Smashing Security podcast #204: Green buttons, Olympic attacks, and… an apology

Industry veterans, chatting about computer security and online privacy.

Graham Cluley
There’s been a cybersecurity goof in the wake of the presidential elections, the US fingers the hackers responsible for disrupting the Winter Olympics in South Korea, and we take a long hard look at long hard legal mumbojumbo…

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Jack Rhysider from Darknet Diaries.

Plus don’t miss our featured interview with Mimecast’s Danielle Papadakis.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Hey everybody, it's Carole Theriault from Smashing Security. This is a shout-out to just a handful of our incredible Patreon supporters.

This week's shout-out goes to Dimitir, Brendan Cawhey, Glenn Wilson, Harry, Bravo Whiskey, Wesley van de Kamp, Anders Hansen, Ray Redacted, Graham's Delicious Cucumbers, and Dave.

Thank you all for your support. It means the world, and it helps us create this show week in, week out. And we love you.

If you want to join these amazing Patreon supporters, visit smashingsecurity.com/patreon, and you'll get all sorts of goodies like stickers and episode bonuses and even a letter from Graham and I.

Now let's get this show on the road.
JACK RHYSIDER
No, you gotta balance it. Should we have a big tech company collecting all the data? They'll do it bona fide.

Or should we just roll it ourselves and just put our flag to the wind and say, oh, we've never done this before, but let's give it a try.

It's not like the whole world might start attacking it.
Unknown
Smashing Security, Episode 204: Green Buttons, Olympic Attacks, and an Apology with Carole Theriault and Graham Cluley.
GRAHAM CLULEY
Hello, hello, and welcome to Smashing Security, Episode 204. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault, and this week we are joined by a returning guest. It is a star of, well, a superstar podcast.

It's Jack Rhysider from Darknet Diaries. Hello, Jack.
JACK RHYSIDER
Hi, it's also such a trip to be here because just 3 years ago, I used to just listen to your show and read your blog.

I was in a totally different league than you and here I am with you. It's so weird.
GRAHAM CLULEY
No, no, no.
CAROLE THERIAULT
You're beyond us. You're wearing gold, a gold suit, I bet right now. Yeah, with a diamond tie.
GRAHAM CLULEY
It's very kind of you to say that we're in the same league, but I think that's not quite true anymore.
JACK RHYSIDER
It's just a trip to be here, but thanks for having me. I'm glad to be here.
GRAHAM CLULEY
I'm sure everybody who listens to Smashing Security has heard of Darknet Diaries, but if you haven't, it's, well, it's a stellar podcast.

You don't have to be into computer security to enjoy it. It's, well, how would you describe it, Jack?
JACK RHYSIDER
Yeah, I mean, I'm a slow news junkie, so I'll take a story that was 4 or 5 years ago and say, all right, give me all the updates. Who did this? What happened? What was the punishment?

How did they figure it out? What was the forensics involved? And then I'll cover that from beginning to end. So while you're covering the latest news, I'm covering the oldest news.
CAROLE THERIAULT
Yeah, I like that. Slow news junkie. I've never heard that sentence before. I like that phrase. It's good.
GRAHAM CLULEY
Very cool. Carole, what have we got coming up on the show this week?
CAROLE THERIAULT
Well, first, let's thank this week's sponsors: Mimecast, Qwil, and LastPass. Their support helps us give you the show for free.

Now, coming up on today's show, Graham tells us about an election vote wrinkle. Jack heads to the courts where 6 Russian operatives might face some cyber heat.

And I will, well, apologize. Plus, we have a featured interview with Danielle Papadakis. She's a project manager at Mimecast.

Now she'll tell us about some sneaky trusted brand hijacking scams and how they can be avoided. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, it may well have escaped your notice, but there's been something going on in the United States.
CAROLE THERIAULT
Are we allowed to talk about it now?
GRAHAM CLULEY
I think we are. We didn't talk about it last week, but I think now it's safe for us to come out, emerge from our shells.
CAROLE THERIAULT
Well, if you give me a fiver, carry on.
GRAHAM CLULEY
Jack, there's been a presidential election, right?
JACK RHYSIDER
Yeah, I did hear that, yes.
GRAHAM CLULEY
Yeah, and a winner has been chosen. In fact, both sides have chosen a winner. They haven't chosen the same winner, but winners have been declared on both sides.

And of course, it's created quite a kerfuffle about the vote and whether all the votes were legitimate or not.

And as I'm sure everybody around the world has been following with rapt interest or incredible tedium.

