Smashing Security podcast #008: ‘I’ll give you my Android when you pry it from my cold, dead paws’

Three security industry veterans, chatting about computer security and online privacy.

Graham Cluley

Join me and fellow computer security industry veterans Vanja Svajcer and Carole Theriault on the “Smashing Security” podcast, as we have another casual chat about the world of online privacy and computer security.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Hey, Carole.
CAROLE THERIAULT
Graham, I think we need to tell everyone that the sound quality on this podcast is not as good as our previous ones.
GRAHAM CLULEY
I know, it all kind of went a bit wrong, didn't it?
CAROLE THERIAULT
Yeah, and I think you need to apologize because it was your fault, wasn't it? It was, right? You know it was.
GRAHAM CLULEY
Yeah, it was. I kind of messed up a bit.
CAROLE THERIAULT
And you're sorry.
GRAHAM CLULEY
I am sorry, but you know, I still think it's worth putting out. Don't you?
CAROLE THERIAULT
Okay. Yes. Well, if people think it wasn't, let us know. All right. On to the show.
Unknown
Smashing Security, Episode 008: I'll Give You My Android When You Pry It From My Cold, Dead Paws, with Carole Theriault, Vanja Švajcer, and Graham Cluley.

Hello and welcome to another episode of Smashing Security, episode 8 for Thursday the 16th of February, 2017. And I'm joined by my chums. Hello, chums.
VANJA ŠVAJCER
Hi, Graham.
CAROLE THERIAULT
Hello.
GRAHAM CLULEY
That is Vanja Švajcer of course. And the three of us will be chatting about some of the stories which caught our eye this week in the world of computer security. And I—
CAROLE THERIAULT
It was a bit dry out there, you know, in terms of news. Everyone's at RSA, I guess.
VANJA ŠVAJCER
Could it be because of the RSA Security Conference?
GRAHAM CLULEY
That's right. So for those who don't know, probably the biggest security conference of the year is taking place right now in San Francisco.
VANJA ŠVAJCER
Or is it a conference or is it a fair, trade fair? Yeah.
GRAHAM CLULEY
Well, there are a lot of talks, aren't there?
VANJA ŠVAJCER
Forgive me for being slightly sarcastic about it.
GRAHAM CLULEY
It's, you know, it's so nice not to be there for once, isn't it? They're all over there.

And a lot of security firms, they sort of save up their research or they say, oh, we've discovered something new and come coincidentally, it's just during the RSA show when there'll be lots of security journalists around to talk about it.

So quite often there's a bit of a drought just before the RSA show and then it all happens this week.
VANJA ŠVAJCER
Yeah. And you need at least one scandal as well during the RSA.
GRAHAM CLULEY
Oh, there is. Have you heard? There is a scandal going on right now.
CAROLE THERIAULT
Tell me, tell me.
VANJA ŠVAJCER
Is there?
GRAHAM CLULEY
Well, there's a scandal between a security firm called CrowdStrike and a testing agency called NSS Labs. Oh yeah, we know that. And it is handbags at dawn.

Basically, NSS Labs have tested CrowdStrike's product, and CrowdStrike aren't terribly happy about that.

They haven't been very happy with the testing methodology which NSS Labs uses.

And, you know, to be fair, I think both companies have sometimes been embroiled in some controversy, both the testing agency and the security firm as well. So who knows who's right?

But CrowdStrike went to the courts and tried to silence NSS Labs. And what a fantastic way to give it an awful lot more attention to a test that you didn't want people to read.
VANJA ŠVAJCER
Yeah, I think it's not a very wise move on the CrowdStrike part, really.
CAROLE THERIAULT
On what, on CrowdStrike's part?
VANJA ŠVAJCER
Yeah, yeah. I mean, why would you go and sue?

