Smashing Security podcast #022: Walk this way… to defeat biometrics

Three security industry veterans, chatting about computer security and online privacy.

Smashing Security #22: Walk this way... to defeat biometrics

The Samsung Galaxy S8 claims that its iris recognition technology provides “airtight security”, but the Chaos Computer Club knows better and shows how it can be easily bypassed. Australian researchers create a wearable gizmo that authenticates you through your walk, but is it ever going to be practical? Mac malware reportedly wastes no time stealing information from a software developer. And the boss of the Bank of England is smart enough not to fall for an email prankster.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Paul “Duck” Ducklin.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
This episode of Smashing Security is sponsored by the folks at Iovation. They have a mobile multifactor solution called LaunchKey, which they would love you to try out.

Visit demos.launchkey.com for your free demonstration. And thanks to Iovation for supporting the show.

Smashing Security Episode 22: Walk This Way to Defeat Biometrics with Carole Theriault.
PAUL DUCKLIN
Carole Theriault and Graham Cluley.
Unknown
Hello, hello, and welcome to another episode of Smashing Security, episode 22. And I'm joined this week as ever by my chum Carole Theriault. Hello, Carole. Hey, how are you doing?

Are you all right?
CAROLE THERIAULT
Well, no, you know, so last night I cut off the tip of my baby finger.
PAUL DUCKLIN
What?
CAROLE THERIAULT
Not like— no, no, okay, okay, that sounds— that's— I've cut off the very tip.
PAUL DUCKLIN
Oh, not halfway along?
CAROLE THERIAULT
No, no, no, no. Above the nail. But it means you can't type if you're someone who types with your baby finger all the time automatically.
PAUL DUCKLIN
What you're trying to tell everybody is that you're so cool that you're a full-on all-finger touch typist, really.
CAROLE THERIAULT
Yeah, yeah. I really, really wish I wasn't now, I'll tell you. And I can't play guitar. I can't do anything. It's really irritating.
GRAHAM CLULEY
A huge loss to music.
PAUL DUCKLIN
Tony Iommi managed to play guitar after chopping the ends of his fingers off on his last day at work before retiring.
GRAHAM CLULEY
What about that drummer in Def Leppard who lost his arm?
CAROLE THERIAULT
Well, that's drumming, that's easy.
PAUL DUCKLIN
Yeah, one-handed guitar playing could be quite tricky, I suggest. There is a certain requirement for two arms.
GRAHAM CLULEY
And as you've heard, we're joined by our special guest today, Paul Ducklin. How are things for you, Duck?
PAUL DUCKLIN
They're super. Just so everyone knows, Graham and I are in Manchester.

We were to be presenting today at an event which very sadly was cancelled for reasons that anyone in the UK will probably understand because we were going to have the event at the Man U football stadium.

So they've sort of put that into lockdown.
GRAHAM CLULEY
Yeah, yeah, sadly. Yeah, it's very sad. But hopefully we can raise spirits a little bit. We're not going to be talking about that kind of security issue today.

Instead, we're going to be talking about computer security.

And as always, we've chosen a few stories, what's been going on in the news, things which have caught our eye in the last week or so.

And I wanted to start it off with some stories of bizarre biometrics. First of all, we've seen those chaps at the Chaos Computer Club up to their old shenanigans once again.

And they have released a video of themselves bypassing the iris scanner in the Samsung Galaxy S8.
CAROLE THERIAULT
Oh, how do they do this? How do they do this?
GRAHAM CLULEY
Well, the Galaxy S8 is one of the first mainstream phones to offer iris recognition as an alternative for unlocking your phone, as opposed to passwords and PINs, which most people use.

And if you read the marketing material, it says the iris recognition, you know, is airtight security, allows consumers to finally trust that their phones are protected.

Quack, quack. As you probably guessed, that's not the case.
PAUL DUCKLIN
That sounded like a quack. I'm not sure I'm entirely happy with that, but I guess it was Family Fortunes, was it?
GRAHAM CLULEY
It was a goose quack rather than a duck quack. Thanks for that. So yeah, if that helps make you feel a little bit better.
PAUL DUCKLIN
It does.
GRAHAM CLULEY
So what they did was this. They obviously set out to fool the sensors, so they took a photograph of their person of interest, as it were, from a few meters away.

They printed it out and they put a contact lens over the iris to imitate the curving of the eye. And that's all that was required. You know, it's really fairly basic.

