is a huge company.
CAROLE THERIAULT
Yeah.
MARIA VARMAZIS
And I would find it really shocking if their comms team didn't have some sort of very basic understanding of working with the security guys.
And then if they don't, please go do that yesterday. That's really important.
I mean, I would expect at a really big company that you've got a comms person working specifically with the security like that would be my expectation.
CAROLE THERIAULT
Also, they may have poked the bear because with TurgenSec saying, "And you may wanna ask them about GDPR and maybe report them," you know, they've basically, that's gonna be a nice mess for them to handle.
If they don't like paperwork, get ready, people.
MARIA VARMAZIS
Well, that's why you do it right. You try to do it right at first as opposed to later. So yeah, ugh.
GRAHAM CLULEY
I was certainly bemused by Virgin Media's response on Twitter where any discussion of the data breach was being dealt with by one of their Twitter handlers saying, "We weren't hacked, we weren't hacked." It's like, we didn't say you were hacked, but you know, you're right, you weren't hacked because you didn't have any protection in place.
It's almost like they got more people to look at the issue and made a bigger deal of it by their amateurish handling of it.
MARIA VARMAZIS
Yeah, they were holding onto that line, telling its social media team, just repeat that we weren't hacked. It's like, that's kind of disingenuous.
That's not really the whole story, so.
CAROLE THERIAULT
And not giving TurgenSec the credit, you know what it reminded me of, Graham? You might remember this.
You might remember, but you know, there was this time where I noticed these two people, right, who worked in an office that I worked in. And he was on a hunt for a girlfriend.
And she was on the hunt for a boyfriend. They didn't know each other, right? And I kind of thought, oh, they could work out, right?
So I would talk to him and say, oh, she was talking about you. And then I'd go to her and go, oh, you know what, he was talking about you. And he thinks you're kind of good looking.
And, you know, start— and then they started thinking about each other, and eventually the guy asked the girl out, and they started dating, they started going steady, got engaged, and I was over the moon for them.
But did I fucking get invited to the stupid wedding?
GRAHAM CLULEY
Oh, I know who you're talking about now.
CAROLE THERIAULT
Yeah, I didn't get invited to the wedding, and apparently she serenaded him from the stage, and I didn't get to see that.
GRAHAM CLULEY
What was it she— I don't remember.
CAROLE THERIAULT
Sunlight.
GRAHAM CLULEY
You set the wind beneath my wings.
CAROLE THERIAULT
You're the light of my life.
GRAHAM CLULEY
It was something.
CAROLE THERIAULT
You light up my sense. Something like that.
GRAHAM CLULEY
Wow. Did I ever tell you you're my hero?
MARIA VARMAZIS
It might have been that.
GRAHAM CLULEY
Thanks for taking my IT request.
CAROLE THERIAULT
Anyway, would have been nice to be invited to the wedding. Just as it would be nice for TurgenSec to get some love off this. So Virgin Media, get to it.
GRAHAM CLULEY
Not that you're bearing a grudge 10 years on.
MARIA VARMAZIS
No.
CAROLE THERIAULT
Well, you know, they probably don't listen.
MARIA VARMAZIS
You better hope not.
CAROLE THERIAULT
Did you know that LastPass Enterprise gives a vault for every single user? Every employee has their own secure vault to access all their own work tools.
In fact, every user can have both a work vault and a personal vault.
If you want to make your organization safer and reduce friction for users, why not check out LastPass Enterprise at smashingsecurity.com/lastpass?
GRAHAM CLULEY
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
MARIA VARMAZIS
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.
CAROLE THERIAULT
Mm, should not be.
GRAHAM CLULEY
My Pick of the Week this week is not security-related. It is a video game.
I have a young son, which means that we play video games together, and we normally play them on the Nintendo Switch.
And this game is available for Nintendo Switch, and it's also available for the PS4, the Xbox, and you can even download it on Steam as well.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
And the game is called—
CAROLE THERIAULT
Contagion?
GRAHAM CLULEY
No, no, no. Ultimate Chicken Horse. And it is rather wonderful. Ultimate Chicken Horse is a sort of party game where you can have more than one person playing.
And over time you build— You've basically got to get your animal from the start to the finish.
And there are a number of jumps and different things, and you can place traps and hazards to try and screw your friends from getting to the end.
CAROLE THERIAULT
Is that what you like doing, screwing your friends?
MARIA VARMAZIS
Zing!
GRAHAM CLULEY
It is, but it's very entertaining.
And the things which you put together to— the graphics are very kind of quaintly done, and the things which you put in place, it's a bit like a Rube Goldberg or Heath Robinson kind of construction.
What are we like killing animals with buzz saws here?
MARIA VARMAZIS
What is going on? What? Animal brutality. Cartoonish animal brutality.
CAROLE THERIAULT
Do you not find the soundtrack irritating?
GRAHAM CLULEY
No. Even if you're disastrous, even if you're failing, you're still having a good time. It's a bit like Overcooked.