The Republican Party, of course, Donald Trump's party, have been claiming that there may have been some shenanigans going on with the voting.
CAROLE THERIAULT
I don't believe it.
GRAHAM CLULEY
It's hard to believe, isn't it? It's hard to imagine. But yes, that claim is being made. And as a result, they're claiming that Joe Biden isn't the right guy to be elected president.
CAROLE THERIAULT
So Trump, at this stage, at time of recording, has not basically stood down and said, 'All right, fair and square, Biden, you've won.

You're taking over the reins.' That has not happened yet.
GRAHAM CLULEY
I don't think that's likely to happen for at least 25 years, to be honest. I don't think even—
CAROLE THERIAULT
Or ever.
GRAHAM CLULEY
No, I don't think even if he had another term, I'm not sure he would ever actually consider himself no longer to be in charge of the place.

But yes, he, at the time of recording, has not said that, 'Yeah, okay, well done, Joe.' Even though all the press has. Well, most of the press have, yes, yes, virtually all of it.

And there's been this focus on particular parts of the United States.
CAROLE THERIAULT
The swing states.
GRAHAM CLULEY
Yeah, the swing states. And of course, those states are made up of different counties.

And one of the counties which, if you were like me, I stayed up very late here in the UK, which was crazy because I knew we weren't going to get a result that evening, but I stayed up late watching the TV news networks just mocked me when I said I might stay up late.
CAROLE THERIAULT
You said, why would you do that? Do you not remember? You're like, I don't know why you do that. It'd be boring. They're not going to find anything out.
GRAHAM CLULEY
Jack, were you tempted to stay up? Did you have a warm cocoa and a duvet?
JACK RHYSIDER
My theory was to check it 3 times a day, once in the morning, once at noon, and once at night, and then play video games for the rest of the day.
CAROLE THERIAULT
See, he's smart. Totally tune out. Can you tell us what you're playing?
JACK RHYSIDER
I just started playing Fallout 4 for the first time, which is a post-apocalyptic game, and it's very good training, I think.
CAROLE THERIAULT
If this pandemic really goes south, you're ready.
GRAHAM CLULEY
Yeah, I'm ready. Well, what's happened now is that the Republicans are beginning to file some lawsuits, claiming that naughtiness has gone on.

And one of the places where they've done that is a place called Maricopa County in Arizona, one of these counties which was taking quite a while to come up with the figures.

According to the lawsuit, what was happening was some voters who submitted their completed ballot, because as we've discussed in our previous episode with James Thompson, in America, it's very common to use voting machines.

And so you fill out a little— is this right, Jack? I presume you voted.

If you fill out a form, you sort of cross and tick boxes and it gets spat into a machine and that reads who you voted for.

Because of course, you're not just voting for one thing, you're voting for umpteen different things, right?
JACK RHYSIDER
Yeah. You have a little black pen and you fill in the bubble and yep, it goes into a machine.
GRAHAM CLULEY
Goes into a machine and the machine interprets that.

And one of the first things it will do is it will try to work out whether you've made any mistakes on the ballot, 'cause you might have filled in too many holes or you may have written something incorrectly.
CAROLE THERIAULT
If it can't interpret it properly, it presumably goes, "Eh-eh." Can I just ask, Jack, are they easy to fill out?

Like, can you see how people might make a mistake in using them, or do you have to be off your face to—
JACK RHYSIDER
They try hard to make it easy to fill out.

Like, you know, okay, this bubble is for this candidate, but in the past, there's been some weird stuff where the lines didn't line up and the bubbles didn't line up and it looked like you were voting for one candidate, but it was for the other.

This year I haven't seen that yet.
CAROLE THERIAULT
Okay. Interesting.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
That would be a problem, wouldn't it?

So according to the lawsuit, what happened on this particular occasion, they say, is that some voters were warned by the voting machine of a facial irregularity.

Now, when I heard the term facial irregularity, I thought, is there a webcam built into these voting machines?

Are they looking at the actual voters and saying, you're too damn ugly to vote? Is there something, you know, have you got a squashed nose or a cauliflower ear?
CAROLE THERIAULT
Were you worried that if you were American, they thought you'd be at risk or something?
GRAHAM CLULEY
Well, according to this lawsuit, a facial irregularity is actually when something is entered incorrectly on the form, right?

So you get a warning, uh-uh, there's a problem with your voting ballot.

But they reckon that what was happening was an error message was being displayed, and they claim this happened frequently when there was an ostensible overvote.

Now, an overvote isn't like an overbite. An overvote is where you voted for too many things, where maybe you filled in too many bubbles, or it looks like that.