All you needed was a digital camera, a decent laser printer— ironically, apparently Samsung printers provided the best results of all— and a contact lens, and they were able to unlock the phone.
PAUL DUCKLIN
I don't think this is really surprising, is it? Because it's photographs and printers that have been the hole, if you like, in previous biometric measures like fingerprints.

You take a photo of the fingerprint and then use it to generate, you know, a simulacrum of the original fingerprint.

And it doesn't really surprise me that you're relying on a photo of your iris taken by the camera in your phone.

So it doesn't beg belief that an image taken with a camera of similar quality can produce the resolution required to fool the—
CAROLE THERIAULT
Yeah, but I think most people would think that an iris scan would be as safe as a digital fingerprint scan, would you think?
PAUL DUCKLIN
Yeah, I think you're right. And I guess the thing— oh, well, iris scan. And just to be clear, an iris scan is not a retina scan. A lot of people confuse them.

A retina scan is the old-school way of doing it, where you have to put your eye right up against something that shines a light in, and it takes a picture of the blood vessels at the back of your eye.

That never caught on because obviously you have to keep sticking your eye up against something. So imagine at an ATM if the previous guy had conjunctivitis. Yes, but so did you.

So it was, it kind of felt a little bit weird and intrusive, like peering into this device. So the iris, it's actually the pattern in the colored bit of your eye.

Now, let's assume that that is unique for you.

I mean, that, you know, and it's super unique and the way that the images get processed and the algorithm used kind of generates this unique, well, fingerprint or checksum for your iris.

That can all still be true.

And in fact, in a way, the more likely it is that your iris is unique, the more likely it is, I suppose, that the copy of your iris won't clash with anybody else's.

And so it's not surprising. The weak part is that it relies on essentially a photo that's captured by the phone.
GRAHAM CLULEY
And the weak part is that the marketing material keeps on trying to present this kind of protection to people as being, you know, really airtight.

It says you can finally trust your phones are protected. And I'm thinking, well, I'd rather have a PIN or a decent password on it.
CAROLE THERIAULT
Do you know what?

I am sure someone inside came up and said this could be done, and they probably— I mean, they must have known this was a possibility if you're doing this and you're building a kind of security iris scanner.
GRAHAM CLULEY
Well, the thing is, any nerd is going to try this, right? It'd be one of the first things you would try if you were building this kind of technology.

You'd be thinking, exactly, what happens if I've got a decent printer? And in this case, they've combined it with a contact lens as well, in order to unlock the thing.

So it wouldn't be surprising, but I guess these things are still being developed because they're cool.

And they're the kind of things you want to show off to your friends, say, hey, look, I can just look at my phone and it unlocks.
PAUL DUCKLIN
I wonder if you even need a printer or whether you could actually do a similar thing by actually taking the photo of somebody's eye and then displaying the photo on the screen of your phone, and you could put the little distortion lens on it and holding that up.
GRAHAM CLULEY
Or maybe with mirrors, maybe you could, if you had assembled the right collection of mirrors in place, maybe you could.

Then sort of somehow, and something which— a magnifier as well. Maybe then you could get— I'm getting a little bit carried away, aren't I?
CAROLE THERIAULT
It's the first time, Graham.
PAUL DUCKLIN
It's the first time. Graham Angus MacGyver.
GRAHAM CLULEY
Well, I've got another biometric kind of story for you as well.
CAROLE THERIAULT
What, two for one? A BOGO?
GRAHAM CLULEY
I know, I know. I just felt like doing it. Some Australian researchers, right?

So first of all, we've decided, all right, so we're probably not going to use our irises because it turns out that's no good at all, despite what some are telling you.
PAUL DUCKLIN
It's not no good if you're using it in conjunction with something else. I guess as a second factor, it's kind of better than nothing.
GRAHAM CLULEY
Okay.
PAUL DUCKLIN
But yeah, and like with the fingerprint scanner, but I agree with you, I'm going to stick to my lock code because I kind of feel a bit safer with that.
GRAHAM CLULEY
So a bunch of Australian researchers have created a wearable gizmo that not only generates power through the kinetic energy as you're sort of waddling down the high street, cool, cool, but it also turns your gait into a supposedly unique authentication.

Okay.
CAROLE THERIAULT
Yes. Now I've heard this actually. I've heard that everyone's walk is very unique.
PAUL DUCKLIN
Yeah, I think it's been used in court cases before as an evidence from video that this, you know, they couldn't make out the guy's face, but the way he walked was sufficient to remove some doubt.
CAROLE THERIAULT
I've seen this on Forensic Files.
PAUL DUCKLIN
Oh, well, there you go.
CAROLE THERIAULT
Exactly.
GRAHAM CLULEY
Oh, well, I remember, I think it was in the early 1990s, I remember a few college friends were always teasing me because they claimed that I walked like the Hofmeister bear, who was a popular mascot for a beer in the early 1990s.
PAUL DUCKLIN
When you said Hofmeister, I thought you meant The Hoff.
GRAHAM CLULEY
That's all, if only.
PAUL DUCKLIN
My mind was boggling a wee bit there, Graham.
GRAHAM CLULEY
Oh, can you imagine him jumping into his Knight Rider car?
CAROLE THERIAULT
Oh, yes, no, the leather jacket, the hair. Let's get—
GRAHAM CLULEY
Let's get— oh, please don't put me off everything. Let's get back to Password B.
PAUL DUCKLIN
Okay, go, go, go. I'd rather talk about your mullet, Graham.
GRAHAM CLULEY
According to CNET— I'm not going to let you distract me— according to CNET, the device monitors the pattern of power generation caused by the gait's kinetic energy. As the movement creates small dips and troughs in the amount of energy being generated, the device is able to resolve it into a unique signature.
CAROLE THERIAULT
You just stole that because you had no idea how to say that.
GRAHAM CLULEY
Well, it was so beautifully written by CNET. So the obvious thing to do is work out, well, how unique are these signatures? And so what they did was they got a bunch of imposters.

So they got some devices which had already been linked to particular people with particular walks, and then they asked people, can you try and mimic their walk to see if you can get into the device?

And apparently some people managed it 13 times out of 100. So 13% of the time they were able to bypass the authentication method by sort of mimicking the walk-in.

You know, now clearly that's not good enough, right? They're going to have to keep on refining this technology if they're going to be serious about rolling it out.

But it suggests that the developers are on the right path.
PAUL DUCKLIN
Oh dear golly. Was that where you were leading up?
CAROLE THERIAULT
Yeah, I think the whole story, I think the whole reason Graham brought up the second kinetic walk path.
PAUL DUCKLIN
Yeah, actually it's interesting because when you told me about that just before we started recording, I was— I first, when you said it detects your gait, I imagined it was something to do with the gate at the end of your driveway going up to your house when you open.

So you can tell the way someone opens the gate whether it's friend or foe.

But actually, when you said it meant gait as in G-A-I-T, I was figuring, I wonder how you extract that information, because all I've read about gait recognition before, as far as I know, is related to video, where you actually look at it, and I suppose you digitize how the points move like you would for animation software and so forth.

I was wondering how they do that when it's measured. It's a thing that you carry that you measure. I'm doing power generation.

I don't know whether you have to wear something that straps on either side of your knee or something. It seems like an interesting way to do it.

But I just wonder how much significance there is in that data. Do you get an 8-bit checksum or a 32-bit? Or how much do you get out that allows you to kind of milk it?
GRAHAM CLULEY
There are some people who have very unique walks, aren't there? It's not just the Hofmeister Bear. There's John Cleese with the Ministry of Silly Walks from the Monty Python days.

Although a lot of people, of course, try and take off that walk. There's the Bangles who used to walk like Egyptians. You know, there are some unusual ones.
PAUL DUCKLIN
There are the Teletubbies, who kind of sort of boing around.
GRAHAM CLULEY
It would be no use on Daleks at all. I mean, if they were just sort of rolling around, I can't imagine that would be any use.
PAUL DUCKLIN
But I wonder what happens if you have some kind of a minor injury, like you strain your ankle, you hurt your knee, or if you're in a wheelchair, because you think with fingerprint— Yeah, well, I suppose there'd still be something unique about the way you put— the way you power with your arms.
GRAHAM CLULEY
So I'm gonna need to advise on your arms as well, or— I don't know how it's going to work.
PAUL DUCKLIN
I wonder if you need a full body suit.
GRAHAM CLULEY
But imagine you were out in the hinterland and you stumble and you twist your ankle and you can no longer walk normally, and you think, oh, at least I can call emergency services on my phone.

It's like, phone remains unlocked, phone remains unlocked because you can't generate the password anymore.
PAUL DUCKLIN
I think you'd find that there'll be a regulation requiring 999 or 911 to work under all circumstances.

I have a phone I carry, a little Mars Bar phone that I carry mainly as an alarm clock and just because it only weighs 60 grams and I don't have a SIM in it and you can always make emergency calls on that.

So I guess they've thought of that bit.
GRAHAM CLULEY
Good point.
PAUL DUCKLIN
But it does seem that your gait is more likely to be altered by immediate surroundings or recent happenings than, say, a fingerprint or an iris or—
GRAHAM CLULEY
Or if you're wearing stilettos.
PAUL DUCKLIN
As you do.
CAROLE THERIAULT
But the thing is, you're wearing it all the time, so it's collecting a lot of information, right? So I guess the longer you wear it, the more accurate it can be.
PAUL DUCKLIN
Ah, that's an interesting observation. I wonder if you have to— if it syncs back to the proverbial cloud in order to find out about recent like your sort of walky DNA.
GRAHAM CLULEY
Oh, there's privacy concerns then as well, aren't there?

They work out that on Saturday nights you tend to get the high heels on or something, or you go jogging or whatever it is that you might do.
CAROLE THERIAULT
In high heels?
GRAHAM CLULEY
Well, I have no idea about jogging.
PAUL DUCKLIN
I wonder if you could train it to recognize particular dance moves, say how you waltz or how you do a tango.

And then when you actually, for super important things, like when you actually want to pay money out of your bank account, then you do a quick jog.
CAROLE THERIAULT
It could send you push notifications. Like if you're walking purposefully, it'd be like, good luck at the meeting, Joel. Or, you know, have fun at the dance-a-thon.
PAUL DUCKLIN
You can just imagine an app like that, can't you? That it gauges your mood from your gait. And then it'll— good luck at the meeting. So that's interesting.
GRAHAM CLULEY
Let's move on. Duck, what have you got for us?
PAUL DUCKLIN
Well, I was rather intrigued. This is not an absolutely bang up-to-date story, but the message is still relevant to all of us.

It's a follow-on from I think we spoke about this last time I was on about the HandBrake app for Macs, where the HandBrake server that stored this video transcoding app, one of the servers actually got hacked.

And the crooks, instead of going in and trying to steal videos or encrypt all the guy's files, they actually poisoned the download DMG file for the Mac so that when you installed it, you still got the regular app, but you've got some secret sauce alongside it.

That almost immediately went after your keychain, which is the Mac's built-in password manager, if you like, and the browsing and web data history cache for four different browsers that it knew about: Opera, Firefox, Chrome, and Safari, as far as I recall.

And it immediately uploaded those to the crooks.

And it turned out— now, it was only up for a few days, and only people who downloaded from this one of the two servers and did an install rather than update actually got infected.

So it wasn't enormously successful in terms of its penetration. So there's no sort of WannaCry panic here.

But I use the word panic because the guy behind a company called Panic Inc., they make FTP and SSH apps and they have a thing called Panic Sync, which is a background cloud data storage service.

He actually got infected by this because he happened to install it at the wrong time. And as he said, I feel like a monumental idiot for having fallen for this. But do read my story.

What happened afterwards is almost immediately he noticed that there were alien logins to his Git account accessing his source code.

Now, we can't prove that they're related, but there's kind of a strong post hoc ergo propter hoc going on here. And what was amazing is just the speed with which this happened.

And you imagine that the reason for that is it's all automated by the crooks.

Up goes his web browsing history, up goes some kind of Git authentication token, and in go the crooks right away to have a sniffle around and grab his stuff.

So he didn't lose any data like you would in a WannaCry infection. In fact, he still had his stuff, but the crooks had it too, and they had it almost instantly.
CAROLE THERIAULT
Yeah, it's so fast.
PAUL DUCKLIN
And, you know, that's that warning that it doesn't necessarily require your stolen data to go into a queue where a human operator handles it in 45 minutes' time, or doesn't necessarily go into an underground forum where anybody else might buy it in two weeks' time.

Although both of those things could clearly happen.

But in many cases, it does look as though this is— there's a kind of industrialized cybercrime machinery behind this sort of malware.

Grab your credentials as soon as you've got them, particularly say if it's a login token, it's only going to be valid for a little while.

So go in right away and just see what you can get because everything's got that bit of value to the crooks these days.
GRAHAM CLULEY
Yeah, I guess they know strike while the iron's hot because every minute that goes past may be a chance for their victim to take action to try and lock you out of accounts and to change passwords.

And so maybe again, it's no surprise that these things are becoming so automated in their exfiltration of data.

So our message to Mac users is don't think that criminals are turning a blind eye to you.

Although most of the malware we see is written for Windows and then maybe Android, Mac users are being targeted as well. You should be running security software.

You should be following best practices to keep your systems defended and protect your data because you could be next. Oh, how about this?

It looks like a sponsor slot has just popped up, and it is my pleasure to thank Iovation for sponsoring this episode of Smashing Security.

Iovation is a company that creates authentication and fraud prevention solutions, helping to secure businesses while making it simple for users to log into their favorite apps and services.

And they have a new mobile multifactor solution called LaunchKey that can be built into your mobile apps, websites, and online services, providing a simple, streamlined remote login function.

It promises a path to a passwordless future and provides a way to stop storing user credentials, meaning you won't have to live in constant fear of your users' details being hacked and the consequent damage to your brand.

You can even white label Iovation's LaunchKey to fit in with your brand. Now the great news is this: Smashing Security listeners can benefit from a free demo of LaunchKey.

Just visit demos.launchkey.com to try it out. And thanks very much to Iovation for supporting the show. Duck, it's always a pleasure having you on.

Carole, take us— what have you got for us?
CAROLE THERIAULT
Oh, I only have a teeny tiny story because I hurt my finger.
GRAHAM CLULEY
Oh, you poor thing.
CAROLE THERIAULT
Okay, so I want to talk about the Canadian economist and governor of Bank of England and chairman of G20 Financial Stability Board. Do we know who I'm talking about? Mr. Mark Carney.

So he was duped in an email prank, and I wanted to talk about it for two reasons. One, to talk about email security and watching out for pranksters like this.

But also, he came out looking quite not bad out of this, I think, and I want to get your opinion on that. Okay, so here's what happened. So Mr. Carney receives an email from Mr.

Habgood. Now, he happens to be the court of the Bank of England, and he gets it from his personal email address, . Now, turns out, of course, that's not Mr.

Habgood's email address, and it was a prankster that was using it, and he started an email exchange with Mark Carney. Now, it was quite interesting reading the thread.

The thread's been, of course, all published now on Twitter. And the thread opens up referencing Jane Austen because she's going to be on the new £10 note.

And there's conversation about it because apparently they've prettified her for the bill.

So there's a few articles out there showing this is what she really looked like and this is how she's been prettified.
GRAHAM CLULEY
They've airbrushed her.
CAROLE THERIAULT
They've airbrushed her.
GRAHAM CLULEY
In case anyone thought, oh, I won't use a £10 note because she's not quite pretty enough. Why would they? Why would they do that? It's Jane Austen, for goodness' sake.
CAROLE THERIAULT
Yeah, she hasn't earned enough in legacy. She has to also have a bit of rouge on.
PAUL DUCKLIN
I'm going to show my ignorance here that I don't know when she was born and died. So she lived in the photograph, the daguerreotype era, did she?
CAROLE THERIAULT
No, they didn't photograph her. They have drawings of her, but they seem fairly accurate. In our document, I threw in a few images so you could take a look if you want to comment.
PAUL DUCKLIN
If you're working off artists' impressions, then aren't you allowed to artist impression your artist impression?
CAROLE THERIAULT
Well, they certainly did, and they've made her look very pretty. So there's a little bit of argument about that, and people are talking about it.

And this is how Anthony Habgood, the email prankster, started the conversation, saying—
GRAHAM CLULEY
He wasn't really Anthony Habgood though.
CAROLE THERIAULT
No, no, no, it wasn't really the chairman of the Bank of England, right?
PAUL DUCKLIN
So yeah, I guess that's quite a cool thing to choose, isn't it?
CAROLE THERIAULT
Because it's exactly—
PAUL DUCKLIN
It's not real, it's not really business. You don't have to know all this about economics, but it's stuff that's the relationship between the Bank of England and the public.

It's kind of an issue. And so it's quite a cunning choice.
CAROLE THERIAULT
Exactly, exactly. So I think that's how we establish trust very quickly.

So even if Mark Carney might have gone, I've never received an email from his home address before, the first opening line kind of talking about Jane Austen's face but not saying that— so what he writes is, apparently her face resembles that of someone who had a bracing martini.

You know, I prefer Scotch myself. So it has a kind of tone of camaraderie and authority.

And so anyway, Mark Carney fell for it and responded back, but just said that he'd have a few martinis.

So there's nothing, you know, it makes reference to Eddie George, who was the Bank of England head, what, in the '80s, '90s? Yeah.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yesteryear.

Anyway, so the conversation goes on, and then the prankster, who's pretending to be Anthony Habgood, starts saying, "Can you come to a party?" He says, "You'll have very pretty ladies there." And he'll keep the glasses low down, so that you can kind of see their enchanting dexterity.

And Carney basically closes down the conversation right there and then.
GRAHAM CLULEY
It's a little unprofessional, isn't it?
PAUL DUCKLIN
At that point, is that a prank? Or is it going a little bit beyond that?

I mean, is that— I suppose you're not trying to obtain money by deception or anything, so I presume it's not a criminal offense.
CAROLE THERIAULT
I'm really glad you bring that up, this whole idea of prank, because this guy who's doing this, this is not the first time he's done this.

He's also done this to the CEO of Barclays, or the president of Barclays, a few weeks ago. So he's calling himself email prankster.

So it's a self— he's self-titled himself that, and then the press have grabbed onto that title.
PAUL DUCKLIN
Yeah, he's not going to call himself low-grade phisher, is he?
CAROLE THERIAULT
Right. And that's what he's doing. And that's exactly what he's doing. And then he's publishing all this.

And he's using the excuses, look, I'm trying to tighten security because if I can get into the Bank of England and make the head of Bank of England look like an idiot, then shouldn't we look at this?

So some people are arguing this is a good idea. What do you think?
GRAHAM CLULEY
Well, I don't really like these sort of— it's not really phishing because he wasn't after a password or something like that, but he certainly was trying to embarrass these chiefs of the banks by being a little bit lewd and all the rest of it.
CAROLE THERIAULT
And you bet your bottom dollar he probably would have published whatever he could get his hands on. Yeah, right?
GRAHAM CLULEY
Yeah, so the whole conversation is out there now on the web for people to go and have a look at.

But I just think if email security needs to be tested, shouldn't it be done with the permission of the organization itself rather than—
CAROLE THERIAULT
Graham.
GRAHAM CLULEY
Everybody could launch these kind of things.
CAROLE THERIAULT
You've just fallen into my trap though, Graham, because didn't you open this whole podcast talking about the Samsung and talking about people trying to break that security?
GRAHAM CLULEY
Well, that's not breaking— let me think. It's not breaking—
PAUL DUCKLIN
I think that's a bit different, Carole. You've got this technology that has been pitched as airtight, and it's the security process between—
CAROLE THERIAULT
Oh, Duck to the rescue—
PAUL DUCKLIN
Between the individual, the person who bought the phone, and the operating system.
CAROLE THERIAULT
Yes, that's true.
PAUL DUCKLIN
In other words, it's a little bit— I'd say that that's more like you take a version of Windows and you decompile some of the stuff to see whether there's a bug in SMB, for example, and you find that there is.

That's kind of uncovering an exploit.

That's a little bit different from then taking that exploit and using it against someone so you can say, "Ha ha ha." I think there is a difference between the two.
CAROLE THERIAULT
And he's arguing, he's arguing, our prankster here is arguing that he's trying to show that the Bank of England is not as secure if he can infiltrate via email like this.
GRAHAM CLULEY
This.
CAROLE THERIAULT
So, you know, that argument I think does hold some water.
GRAHAM CLULEY
Well, I think he showed that a few weeks ago with the Barclays thing.
CAROLE THERIAULT
And he showed it. Yes.
GRAHAM CLULEY
I'm not sure why it's necessary to show it again with the Bank of England thing. I mean, it's—
CAROLE THERIAULT
I think to drive the point home. I mean, I'm just going to play devil's advocate. I think he's getting the point home.

And I suspect people are going to start thinking about internal pen testing and looking at phishing simulations, right, and trying to just test, get their employees up to scratch on that, to be aware of these things.
GRAHAM CLULEY
What I would hate is if hundreds and hundreds of people started sending off these sort of emails to CEOs up and down the country and people are having to deal with this.

You know, you get enough spam and nuisance messages.
CAROLE THERIAULT
100% agree. 100% agree. 100% agree.
PAUL DUCKLIN
Yeah, I suppose not everyone's going to do it and you can argue that if somebody is, you know, essentially, if you like, a public figure as important as the head honcho of the Bank of England, then if it were to have been shown that he was like a drunken, crazy, sexist chap, that would have kind of been in the public interest.
CAROLE THERIAULT
Yeah, and this is not—
PAUL DUCKLIN
Clearly in this case he passed. It seems like he passed the test with flying colours.

He smelled, you know, he wasn't going to respond, probably figured that's not how my colleague would talk anyway.

And then you imagine— and what doesn't get shown in the so-called prankster stuff is behind the scenes— you'd imagine that they would have contacted each other and IT Security and said, hey, someone's trying to— someone's trying to impersonate you.
CAROLE THERIAULT
That's not as fun as the way I thought it.

I saw it as, you know, he's sitting there, you know, remember Terminator 2 when Linda comes around the corner and she sees Arnold Schwarzenegger coming towards her and she kind of slides across the floor pushing herself back?

