Equifax’s shambolic response to its huge data breach, a scary-sounding Bluetooth exploit, and Apple’s iPhone X comes with Face ID.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Javvad Malik.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
To find out if they've been breached. And they're saying, enter your surname and the last, I think, 6 digits of your Social Security number. Do you want to get that, Carole?
It's not mine.
Oh, it's not mine either.
It's not mine, is it?
It is.
It is mine. Who the hell's ringing me? Today's episode of Smashing Security is brought to you in part by Rapid7.
Identifying, prioritizing, and managing vulnerabilities all the way through to remediation is not only possible, it can be simple right now.
Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial right now.
Go to www.rapid7.com, and thanks to Rapid7 for supporting the show. Smashing Security, episode 42. Equifax, Blueborn and the iPhone X with Carole Theriault and Graham Cluley.
Hello, hello and welcome to another episode of Smashing Security number 42. My name is Graham Cluley and I'm joined as ever, by my good chum and co-host, Carole Theriault.
Hello, Carole, how are you?
Identifying, prioritizing, and managing vulnerabilities all the way through to remediation is not only possible, it can be simple right now.
Build a vulnerability management program that works for you with InsightVM by Rapid7. Get started with your free 30-day trial right now.
Go to www.rapid7.com, and thanks to Rapid7 for supporting the show. Smashing Security, episode 42. Equifax, Blueborn and the iPhone X with Carole Theriault and Graham Cluley.
Hello, hello and welcome to another episode of Smashing Security number 42. My name is Graham Cluley and I'm joined as ever, by my good chum and co-host, Carole Theriault.
Hello, Carole, how are you?
I am splendid today.
Lovely jubbly. And we are also joined by a returning special guest. He made a great impression on us last time with his snooker skills. It is Mr. Javvad Malik. Hello, Javvad.
Hello. Hello. Thank you for having me back.
It's our pleasure to have you back. Now, for those people who don't know you, Javvad, and what you do at AlienVault, why don't you just describe yourself?
Oh, that's always tough, isn't it? Describe yourself.
Very handsome.
5'4".
Short, fat, balding, hairy, podgy.
No, no, no, no, Javvad. It's 6'4", strapping, tall.
It definitely isn't, Carole. It definitely isn't.
Is this going on Tinder? I forgot.
But you are a security institution, basically, aren't you?
You are the video blogger par excellence.
You are the founding member of Host Unknown, and you're regularly espousing wisdom on behalf of AlienVault as well, all things computer security, right?
You are the founding member of Host Unknown, and you're regularly espousing wisdom on behalf of AlienVault as well, all things computer security, right?
That's correct. Yes.
So Mr. Amazing. Okay.
So what we to do every week, as you know, is we look back over the last week's news from the security point of view and pick out some of the topics which caught our attention.
And well, this one was pretty much a given, wasn't it? I think the security story of the last week is the enormous monumental screw-up, which is the Equifax data breach.
Now, if you're not familiar with Equifax, they are a consumer credit reporting giant.
They're the kind of company who can stop you from getting a loan or being accepted for a mortgage if you've been careless or unlucky with your finances.
And it's not so much that you are engaging Equifax. You may be going to your mobile telephone company or your mortgage company and trying to open an account or get a loan.
And they will consult a firm Equifax, and they will say, oh, what's this person's credit rating ?
And well, this one was pretty much a given, wasn't it? I think the security story of the last week is the enormous monumental screw-up, which is the Equifax data breach.
Now, if you're not familiar with Equifax, they are a consumer credit reporting giant.
They're the kind of company who can stop you from getting a loan or being accepted for a mortgage if you've been careless or unlucky with your finances.
And it's not so much that you are engaging Equifax. You may be going to your mobile telephone company or your mortgage company and trying to open an account or get a loan.
And they will consult a firm Equifax, and they will say, oh, what's this person's credit rating ?
People do do it themselves as well, don't they? They kind of want to keep an eye on their credit score. It became this kind of thing to do about 15 years ago.
Yeah, some people do, of course.
And particularly if they're trying to improve their credit rating or find out if they have a particular problem, then yes, they might well be doing it themselves as well.
But I think many people won't even realize that Equifax have been storing their details. And that's a problem.
And particularly if they're trying to improve their credit rating or find out if they have a particular problem, then yes, they might well be doing it themselves as well.
But I think many people won't even realize that Equifax have been storing their details. And that's a problem.
Yeah.
Because now they have suffered this enormous data breach, and 143 million US consumers—
That's half the States.
Yeah, it's 44% of the US population apparently have had their personal details, dates of birth, Social Security numbers, names, addresses, sometimes credit card information as well, grabbed by hackers.
Can you remember a bigger breach?
Well, there have been bigger breaches. Maybe the biggest breach of all was the one which happened at Yahoo, where something like a billion records. But this one—
Didn't they have Social Security numbers though.
Well, no, exactly. You'd be crazy to give something like that to Yahoo, wouldn't you?
But this is particularly bad because, like I said, you didn't give your information to this company.
And Equifax, one of the businesses which they're in, is in providing identity theft protection.
But this is particularly bad because, like I said, you didn't give your information to this company.
And Equifax, one of the businesses which they're in, is in providing identity theft protection.
They are—
The irony is not lost.
Yeah. They are one of those companies which, when a data breach happens, other companies will say, oh, don't worry.
Because we've signed you up with Equifax, who are going to protect you. And you say, oh, goody, goody, gumdrops.
I'd like to know they've got my information to see if it's been misused. Well, bad news. Now they've lost it.
143 million in the US, an unknown number in Canada, up to, I think it's 44 million UK consumers as well.
Because we've signed you up with Equifax, who are going to protect you. And you say, oh, goody, goody, gumdrops.
I'd like to know they've got my information to see if it's been misused. Well, bad news. Now they've lost it.
143 million in the US, an unknown number in Canada, up to, I think it's 44 million UK consumers as well.
Geez.
So it's this huge shitstorm.
As it's technically called.
And I think, as you alluded to, the difference between Yahoo and Equifax is that you can't simply just say, well, that's it, I'm going to close down my email account and move over to somebody else.
Right. Right. And furthermore, what's been taken here isn't something like passwords. It's not a case of just changing your password. It's your date of birth. It's your name.
It's your Social Security number.
Good luck changing any of those. That's going to be a bit of a pain, isn't it?
And meanwhile, the hackers potentially are taking that information and they're taking out loans in your name or they're opening up accounts in your name and your credit rating is damaged.
So fairly disastrous.
And meanwhile, the hackers potentially are taking that information and they're taking out loans in your name or they're opening up accounts in your name and your credit rating is damaged.
So fairly disastrous.
It's a nightmare.
Now, Equifax found out about this problem in late July and they—
Shut the front door.
Well, they didn't shut the back door. That's quite smooth of me really, wasn't it? It appears there was a flaw in software running on their web server which was exploited.
It then took them 40 days before going public and said, "We've got a problem here." So Equifax is asking people to sign up to go to its website to find out if they are amongst those being breached, to enter their surnames and the last 6 digits of their Social Security number.
And then they say, we will tell you if you've lost your identity or not. Now, there's a few problems with this.
One of the problems is, as ZDNet discovered, you could enter any old rubbish onto that form. You could give your surname as Test and your Social Security number as 123456.
And the system would say, oh yeah, it looks like you may have been impacted.
And sometimes you would put in the same thing on multiple attempts and sometimes it'd say, yes, you may have been impacted. Other times it'd say, no, you haven't been impacted.
So that's pretty rubbish, isn't it?
It then took them 40 days before going public and said, "We've got a problem here." So Equifax is asking people to sign up to go to its website to find out if they are amongst those being breached, to enter their surnames and the last 6 digits of their Social Security number.
And then they say, we will tell you if you've lost your identity or not. Now, there's a few problems with this.
One of the problems is, as ZDNet discovered, you could enter any old rubbish onto that form. You could give your surname as Test and your Social Security number as 123456.
And the system would say, oh yeah, it looks like you may have been impacted.
And sometimes you would put in the same thing on multiple attempts and sometimes it'd say, yes, you may have been impacted. Other times it'd say, no, you haven't been impacted.
So that's pretty rubbish, isn't it?
So it's a loose algorithm that's trying to pretend to—
With a magic 8-ball in the background.
Yeah, yeah, right.
But it's just rubbish, isn't it? Now imagine if you're British, right? So 44 million UK consumers affected, which—
That's huge. That's two-thirds.
Yeah, because the UK's only got a population of about 65 million. So frankly, all of us are screwed on this podcast. We know our details have probably been included in this.
If you go to the website, you've got a problem because us Brits don't have Social Security numbers. So how are we meant to find out?
So I went to Equifax.co.uk and I thought, oh, well, they'll have British-specific information there, won't they?
If you go to Equifax.co.uk, there is no mention of the breach whatsoever on the front page.
If you go to the website, you've got a problem because us Brits don't have Social Security numbers. So how are we meant to find out?
So I went to Equifax.co.uk and I thought, oh, well, they'll have British-specific information there, won't they?
If you go to Equifax.co.uk, there is no mention of the breach whatsoever on the front page.
You're kidding me.
But there's a very comforting picture of an attractive young woman drinking coffee in a field.
And they're saying that if you want to know about identity theft, they can sell you a solution to help you do that kind of thing. And it's, what? They've had 40 days.
And the response has been so ramshackle. It's been diabolical.
And my fundamental problem with this, I think one of the things that really annoys me about this is they are putting the onus on consumers to hear about this breach and to visit their website and to enter their information to find out if they've been breached.
Why aren't they contacting people and saying, "We believe we've lost your information"? Shouldn't they be informing us if they've lost our details rather than us contacting them?
And they're saying that if you want to know about identity theft, they can sell you a solution to help you do that kind of thing. And it's, what? They've had 40 days.
And the response has been so ramshackle. It's been diabolical.
And my fundamental problem with this, I think one of the things that really annoys me about this is they are putting the onus on consumers to hear about this breach and to visit their website and to enter their information to find out if they've been breached.
Why aren't they contacting people and saying, "We believe we've lost your information"? Shouldn't they be informing us if they've lost our details rather than us contacting them?
Okay, but how would they— okay, but think about that. So they would call you up and go, "Hello, is this Mr.
Cluley?" And you would say, "Yes," and go, "Is your security number this?" Say, if you had a Social Security number.
So how do they identify you without revealing their information, I guess.
Cluley?" And you would say, "Yes," and go, "Is your security number this?" Say, if you had a Social Security number.
So how do they identify you without revealing their information, I guess.
They've got our names, addresses.
I know they have to give your information, but what if it's not actually you? And how do you verify that they're actually legit before you hand over any information?
Oh, so you're just apologising for Equifax?
No, I'm not. I'm just saying this is a real mess.
I'm not saying— yeah, you're right. I'm not saying that this is easy, right?
I'm not saying that it's an easy thing to do, but I think the solution they've come up to is completely shambolic and seems to be very badly done.
And in the United States, it appears it's awful. There are reports now that data may have leaked in other countries as well, and there may be other problems.
Brian Krebs has written today about an Argentinian Equifax portal where people can log in apparently with username admin, password admin, and get hold of lots of information, including details of Argentinian consumers.
So it's just dreadful security appears to be in place.
No surprise then that the lawyers are queuing up to sue Equifax, they are the ones who are actually going to get rich from all this.
I'm not saying that it's an easy thing to do, but I think the solution they've come up to is completely shambolic and seems to be very badly done.
And in the United States, it appears it's awful. There are reports now that data may have leaked in other countries as well, and there may be other problems.
Brian Krebs has written today about an Argentinian Equifax portal where people can log in apparently with username admin, password admin, and get hold of lots of information, including details of Argentinian consumers.
So it's just dreadful security appears to be in place.
No surprise then that the lawyers are queuing up to sue Equifax, they are the ones who are actually going to get rich from all this.
Do you know what I don't understand? How can anyone who has that much data keep it all in one place that? You just think you divide it up.
Well, it might be, but of course there will be some sort of interface which Equifax staff and Equifax's systems use to query their database.
And that's what the criminals would have done.
They would have queried the database and unfortunately, there clearly wasn't some kind of limit as to how much information they could collect.
And that's what the criminals would have done.
They would have queried the database and unfortunately, there clearly wasn't some kind of limit as to how much information they could collect.
Yeah, I'd to download 143 million accounts. Thanks.
Well, we don't know. I mean, they might have had access for a long time. Maybe they did do it in sections. Simply don't know.
It would take a while. That's a lot of data. Boy, oh boy.
But here's a funny thing. Someone has actually set up— I said lawyers are getting interested.
Someone has set up an online chatbot which used to take action over parking tickets and things. It's been customized now.
So you can go online without involving any lawyers, and it will lead you through the process of suing Equifax for up to $25,000. No lawyers need to be engaged at all.
So technology has been put to good use.
But I really dislike the idea that Equifax's solution to this data breach is to try and get people onto their own identity theft protection program.
It's like, why would I trust you with my details?
Someone has set up an online chatbot which used to take action over parking tickets and things. It's been customized now.
So you can go online without involving any lawyers, and it will lead you through the process of suing Equifax for up to $25,000. No lawyers need to be engaged at all.
So technology has been put to good use.
But I really dislike the idea that Equifax's solution to this data breach is to try and get people onto their own identity theft protection program.
It's like, why would I trust you with my details?
So what are next steps for people that feel they may have been impacted?
Well, certainly you can try and use the Equifax user interface.
You can try and contact Equifax UK, or if you're elsewhere in the world, to find out how on earth you're supposed to query them without a Social Security number and ask what they're planning to do about it.
You may want to sign up for identity theft protection.
You can try and contact Equifax UK, or if you're elsewhere in the world, to find out how on earth you're supposed to query them without a Social Security number and ask what they're planning to do about it.
You may want to sign up for identity theft protection.
Why don't you ask them publicly on Twitter? Why don't we all say, hey, Equifax, what are we supposed to do?
I'm sure that's a pretty busy Twitter account right now, but why not? Doesn't do any harm, does it?
And I think obviously you can sign up for other identity theft protection services. The other thing you can do is you can freeze your credit rating, what's it.
David Bissett on my website has written an article all about the different things you can do which simply prevents other accounts being created and access into your credit rating, which can prevent scammers from exploiting your identity in that particular way, which could be a good response as well.
But I think most companies need to learn the lessons from Equifax because boy oh boy, their share prices suffered and to my mind, quite rightly too.
And I think obviously you can sign up for other identity theft protection services. The other thing you can do is you can freeze your credit rating, what's it.
David Bissett on my website has written an article all about the different things you can do which simply prevents other accounts being created and access into your credit rating, which can prevent scammers from exploiting your identity in that particular way, which could be a good response as well.
But I think most companies need to learn the lessons from Equifax because boy oh boy, their share prices suffered and to my mind, quite rightly too.
Doesn't this feel a bit like Groundhog Day though?
We have a massive breach, there's outrage, we say things must change, share price dips maybe for a day or two, and then 6 months, a year later, it's ancient history.
We have a massive breach, there's outrage, we say things must change, share price dips maybe for a day or two, and then 6 months, a year later, it's ancient history.
Yeah.
Which is why we really need, I think, some of these companies to get a bigger slap across the bottom, don't we? When these breaches happen, they need to feel it where it hurts.
Maybe they don't want to hear it over the bottom. Maybe they need a swift kick somewhere else.
But something needs to happen for other companies to get a very clear message that this isn't acceptable. We've got things GDPR coming along.
Maybe they don't want to hear it over the bottom. Maybe they need a swift kick somewhere else.
But something needs to happen for other companies to get a very clear message that this isn't acceptable. We've got things GDPR coming along.
We'll have to see what kind of financial penalties will come out of that.
But we can't carry on this, can we? You're right. It's Groundhog Day.
It is. With the Equifax breach, it's very difficult for anyone to tie in actual loss directly to this hack or breach, whatever you want to call it.
So if someone takes out a mortgage in my name 6 months down the road, you know, how do I actually prove that they actually got my details as part of this breach?
And therefore Equifax will be held liable for it. I can't really prove that. So the actual damage is, it's, you know, provable damage is very difficult to show.
So it becomes very difficult for any real impact to happen.
And you say, unless regulators actually step in and really hit them where it hurts, which is in the wallet, I doubt much will change.
So if someone takes out a mortgage in my name 6 months down the road, you know, how do I actually prove that they actually got my details as part of this breach?
And therefore Equifax will be held liable for it. I can't really prove that. So the actual damage is, it's, you know, provable damage is very difficult to show.
So it becomes very difficult for any real impact to happen.
And you say, unless regulators actually step in and really hit them where it hurts, which is in the wallet, I doubt much will change.
Yeah. AKA shitstorm.
I personally don't keep my wallet there. I tend to keep it to either side. But yeah, something that needs to happen. But you're right.
I mean, you said, 6 months down the line, this information could be abused in a year, 2 years, 10 years.
I mean, you said, 6 months down the line, this information could be abused in a year, 2 years, 10 years.
Yeah, because none of these numbers change. Your date of birth does not change. Your Social Security number does not change.
That's right. And so just getting a free year's worth of identity theft protection — no, thank you very much, but doesn't really fix the problem, does it? It's not very good.
So Javvad, what have you got for us this week?
So Javvad, what have you got for us this week?
Well, I'm going to try to cheer everyone up now.
Give us a cheery story, something we can feel really positive about, please.
Have you heard of this connection technology called Bluetooth?
Bluetooth. Have you heard of that? You're not trying to make — there was Green Fang, wasn't there? There was Yellow Tonsil. And now we've got Bluetooth. Okay, tell me about it.
So it's apparently really popular, probably amongst the millennials or something.
They use it for their wireless headphones, their wireless keyboards and all other — they're sort of like—
They use it for their wireless headphones, their wireless keyboards and all other — they're sort of like—
Their aversion to wireness.
Yeah, exactly. Exactly. And I suppose for good reason, as we found prior to calling how long it took me to untangle my headphones.
So maybe it's something I should consider going forward.
But there are a bunch of clever researchers at an IoT security company called Armis, and they've recently released what they call a Blueborne vulnerability, which is an attack vector that uses Bluetooth connections to take control of your device.
So it could be your phone, your desktop, your laptop, or any one of the gazillion sort of IoT thingies that you have lying around your home that use Bluetooth.
And so this is every vendor. So it's Windows, Apple, Linux, you name it. If it's got Bluetooth, it's—
So maybe it's something I should consider going forward.
But there are a bunch of clever researchers at an IoT security company called Armis, and they've recently released what they call a Blueborne vulnerability, which is an attack vector that uses Bluetooth connections to take control of your device.
So it could be your phone, your desktop, your laptop, or any one of the gazillion sort of IoT thingies that you have lying around your home that use Bluetooth.
And so this is every vendor. So it's Windows, Apple, Linux, you name it. If it's got Bluetooth, it's—
And everyone's encouraging us to use it. Retail shops want us to use it with their apps. And so we've all been encouraged to turn it on. Yeah.
Yeah. And it's a really nasty piece of work. I mean, it's beautiful in how it actually looks and executes, but it's really lethal.
So it's seeing a lion that's really majestic in the wild three seconds before it rips your head off. Wow. So it can do remote code execution on the device.
It can man-in-the-middle the connection and it can hop from device to device over the air.
So it's seeing a lion that's really majestic in the wild three seconds before it rips your head off. Wow. So it can do remote code execution on the device.
It can man-in-the-middle the connection and it can hop from device to device over the air.
So, and that's really what's caught people's imagination about this one, hasn't it?
Is the fact that if you were carrying an infected Bluetooth device and you went into a building or an office, for instance, it would then seek other Bluetooth devices which it doesn't have to pair with, but it can infect those as well.
And it spreads and it spreads and spreads.
Is the fact that if you were carrying an infected Bluetooth device and you went into a building or an office, for instance, it would then seek other Bluetooth devices which it doesn't have to pair with, but it can infect those as well.
And it spreads and it spreads and spreads.
It's an old virus, you know?
Yeah, it is.
It is.
And because it's using the Bluetooth protocol, it's not over IP or anything. You know, no one really has paid any attention to how to secure it.
I was just thinking, how heavy would it be to create an infected payload and attack, stick it to your drone and fly it over some buildings? Right.
I was just thinking, how heavy would it be to create an infected payload and attack, stick it to your drone and fly it over some buildings? Right.
Yeah.
And is this in the wild then? And how bad is it?
It's not in the wild. I think Armis have done a good thing. They sort of responsibly disclosed and coordinated with all the major vendors.
So some patches have been released, some are in development, but you know, in honesty, a lot of devices just won't receive patches.
If it's an IoT device, a lot of them just don't have a mechanism.
If you're running an old phone, an old Android version that can't run the new ones, you're not going to get protected.
So some patches have been released, some are in development, but you know, in honesty, a lot of devices just won't receive patches.
If it's an IoT device, a lot of them just don't have a mechanism.
If you're running an old phone, an old Android version that can't run the new ones, you're not going to get protected.
Yeah, my understanding is that Microsoft put out a patch July, I think, for this, although they did it on the quiet.
They've only sort of gone public now with the announcement of the vulnerability because they wanted to give it time to get onto people's computers.
Apple devices prior to, I think if you're on iOS 10 or later, certainly you're protected with that.
Android, yes, Google has released a patch, but we have this age-old problem with Android of so many Android smartphones not receiving operating system patches and being protected.
And they may be potentially the ones which are most at risk from this. Great piece of research by these guys. We have to hope obviously that no one tries to exploit it.
Thankfully, there are some patches, but as you said, IoT devices and old Androids may really struggle and they're going to be the ones which are most at risk.
They've only sort of gone public now with the announcement of the vulnerability because they wanted to give it time to get onto people's computers.
Apple devices prior to, I think if you're on iOS 10 or later, certainly you're protected with that.
Android, yes, Google has released a patch, but we have this age-old problem with Android of so many Android smartphones not receiving operating system patches and being protected.
And they may be potentially the ones which are most at risk from this. Great piece of research by these guys. We have to hope obviously that no one tries to exploit it.
Thankfully, there are some patches, but as you said, IoT devices and old Androids may really struggle and they're going to be the ones which are most at risk.
And it's really hard because if someone is running that sort of infrastructure or what have you, what do you tell them?
You know, beyond saying, well, turn off Bluetooth or Wi-Fi or anything you don't need when it's not needed, there's not really much else you can do.
You know, beyond saying, well, turn off Bluetooth or Wi-Fi or anything you don't need when it's not needed, there's not really much else you can do.
Graham and I have talked about this before, so I'm a big anti-Bluetoother and have it off by default all the time. I think you have it on, Graham, don't you?
Yeah, well, I mean, I'm sitting here right now at a desk with a Bluetooth keyboard, which I use.
You know, I can't turn off the Bluetooth on my keyboard, otherwise it stops being a keyboard. There is no wire option.
And, you know, I've got a phone which connects via Bluetooth to my car so I can listen to the Smashing Security podcast as I'm driving.
That's what I listen to most of the time, to be honest. Bluetooth is an important part of my life.
I'm glad that my devices are at least patched against this vulnerability, as far as I know. I don't know about my keyboard.
You know, I can't turn off the Bluetooth on my keyboard, otherwise it stops being a keyboard. There is no wire option.
And, you know, I've got a phone which connects via Bluetooth to my car so I can listen to the Smashing Security podcast as I'm driving.
That's what I listen to most of the time, to be honest. Bluetooth is an important part of my life.
I'm glad that my devices are at least patched against this vulnerability, as far as I know. I don't know about my keyboard.
Yeah.
So if the drone travels above your house, watch out.
Yeah, I imagine you have to be within a certain number of feet. I'm not sure exactly, so you would have to have some proximity.
What I'm impressed by is that these security researchers didn't have to produce a very good logo for this, didn't they?
What I'm impressed by is that these security researchers didn't have to produce a very good logo for this, didn't they?
They did.
Did you see it?
They went all out.
They took the Bluetooth logo and they sort of twisted it about 90 degrees and put some evil eyes in it. I thought, oh, smashing security.
And they've done a couple of natty videos as well, which we'll link people to so you can see exactly how this operates.
And they have a demonstration with one of how it can be exploited on Android as well. So nice work by them.
Thank goodness they did some responsible disclosure, but a bit of a shame that there are devices out there which will still be vulnerable.
We just have to hope that a lot of the hackers out there actually don't pay that much attention to it and maybe look for other ways to infect devices instead.
And they've done a couple of natty videos as well, which we'll link people to so you can see exactly how this operates.
And they have a demonstration with one of how it can be exploited on Android as well. So nice work by them.
Thank goodness they did some responsible disclosure, but a bit of a shame that there are devices out there which will still be vulnerable.
We just have to hope that a lot of the hackers out there actually don't pay that much attention to it and maybe look for other ways to infect devices instead.
One would hope, yes.
We don't sound very positive there, do we?
No, actually, I think what the saving grace is, the fact that this is a proximity-based attack and what you probably see this more in is where there's a specific target.
Yes.
So I think pentesters, red teamers will be licking their lips at this because it'd be like, hey, this is great.
I can walk into this corporate office and I can launch this attack and that would look really good on the report.
I can walk into this corporate office and I can launch this attack and that would look really good on the report.
Yeah, totally, totally.
And you can imagine that some sort of state-sponsored attack or intelligence agency, if they were trying to get into a system which maybe wasn't connected to the internet, this would be a means by which potentially they could do it.
They could send someone in with an infected device in his pocket, doesn't have to plug it into anything, and bam, it's looking for Bluetooth connections.
They could send someone in with an infected device in his pocket, doesn't have to plug it into anything, and bam, it's looking for Bluetooth connections.
Yeah, but if it spreads right then through Bluetooth connections, there's no end to it.
They're not gonna be able to control the end of it unless they control the threat itself when it calls home.
They're not gonna be able to control the end of it unless they control the threat itself when it calls home.
Well, and that was the problem as well, of course, with Stuxnet way back when.
It was obviously designed to mess up a uranium enrichment facility, but it ended up spreading much, much further.
It was obviously designed to mess up a uranium enrichment facility, but it ended up spreading much, much further.
Yeah.
Well, so thanks for cheering us up. Yeah.
You said you were going to cheer us up. Yeah.
Thanks so much, Javvad.
Well, I said, there's a silver lining here that it's only a proximity-based attack. It's not like 143 million people were attacked.
You know, so it's World War III compared to Armageddon.
You know, so it's World War III compared to Armageddon.
But the important thing is, as far as we know so far, it isn't being actively maliciously exploited. So maybe don't panic too much. Just keep up to date with your patches.
If you're using devices which don't have some kind of update infrastructure, then you need to start looking at that because problems like this are only just going to carry on happening, aren't they?
If you're using devices which don't have some kind of update infrastructure, then you need to start looking at that because problems like this are only just going to carry on happening, aren't they?
They are, they are.
Particularly with IoT devices. Carole, what have you got for us?
We are going to talk about iPhone X, of course.
Oh wow, yes!
Yes, it's just been announced and it's going to be available in November, so I thought we could talk about some of the features that were announced.
So, what do you think of the iPhone X? Are you thinking, oh yeah, I'd like one of those?
No, no. I actually bought the 6S as opposed to the 7 when I was last in my phone cycle of buying. I went back just because I wanted the headphone jack. Oh, okay.
And also with the iPhone X, I mean, it may have loads of funky new features, but doesn't it cost something like £1,000?
Well, yes. So it's, and you know what? It's more expensive in the UK than the US.
Well, of course.
So the two, no, no, but quite substantially. So the 256GB model costs $380 more in the UK. So it costs 1,100 quid here, $1,500.
Carole, it's Brexit. Just get used to it. This is the future.
I think I saw someone had the maths on it and they said you could actually fly to New York and stay in a B&B and buy the phone for the same price that you could probably do that on a chartered flight.
Yeah. So we did talk about the iPhone way back in episode 32 when we were discussing some of the rumours. And so let's just review what we got right.
We talked about the overhauled handset so that there'll be a curved glass front and no home button, right? So there's only the on/off button. There's a new camera as well.
And of course there's the facial ID login feature. So we obviously complain constantly about the pain of password management.
And our friends at Apple have been busy bees trying to solve all this out.
So first came Touch ID, and there were a few stories around that, kids using their parents' fingers to buy apps when they were sleeping and all this kind of thing.
And the problem with Touch ID is that the authorities confronted this huge miasma of legal snafus on, could you force someone to use the Touch ID to log into the phone?
We talked about the overhauled handset so that there'll be a curved glass front and no home button, right? So there's only the on/off button. There's a new camera as well.
And of course there's the facial ID login feature. So we obviously complain constantly about the pain of password management.
And our friends at Apple have been busy bees trying to solve all this out.
So first came Touch ID, and there were a few stories around that, kids using their parents' fingers to buy apps when they were sleeping and all this kind of thing.
And the problem with Touch ID is that the authorities confronted this huge miasma of legal snafus on, could you force someone to use the Touch ID to log into the phone?
Ah, that's right, isn't it? Because I think people are protected. You don't have to tell a cop your password, for instance, or your passcode to unlock your phone.
But I believe there was nothing to stop them making you put your thumb or your finger on the Touch ID plate. Is that right?
But I believe there was nothing to stop them making you put your thumb or your finger on the Touch ID plate. Is that right?
Yeah, so according to the Guardian article, the US authorities could force you to unlock your phone using Touch ID because it's not a testimonial.
So a court can compel you to give the keys to your safe, but they can't compel you to divulge the safe's combination. That's a way to think about it.
So a court can compel you to give the keys to your safe, but they can't compel you to divulge the safe's combination. That's a way to think about it.
Okay.
So basically, passcodes are protected under the Fifth Amendment's right to remain silent, whereas Touch ID was arguably not.
Now in the UK, Touch ID was found not to be legally enforceable.
However, the cops did find a workaround, which was to steal unlocked phones very quickly from would-be criminals' hands.
Now in the UK, Touch ID was found not to be legally enforceable.
However, the cops did find a workaround, which was to steal unlocked phones very quickly from would-be criminals' hands.
Oh my gosh.
And then continually press the button.
So it doesn't go to sleep.
To make sure it didn't go to sleep.
Yes.
I love whose job that was. So that's where the landscape looks now. So now Face ID, how is that going to change things?
So could it be that, you know, the authorities or a jealous partner or a bully could basically detain you in some way, point the phone at your face, and abracadabra, they're digging through all your personal information?
So could it be that, you know, the authorities or a jealous partner or a bully could basically detain you in some way, point the phone at your face, and abracadabra, they're digging through all your personal information?
Okay.
Right? That's really the big question. And I think the answer to that is kind of yes and no.
So leaked firmware from iOS 11 shows an option that disallows Face ID logins even if your face is already enrolled. So the feature is an emergency services feature.
And what you would do is you click the on/off button 5 times quickly.
So leaked firmware from iOS 11 shows an option that disallows Face ID logins even if your face is already enrolled. So the feature is an emergency services feature.
And what you would do is you click the on/off button 5 times quickly.
Okay, so if you're worried that your phone is going to be unlocked with your face without your permission, you click on— you click 5 times, you go tick tick tick tick tick, right?
If that was 5. And that will then require your passcode or your PIN number?
If that was 5. And that will then require your passcode or your PIN number?
Well, it brings you to the emergency services is what it will do. But if you then close out, that means you then next time you log in, you will need your passphrase or passcode.
If you have set one.
If you have set one.
Right.
If you haven't set one, it ain't going to need it.
That's never going to happen with the phone in your pocket, is it?
How do you mean?
I mean, I call up people all the time with the phone in my pocket. I guarantee if the phone's in my pocket, I'm going to accidentally be hitting that one button.
Oh, you mean butt dialing? You're a butt dialer.
Exactly, yeah.
Yeah.
Well, my right cheek is, yeah.
So the other problem with this is— so, okay, so that's a way that people can get around this.
The other thing is the shot needs to be lined up properly, because it takes a second or two for the program to map your face and authorize your use.
So my advice here is if you decide to get the iPhone X and you use Face ID and you ever find yourself in a situation where someone is forcing Face ID on you, you need to close those peepers and dance around like your life depends on it.
And boom, right? Wiggle that butt.
The other thing is the shot needs to be lined up properly, because it takes a second or two for the program to map your face and authorize your use.
So my advice here is if you decide to get the iPhone X and you use Face ID and you ever find yourself in a situation where someone is forcing Face ID on you, you need to close those peepers and dance around like your life depends on it.
And boom, right? Wiggle that butt.
Keep your eyes closed and then Face ID won't trigger. Or gurn. Could you gurn?
Well, that's interesting. Some people were saying, well, why don't I just take a picture of my hand instead of my face? Because surely that would work. But actually, no, it will not.
It's actually quite clever software, and it's trying to bypass that snafu that happened to Samsung recently, where someone was able to bypass the face print by using a photo.
This was, I don't know, I saw reports of this on Ars Technica.
It's actually quite clever software, and it's trying to bypass that snafu that happened to Samsung recently, where someone was able to bypass the face print by using a photo.
This was, I don't know, I saw reports of this on Ars Technica.
Yeah, because I believe the iPhone X, it has some sort of, its camera has some sort of depth facility as well.
So it knows if it's looking at a flat picture, as opposed to a contoured face, for instance.
So it knows if it's looking at a flat picture, as opposed to a contoured face, for instance.
Exactly, it's a bit like, you know, what actors use to kind of remodel their faces. So it's a bit like that. So it needs the 3Dness in order to do it.
Okay.
But a cool thing about all this is that people are kind of worried, well, where's all that data going? And it's actually staying on your phone exactly like thumbprint ID is.
And we talked about that back in episode 32.
And we talked about that back in episode 32.
And that doesn't surprise me.
I think Apple are very conscious about these security and privacy issues, and they recognize that they needed to keep really tight control of the fingerprints so that it's stored in a secure enclave on your typical iPhone.
And with this new iPhone as well, it's storing that facial information on the device as well.
I think Apple are very conscious about these security and privacy issues, and they recognize that they needed to keep really tight control of the fingerprints so that it's stored in a secure enclave on your typical iPhone.
And with this new iPhone as well, it's storing that facial information on the device as well.
So it's I don't know why I do any research at all, really.
Yeah, why do you?
I don't know. I should just let Graham just do my whole story for me.
I'm just—
Well, I'm not trying to steal it.
I was like, no, it's fine, go.
A little bit of tension.
Good. You're the one that had a bad morning, Graham.
Yeah, get it all out. The problem I've got with all this though is our faces are our password, right?
Our faces that we bring out into the open all the time, that we wear on our shoulders, you know, it's out in the open. At least our fingertips weren't kind of just there.
I find it just, it's having your password written on your forehead or something.
Our faces that we bring out into the open all the time, that we wear on our shoulders, you know, it's out in the open. At least our fingertips weren't kind of just there.
I find it just, it's having your password written on your forehead or something.
Or it's a bit having to use the same Social Security number all your life.
Yes, exactly.
And the same name. It's something you can't easily change. Yes, you can grow a hipster beard or something or get a tattoo, but— You can't. Well, no, I couldn't, but—
This guy said—
You're saying you could, Carole?
No, no, I certainly cannot.
Baby smooth skin I have.
Okay, so, but one guy on our Slack has said this really well.
He said, if it is part of you that can be scanned for authentication, then it is data that could be copied by anyone but never changed by you. That is inherently insecure.
And I agree with that.
He said, if it is part of you that can be scanned for authentication, then it is data that could be copied by anyone but never changed by you. That is inherently insecure.
And I agree with that.
Yeah.
I think it's a really good point. And we're going down that route more because of convenience, right?
How convenient it is that we can log in anywhere and we don't have to have anything on us to do it.
I mean, remember all the tokens we used to have to carry and people probably still do to log into accounts.
How convenient it is that we can log in anywhere and we don't have to have anything on us to do it.
I mean, remember all the tokens we used to have to carry and people probably still do to log into accounts.
And even if Apple have done a really good job securing this information, we have seen breaches in the past which have meant that biometric information has been exposed.
I remember with the OPM data breach, many, many fingerprint details were also taken as part of that, which potentially could be abused in future.
We just have to wait and see how that might be exploited.
I remember with the OPM data breach, many, many fingerprint details were also taken as part of that, which potentially could be abused in future.
We just have to wait and see how that might be exploited.
Yeah.
And I heard something, I think actually you told me this when we were talking about this earlier, that even the facial recognition even records your aging process or how you change day to day or month to month.
Yeah, that's what I've heard. Because of course people do change, you change your appearance over time, right? You might grow a moustache, Carole. Your hair colour.
Hey!
Hey!
I'm—
What? No, or I might trim my eyebrows, right? Let's be fair.
Unlikely.
Javvad may go clean-shaven for a few hours before growing it back again. But you know, people do change over time.
You lose weight, you put on weight, you grow your hair, whatever it is.
And so I believe, I obviously haven't used one of these devices, but from what I heard, that it keeps kind of track of how you're changing.
It learns more information, maybe even learns more information about what you're wearing as well.
You lose weight, you put on weight, you grow your hair, whatever it is.
And so I believe, I obviously haven't used one of these devices, but from what I heard, that it keeps kind of track of how you're changing.
It learns more information, maybe even learns more information about what you're wearing as well.
Yeah.
If you're wearing a motorcycle helmet or something, I don't know.
Yeah.
It could be, couldn't it?
See, I think one of the things that I don't get about phone authentication, I think the phone manufacturers are missing a trick here, is to have native built-in layered authentication.
Yes.
So that your face could unlock your phone, but it would only unlock your low-level sort of apps that, you know—
Like user rights versus admin rights.
Exactly.
Yeah. Yeah. But having more layers like that, I think that's an excellent idea.
Yeah. Good idea. Yeah. And maybe you could use your ear to unlock your password manager or your left foot to use Apple Pay. That'd be fun, wouldn't it?
So guys, hey, look, the new iPhone's come out. We've seen the videos or whatever. Carole, you're saying you wouldn't buy one?
So guys, hey, look, the new iPhone's come out. We've seen the videos or whatever. Carole, you're saying you wouldn't buy one?
No, I love, I love the 6S. So I love it, love it, love it. And I'm hoping it lasts forever.
And I have one of these iPhone SEs, which is like a really tiny one. It's like the sort of iPhone 4 size. For your small hands. It makes my hands look bigger.
So I'm not the only person with that problem. So that's why I have one of those. But I'm sort of, I'm not sure.
It just feels like they're adding all the, it's like they have these animated emojis. I mean, what's the point of those?
So I'm not the only person with that problem. So that's why I have one of those. But I'm sort of, I'm not sure.
It just feels like they're adding all the, it's like they have these animated emojis. I mean, what's the point of those?
Okay, Javvad, Javvad.
Yes.
Let's make a bet. I bet within 4 months he's got the new iPhone X.
No way. I won't. No.
I think you will.
But I'll tell you what happened this morning to me, right? My wife knows nothing about the iPhone launch and everything.
She comes downstairs and she says, oh, my phone stopped working. I've got a bad feeling that it won't start up and all the rest of it.
Every single time Tim Cook does an announcement about a new iPhone, within 24 hours, she will have some kind of catastrophic iPhone disaster.
Dropped down the loo, dropped in the dog bowl.
She comes downstairs and she says, oh, my phone stopped working. I've got a bad feeling that it won't start up and all the rest of it.
Every single time Tim Cook does an announcement about a new iPhone, within 24 hours, she will have some kind of catastrophic iPhone disaster.
Dropped down the loo, dropped in the dog bowl.
She's a smart lady.
Because of course she will want the brand new one. So maybe not me in 4 months, but I can tell, I can pretty much bet someone else might.
Does she ask permission to buy a phone?
She doesn't have to ask permission.
Oh, okay.
She's a human being. She's not a slave.
I thought that's what you were saying, that she comes down and goes, "Hi." Oh no, because I'm the CTO in the house, right?
Oh, I see.
Sorry.
I'm in charge of technical support and fixing printers and devices and things. Yes.
So she was reporting, she was basically submitting an IT request for me to fix something is what she was doing. She was filling out the form. To me, the service desk.
That's how modern marriage works. Big thanks to Rapid7 who are supporting this episode of Smashing Security. We really appreciate their support.
If you are interested in identifying, prioritizing, and managing vulnerabilities inside your organization all the way through to remediation, well, good news, it's not only possible, it can be simple.
And that's what Rapid7 can do for you. They can help you build a vulnerability management program that works for you with InsightVM.
You can get started with your free 30-day trial right now. Just go to www.rapid7.com. And thanks to Rapid7 for supporting the show. And welcome back.
And we're through to that part of the show.
So she was reporting, she was basically submitting an IT request for me to fix something is what she was doing. She was filling out the form. To me, the service desk.
That's how modern marriage works. Big thanks to Rapid7 who are supporting this episode of Smashing Security. We really appreciate their support.
If you are interested in identifying, prioritizing, and managing vulnerabilities inside your organization all the way through to remediation, well, good news, it's not only possible, it can be simple.
And that's what Rapid7 can do for you. They can help you build a vulnerability management program that works for you with InsightVM.
You can get started with your free 30-day trial right now. Just go to www.rapid7.com. And thanks to Rapid7 for supporting the show. And welcome back.
And we're through to that part of the show.
Oh, finally.
Which we like to call Pick of the Week.
Pick of the Week. Okay, Javvad.
I'd still like him to say it if possible.
Look, could you just say it?
Pick of the Week.
Thank you, Javvad.
So every week we choose something that we like. Could be a funny story, book we've read, TV show, movie, record, an app, a website, a podcast, whatever.
It doesn't have to be security-related necessarily. It could be, but it doesn't have to be my Pick of the Week.
It doesn't have to be security-related necessarily. It could be, but it doesn't have to be my Pick of the Week.
Is—
Shouldn't be, says Carole. My pick of the week is a website which you're only going to want to go to, to be honest, if you're interested in chess and improving your chess.
Okay, so next, Javvad?
I go to a website called Chessable.com, and it's— no, no, it's a— Carole, actually, I think you would find this interesting.
Every time you talk about chess on the show, come on!
Now, come on, let me explain why this is clever, right?
Because I'm not very good at chess, but what's clever about this is it teaches you, and it puts you through the motions of learning chess openings by giving you situations, and it teaches you this is how you play 1.d4, and then c4, and all the rest of it, Queen's Gambit and all the rest of it, and you begin to learn the variations.
But it learns where you make mistakes, and where you make mistakes, it keeps on testing you on that particular position until finally it's beaten into your dumb brain until you begin to learn how to do it.
And the idea is that rather than me spending 3 hours sat at a computer trying to learn an opening, what it does is just say, "Just spend 10 minutes today." And then I have to log back in the next day in order to do it again.
And it's very good at encouraging you. Basically, you have a streak of how many days in a row you've done it, you win points and jewels and things like this.
Not real jewels, obviously. Obviously this is a chess website after all, there's no money in it.
But over time you really begin to learn these things through the repetition and there's some fascinating— and I'll link to a blog entry we can learn all about the science behind learning which they claim that they used behind the site.
But of all the chess sites and all the chess books which I've ever read and I've learned absolutely nothing, I have to say Chessable is fantastic.
And with that I will hand over for his pick of the week. Before we do that, before we do that—
Because I'm not very good at chess, but what's clever about this is it teaches you, and it puts you through the motions of learning chess openings by giving you situations, and it teaches you this is how you play 1.d4, and then c4, and all the rest of it, Queen's Gambit and all the rest of it, and you begin to learn the variations.
But it learns where you make mistakes, and where you make mistakes, it keeps on testing you on that particular position until finally it's beaten into your dumb brain until you begin to learn how to do it.
And the idea is that rather than me spending 3 hours sat at a computer trying to learn an opening, what it does is just say, "Just spend 10 minutes today." And then I have to log back in the next day in order to do it again.
And it's very good at encouraging you. Basically, you have a streak of how many days in a row you've done it, you win points and jewels and things like this.
Not real jewels, obviously. Obviously this is a chess website after all, there's no money in it.
But over time you really begin to learn these things through the repetition and there's some fascinating— and I'll link to a blog entry we can learn all about the science behind learning which they claim that they used behind the site.
But of all the chess sites and all the chess books which I've ever read and I've learned absolutely nothing, I have to say Chessable is fantastic.
And with that I will hand over for his pick of the week. Before we do that, before we do that—
You know, I think we should just patent it right now. I'm going to go for SOCable, which is going to take all the learnings but apply it to a SOC, a security operations center.
So you can train your new grads out of university to be analysts really quickly, as in, here's the situation, find the anomaly in the log.
So you can train your new grads out of university to be analysts really quickly, as in, here's the situation, find the anomaly in the log.
Trademark it, Carl.
Trademark it.
Oh dear, what a shame. You're too late. Never mind, Javvad.
Next time.
You should keep your mouth shut. Javvad, what's your pick of the week?
My pick of the week is by far the favorite bit of medical research I've ever come across, and I shall be referring to this a lot.
So there was a website, and we'll probably put the link in the show notes below. Listen to me taking over.
Joe O'Leary is a gentleman who went to dinner with his parents and he had a pizza. Right.
Then he set out to go to the gym, as I suppose one does, you know, once they feel a bit guilty after having some pizza. And he hopped on the elliptical trainer.
After about half an hour, he started to feel really weird.
So there was a website, and we'll probably put the link in the show notes below. Listen to me taking over.
Joe O'Leary is a gentleman who went to dinner with his parents and he had a pizza. Right.
Then he set out to go to the gym, as I suppose one does, you know, once they feel a bit guilty after having some pizza. And he hopped on the elliptical trainer.
After about half an hour, he started to feel really weird.
Yes.
His eyes were watering. He was having trouble breathing.
He's having a heart attack?
It could have been.
I don't know why your eyes would water. I'm guessing.
Now, in his words, I looked behind me into the mirror, and my eyes were swollen. Every part of my face was swollen.
Okay.
So he wasn't able to unlock his phone to ring emergency services.
The thumbprint was in there.
Yeah.
Luckily, probably one of the staff called up. He was rushed to the emergency room and pumped full of steroids and antihistamines.
Okay.
Because he'd had an allergic reaction.
To what?
To what?
Yeah.
It was the combination of food and exercise.
What?
For real?
For real. It's a condition called exercise-induced anaphylaxis.
Okay, just because you give it a fancy medical name doesn't make it real.
Doesn't make it not bullshit.
It's a reaction where the reaction only happens to the allergen only in conjunction with exercise.
So if he'd just eaten the pizza and sat down and done nothing, in front of the sofa, watch TV—
So if he'd just eaten the pizza and sat down and done nothing, in front of the sofa, watch TV—
Like most of us would.
Like most of us sensible people would. He would not have had the reaction. If he'd not eaten anything and gone to the gym, he would not have gotten the reaction.
But because he ate and then he felt guilty and wanted to work it off, he had the reaction. So for him, it was a reaction to tomatoes, pepper, soy, and nuts.
But because he ate and then he felt guilty and wanted to work it off, he had the reaction. So for him, it was a reaction to tomatoes, pepper, soy, and nuts.
Wow.
So anyone who wants to go for a walk after their dinner, think twice.
Think twice. Don't do it. Eat and then sit down and binge watch your favorite show on Netflix or Amazon Prime or whatever you— or terrestrial TV for all you poor people out there.
I think it's so great that we're now giving medical advice on Smashing Security.
Oh, just wait, because actually my pick of the week is also medically related, which is weird because Javvad and I didn't talk about our picks beforehand.
So as you know, Graham, I've been suffering with a trapped nerve for a week or two. And this meant I couldn't turn my head very well. I couldn't lift anything.
Really, I couldn't even raise my arm without yelping. So anyway, I called the physio, couldn't get an appointment.
And so I turned to the internet and a little YouTube angel cured me.
So it turns out that a lot of us get trapped nerves in our necks and it happens because we're always bent forward. Our heads are kind of bent forward.
So we're looking at a device or looking at a keyboard or cooking or reading or playing guitar in my activity, in my life.
So all these things make your head much heavier, increases pressure on your neck, and then helps the nerve get trapped.
So my pick of the week is YouTube's Motivational Doc channel, which the link will be in the show notes.
But he walks through exactly my neck pain gives advice, and I followed it, and pop, bloody relief immediately, which was incredible.
It just snapped the nerve right out of its thing. So check it out. I'm not a doctor. I'm not a doctor. I'm not a doctor. I don't know if he's a doctor.
So as you know, Graham, I've been suffering with a trapped nerve for a week or two. And this meant I couldn't turn my head very well. I couldn't lift anything.
Really, I couldn't even raise my arm without yelping. So anyway, I called the physio, couldn't get an appointment.
And so I turned to the internet and a little YouTube angel cured me.
So it turns out that a lot of us get trapped nerves in our necks and it happens because we're always bent forward. Our heads are kind of bent forward.
So we're looking at a device or looking at a keyboard or cooking or reading or playing guitar in my activity, in my life.
So all these things make your head much heavier, increases pressure on your neck, and then helps the nerve get trapped.
So my pick of the week is YouTube's Motivational Doc channel, which the link will be in the show notes.
But he walks through exactly my neck pain gives advice, and I followed it, and pop, bloody relief immediately, which was incredible.
It just snapped the nerve right out of its thing. So check it out. I'm not a doctor. I'm not a doctor. I'm not a doctor. I don't know if he's a doctor.
So for a second then, when you talked about this video where he's going to guide you through, I thought it was going to be that video about— remember the guy who does the squinch?
I love him.
I love him.
I love Squinch Guy.
Javvad, I don't know if you're familiar with the Squinch Guy. There's a guy on YouTube, and we'll put the link in the show notes because this will be just as useful as—
Glorious.
And it's a guy who's got a method for making you look more photogenic every time you're in front of a camera.
It's all about— you start off with the jaw, but then with your eyes, you kind of squinch.
It's all about— you start off with the jaw, but then with your eyes, you kind of squinch.
Squinch.
It's a bit like Blue Steel in a way, isn't it? Yeah, but it's all about the squinch.
I need to find this man.
Yeah.
It's like the Harrison Ford look, you know. The middle distance, little, you know, I'm important, I'm doing something very important.
We will share a link for all of you. But no, that's seriously, Carole, that's fantastic. So that's helped you, has it?
Totally. And I think it would help anyone because he has some good advice.
Basically, all of you dudes who are sitting down at computers, just try and do, I call it the chicken thing.
You want to tuck your chin in, just move it back a bit occasionally, just get some air in the back of your neck. It's not fun.
He claims we're all going to be suffering of this in 20 years.
Basically, all of you dudes who are sitting down at computers, just try and do, I call it the chicken thing.
You want to tuck your chin in, just move it back a bit occasionally, just get some air in the back of your neck. It's not fun.
He claims we're all going to be suffering of this in 20 years.
So.
There you go. Do it.
We are all doing something rather strange, aren't we? Which is that we're all sitting down all the time for 8, 10 hours a day, and all we're commuting and doing the same thing.
And you know, it's going to have some kind of impact on our bodies.
And you know, it's going to have some kind of impact on our bodies.
I'm at my standing up desk right now.
Good girl. Well, I suppose you're going to change your neck position when you unlock your new iPhone. So that should help relieve some of the stress.
Yes, yes, you will. You'll want to look. Yes, you will. So see, it's going to help us all physically too. Brilliant. Thanks, Apple.
Well, I think that just about calls an end to this episode of Smashing Security. If you're interested— oh, did you know, Carole, something very exciting has happened?
What?
We now have over 1,000 followers on Twitter @SmashingSecurity.
Thanks, guys. That's great.
Which means that roundabout only 1 in 10 of our listeners have bothered to follow us on Twitter. So what are the rest of you doing, eh?
Well, maybe they're on Facebook, Graham.
Oh, in which case—
Maybe they're on LinkedIn.
They could join us on Facebook at smashingsecurity.com/facebook. We don't have a LinkedIn group because LinkedIn is vile. Mind you, we have a Facebook one.
That argument doesn't really work, does it? We have a Squinch channel and we've got swag.
If you want to buy a t-shirt or if you want to buy a sticker or mug and things like that, you can go to smashingsecurity.com/store and you can help support us.
And all that remains is that we need to ask our guest, Javvad Malik. Javvad, where can people find you online? How should they follow you and follow your words of wisdom?
That argument doesn't really work, does it? We have a Squinch channel and we've got swag.
If you want to buy a t-shirt or if you want to buy a sticker or mug and things like that, you can go to smashingsecurity.com/store and you can help support us.
And all that remains is that we need to ask our guest, Javvad Malik. Javvad, where can people find you online? How should they follow you and follow your words of wisdom?
Well, you can follow me easily. Just go to Equifax.com. You can find me on Twitter most times. It's J4VV4D, which is also the name of my website, J4VV4D.com.
You can find all my links there.
You can find all my links there.
So geek.
AlienVault.com.
So thanks everyone for tuning in. And if you enjoy the show, please do tell your friends because the more people who get to hear about the show, the better it is for us.
And we like to know that we're talking to someone. One of the ways in which you can help us is you can leave a review on iTunes. That gives us a bit more visibility in the search.
I think they may call it Apple Podcasts now. I'm not sure which it is, but anyway, leave us a review up there. Subscribe to us on iTunes or any of the other podcast apps out there.
And we like to know that we're talking to someone. One of the ways in which you can help us is you can leave a review on iTunes. That gives us a bit more visibility in the search.
I think they may call it Apple Podcasts now. I'm not sure which it is, but anyway, leave us a review up there. Subscribe to us on iTunes or any of the other podcast apps out there.
And just share the show with your friends.
Yeah. Tell them about it and say, oh yeah, I heard this show the other day. You might like it as well. Yes, it is a bit geeky.
It's about security, but occasionally we talk about other things as well. Until next time, Graham's small hands. I'll give people a little clue.
Next time we've got a special splinter episode coming up, haven't we, Carole? Next week's episode is going to be a splinter. How do you know it's a good one, Carole?
Oh, we haven't recorded it yet, have we?
It's about security, but occasionally we talk about other things as well. Until next time, Graham's small hands. I'll give people a little clue.
Next time we've got a special splinter episode coming up, haven't we, Carole? Next week's episode is going to be a splinter. How do you know it's a good one, Carole?
Oh, we haven't recorded it yet, have we?
Yeah, we have.
We're going to be talking about backups next week, so tune in for that. And then we will be back with a regular episode the week after that. Toodle-oo, cheerio, bye-bye.
Bye.
See ya.
Bye-bye, Agent Vod.
Jesus.
Where's my agent?
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Javvad Malik – @j4vv4d
Show notes:
- We tested Equifax's data breach checker — and it's basically useless | ZDNet
- Equifax hack: 44 million Britons' personal details feared stolen in major US data breach
- "The front page of Equifax's UK website. They don't seem to have room to mention the data breach affecting up to 44 million Brits." – Twitter
- Chatbot lets you sue Equifax for up to $25,000 without a lawyer – The Verge
- How to protect yourself in the wake of the Equifax data breach
- Ayuda! (Help!) Equifax Has My Data! — Krebs on Security
- BlueBorne Information from the Research Team – Armis Labs
- The five biggest questions about Apple’s new facial recognition system – The Verge
- Can the government force you to unlock your own phone? | The Guardian
- UK police have a new tactic to circumvent strong iPhone encryption: steal the unlocked phone out of the criminal’s hand | 9to5Mac
- Chessable
- The science that makes chess learning easier – Chessable.com
- You can actually be allergic to exercise – Pop Science
- Dr Mandell's Push and Pull Technique (20-Second Neck Pain Relief) – YouTube
- It's all about the Squinch! – YouTube
- Smashing Security on Facebook
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Thanks to our sponsor:
This episode of Smashing Security is made possible by the generous support of Rapid7.
Identifying, prioritizing and managing vulnerabilities all the way through to remediation is not only possible, it can be simple. Right now.
Build a vulnerability management program that works for you with Insight VM, by Rapid7. Get started with your free 30 day trial at www.rapid7.com
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.
Remember: Subscribe on iTunes or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
You mentioned the bluetootth on your phone/headset etc being patched, but what about on your actual car – is that possible to be infected and then as you're driving around town, it's spreading the lurgee?
iPhoneX FaceID
Question: What FAR means when it does not come with the corresponding FRR?
Answer: It means nothing.
According to some tech media¸the FAR (false acceptance rate) of iPhone X Face ID is said to be one millionth, which might be viewed as considerably better than the reported one 50,000th of Touch ID.
It is not the case, however. The fact is that which is better or worse can by no means be decided when the corresponding FRR (false rejection rates) of Face ID and Touch ID, which are in the trade-off relation with FAR, are not known. This crucial observation is seldom reported by major tech media. It is really sad to see the misguided tech media spreading the misguiding information in a huge scale.
The only meaningful fact that we can logically get confirmed by the trade-off between FAR and FRR is that the biometrics deployed with a password as a fallback means against false rejection would only provide the level of security lower than that of a password-only authentication.
Face ID, which brings down security as such, could be recommended only for those who want better convenience, as in the case of Touch ID. If recommended for better security, it would only get criminals and tyrants delighted.
Security professionals are expected to speak up