MARIA VARMAZIS
Oh, that game almost made me and my husband divorce. So just be real careful with that one.
GRAHAM CLULEY
Overcooked, you get so frustrated with each other, but you're having such a great time.
MARIA VARMAZIS
Are you though? Screaming at each other?
CAROLE THERIAULT
Did you rip off your rig and went, "Fuck you!"
MARIA VARMAZIS
"You didn't get the burrito to the plates on time, and now we're over our time!" "What is the point of us? Why are the two trucks moving apart?
Why are we serving food on two trucks at the same time?"
GRAHAM CLULEY
"What is wrong with you?" Well, it's not completely like Overcooked, but it's a similar kind of enjoyment, at least for me.
And I enjoyed it greatly, and so other people may want to check it out as well. And so my pick of the week is Ultimate Chicken Horse.
CAROLE THERIAULT
Well, there you go. Should I get a Switch?
GRAHAM CLULEY
Yeah, you bloody should.
MARIA VARMAZIS
How many times have we said yes, you should totally get one?
CAROLE THERIAULT
I trust you more than Graham.
Graham's told me to get a lot of stuff in my life, and there's a lot of stuff that I have purchased, thousands of dollars worth of crap that turned out it was just because he was enjoying it for the first time.
GRAHAM CLULEY
It's not me who told you to get it. I told you to buy that Peloton, Crow.
CAROLE THERIAULT
I don't have a Peloton.
GRAHAM CLULEY
Anyway, Maria, what's your pick of the week?
MARIA VARMAZIS
So my pick of the week is a very practical pick of the week because I was going to recommend Star Trek: Picard, but I figured that's just a given that I would recommend that.
So I've been watching it.
CAROLE THERIAULT
It's very good.
MARIA VARMAZIS
I also enjoy it. I just, I figure anyone who wants to see it has seen it by this point because the season's almost over.
So my pick is coronavirus-related because plague is happening.
There's a link that we can share in the show notes, and Los Angeles Times put together a list of 20-second song choruses that you can sing while washing your hands in lieu of singing Happy Birthday twice or the ABC song.
Because I have a toddler, so I'm always singing the ABC song and Happy Birthday because my daughter thinks every day is her birthday. It's very cute, but drives you a little crazy.
But if you want to sing Raspberry Beret or Jolene or Truth Hurts or, oh, I don't know, Africa by Toto, they tell you what parts of the song, the chorus usually, that will last about 20 seconds and wash your hands in time.
CAROLE THERIAULT
Can you twerk? Can you twerk while washing your hands? Does anyone know that?
MARIA VARMAZIS
I'm not gonna stop you.
GRAHAM CLULEY
More dangerous.
MARIA VARMAZIS
Yeah, they're telling people to stay out of hospitals right now, so if it's gonna put you in traction, don't do it. That's my—
CAROLE THERIAULT
I know, I just got an SMS from my medical center saying it was time for my annual checkup. And I was, "Dudes, seriously?"
MARIA VARMAZIS
Yeah. Not happening.
GRAHAM CLULEY
Marvelous. Well, everyone loves a little sing-song. So I think that's a great thing to do. Now you've got a variety of songs. You've got greatest hits. It's a Kate Hall album.
You can get through during the day.
MARIA VARMAZIS
That— wow, that's a reference. There's more of that on Twitter. I've seen a bunch of people compiling lists of songs that you can sing.
So if you're a death metal fan, there's options for you out there. You know, that kind of thing.
GRAHAM CLULEY
Marvelous. What's your pick of the week?
CAROLE THERIAULT
Well, it just goes to show you how connected and similar Maria and I are on some levels, right? Because mine is also coronavirus-related.
Now, if you guys just go to my link, please, I want you to watch. It's a video, which I know is so great for a podcast.
GRAHAM CLULEY
I'm not going to get Rickrolled, am I?
CAROLE THERIAULT
This comes from my brother who sent it to me this morning because he knows I'm a bit of a—
GRAHAM CLULEY
So we've got a guy who's driven up to a takeaway drive-thru.
MARIA VARMAZIS
This isn't for real. No, this is a hoax.
GRAHAM CLULEY
Oh, I see. Rather than handing her money for his burger, he's handing her toilet roll. Yes.
CAROLE THERIAULT
So this isn't my pick of the week. This is, I think, my nitpick of the week. Which is this whole, what is the world is running out of toilet paper because people are stockpiling?
MARIA VARMAZIS
We're gonna all have the shits at once.
CAROLE THERIAULT
What I find difficult to understand on this is that I'm hearing this mostly from people in North America and in Australia, right?
This whole stockpile, stockpile, stockpile of toilet paper. And toilet paper is right up there, it's they mention toilet paper before food.
And what I don't understand is the people that I know in that area, most people that live tend to shop big compared to us Euro people, right?
I don't buy, you know, 12 rolls or 18 rolls or 84 rolls or whatever.
MARIA VARMAZIS
You're supposed to be able to run out of toilet paper.
CAROLE THERIAULT
I just think it looks a little unsightly to be walking on the street with a huge bag of toilet paper. Call me weird, okay? Everyone else does.