The best way, in my opinion, to go around or against this is yes, some tests are this, but we also have a list of other reputable testers that tested our products, and here are the results that are so much better than in this case.
CAROLE THERIAULT
Yeah, this is a topic we should probably talk about at some point, you know, in depth because there's a lot of tests out there that maybe some would call pay-per-plays, which may not give a true representation of how products work.

And if you're not in the industry, how are you supposed to tell which ones are good and which ones are bad?
GRAHAM CLULEY
Anyway, NSS, CrowdStrike, who knows what is going to come of that? Maybe we'll find out in the weeks to come as people pore through the tests.

But I think there will continue to be a lot of antagonism between security companies and testing agencies, or at least some of the testing agencies and some of the security companies for some time to come.

Going forward, topics for this week. I've got something I want to get off my chest right now, and it is Donald J. Tru— can you guess?
VANJA ŠVAJCER
No.
CAROLE THERIAULT
The current president, the current US president.
GRAHAM CLULEY
Current United States president has been making the news for a number of reasons, and one of the things which has happened right now is people are getting more and more concerned about whether he has his own private insecure Android phone.

Now, we know that Donald loves to tweet, right?

Oh, actually, you know, he has a very active Twitter account, but it's interesting, he has said in the past that he doesn't actually tweet very much himself.
CAROLE THERIAULT
He's said a lot of things in the past.
GRAHAM CLULEY
Yes, yes, indeed he has. But he said in the past that he chooses to dictate tweets to an assistant who then types them in. Now, how that would—
VANJA ŠVAJCER
Well, how else would I do it? I do it as well at home, exactly the same way.
GRAHAM CLULEY
Is that what Mrs. Švajcer does for you?
VANJA ŠVAJCER
Yes, exactly. Andriana, please write this tweet. Retweet Smashing Security.
CAROLE THERIAULT
Why wouldn't you just use the microphone if that were the case? Wouldn't that be easier?
VANJA ŠVAJCER
What if you misspell something or if you have a thick Eastern European accent and the computer doesn't understand anything what you're saying?
CAROLE THERIAULT
Oh, poor Vanja.
GRAHAM CLULEY
Poor Vanja. It is sad, isn't it? It is sad. But anyway, so there's a lot of concern about whether he has an insecure smartphone. This has been swirling around for a few weeks now.

And there was some digging around done by Android Central, who did a little investigative work. They took a close look at some photos of the US president.

And there he was holding in his little paw, his Android phone. And they sort of, you know how it is on CSI and things like that, right?

Where you enhance the picture, you blow it up to try and work out what kind of phone is that. So it's like enhance, enhance.
CAROLE THERIAULT
I love it.
GRAHAM CLULEY
And they eventually determined he's probably got a Samsung Galaxy S3.
VANJA ŠVAJCER
Oh, I had that one too.
GRAHAM CLULEY
Did you? Yes. Oh, interesting. That's one of the models which didn't blow up, right? Didn't actually catch fire of its own accord. It was pretty good.
VANJA ŠVAJCER
It was pretty good while it lasted. Now I'm on the dark side of the spectrum.
CAROLE THERIAULT
The dark side.
VANJA ŠVAJCER
Oh, the Apple-y thing.
GRAHAM CLULEY
The Apple-y thing.
VANJA ŠVAJCER
Yeah.
GRAHAM CLULEY
Well, the Galaxy S3, the Samsung Galaxy S3 came out in 2012 and the last firmware update it received, software update for security patches and things like that was mid-2015 when it got updated to Android 4.3 Jelly Bean.

And of course that is not the latest and greatest version of Android. It isn't patched against all of the vulnerabilities.

It may not be considered necessarily a terribly secure phone if— and I have to stress if— someone was determined to get into it.
VANJA ŠVAJCER
Yeah, I remember that Samsung is not being that great in terms of publishing all these up-to-date security patches, as for example Google with all the Google phones, the Nexus of the world.
GRAHAM CLULEY
Well, I think in recent years Samsung have got better actually in terms of updating some of their devices.