So you may have filled in too many.
CAROLE THERIAULT
So it looks like you've voted for two candidates in one section when you're only allowed to vote for one.
GRAHAM CLULEY
Exactly, right, exactly. We've done something like that.

And the lawsuit claims that when this happened to people, the people who were working in the polling station would press a green button, and the green button was marked with the word cast, and that would make the error message go away.

But what it would also mean was that that ballot was automatically disqualified from being adjudicated or reviewed later. Do you see what I mean?

So there would be some sort of confusion as to who you voted for on the ballot, and pressing the green button, as people claim they were told to do, actually said, just go ahead anyway.

And so their vote wouldn't get counted.

Now, the odd thing about this lawsuit from my point of view is presumably this affects people regardless of who you are voting for as president.
CAROLE THERIAULT
Oh, okay, exactly.
GRAHAM CLULEY
It doesn't matter what political party you support, you're just as capable, I presume. You know, there's not going to be a difference in your ability to fill in the form.

I would hope not, at least, right?
CAROLE THERIAULT
Sure, absolutely. Everyone who's listening to this podcast is following you.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Yeah, you've done good.
GRAHAM CLULEY
Yeah. Right. Now, clearly, what is needed is some sort of evidence to support the claims of voting shenanigans, right?

So there's lots of rumors going around, people are talking, and we've even now seen Bill Barr and others sort of saying, right, we're going to properly investigate this because we believe there may have been some naughtiness going on.
JACK RHYSIDER
Yeah, and I've been in a position where I'm getting some fan mail saying, research this one, Jack, you got to get into this, this is, this one is going all the way to the top.

So there's a lot of people sending me tips.
GRAHAM CLULEY
You're a slow news junkie, you need to wait at least a couple of years for this, I'm sure.
JACK RHYSIDER
Yeah, that's all I say.
GRAHAM CLULEY
You could look into the 2000 election, though, couldn't you, with the hanging chads? You could do that one.
JACK RHYSIDER
I was thinking about looking in the 2016 election, but, yeah.
GRAHAM CLULEY
Well, all right, so we need some evidence, and the Republican Party and Donald Trump's reelection campaign, they want some evidence as well.

They want anecdotal evidence from voters that they were pressured into pressing the green button, which may have misconstrued their vote.

And so they have created a website called DontTouchTheGreenButton.com.

Now, as soon as I heard they'd created this website, Don't Touch the Green Button, of course I wanted to go and visit the website, right?

So I tried to visit the website and I got this error message. I got this Amazon Cloud error message. Not a user-friendly message, I have to say.

It just looked like a complete screw-up. And I thought, what have they done with this website? Until I worked out, ah, hang on, I'm trying to access it from the UK.

What if I pretend to be an American? So what I did was I put my spurs on and my big cowboy hat and I jumped on my horse and okay, I just put in a VPN and logged in from America.
CAROLE THERIAULT
Wow. That's really, that's deep dark web stuff here, Graham.
GRAHAM CLULEY
And so then I could access the website and I was able to find out what they're doing on don't-touch-the-green-button.com.

Now, what they're asking is, they're saying, did you vote in Maricopa County? And if you did, what happened? Did people ask you to press the button?

Was there a problem with your vote?

Now, they don't want just anybody going to that site, clearly, but they also don't want anyone submitting evidence if they weren't actually eligible to vote in Maricopa County.

So what they do, quite sensibly, is they make you jump through a number of hoops to prove that you are legitimate, because you don't want — turns out, Jack, there are some troublemakers on the internet who will take an opportunity like this maybe to tell fibs.

So if you just had an open website which asked for evidence of voter fraud, for instance, you'd either have jokers going there or you'll have people trying to say something happened which didn't, right?
JACK RHYSIDER
Yeah.
CAROLE THERIAULT
Sorry, am I— I may have fallen asleep. No, just kidding. Are you saying that the website itself is — is it a fake website?

Or are you saying that people were— it's a bona fide website and people were—
GRAHAM CLULEY
It's a bona fide website. It's a genuine, to use American, genuine website.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And what it does, it asks you for some personal information to prove that you're a voter. So it asks you for your name and address and your phone number and your email address.
CAROLE THERIAULT
HTTPS?
GRAHAM CLULEY
And yes, it is. And I've even looked up on the SSL certificates. They're really up to date. Date of birth. And they ask your last 4 digits of your Social Security number.

And if you're worried about entering any of that, right at the top of the page it says, this site is for voters in Maricopa County to submit sworn declarations about their in-person voting.

And it says, any information you give us may be used in litigation. And it says, don't worry, the Republican Party and Donald J. Trump for President, Inc.

will not disclose any personally identifying information. Inc.? Yes, he has— well, there's obviously a campaign company, right, which has been set up called Donald.

He does like to have his name on things. So Donald J. Trump for President Inc. So he says, you know, we're not going to disclose any information other than what's required by law.

But it asks you all these questions, some really odd questions. Like one of the questions is, did you intentionally vote for too many candidates? For any office.

For example, did you vote for both Trump and Biden, which would be too many presidential candidates? Can you imagine if they were sharing the job?

You know, have one at one end of the desk and the other at the other end. It would be— wouldn't be that good.
CAROLE THERIAULT
Is that your joke? Was that your joke?
GRAHAM CLULEY
No, I'm just— okay, just checking. I'll let you know when a joke happens. Now, you may be asking yourself, what could possibly go wrong with a website like this?

And when I first heard about this website, I thought, oh, people would be putting in fake information or people might be launching a denial of service attack.

Can you think of anything else bad which might happen with a website like this?
JACK RHYSIDER
Yeah, denial of service on the telephone lines if they have one.
GRAHAM CLULEY
Maybe someone could plant some malware on the page, so if people were going there, or something horrible like this.
CAROLE THERIAULT
Was there any malvertising on the site?
GRAHAM CLULEY
No, there's no advertising. You know, they missed a trick there, really. They could have put some sort of sponsored by or, you know, get some cheap hotel stay or something.

But what could possibly go wrong? Well, I'll tell you what went wrong, because there is a Reddit thread which comments that this hastily set up website has some flaws.

So for instance, it had a name field, right? One of the very first things it asks you is, what is your name?

But if you start typing in your name, it reveals a list of previous people who have entered their names on the website.

So, so if your name is Dave, for instance, and you hit the D button, you'll also see all the Dereks and all the Donalds.
CAROLE THERIAULT
And that's pretty early, I think, in the testing of website usage, in my experience.
GRAHAM CLULEY
And it also does it with addresses as well. So it will reveal a list of addresses as you type them. As someone said on Reddit, they said this is a monster of a security hole.

Which can be exploited by anyone worldwide.
CAROLE THERIAULT
Do we have any idea how many people actually went to this website?
GRAHAM CLULEY
Well, it does appear that thousands have, because someone on Reddit mentioned that they wrote a script to see how easy it would be to pull this data down.

So they started with Arnold Aardvark, and they started with the A's, and they started cycling through.

And by the time they got to the first 5,000 entries, they thought, okay, we've done enough, we've proven our point. That it's possible to extract names and addresses from this.

But that wasn't the only problem with this website. This website also was vulnerable to SQL injection vulnerabilities.

So people could not just pull names and addresses, but also dates of birth and the last 4 digits of your Social Security number.
CAROLE THERIAULT
And this was a bona fide website.
GRAHAM CLULEY
This is a bona fide, genuine website. Yes, set up by Donald Trump.
CAROLE THERIAULT
And do we know who's running this? Is this this Inc company?
GRAHAM CLULEY
Certainly someone has been asked to do— I mean, they do have a cybersecurity czar in the name of Rudy Giuliani, of course.
JACK RHYSIDER
You could set up a Google Forms to do all this for you.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Oh, yeah, that'd be a great idea.
GRAHAM CLULEY
I don't think they really want the big tech companies, though, collecting all this data. You can imagine a lot of people— you gotta—
JACK RHYSIDER
No, you gotta balance it. Should we have a big tech company collecting all the data? They'll do it bona fide.

Or should we just roll it ourselves and just put our flag to the wind and say, oh, we've never done this before, but let's give it a try?

Like, you know, it's not like the whole world might start attacking it.
CAROLE THERIAULT
And so has the other side, or the other, you know, the people not behind this, are they saying, guys, don't go to this website? Oh my God, don't go there.
GRAHAM CLULEY
I haven't heard anyone doing that.

I mean, it's quite possible because it wouldn't be hard to spot that something's amiss, is it, when you start entering your name and other people's names begin to appear?
CAROLE THERIAULT
Oh my God, let's try Jeff Goldblum.
GRAHAM CLULEY
Oh my God, was he voting in Maricopa County or not?
CAROLE THERIAULT
Oh yeah, that's right.
GRAHAM CLULEY
In my fantasy, this website was built by Rudy Giuliani, who of course has got the cybersecurity skills.
CAROLE THERIAULT
He's the cyber czar.
GRAHAM CLULEY
He's the czar. He's close to Trump. He would have been able to pull this together with his team quite quickly.
CAROLE THERIAULT
Bash bash bash, no problem, guys, I got it.
GRAHAM CLULEY
And it's not like there haven't been stories in recent weeks about Trump's own passwords.