That's what I imagine Carney did when he realised, going, oh God, I've been duped.
PAUL DUCKLIN
Well, it is important that it's almost like when— when he— when you— if someone does that to you and you realise that they're phishing, then, you know, they're impersonating somebody else, and that's a colleague, it's really important that you let IT security and that other person know.
CAROLE THERIAULT
Yes.
PAUL DUCKLIN
Because actually it's, you figure, oh, that's great, that's fine, you know, I didn't fall for it. But actually it's the other person's name who now risks being made mud.
CAROLE THERIAULT
Yeah, good point.
PAUL DUCKLIN
If this doesn't get reported, because imagine that he does this with the same person's name, under the same person's name several times, and he gets slightly varying responses.

Then it kind of, you could pitch that as though, well, obviously, that's how this chap behaves in real life. Otherwise, everybody would have closed off the correspondence sooner.
CAROLE THERIAULT
Well, I know that, yeah. And I know that Barclays, since this happened to them, similar situation a few weeks ago, and they've now instilled the situation.

So, every time an email goes outside the company or outside the network, there's a kind of pop-up.

Now, part of me kind of thinks I was just going to say, yes, I know it's going outside because I know it's, you know, home address. Yes, I think people just need to be more wary.

So, and this is probably going to become more popular, and this is the problem with this, is it's making it popular because he's getting press for it.
GRAHAM CLULEY
And we're talking— do you know who I feel sorry for?
CAROLE THERIAULT
Mr. Carney?
GRAHAM CLULEY
No, Jane Austen.

Because Jane Austen today, if she had a bad photograph taken from— if she was on a night out, right, you know, enjoying herself with the Brontës or something like that, you know, and someone took a photograph and she thought, "Oh dear, I look a bit bad in that photo.

Do you mind deleting it, or can you take that off Facebook?" It would have just happened.

As it is, we've got this one-line drawing of Jane Austen which is being used over and over again for us to work out what she looked like.

It could have been drawn by some completely incompetent artist who didn't capture her true beauty, and forevermore now we're thinking, "Oh, that picture of Jane Austen on the banknote, that can't be accurate.

She's far too attractive. She needs to look like this minger instead." I think it's a bit unfair on lovely Jane Austen.
CAROLE THERIAULT
Oh, what? She can only be lovely if she's good looking?
PAUL DUCKLIN
It's a good job you don't have strong feelings about it, Graham.
GRAHAM CLULEY
I actually studied Jane Austen when I was doing English literature.
CAROLE THERIAULT
One of the only books, Graham, I'm sure you studied.
GRAHAM CLULEY
I couldn't bear it. It wasn't my cup of tea at all. Didn't enjoy it. I thought it was a load of old rubbish.
CAROLE THERIAULT
That explains so much.
GRAHAM CLULEY
Doesn't it? And on that bombshell, I think it's time to wind up the podcast for another week. Thank you for joining us, Mr. Paul Ducklin from Sophos.

We greatly appreciate you being here. Thank you.
PAUL DUCKLIN
Yes, a pleasure. Thanks for having me on.
GRAHAM CLULEY
And Carole, thanks for joining us as always. And if you enjoyed the show, please subscribe to us on iTunes or in your favorite podcast app.

And if you would subscribe, then you will get every episode as it comes out.

You won't miss one in future, and you might even want to leave us a review on iTunes because it makes a big difference and means more people get to hear about the show.

Thanks for tuning in. If you like the show, tell your friends, let us know what you think.

Go to www.smashingsecurity.com and you'll find our email contact form, links to our Twitter and places like that. And until next time, toodle-oo!
CAROLE THERIAULT
Oh, and Graham, hope your finger feels better. Thanks, Graham. No problem, no problem. I was here doing the show for you even though I was injured. You're welcome. High five?
GRAHAM CLULEY
No, no, high four. High four. High four.
PAUL DUCKLIN
I've got a sore toe. Does that count?
CAROLE THERIAULT
You try typing.
PAUL DUCKLIN
Yeah, try typing with your toes. Do you know how hard that is?

Show notes:

Hosts: Graham Cluley, Carole Theriault

Guest: Paul Ducklin – @duckblog

Thanks to our sponsor:

This episode of Smashing Security is made possible by the generous support of Iovation.

iovation is offering Smashing Security listeners a free demonstration of its mobile multifactor solution product, LaunchKey, which can be built into your mobile apps, websites and online services to provide a simple, streamlined remote login function.