I think they've learned from some of that in the past, but there is a worry that if there's a poorly protected phone being held by the US president, is it possible at all that some people might want to target that phone?
CAROLE THERIAULT
Okay, okay, but there's another way to look at this.

Maybe, as he is the US president, right, maybe he can say, 'Look, I really like this old handset, but I really want the upgraded version inside. Can you make that happen, please?'
VANJA ŠVAJCER
Maybe he likes his separation of home and work. Can that happen for the President of the US? So just, now I'm at home.
CAROLE THERIAULT
I haven't seen a lot of evidence about that yet.
VANJA ŠVAJCER
He's bringing his bring your own device to work.
GRAHAM CLULEY
Yes, he is. And wouldn't it be a shame if that BYOD device was actually a spy in his pocket knowing his location? And potentially, it's interesting. There's been a presentation.

Here we go again at RSA this week.

Google security engineers stood up and said, look, yes, we've had huge vulnerabilities like Stagefright, but they're saying nobody ever actually got exploited by that.

You know, they've seen no evidence.
VANJA ŠVAJCER
That's a curious claim. I have read about it.

And many times we criticize at the security companies, criticize Google about all the insecurities in Android and the number of malware that's out there. But they always deny it.

They basically deny any kind of malware.
GRAHAM CLULEY
I mean, to my mind, there is no doubt there's much, much more malware.

I mean, huge amounts of malware for Android, although much of it may be based around downloading apps from Chinese app stores or unapproved apps.
CAROLE THERIAULT
Are you saying there's much more malware for Android than other types of mobile OSes?
GRAHAM CLULEY
Mobile OSes, yes.
VANJA ŠVAJCER
Yeah.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
Absolutely.
VANJA ŠVAJCER
Well, Android is the only one that actually opens the phone to third-party stores. And this is where the threat is coming from, not necessarily from Google Play.

Google Play, you get a campaign here and there, some malware, some annoying adware happening, but—
CAROLE THERIAULT
But there's a vetting process, I guess. There's a much stronger vetting process.
VANJA ŠVAJCER
Maybe not as strong as on iPhone store.
GRAHAM CLULEY
It doesn't seem to be as strong as what's happening on Apple. And that's one of the reasons why I prefer to use an iPhone rather than an Android device.

But even if you accept Google's claim this week that even though Stagefright was a huge vulnerability on Android, people weren't getting exploited on it, you've got to say to yourself, well, maybe that's true, but what about targeted attacks?

And that's where Trump comes in, right? Because he has to have in his little paw there one of the most widely prized devices on the internet for hackers.

He's going to be a top target for intelligence agencies around the world.

So if that device is vulnerable to bugs like Stagefright, it doesn't matter that millions weren't infected by Stagefright, he could be at risk.

And that is why, I imagine, this week we've had two senators, admittedly Democrats, who've written to the Department of Defense saying, we want details. Has he got this phone?

Has it been properly secured? What's being done to make sure that the phone the president is using has not been compromised in any fashion and is not being spied upon?
CAROLE THERIAULT
Oh dear. This is just—
VANJA ŠVAJCER
Of course there would be Democrats.
GRAHAM CLULEY
I think we do need clarity around this. I think it would be great to know that his device is properly secured.

If nothing else, we want to know that those tweets that are being sent out really did come from the main man in charge and not some hacker, because sometimes it can be a little bit hard to tell who might have done the tweeting.

You can't necessarily tell from the tweet itself, right?
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Anyway, moving on. Let's, Vanja, what have you got up your sleeve for us?
VANJA ŠVAJCER
Okay, this week I have a truly scary story, or is it, right?

Guys from Kaspersky were working on one of the incident response processes on one of the banks, and they discover this truly interesting piece of malware or an attack they used.

The attackers used malicious code, which actually hasn't existed as a file on the computer. So we are talking here about so-called fileless malware.

And some of the news sites picked it up as a very important story.
CAROLE THERIAULT
Fileless malware.
VANJA ŠVAJCER
Yes. So basically, you know how on computer, you have files and folders, Word documents, executable files.