GRAHAM CLULEY
But it's all disappeared, hasn't it? Because I went down my local Waitrose I went down the aisle and it's just deserted. There was nothing in there.
I thought, oh crap, what's going on here?
CAROLE THERIAULT
Okay, so let's imagine you get marooned on a desert island, right? Because of this virus. And they say, look, we're just dumping you here for a month.
MARIA VARMAZIS
It's probably safer there anyway, yeah.
CAROLE THERIAULT
Here you go, we're gonna leave you here for a month, right? Here is, now you can have some basic food to keep you alive, some lentils, rice, you know, some water.
What 3 things do you want? Would toilet paper be on that list or would an iPad? I just wanna know.
GRAHAM CLULEY
There won't be Wi-Fi, Carole, on the desert island.
CAROLE THERIAULT
There might be.
MARIA VARMAZIS
There might be.
CAROLE THERIAULT
Desert island doesn't have to be that far from land.
MARIA VARMAZIS
There's Wi-Fi, but no plumbing? Wow.
GRAHAM CLULEY
You'll get sand in the headphone jack. That wouldn't be any good.
MARIA VARMAZIS
First world problems.
CAROLE THERIAULT
Anyway, just everyone can just calm down the toilet paper. Stock up on newspaper or something.
MARIA VARMAZIS
I bought a bidet because of this.
GRAHAM CLULEY
You bought a bidet? A bidet.
CAROLE THERIAULT
Why don't you just put your butt under the sink or something?
MARIA VARMAZIS
The ergonomics of that alone. Hilarious.
I mean, there was a legit conversation I had with my mother about this because she remembers a time before toilet paper and she was saying people used to use newsprint.
So she's like, I'm saving my junk mail in case we run out of toilet paper.
CAROLE THERIAULT
Smart.
MARIA VARMAZIS
And I'm just like, in many parts of the world, people just wash with water and that's cleaner anyway. So, you know, in a pinch, you've got a showerhead.
And then after I said that, I was like, I'm buying a little bidet shower thing.
GRAHAM CLULEY
Circulation of the Daily Mail is going to soar, isn't it? If this really takes off.
MARIA VARMAZIS
You can use it for what it's meant for anyway.
GRAHAM CLULEY
Well, Maria, I guess when you're washing your hands, you're now singing Happy Bidet to you, aren't you?
Hey, friend of the show, Lisa Forte, she is currently in the United Arab Emirates and she has been posting pictures on social media of the sheer amount of loo paper there is out there.
No one's buying it out there. Have they used it? No, I wasn't going to say that. But anyway, first—
MARIA VARMAZIS
Well, I mean, not everybody uses toilet paper.
GRAHAM CLULEY
No, they don't. But if anyone wants to make a killing, go out there.
CAROLE THERIAULT
No, don't leave your house.
GRAHAM CLULEY
Stuff your suitcases and put it up on eBay.
MARIA VARMAZIS
You'll get stuck in the UAE right now. They won't let you back in.
GRAHAM CLULEY
Well, on that scatological note, we've just about wrapped up the show. Maria, I'm sure lots of our listeners would love to follow your B-day adventure. Is it bidet or bidet?
MARIA VARMAZIS
I say bidet. You say bidet, whatever. I'm on Twitter. I will not be tweeting about anything toilet related on there, but it's @mvarmazis. That's M. Varmazis.
And I'm also @ if you're on there.
CAROLE THERIAULT
Maria's just shy. Just ask her about it.
MARIA VARMAZIS
I'm not talking about my poops on Twitter. It's not happening.
GRAHAM CLULEY
And you can follow us on Twitter @SmashinSecurity, no G. Twitter @MalzTaberG. And don't forget, you can also leave us a voicemail at smashingsecurity.com/voicemail.
CAROLE THERIAULT
Yeah, pick up that phone, guys. As always, a mega thank you for listening.
Weekend Wakeout, supporting us with a few dollars on Patreon in exchange for some extra content— basically just saying we're funny even means a lot.
Also, a huge thank you to Smashing Security sponsor LastPass. Its support helps us give you this show for free.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, later, wash those hands.
CAROLE THERIAULT
Graham, why do you always say bye first?
MARIA VARMAZIS
What?
GRAHAM CLULEY
She had found on Friday, March 2019. Sorry, Friday, March 29th. Friday, March 29th.
MARIA VARMAZIS
All right.
GRAHAM CLULEY
She had found last year. Several pieces.
MARIA VARMAZIS
What day was it last year? Was it Friday? Sorry.
GRAHAM CLULEY
Friday, March 29th.
CAROLE THERIAULT
I can't do it.
GRAHAM CLULEY
I can't do it. Friday, March 29th, 2019.
MARIA VARMAZIS
Hey!
GRAHAM CLULEY
Oh goodness. She found— She found the body of a dead podcaster who'd collapsed from the exhaustion of trying to work out— No, no.
She had found that several pieces of her precious jewellery—
Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast.