Smashing Security podcast #053: Game of Thrones, a major Amazon cloud leak, and web tracking gone crazy

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

The FBI think they’ve identified the HBO hacker, the US military have been caught with a leaky bucket, and web tracking has just got scarier than ever.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, who are joined this week by special guest Iain Thomson from The Register.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Hi, it's me, the guy who introduces the podcast.

Just a quick note, we recorded this episode before news broke of the extraordinary Uber data leak and how Uber paid the hackers in order to keep the breach quiet.

You can read about all that in the show notes, but anyway, that's why we didn't mention it. Sorry about that. On with the show.

Hi, this episode of Smashing Security is supported in part by Netsparker.

Netsparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.

If you want to automatically check your web applications for cross-site scripting, SQL injection, and other vulnerabilities and coding errors that can leave you and your business exposed, then you need NetSparker.

Try it out now by downloading a demo from www.netsparker.com/smashing. Smashing Security, episode 53: Game of Thrones.

Ransomware, major Amazon cloud leak, and web tracking gone crazy with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 53.

My name is Graham Cluley and I'm joined as ever by my good chum and co-host, Carole Theriault. Hello, Carole.
CAROLE THERIAULT
Hello, Graham.
GRAHAM CLULEY
How are you doing today?
CAROLE THERIAULT
I'm having a brilliant day, actually. Very good day.
GRAHAM CLULEY
Wonderful.
CAROLE THERIAULT
Thank you very much.
GRAHAM CLULEY
Oh, well, actually, hey, you remember what happened? I took you out for lunch today.
CAROLE THERIAULT
Yeah, well, that's a, that was very exciting. That doesn't happen very often. I was just like, woohoo.
GRAHAM CLULEY
Woo! I think what you found exciting was that I actually paid, wasn't it?
CAROLE THERIAULT
That was very exciting and extremely unusual. That's right.
GRAHAM CLULEY
We are joined by a special guest, Iain Thomson of The Register, one of their security correspondents. Hello, Iain.
IAIN THOMSON
Hi there, Graham. How's it going?
GRAHAM CLULEY
Not too bad, thank you very much. Good to have you on the show. You are dialing in all the way from California today, aren't you? You're tricking us with your English dulcet tones.
IAIN THOMSON
Indeed, indeed.
GRAHAM CLULEY
How long have you been out there now?
IAIN THOMSON
Ooh, 8 years. 8 years, really?

Yes, it was supposed to be a 1-year trip, but then things kept on getting extended, and then I met a local, and it now looks like I'm out here for the duration.
CAROLE THERIAULT
Would you ever move back to the UK?
IAIN THOMSON
Well, the UK is currently going slightly bonkers, so—
CAROLE THERIAULT
Oh, right, yeah, but everything's normal in the States. You're absolutely right. Everything is perfectly tickety-boo.
GRAHAM CLULEY
The only thing which has made the UK look less bonkers is what's been going on in the States over the last year or so, yeah.
IAIN THOMSON
Well, this was the marvelous thing though, but it was the one redeeming quality of the Trump election was that for 3 months my American friends have been talking about Brexit and going, "Ah, you see, you can be just as stupid as we can." And then America said, "Hold my beer and watch this." Yeah, they've taken it to a whole nother level, haven't they?

But yeah, no, I mean, I will always be British and I would like to move back, but my wife doesn't like British winters. So yeah, we'll have to see.
CAROLE THERIAULT
No one really does.
GRAHAM CLULEY
I think that's a pretty reasonable— my wife is slightly nationality challenged as well, and she's ever so slightly partly American and she resents the British winters very much too, and she would love to go and live in California or something like that.

But it's me longing for The Archers.
IAIN THOMSON
Well, you see, you can get The Archers on podcast. This is fantastic.
GRAHAM CLULEY
Podcasts? Come on. Who listens to those? Hey! Okay.

Well, every week what we do is we each pick a topic, something which has happened in the world of computer security, and have a little bit of a chat about it.

Now, do you guys, do you all watch the fantasy starring lots of boobs and dragons, Game of Thrones? Are you all fans of that?
CAROLE THERIAULT
Yes, I certainly am. Our household, they are avid fans.
IAIN THOMSON
I've watched episodes and got the general gist of it, but I just can't devote that long to watching the entire series. It's too late now.
GRAHAM CLULEY
I know, I know. I think I watched the first series and after that I thought, okay, I've got the gist of this really. I don't feel I need to see any more.
CAROLE THERIAULT
The first one was very dirty. The rest aren't as dirty.
GRAHAM CLULEY
Oh really?
CAROLE THERIAULT
I promise, I promise.
GRAHAM CLULEY
Oh really? Yes. Really, really.
CAROLE THERIAULT
The first series was just to lure us in, was it?
GRAHAM CLULEY
Promise of more naughtiness.
CAROLE THERIAULT
I know I sound like my brother who told me, hey, let's watch Walking Dead. It's not scary at all.
IAIN THOMSON
It's not scary. Well, they have a phrase over here. It's not porn. It's HBO.
GRAHAM CLULEY
So, well, you might remember, 'cause we covered this in a previous Smashing Security podcast, I think it was number 37, where we talked about the fact that a hacker had broken into HBO and was trying to extort lots of money out of them.

And he'd actually managed to get hold of their contact checklists of the actors and actresses, their mobile phone numbers, managed to get hold of some scripts of upcoming episodes, which of course, the feverish fans are all desperate to get their claws on.

Well, that story has continued because this week, the FBI held a little news conference at lunchtime. You can imagine it, can't you?

They had all the cucumber sandwiches out and everything else.

Well, they said, "Right, gents, now you're all here, what we'd like to tell you is that we believe we have identified and are going to charge the person we think hacked into HBO." And they have named him as Behzad Mesri, also known, and this was his hacker online handle, as "Sk0t Varshat." Oh!

I've never quite—
CAROLE THERIAULT
Have you Googled to see what that means?
GRAHAM CLULEY
I don't. I don't. Google Varshat.
CAROLE THERIAULT
Yeah, you can't unsee things. That's right.
GRAHAM CLULEY
Exactly. It's a bit Lemon Party, isn't it?

So anyway, he is a self-professed expert hacker and believed to be a member of the Iranian hacking gang, the TurkBlack Smashing Security team.

I don't know where they get all these names. He's been defacing websites for a long time, leaving his—
CAROLE THERIAULT
So say the FBI.
GRAHAM CLULEY
Leaving the Varshat mark on web pages around the world.

But then earlier this year, according to the FBI, he targeted HBO, the maker of Game of Thrones and other shows like Curb Your Enthusiasm. And he did this not in a sophisticated way.

I mean, frankly, this is the kind of way in which companies do get hacked. Quite often it won't be that sophisticated.

He simply grabbed employees' usernames and passwords and logged in using their accounts. Maybe he did that through phishing or piece of spyware.

I suspect it was probably just phishing.
CAROLE THERIAULT
Or a guess. Some people's passwords are so bad.
GRAHAM CLULEY
Well, maybe, yeah. I mean, you know.
IAIN THOMSON
Well, it's the layer 8 problem. People are very dumb about choosing their passwords and they just, you know, they fall down to a few basic defaults, reuse them everywhere.

And we've all, you know, okay, possibly not you two, but I mean, I had an incident recently where I tweeted a response to a far-right person on Twitter and somebody tried to log into my Facebook account, which was using a password which was just over a year old.

Thankfully two-factor was on, but I mean, we all do it and there is, you know, this guy seems to have got lucky.
GRAHAM CLULEY
So he had a password of yours, which was, although not a current one, it was a year old or so.
IAIN THOMSON
Yeah. I hadn't changed my password, my Facebook password in a year.

And then when I think I got caught up in the LinkedIn hack, there was a reused password in there, but I've got, you know, you've got to have two-factor on all accounts now.

I mean, you guys know this. You really do.
GRAHAM CLULEY
And I think that's another common way in which people do get hacked, of course, is reused passwords.

So if one site like LinkedIn, which famously got hacked, of course, even Mark Zuckerberg himself was caught with his pants down on that particular one by using a dumb password, which he was reusing in places.

And so, yeah, maybe that's what happened to these HBO staffers as well. But the fact is, according to the FBI, Behzad Mesri, or let's call him Mr.

Varshat, managed to break into these HBO accounts and gain access. He stole actual unaired episodes of Curb Your Enthusiasm and other shows like Juice and Ballers.

He stole the scripts for upcoming episodes of Game of Thrones, grabbed this confidential information, and then he tried to extort money.

He sent them messages saying, "Hi to all losers. Yes, it's true. HBO is hacked. Beware of heart attack." Not quite sure what that means.
CAROLE THERIAULT
This is a bit of a different ransomware attack because it's not a question of them— him stealing the originals.

It's them having a copy and that copy being as powerful because it hasn't been released yet.
GRAHAM CLULEY
Right.

And if you've got sensitive information, which you can pass on to journalists like Iain Thomson of The Register or something like this, or one of the others out there, then you can damage a company's brand, can't you?

Because it, fair enough, it's a good story, which security journalists will want to write about.
IAIN THOMSON
I would actually add a caveat to that. There are, you know, while, you know, The Register has its issues.

We are, and I think a lot of journalists out there are quite ethical about this and they're not willing to be used in that way.

It's kind of if a security company comes to us and says, we've got a fantastic new hole, the first question we ask is, is it patched?

Because we can't report about it until the patch is out there. And everyone I know in the industry is very, very strict about that.

So in this case, he was, I think, more interested in putting it out onto the public web and sort of hitting HBO's profits that way.

But, yeah, Graham, it's a really, as you say, it's a very bad form of ransomware. You know, it's just the complications are too high.
CAROLE THERIAULT
Yeah.
IAIN THOMSON
Yeah.
GRAHAM CLULEY
Carole's having a go at me for suggesting you do that.

I mean, certainly I've been approached by groups like the Dark Overlord in the past who've shared sensitive information from inside companies which they've hacked and said, why don't you publish details from this?

And I refuse. It's just well, look, it's interesting that that company has been hacked, but I'm not going to publish their personal emails or details of their databases.
IAIN THOMSON
This is, I think, the real, the sort of the nub of this story is that this is really about the fact that HBO has terrible security.
GRAHAM CLULEY
Well, they certainly wanted to keep this guy quiet and keep him sweet and not have him releasing these episodes.

Obviously there'd be commercial damage which would be done if things like Game of Thrones episodes leak onto the internet, and they didn't want that.

And there were some emails which came out of HBO.

I'm not quite sure how they appeared on the internet, but it appeared that some of their sysadmins had been given the authority to offer up to a quarter of a million dollars.

They weren't prepared to pay him the $6 million, but they said, look, we can offer you this as a bug bounty if you will agree to our terms and conditions.
IAIN THOMSON
Balls on it.
GRAHAM CLULEY
Now, yeah, well, I wonder actually whether that might be how they ultimately identified the guy because we don't have any details from the FBI.
CAROLE THERIAULT
Oh, follow the money, follow the money.
GRAHAM CLULEY
Well, maybe what it was, I've known companies in the past where they've said, look, you're trying to blackmail us. The legal department needs a contract to be signed.

So you have to tell us your name, address, sign the contract.

Or if we're going to present this as some kind of bug bounty, and it's understandable, some hacker in Iran, if he's offered a quarter of a million quid and thinks he's not going to get anything else, he might say, okay, here are my details.

You can send me the money. And then the company might go to the FBI and say, we've identified our hacker. So maybe that has happened. Behzad Mesri is believed to still be in Iran.

It's likely he's beyond the reach of American authorities, quite frankly, because of that.

But if he ever takes a little trip to Disneyland or something, he's going to be in a spot of bother, isn't he?
CAROLE THERIAULT
Yeah, well, poor thing.
IAIN THOMSON
But no, this is how they catch them. We had the son of the Russian politician who was running the credit card database.

He was arrested in the Maldives, which doesn't have an extradition agreement with the US, but for some reason he was expelled.

The US lent on the local government, he was expelled from the country and then picked up immediately and flown to Guam by American agents.

So I mean, there are ways around this, but yeah, as long as he stays in Iran, he's not going anywhere.
CAROLE THERIAULT
So basically they're saying, we want to arrest you but we can't get you, so, but we got our eyes on you. And they've publicly announced that they think he's the one who signed it.
IAIN THOMSON
Yeah. If he shows up in any airport, then whether they have the US extradition treaty, he's toast.
GRAHAM CLULEY
Yeah. It has seriously curtailed his future holiday plans. There's a message to all you hackers out there. Watch out.
CAROLE THERIAULT
Yeah. Poor Mr. Varshat.
GRAHAM CLULEY
You're so juvenile, Carole. Iain, what's your topic this week?
IAIN THOMSON
For the last 6 to 9 months, I've probably had to write 1 or 2 stories a month about somebody finding an open Amazon S3 bucket packed full of really useful information.

And 9 times out of 10, it hasn't even been accessed by an outside thing. But I'm just getting a wee bit sick of writing these stories.

And then we had the really big one on Friday, which was terabytes of data from the US military.
CAROLE THERIAULT
Oh no.
IAIN THOMSON
Basically, the US military runs a social media monitoring campaign that goes under the name of Coral Reef, which seeks to find basically angry teenagers in countries where terrorism is growing and sort of check what they're doing on social media and try and sort of steer them away from certain sites.

That certainly seems to be the gist of it, although we're still waiting from the US military for comment. Anyway, this obviously gets huge amounts of data.

Just one of these buckets had 1.8 billion social media scrapes, organized within a searchable format.

So yeah, terabytes of compressed data just left wide open on the web for anybody who was happening to pop along to find, and not even well hidden.

It was named CENTCOM and PACCOM after Central Command and Pacific Command. This is not deep camouflage from the US military.

So as I say, it was available, it shut down, and it's about time companies really did something about this because I'm sick of writing this stuff and it's a major security hole.
GRAHAM CLULEY
This is something which they left publicly accessible to anyone to find without even a password in front of it, right?
IAIN THOMSON
Oh yeah, totally. All you had to do is get a free AWS account and you can go looking.
CAROLE THERIAULT
So is this just lack of knowledge? Do you think this is just lack of IT security knowledge within this group?
IAIN THOMSON
I think actually it's more laziness. If you've got the skills to set up an S3 bucket, you've got to know about basic security.
CAROLE THERIAULT
Yeah.
IAIN THOMSON
You've got to, you know, it's not rocket science, but at the same time, you've got to have a certain, it's the kind of skills you'd expect from someone with 1 or 2 years in an IT department could set this up, although quite frankly, you could learn how to do it in 20 minutes.

But just getting an account, anybody can do.

What they've done to actually find this stuff is built scripts to search for S3 buckets and their open S3 buckets and then looking inside them.

And it's that kind of automation of it that should make anybody who's leaving this open very worried.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
You need another kind of website like Troy Hunt's Have I Been Pwned saying, is my cloud bucket open?
GRAHAM CLULEY
The problem is people wouldn't even use it.
CAROLE THERIAULT
That's the problem.
GRAHAM CLULEY
People aren't even using tools like that to see if they've left this sort of information just lying around on the internet for other people to find.

There's a certain irony here that what this was, was a database of publicly posted social media posts by people around the world who are of interest.

And you can kind of go, weren't they silly leaving their privacy open so anyone could read these things on social networks?

And then the US military has published it itself publicly for anyone to view.
CAROLE THERIAULT
And puts it in order. So you were saying it was all parsed and beautifully laid out so you could search it.
GRAHAM CLULEY
So maybe other agencies around the world can use it.
IAIN THOMSON
I think the problem behind this is that it's just basic human laziness. Now, I mean, Amazon, a couple of weeks ago, we've been on at them about this for months.

A couple of weeks ago, they announced these new security protocols to help protect against this sort of thing.

And that amounted to basically a bright yellow button and a warning screen saying, are you aware you're leaving this bucket open? Now, you both know how well security buttons work.

You just click through to get on with it. You can't get past that human problem.

And presumably somebody left these open so that they could be shared with another member of the team and then forgot to close it off again.

And it's that kind of basic human failing that I think we're going to be seeing again and again.
CAROLE THERIAULT
So basically we're here to feel sorry for you because you have to write about these every month or every few times a month, right? Well, I mean, poor Iain, everyone.
IAIN THOMSON
Come on. I mean, unless we keep on hammering away at this, then nothing's going to change.

And yes, okay, it may be a bit rich for me to whinge about having to write about this, but for God's sake, people, get it together.
CAROLE THERIAULT
See, I'm with you. I'm with you. And it's embarrassing for the military as well. I mean, and the thing is, the information they're making available is not their private information.

It's the information of, probably kids, you know, who don't know better about how to protect their Facebook pages or their other social media accounts.
GRAHAM CLULEY
So, Iain, do you have any ideas as to what Amazon should do to defend these buckets better?

I mean, they do have these warning messages, like you said, they've put together advisories and things on their site.
CAROLE THERIAULT
Enforce 2FA.
IAIN THOMSON
I agree with you totally. It should be two-factor on everything all the time without question and, you know, head for three if you possibly can.
GRAHAM CLULEY
But there are times, of course, it's understandable that people might want to temporarily open up some of these data vaults for sharing with colleagues and so forth.

And I wonder whether there should be an option for make it public for an hour or, you know, and after an hour, then it goes back to private or something like that.

I mean, I wonder if that would be a good safety net for some of these organizations.
IAIN THOMSON
I think that's an excellent idea. The idea of a timed session works very well indeed.

I mean, I spoke to Chris Vickery, who's been finding a lot of these over at UpGuard, and he was saying the only solution really is to enforce a total lockdown.

You can't leave open buckets, but that would cut massively into Amazon's profits and would piss off a lot of users. So the timed session is a great idea.

Two-factor is a must, an absolute must.
CAROLE THERIAULT
And I have another one to add on that. So what about the default settings?

A lot of times default settings in these situations tend to be less than what I would recommend as secure, just to simplify the installation and getting up and running.
IAIN THOMSON
I think that's a very good idea indeed. I mean, it's all about trying to minimize the stupidity of humans.

And you know, we get lazy, we get sloppy and, you know, get the defaults in, just insist on a certain level of security.

A lot of companies are worried that this is going to turn people away from their services, but I think once they see the benefits, you know, it's why companies hate spending on IT security because, you know, when it's going well, nothing happens.
GRAHAM CLULEY
Okay, well, thanks for that, Iain. Carole, we'll go over to you.
CAROLE THERIAULT
Okay. So we all know that websites track us. You know, who hasn't searched online for something only to soon see an ad about it in their social media feed or something?

But I bet most of you've never realized how much websites actually can track you. So let me introduce you to a type of third-party script known as session replays.

So session replays are tools that are traditionally used by web developers to help improve the page during testing phases.

So tools can help you audit or fix a bad or confusing webpage, specifically pages forms where you would input sensitive information, or you might make a purchase.

Pages are considered quite important and you want to make sure that you get them right. But what would happen if these session replay tools were used on a live site?

So session replays effectively record everything that occurs during a session. It's almost a live recording of everything that happens on your screen.

So it can see what you see, what you type and delete, where your mouse goes, where you click, and what's even displayed on the page.
GRAHAM CLULEY
Oh, but that sounds an absolutely wonderful invention. That's exactly what I'd want when I'm browsing the web. I wish every website would do that.

I expect you're going to tell me that hardly any websites are doing this. Is that the story, girl?
CAROLE THERIAULT
To be clear, imagine, for example, Graham, you were looking at a mortgage application, right? Or a health insurance page or your credit rating.

So everything that's even dynamically displayed on the page can be recorded as well as anything you input on that page, even if you input something and then change your mind.

So how often has it ever happened to any of you guys that you've put your password into the wrong field in a form, or you've pressed paste expecting something to be pasted in and actually you've pasted in something really, really private in an address field, for example, on a webpage?

Does that happen?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Well, that gets recorded as well.
IAIN THOMSON
It's happened much more to us than we'd like to admit.

But the fact that this was even created is just, you know, you can understand the reason for it, but leaving it around for people to use, it's a time bomb just waiting for someone to take it up and run with it.
CAROLE THERIAULT
Well, you're predicting what's happened. Okay. So none of us would like this. It's not good. And surely no reputable website would ever have this installed on their live site, right?

Definitely.
GRAHAM CLULEY
No reputable website, no, absolutely none, which is the good news. Sorry.
CAROLE THERIAULT
Three researchers at Princeton Center for Information Technology Policy, or CITP, looked to see if they could find evidence of one or more of the seven most popular session replay companies.

Okay, this is people like Yandex, FullStory, Hotjar, User Replay, et cetera.

And to see if they were actually installed on popular live sites, and they found that 500 of the top 50,000 most popular sites, according to Alexa, had session replay scripts installed on the live site.

Now, this list includes some pretty well-known names like The Telegraph, Samsung, ancestry.com, AVG, CBS Sports, Skype, WordPress, Microsoft, and Adobe. There's a lot of them.
GRAHAM CLULEY
AVG, the security and privacy firm.
CAROLE THERIAULT
Yes, wait, wait. Now, there's two things here.

In one, they list both people that have these session replays installed, but they also could detect if the session replay was actually running during their visit to the page.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Of course, it could be installed but not active.
GRAHAM CLULEY
All right. Yes. Yeah.
CAROLE THERIAULT
A website, for example, would maybe not want to test everyone that visits their website. They may just want to test an hour's worth of traffic, right?

Or traffic that comes from a particular geolocation.

However, when they were doing their research, they actually found evidence of session recording on Costco, Comcast, HP, iStockphoto, and Norton, that other well-known security company.

Pretty shocking.
GRAHAM CLULEY
Oh dear, Peter Norton, you've let us down again.
IAIN THOMSON
I say Norton lets everyone down the second they use it. It's more pernicious than herpes and it just doesn't do that much.
CAROLE THERIAULT
And over to our sponsors, Norton.
GRAHAM CLULEY
Yeah, there we are. Don't think they'll be calling this up.
IAIN THOMSON
Bugger, really? Are they a sponsor?
GRAHAM CLULEY
No. No, no, no, no, no. We can avoid that.
IAIN THOMSON
Oh, thank God.
GRAHAM CLULEY
And they won't be in future either.
IAIN THOMSON
Okay.
CAROLE THERIAULT
So of course, replay services do offer a combination of manual and automatic redaction tools that allow publishers to exclude sensitive information from recordings.
GRAHAM CLULEY
Well, thank heavens for that, because I imagine these tools are being used completely responsibly and there's no personal or sensitive information being passed on to third parties.

And that—
CAROLE THERIAULT
That's exactly right. Now there's a few problems here too. Problem number one is why don't you guys take a look here at the default settings for these replay services.

So I've put together, you know, a little chart in front of you to show you.

Now all the ones that are blank is information that by default is sent to third parties when the form is filled in.

Do you see social insurance number is cleared for anyone to see in FullStory, Hotjar, Yandex, and SmartLook.
GRAHAM CLULEY
Carole?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
This says the data is sent in the clear as well. So this data isn't being sent in some sort of encrypted form?
CAROLE THERIAULT
Exactly. It is sent in the clear, and that's part of the problem.
IAIN THOMSON
Part of the problem? That's a massive, massive problem. I mean, we've been beating up companies about this for years.
CAROLE THERIAULT
Maybe we can tweet out this image as well from these researchers.

But you can see here that name, email, phone number, address, Social Security number, and date of birth is in the clear sent to third parties for 4 of the 7 people they looked at.
GRAHAM CLULEY
Although we have to say, since Equifax, everyone's got everyone's Social Security number anyway. So don't worry about it, guys. Who cares? Anyone who wants it has got it.
IAIN THOMSON
The minute you read out this list, I was just like, nope, nope, nope. OK, we're all screwed.
CAROLE THERIAULT
Exactly. Now, there are a few things we can do here. There are a few things.

One thing, since this research has been published, Walgreens and Bonobos, these were two sites that actually were actively collecting information at the time of the testing, have publicly stated, we are getting rid of this and we take privacy very seriously.

So it kind of gives me the impression either they're freaking out because of the PR snafu or they actually didn't realize it was happening.

They didn't actually read the small print.
IAIN THOMSON
I think basically both.
CAROLE THERIAULT
Yeah, probably. Now there are a few things that you can do at home. You can use do not track and ad blockers.

So I believe that according to Motherboard, Adblock Plus is now protecting you against all of the listed companies that were doing session tracking.

You might also want to refuse to engage or do any mouse movement at all on non-HTTPS websites because then of course any information that you put in there is not encrypted.

And web developers out there, just check your site. If you're not sure you're running any of these session replays, take a look on your live site.

And if you are, raise the alarm because from a compliance point of view, this is a big no-no and GDPR is around the corner.
GRAHAM CLULEY
So, and because it's always possible, of course, that some past web developer put this onto your site.

Now he may have left the company and it's just been lurking there for months or years and you're unaware that it's running in the background and doing all these things.

You know, some marketroid may have years ago convinced the IT team to install it and it's been long forgotten about.
CAROLE THERIAULT
Exactly. So the responsible thing right now is to go check. And if you do have it running, remove it because it's just really a big no-no.

And I just want to hat tip these researchers at Princeton Center for Information Technology Policy. I think the research is great. And this is part one of the research.

So we're looking forward to seeing what else they have to tell us in the next upcoming weeks.
GRAHAM CLULEY
Boy, oh boy. Well, that's a stonker of a story, Carole.
IAIN THOMSON
It's really fascinating research. And it's these little legacy bits of code that were obviously a good idea at the time but have been left in.

We've seen this with the DDE vulnerabilities with Microsoft as well.

It's all about cleaning up code and, you know, getting rid of stuff which seems on one level quite useful, but when it's—and it is for the short term, but when it's left in for the long term, it can be a major security headache.
CAROLE THERIAULT
Absolutely.
GRAHAM CLULEY
All right, well, thank you, Carole. I think I need some cheering up. I think it's time to find out who our sponsors are this week.

Are you worried that your website might be the backdoor through which hackers can access your information and steal data? Well, if so, you'll be interested in our sponsor today.

NetSparker is a web application security scanner. It can automatically find the flaws in your website security and fix them before hackers can exploit them.

You can try it out right now. Download a demo from www.netsparker.com/smashingsecurity. Smashing Security. On with the show. Bling, bling, bling, bling, bling, bling. And welcome back.

And it's that part of the show which we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
IAIN THOMSON
Pick of the Week.
GRAHAM CLULEY
Yes, it's the part of the show where we all choose something we like.

Could be a funny story, a book we've read, a TV show, a movie, a record, an app, a website, a podcast, whatever we like. Doesn't have to be security related necessarily.

It can be, but it doesn't have to be.
CAROLE THERIAULT
No, it should not be.
GRAHAM CLULEY
And my pick of the week this week. You know, guys, often there'll be a great movie which will be followed up by a less than terrific sequel, right? I'm thinking Speed.

You remember Speed?
CAROLE THERIAULT
Except Shark Attack 3. That was pretty good.
GRAHAM CLULEY
Was it? I haven't seen that one, Carole.
CAROLE THERIAULT
Yeah, you did. I bought it for you.
GRAHAM CLULEY
Oh, the one with John Barrowman?
CAROLE THERIAULT
Yeah, with the great line in the middle.
GRAHAM CLULEY
Oh my goodness. Okay, we'll link to the YouTube clip if it's not safe for work. Speed was followed by Speed 2 Cruise Control.
IAIN THOMSON
Sorry, I'm getting triggered by your mention of Speed 2 because Speed 2 Cruise Control, are you a fan of Speed 2 Cruise Control?

Well, no, basically I went out to an aviation security conference in Indonesia, flew back with Air Kuwait where they actually check your water bottle for alcohol before you get on board because it's strictly banned.

And on an 18-hour flight, the only English language film was Speed 2. And I just, it sends me into a cold sweat just to hear the word.
GRAHAM CLULEY
It's just the idea of a movie about a boat, which is going really quickly. It's terrific.

I can never think of Speed actually without thinking of that Father Ted episode where they have the milk float, which if it goes above 5 miles per hour will explode or something.

Listen to me. There's a bomb on the milk float. A bomb, right? Who's that for? No, you're not supposed to deliver to anyone. It's going to go off and kill you.

Pat Mustard put it there because I got him sacked. When you go under 4 miles an hour, it'll go off. The bomb will go off. Have you got that? Oh God, help!

I don't want to be a milkman anymore. You'll be safe as long as you don't slow down. Oh, Ted, look, it's a big bunch of boxes in the middle of the road. Just stay over 4.

Again, I don't know how our American audience will appreciate Father Ted, but we will.
IAIN THOMSON
Father Ted is absolutely gorgeous. Please watch it.
GRAHAM CLULEY
We'll find it. We're putting a link if we can find it. Weekend at Bernie's, Carole, one of your favorite movies. There was a Weekend at Bernie's 2.
CAROLE THERIAULT
Oh, that's another excellent movie.
GRAHAM CLULEY
Have you seen the sequel?
CAROLE THERIAULT
No, I have not. I got everything I needed from the first one.
GRAHAM CLULEY
Apparently has a sort of voodoo zombie element where Bernie comes back to life. I suspect made it slightly not as good.
IAIN THOMSON
But anyway, he's back and he's drunk.
GRAHAM CLULEY
But sometimes the sequel is even better, right? There was The Godfather followed by Godfather Part II, which was, you know, pretty good, right? Well, they're both amazing. Yeah.

Toy Story followed by Toy Story 2.

In fact, I would argue that Toy Story, even though it has the voice of Tom Hanks, who I can't abide, is possibly the greatest movie trilogy of all time.
IAIN THOMSON
Oh, goodness.
GRAHAM CLULEY
Although it's now a quadrilogy or something, isn't it, I think. But my pick of the week is another sequel. Okay. And it's this.

Look, many films these days, there's lots of sex and violence, isn't there? But there's too much of that, some people say. Personally, I can't get enough of it. I love that stuff.

But when I'm fed up with flesh, I'm not afraid to turn to fur. And so I—
CAROLE THERIAULT
I knew you were a furrvert. I knew it.
GRAHAM CLULEY
I, this weekend, saw Paddington 2. And I have to report it's rather good.
CAROLE THERIAULT
The first one was good.
GRAHAM CLULEY
Well, I am going to have to disagree with you, Krum, because the first Paddington, although it had the capability of being good, was marred by the character of Nicole Kidman, who wanted to stuff Paddington Bear because she was a taxidermist.

And I thought her character was entirely unnecessary, and it should have been just a simple plot involving a bank robbery or something like that.

Because I took young children to see the original Paddington. They did not like that at all.
CAROLE THERIAULT
Oh, they were a bit too young for it?
GRAHAM CLULEY
They were possibly a little bit too young for it. And I just thought it— I didn't enjoy it either. I was a bit, you know, a bit scared. But Paddington 2 has a great cast.

It's got Hugh Grant, who's playing a part without umming and erring his way clottishly through his usual character. And he's doing something a little bit different.

It's got fantastic cinematography, great production design. There's nothing scary going on about it. I mean, family-friendly, apart from the bit where—
CAROLE THERIAULT
Did you fall asleep?
GRAHAM CLULEY
No, I didn't fall asleep.
CAROLE THERIAULT
Not once?
GRAHAM CLULEY
No, not once.
CAROLE THERIAULT
Did you close your eyes for a ridiculously long time and call it just blinking?
GRAHAM CLULEY
I did actually fall asleep. But I only fell asleep for a small part of the movie. But I enjoyed everything which I saw, and then I made a concerted effort to stay awake.

And it was all great stuff for the kid as well, because apart from the bit where Paddington almost drowns, which is probably only suitable for kids rather than middle-aged podcasters.
CAROLE THERIAULT
Okay, let's stop giving away the plot.
GRAHAM CLULEY
But anyway, I loved it. I think it's a really good movie, much better than the first one.

I've got one little quibble about it, which if you guys haven't seen, you can probably still chip in on. Aunt Lucy, who appears in the movie, calls Paddington Bear Paddington.

And my understanding is that Paddington Bear only gets that name after he's discovered at Paddington Station in London. Surely Aunt Lucy calls him or something like that.
IAIN THOMSON
This is why I hate movies made about Paddington Bear.

As a child of the '60s, I grew up watching this on TV and to have it turned into an animated movie, I haven't even dared watch it because so many times Hollywood has taken a big steaming dump on my childhood and I just wasn't prepared to let that happen again.
GRAHAM CLULEY
I'm kind of sympathetic with that. I mean, that is an attitude I normally take, Iain. And the Paddington TV series voiced by Michael Hordern is tremendous.

Yeah, I mean, it is a masterpiece. And if anyone gets the chance to see the Paddington special where he recreates Singing in the Rain—
IAIN THOMSON
Legendary—
GRAHAM CLULEY
It's a wonderful piece of work. But the movie, actually, particularly Paddington 2, not bad at all.

I do dislike sometimes that he isn't wearing his duffel coat and he's effectively naked. I just don't think that's appropriate for a Paddington movie.

I like him to always be wearing it because a man's got to know where his marmalade sandwich is.

But other than that, good movie, and that is why Paddington Bear 2 is my pick of the week. Iain, what's your pick of the week?
IAIN THOMSON
Well, it's— I don't get out to the cinema as often as I should, but I did see an utterly fantastic film, which has not only given me a bunch of annoying earworms for the last couple of weeks because the soundtrack is so good, but also it has ruined me for car chase movies forever.

It's Edgar Wright's Baby Driver, and it's— they've stuck the first 6 minutes up on YouTube, and I can quite understand why because it's an amazing scene, but it just blew me away.

It takes all the best epic parts of Spaced, of Shaun of the Dead, and chucks it into an action movie format. And beautiful visual scenes as well.

I sincerely recommend people check this out.
CAROLE THERIAULT
Okay. It's definitely on my list now. It sounds perfect.
GRAHAM CLULEY
I've heard Baby Driver's good, but I don't know anything about the movie. What's the basic premise of the film?
IAIN THOMSON
It's your standard robbery flick gone wrong. There's a teenage driver who has tinnitus and so has to listen to music the whole time.

But it's that melding of soundtrack and visual effects.

If you remember Shaun of the Dead, when they're in the pub and the Queen comes on the jukebox and they're trying to kill the zombies.

Imagine that spread over 120 minutes of car chases and robberies, and you've got a pretty good idea of where you're going, and it's well worth the trip.
GRAHAM CLULEY
Sounds fantastic. Well, I think we've covered both ends of the movie genre there, haven't we, with Paddington 2 and Baby Driver as well.

I'm looking forward to it appearing on Netflix or something like that, because I think it's no longer at the cinemas here in the UK. But I'd like to catch up with it soon.

Carole, what's your pick of the week?
CAROLE THERIAULT
I had a birthday recently, and one of my presents was a flash from the past, people, a Mathmos lava lamp. And it's a real classic beauty. I love it.
GRAHAM CLULEY
Like you, Carole. Like you.
CAROLE THERIAULT
Ah, thanks.
IAIN THOMSON
You charmer, you.
CAROLE THERIAULT
Now it seems I am not alone in my love for the lava lamp. Cloudflare earlier this month issued a video where they use lava lamps to help them generate random numbers.

They've got this wall of lava lamps called the Entropy Wall, and they video the lava lamps' movement and then turn the images into unpredictable data, which helps them create keys that encrypt the traffic on the Cloudflare network.

Kinda cool.
GRAHAM CLULEY
Oh, that is cool. 'Cause it's always difficult, of course, making up random numbers, isn't it?
CAROLE THERIAULT
Well, yeah, 'cause lots of people are, why don't you just write an algorithm? But then algorithms could potentially be hacked, right? It's not.
GRAHAM CLULEY
Well, it may not be random enough, but if you have some sort of natural element which is helping to seed the random number generator, then that sounds a pretty cool thing to do.
IAIN THOMSON
It's amazing how nature can provide these kind of randomness that we can use in everyday science.

I mean, if you look at sort of the emissions of pulsars or quasars and, you know, the way that this can be used to help augment the GPS system, nature, it seems, still has the edge on technology in some regards.
CAROLE THERIAULT
Oh yeah. When it comes to randomization, definitely. They should just use snowflakes. I guess they'd melt though. They'd have to be in a really cold room.

It wouldn't really work at all.
GRAHAM CLULEY
But other than that, perfect.
IAIN THOMSON
Well, I know they keep server centers fairly cold, but that's going a wee bit too far if you're looking for a password.
GRAHAM CLULEY
It's a cute little video, Carole. It's made by Tom Scott, who's made loads of great geeky videos.
CAROLE THERIAULT
Yes, that's true. I should have said that.
GRAHAM CLULEY
Okay. Well, thank you, Carole Theriault, for that marvelous pick of the week and happy birthday from all of the Smashing Security listeners.
IAIN THOMSON
Happy Solar Orbit Day.
CAROLE THERIAULT
Thank you.
GRAHAM CLULEY
No, really, seriously, it's quite an achievement.
CAROLE THERIAULT
Don't keep getting as old as me.
GRAHAM CLULEY
It's quite an achievement reaching 50 and looking this—
IAIN THOMSON
Don't go there. Seriously, don't go there, Graham. You know for a fact this is her 20th.
CAROLE THERIAULT
29. I can say I'm closer to 29 than to 50, but thanks, Graham.
GRAHAM CLULEY
Listen, chaps out there, if you want to follow us, you can follow us on Twitter. You can find our Facebook group on surprise, surprise, Facebook as well. And we have swag.

You can buy a t-shirt by visiting smashingsecurity.com/store. Thank you very much, Iain, for joining us on the show today.

Where can people find you and check you out or follow you on social media? What's the best place that people can find out what you're up to?
IAIN THOMSON
Well, you can always find me on the Register. You can get me on Twitter under Iain Thomson, but be aware that my parents were bastards, so it's spelled I-A-I-N-T-H-O-M-S-O-N.
GRAHAM CLULEY
If you know someone else who you think might like Smashing Security, go and tell them about it, and maybe they'll listen as well.

If you don't know anybody else at all in the universe, then just go to Apple Podcasts and leave us a positive review, and we'll be very, very appreciative about that.

And you can catch up with past episodes at smashingsecurity.com. Until next time, cheerio, bye-bye.
CAROLE THERIAULT
Stay secure out there, guys.
IAIN THOMSON
Always be paranoid.
CAROLE THERIAULT
May I say thank you, Graham? Graham, thank you very much for my Smashing Security mug for my birthday present. I appreciate it.
GRAHAM CLULEY
It wasn't just a mug, was it, Carole?
CAROLE THERIAULT
Oh no, it had Maltesers in it, my Smashing Security mug which I hate. Thank you.
GRAHAM CLULEY
What a prince. Unfortunately, you don't like Maltesers. But I'm sure someone will appreciate it.
CAROLE THERIAULT
Yes.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Iain Thomson – @iainthomson

Show notes:

Sponsor: Netsparker

Netsparker is a web application security scanner that can automatically find security flaws in your website and fix them before hackers can exploit them.

If you want to automatically check your web applications for cross site scripting, SQL Injection & other vulnerabilities and coding errors that can leave you and your business exposed to malicious hacker attacks, then you need NetSparker.

Try it out now by downloading a demo from www.netsparker.com/smashing

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