So typically, a malware which comes to your machine as an attachment or somewhere from the web comes in the form of one of the files.
CAROLE THERIAULT
Okay.
VANJA ŠVAJCER
So when you run it, it's an EXE file or it's a JavaScript file, VBScript. When you double-click on it, it runs and then a process in memory is created, right?

So many people believe, I think still, that anti-malware companies are only scanning files and nothing else.

So they only inspect files when the files are created and when the files are open.

So there's this idea that if you create a malicious code or you have malicious code which doesn't have a file on the hard drive or on the computer, you'd be able to evade all detections that's out there.

But this is really, you know, Graham, you remember Code Red?
GRAHAM CLULEY
I do remember Code Red, yes.
VANJA ŠVAJCER
Of course. But because that was, can you imagine it was 16 years ago. Yeah, unbelievable.
GRAHAM CLULEY
Okay, I don't remember Code Red. No, I was too young, Vanja. Tell me about it.
CAROLE THERIAULT
I'm sure you're still in diapers.
GRAHAM CLULEY
I'm sure you remember it like it was yesterday, just like the Crimean War.
VANJA ŠVAJCER
If I remember correctly, there was some vulnerability in Microsoft SQL Server which allowed this really tiny piece of code which is less than 500 bytes to run and only exist in the memory of Microsoft SQL Server process and then spread from a computer to a computer by exploiting the same vulnerability in other machines.

So the idea, I remember we were shit scared at the time because as an anti-malware company at the time, we really inspected only files.
CAROLE THERIAULT
File-based malware, right?
VANJA ŠVAJCER
Exactly. So this was a non-file-based malware and how do we stop it?

The only way to stop it at the time was just to recommend everybody to apply the patch as soon as the Microsoft came out with the security patch.

So since then, you know, it was a long time ago, there were other types of malware that appeared as fileless malware.

There's some kind of organized, possibly country-sponsored groups that use those kind of malware.

But there are also typical information-stealing malware that can come to your machine without a file.

When they say without a file, there's still a representation of that malware on the hard drive and in the memory.

So usually the malware uses registry, which is a database on your Windows machine that contains a lot of settings for all the applications.

And it also allows some programs to run as soon as you boot the machine.
GRAHAM CLULEY
All right, Vanja, thank you.
VANJA ŠVAJCER
Yeah.
GRAHAM CLULEY
That's great. It's a bit nerdy, isn't it? I mean, should people... So are you saying we need to worry about this or not? Are these stories overhyped?
VANJA ŠVAJCER
They're overhyped to a point. Right. There is a definite risk of being affected by this kind of malware.

I think the guys from Kaspersky were stressing the fact that they find this in banking IT departments or banking sites.

And they were saying that banks perhaps are not equipped to deal with this kind of attack yet.

However, you know, most of the endpoint protection software these days can and does inspect memory and registry.

And of course, doesn't just work on inspecting the content, but also the behavior of the system.

So, you know, it's pretty much your everyday work for anti-malware companies these days to deal with fileless malware.
GRAHAM CLULEY
But in summary, fileless malware isn't a new concept. It's been around for over 15 years. Antivirus software has developed in those 15 years.

It's doing much more than just examining the contents of files.

As you mentioned, antivirus, for instance, is looking at the behavior, what's going on on your computer, and trying to intercept that and stop things like that.

As with any other kind of malware attack, obviously you need to keep your antivirus up to date and make sure that it's properly defending against these kind of things.

And banks obviously are in the front line because they have so much to lose.

Typically, though, banks are pretty well secured against things, but they need to keep on top of these threats.
VANJA ŠVAJCER
Absolutely. And of course, they have all the logging in place so they can actually detect whatever happened in their system. So it's not just anti-malware software used.