Visit demos.launchkey.com, and thanks to iovation for their support.

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

6 comments on “Smashing Security podcast #022: Walk this way… to defeat biometrics”

  1. Bob

    Paul Ducklin is wrong when he says he can still make emergency calls from a SIM-less telephone. He's unknowingly perpetrating an internet hoax.

    OFCOM specifically prohibit the making of 999/112 calls from mobile handsets without a SIM because of the difficulties in immediately barring repeated hoax callers.

    Therefore you *must* have a SIM in your handset in order to make a 999/112 call.

    1. Bob · in reply to Bob

      Proof, if anybody needs it:

      "Consumers must also ensure that the mobile handset from which they wish to make the emergency call contains a SIM card."* Paragraph 11.6

      They don't explain the rationale behind blocking SIM-less calls in this document but I can confirm that calls to 999/112 *do not* connect if no SIM card is present.

      *https://www.ofcom.org.uk/__data/assets/pdf_file/0016/43063/ai_statement.pdf

    2. Paul Ducklin · in reply to Bob

      I wasn't aware of that – I have been outside the UK for many years until recently. AFAIK that SIM-less emergency call restriction doesn't apply in every country – I am pretty sure that the place where I bought the phone doesn't have such a limitation. Fortunately, I have had to make an emergency call only once in recent memory (to report a bush fire that turned out to be controlled burning, but thanks for your call anyway, Sir) and I had a SIM in the phone at the time, so I do accept I don't have any evidence either way on the issue. So I will take your word for it.

      Sad comment on UK society that OFCOM felt the need to react that way, isn't it?

      (I'd be inclined to block the IMEI to suppress hoaxers of this sort, considering that in the UK you don't need ID to buy a SIM, and you can buy new SIMs much more easily than new handsets. As an aside, given current moods about surveillance, how long do you reckon before you'll need proof of identity, maybe even proof of address, to activate a new SIM in the UK?)

      1. Bob · in reply to Paul Ducklin

        Thanks for replying. I wasn't sure if you were UK-based and I did notice on your Twitter that you're down under.

        It's complicated how it started. Originally you couldn't use it SIM-less, then you could and now you can't.

        OFCOM stopped it after a substantial increase in hoax calls to 999. It is possible to block the handset by the IMEI but that can be easily changed although doing so is a criminal offence.

        Normally the exchange operator, who answers the 999 call, transfers the call to the relevant emergency service (fire, police, ambulance, coastguard, mountain rescue) and they relay the CLI to the emergency service orally. Nowadays CLI details are relayed electronically along with name and address and a precise/approximate location.

        To bar a SIM is trivial for the emergency services but to bar an IMEI is much more difficult because there's no single UK registry of IMEI numbers (apart from lost or stolen) which can be used to prevent calls from being made.

        Imagine if a high-profile VIP somehow had their IMEI captured using a stingray and a number of hoax 999 calls made by a miscreant using that same IMEI – spoofed on another handset. The emergency services would bar that IMEI. Then, the bad guys kidnap the VIP and leave him/her unable to call for help. It'd require a determined attacker but for a VIP target it'd be worth it for the bad guys.

        Being unable to call 999 without a SIM is a non-issue because everybody I know has a SIM in their phone. Even if they are pre-paid you can still make a 999 call without any credit, so there's no real advantage in allowing calls without a SIM.

        The SIM-less restriction doesn't apply to every country because every national telecommunications regulator makes their own decision.

        How long before you need to produce ID to buy a SIM? I'm not sure although the way things are going this may be introduced. However many calls are being made over modern technologies like VOIP services (like Signal or WhatsApp) or even TOX which can make tracing somebody virtually impossible. The metadata can be useful so that's one argument for requiring ID although Signal retain almost nothing.

  2. Michael Ponzani

    That's Monty Python's "Minister of Silly Walks"; probably John Cleese! (in silhouette). NB: I typed this BEFORE listening to the show. Bring back Benny Hill!! or someone like him. Hurray for Mr. Bean!! Or others like him; The Python, Hill of Beans Liberation Army announces a massive takeover of the Internet. We have gone underground to keep up production so we may defeat the capitalist roaders who run the world. (That was from an old VC agit-prop film in the early stages of the Vietnamese War.) I'd say more. It would not be PC.

    Wack-a-Doo, Wack-a-Doo,
    BEBBEBBE, that's all folks.

  3. Jim

    About the Mark Carney email hoax, why don't IT departments set up their own internal email testing? A memo warning staff that they would be tested at certain times could be issued so they would be more aware of their own security.