They use from network to the endpoints, all sorts of layers that allows them to detect when something happens within the organizations.
GRAHAM CLULEY
Carole, what has grabbed your interest?
CAROLE THERIAULT
Well, I am going to talk about Facebook. So do you guys remember this tool called Graph Search or Graph Searcher, something called that? It was launched in 2013 by Facebook.

And it was this—
VANJA ŠVAJCER
I'm not a huge Facebook user, so, but it does sound interesting.
CAROLE THERIAULT
Well, it basically was kind of a Google for Facebook, a big data tool that would basically give you a user-specific search engine.

And it's collated from all the billion users they have and external data, et cetera, et cetera.

So this caused huge media, you know, media went around going, now that this graph search has been launched, you know, this is how you protect yourself.

There was a lot of concern about in terms of privacy, because it really did allow some deep dives into Facebook users.
GRAHAM CLULEY
Because you were able to sort of use an English, in regular English language, weren't you? Put in search terms to search for things.

So you could, for instance, I imagine I could look for I don't know, single people in my village who are under 30 years old or something like that.
CAROLE THERIAULT
Right, exactly. And people did a lot of, at the time, try to show how invasive this was.

There was one search, for example, it was called mothers of Jews who like bacon, just to show what could actually be displayed, which is pretty outrageous, right?
GRAHAM CLULEY
So, can I just correct you there? It's not outrageous to like bacon.
VANJA ŠVAJCER
That's what you think?
CAROLE THERIAULT
I would definitely agree with that.
VANJA ŠVAJCER
Not for everybody though.
CAROLE THERIAULT
You know, everything kind of went quiet about this tool and I think you'd be forgiven to be thinking that this had been decommissioned, but it actually just moved into the shadows and we have a Dutch bounty hunter and self-professed ethical hacker who's shining a spotlight on it with his tool called StalkScan.

So the idea here is just to show you just how much information a particular user is showing on their Facebook profile, and how much information can a third party actually just get to find out about that person.

So effectively, you've got a homepage, you put in the profile, you know, the URL of the person you're wanting to look up.

And using Facebook's API, it'll go and give you all the information they can find.

I think it's quite, you know, so I did this with a few people and it's quite scary what you can find out even from people that you would assume are quite secure.
VANJA ŠVAJCER
Yeah, so it is pretty scary. So this tool is actually a free tool that everybody can use?
CAROLE THERIAULT
Yes, well, it's just a web page at the moment.
VANJA ŠVAJCER
And yeah, because if I remember, there are some, I think, paid for tools that, you know, allow some of the agencies, let's say, to try to find the similar information.
GRAHAM CLULEY
Yes, they do exist. But this is a free website right now, which anyone can go to, stalkscan.com. That's right. And you can go there and just enter anybody's URL to their profile page.

And I've just done it just now to my own Facebook profile page. I'm not an avid Facebooker by any means and I tend to be quite careful about my security and privacy.
CAROLE THERIAULT
I expect you would be.
GRAHAM CLULEY
But I still see some things which I'm kind of grumpy about. And I'll tell you what's happening in my particular case.

One of the things that I've never really liked about Facebook is that people can tag you in photographs, right?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
And no one likes that because everyone's all "oh look, I don't look very nice in that photograph." People want to have some sort of vetting as to what photographs end up of them on Facebook.

Now, the way Facebook works and the way I've set up my privacy settings, if someone tags me in a photograph, it sends me a message saying, "Graham, do you want to put this on your timeline or do you want it to appear automatically?" And I'm "no, I don't want it to appear on my timeline." But what I can't do is I can't prevent my friend from uploading that photograph, putting it on their timeline, and still tagging me.

The only way I can remove that is if I actually go and ask the person, "do you mind untagging me from that photograph? Would that be okay?" Which of course you're never going to do.
VANJA ŠVAJCER
No.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And this tool, if I put in my details into stalkscan.com, you can see those pictures which I've sort of said, you know, I don't really want up there because someone has tagged my name in them.

And that really pisses me off.
CAROLE THERIAULT
Well, you've stolen my thunder. That's exactly— that is exactly the problem.

Even if you're locked down, there is still information out there because people tag and you have no control over that. And that's exactly a big problem, I think, with Facebook.

I don't like that either.
VANJA ŠVAJCER
Yeah, just unfriend everybody.
CAROLE THERIAULT
Well, so this is what's interesting. So the amount of information you see when you're using StalkScan depends on the relationship you have with a particular person.

If it's yourself, obviously you've got quite a strong relationship. I'm sure in your case, Graham, it's best buds, BFFs.
GRAHAM CLULEY
I love him. Love him. Yes. Yeah. Well, actually, actually, it's kind of complicated.
VANJA ŠVAJCER
It's a complicated relationship.
CAROLE THERIAULT
And also, obviously, it depends on the security settings that are set in the profile.

So I think a few tips are just— I think people should maybe have a go at this and just have a look, even if they think they're pretty secure, just using your example you've given, Graham, I think, you know, you're pretty secure and I think everyone else might want to take a look.

I certainly was a bit surprised when I had a—
VANJA ŠVAJCER
But we still can't do anything about it because the graph is out there and then, you know, when you search the graph, you know, how do you remove? Except if you leave Facebook.
CAROLE THERIAULT
I think the big thing is the amount— so I don't think people review the friends that they are connected with very often.

And there may be people that are listed there that you have no interest in seeing, don't see anymore, the relationship is over, yet you're still connected to them through Facebook.

That means they still have a lot more access than they would if they were outside your groups.

So I'm recommending that people just take a look at their— who they're friends with and, you know, maybe do a cull if appropriate.
VANJA ŠVAJCER
Do a regular audit of your friends list.
GRAHAM CLULEY
And I think the default, whenever you post something on the social— well, first of all, your default should probably be to not post anything.

But if you are going to post something, have your default to be security locked down. You know, I'm only going to share this with my friends.

It definitely isn't going to be public rather than having to remember, oh, I don't want this one to be public, I want this one to be private.

The default should be as much privacy as you can. But of course, everything you post on Facebook, remember, this is getting shared with Facebook.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And, you know, they can get their little mitts on it and they can see it. Whether they choose to share it with others is a different question entirely.

But always be very careful about what you share.
CAROLE THERIAULT
This is advice we've been giving probably for 15 years. Always be careful with what you post, what you like, what you share, and what you comment on.
GRAHAM CLULEY
But it continues to be a problem. And you know, I think we should do a special Splinter episode sometime on some of this social media privacy.
CAROLE THERIAULT
Oh, totally agree.
GRAHAM CLULEY
And maybe specifically Facebook as well. So maybe we'll do that in the future. We can look at this a little bit deeper.
CAROLE THERIAULT
Yeah. And this is also just last thing, it might be a good tool to use to check up on your kids, but also your parents.

You know, last year there was a 14-point increase in new users aged 65+ on Facebook. And that's a huge amount, right?

So I'm not sure all of them can navigate the security settings that are currently available on Facebook, and it might be good to have a helping hand.
GRAHAM CLULEY
Okay, well, we're heading towards the close of the show.

But before we do that, we've got some feedback from listeners who've written in, telling us what they think of past episodes and some of their comments.

Martijn Grooten, friend of the show, editor of Virus Bulletin. He actually gave us our first piece of media coverage, you know. Isn't that fantastic?

So he's actually written about us and some of his other favorite security podcasts, including the SANS Daily Stormcast, which is a great one, Risky Business, and a bunch of others as well.

Go and check them out. We'll put a link in the show notes to some of those.

And he said about us, "The three presenters of the brand new Smashing Security are all past Virus Bulletin authors and speakers because we've been at the conferences and chatted there.

So I was excited to learn about their new adventure in podcast land.

Podcast is presented with a good sense of humor, which has already made it one of my favorite security shows." Well, thank you very much, Martijn, for saying that.
CAROLE THERIAULT
High five.
GRAHAM CLULEY
Good man.
VANJA ŠVAJCER
Yeah, I never say anything humorous. I'm always deadly serious.
GRAHAM CLULEY
Oh, Vanja, you make me laugh.
CAROLE THERIAULT
We have another comment from Bearded and Balding on iTunes, "The Three Musketeers of Computer Security," and he's commenting on Graham and your abilities to do accents.

Graham, your friend, he says your friends are very understanding and your accents are so bad, but entertaining podcast that helps us lesser mortals in IT.
GRAHAM CLULEY
Bad? Is that bad as in Michael Jackson bad?
CAROLE THERIAULT
Yeah, I think he means bad in a really good way. Okay, it's bad. That's so bad, man. Clearly, yeah, that's right, I'm sure they do that up north.
GRAHAM CLULEY
Yeah.
VANJA ŠVAJCER
And we have a review from Playrish on iTunes says, "Security was never such fun as this. Not always the most profound of security podcasts, but certainly the most entertaining.

That said, the discussion on ad blocks and on the pros and cons of antivirus in episode 6 were highly informative and thought-provoking.

Go watch one of the early video episodes to see their lovely simple faces.

And those images in your mind, you'll enjoy the later audio-only episode all the more." Oh, that's so great. Thanks very much.
GRAHAM CLULEY
He's suggesting people go onto YouTube because the first few episodes for people who've joined us since we did do on video as well.

He's suggesting people actually go and check those out, see what we look like.
VANJA ŠVAJCER
But it's great to connect voices with faces.
GRAHAM CLULEY
Well, it is until you see the faces.
VANJA ŠVAJCER
Oh, that's true.
GRAHAM CLULEY
You know, it's like you have this wonderful image, you think, oh, she sounds lovely, you think. And then it turns out it's like a gorgon.
CAROLE THERIAULT
It happened to me. I think I felt, when I was a kid, I think I fell a little bit in love with a DJ.

And this went on for a number of, probably years until I got to see a picture of him.

Because of course, Google didn't exist then, so it's not like you just typed it in, and I was shocked.
VANJA ŠVAJCER
And obviously DJs are chosen for their sexy voice. They are.
GRAHAM CLULEY
They are. And there's that phrase in there, "the perfect face for radio." Well, I hope you've enjoyed the show today.

I hope you've enjoyed not seeing our faces during the podcast, but you enjoyed what we were talking about.

We are on iTunes and Google Play Music and Stitcher and TuneIn and Overcast and all manner of other podcast apps as well. So please go and check us out and leave a positive review.

Or you could leave a negative review, I suppose, if you wanted to, but we'd rather you didn't.
VANJA ŠVAJCER
We'll delete that one.
GRAHAM CLULEY
Can we do that? That'd be great.
VANJA ŠVAJCER
I don't know.
GRAHAM CLULEY
Leave us a review. It'd make a big difference because it means more people get to see that we have a podcast and listen in as well. Maybe we spread the news. Thanks for tuning in.

If you like the show, tell your friends, follow us on Twitter. We're @Smashin'— without a G— Security. Smashing Security. And until next time, cheerio. Bye-bye.
VANJA ŠVAJCER
Bye.

Blurb:

Handbags at dawn for CrowdStrike and NSS Labs! Donald Trump’s insecure Android phone! File-less malware – is that so new? And StalkScan makes it easier to reveal what Facebook users have been carelessly sharing…

Computer security veterans Graham Cluley, Carole Theriault and Vanja Svajcer discuss.

Show notes

Hope you enjoy the show, tell us what you think and leave us a review on iTunes! You can follow the Smashing Security team on Bluesky.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Smashing Security podcast #008: ‘I’ll give you my Android when you pry it from my cold, dead paws’”

  1. Nima

    Hi,

    I think "Fileless attacks against enterprise networks" news is same before, lie and Ads news from Kaspersky.