There was that Dutch researcher, it's fascinating, that Dutch researcher who claims that Donald's Twitter password a while back was 'You're fired.' And then just a week or two ago—
JACK RHYSIDER
Well, hold up, before the— you say claims, but it is clearly that in the LinkedIn data breach, it was 'You're fired.' So it was 'You're fired' in the LinkedIn data breach.
CAROLE THERIAULT
But he got much safer, didn't he, in the next try?
GRAHAM CLULEY
Well, then he made it MAGA2020!
CAROLE THERIAULT
I know, well, why not have your hashtag be your password? That way you don't forget it. Brilliant.
GRAHAM CLULEY
Smart, smart. So I love the idea that Rudy is in charge of this. 2020's been a rough year, right, for many people. And I want to thank Rudy Giuliani for what happened the other day.
CAROLE THERIAULT
What, for showing up?
GRAHAM CLULEY
When he held that press conference at the Four Seasons Total Landscaping Company.
CAROLE THERIAULT
I loved it.
GRAHAM CLULEY
So for anyone who hasn't heard, Donald Trump announced— there may be some people— Donald Trump announced that they were going to have a press conference about vote rigging at the Four Seasons in Philadelphia.

And then there was a follow-up tweet.
CAROLE THERIAULT
He was off golfing though, right?
GRAHAM CLULEY
Yeah, yeah, he was off golfing. There was a follow-up tweet about half an hour later saying, oh, it's actually the Four Seasons Total Landscaping Company.
CAROLE THERIAULT
Which is way out of the city, 30-minute drive out of the city.
GRAHAM CLULEY
In its parking lot between the sex shop and the crematorium. Anyway.
CAROLE THERIAULT
Whoever booked that, you know, it's funny.
GRAHAM CLULEY
If you haven't seen any of this, there's a marvellous tweet by Ross Atkins, who's a BBC journalist, who put together a little 3-minute package all about the Four Seasons crematorium.
CAROLE THERIAULT
We'll put it in the show notes.
GRAHAM CLULEY
We'll put it in the— basically, the gardening company are now selling merchandise with phrases like "Lawn and Order" and "Rake America Great Again," which I think—
CAROLE THERIAULT
Yeah, that's brilliant.
GRAHAM CLULEY
It was a lovely little bit of lightness amidst all the gloom. For those people who are unhappy about how the election may have unfolded, I thought that was quite fun.

So good for them, I thought. Oh, bless him. Okay, onwards, onwards. Jack, what's your story for us this week?
JACK RHYSIDER
All right, so let's back up a minute, right? I want to go back to 2017, and in June 2017, NotPetya hit the world. Do you remember this?

Yes, this was an attack on Ukraine that was ransomware, which took down a lot of the national infrastructure of Ukraine.

You know, schools, libraries, federal buildings were hit with ransomware. The ATMs weren't spitting out money, grocery stores weren't able to process transactions. It was a big deal.
GRAHAM CLULEY
It was spread via a malicious update, some accounting software, wasn't it?
JACK RHYSIDER
You got it. Yeah, so it spread all over because everyone needed to do their taxes with their software. So that's how it was able to spread so fast.

Now it spread outside of Ukraine and it hit Merck and Maersk. So Maersk is the biggest shipping company in the world.

So that global shipping just ceased for the day, or actually a couple weeks, right? Everything was just wiped in their whole inventory and database. Everything was just not working.

But Merck is a major pharmaceutical company in the US and they make drugs. So they were hit.

So when the US got hit, then the US Department of Justice started researching this, right? So that was 2017.

At the end of 2017 were the Winter Olympics in South Korea, and at the opening ceremony of the Winter Olympics, the infrastructure of the Olympics was hacked and everything taken down.

AD servers, the Wi-Fi, that little phone app for where do you go when you're here at the Olympics? Here's your digital pass to get into all the venues, right? It's all gone.

Nothing was working during the opening ceremony. Something hit them. Well, as it turns out, the DOJ announced three weeks ago they know who did it.
CAROLE THERIAULT
Three weeks ago they announced this?
JACK RHYSIDER
Yeah, three weeks ago. So October 19th, 2020, the DOJ indicted six Russian hackers for both of these attacks, NotPetya and the Winter Olympics.

And I think this is a big deal because the Winter Olympics, whoever hacked them... this is a peaceful event. Whoever's doing it should get a firm slap on the wrist.

Hey, you don't hack the Olympics, dude. If this is a government entity—
CAROLE THERIAULT
You're not a dude if you do that.
GRAHAM CLULEY
Why would someone hack the Olympics?
JACK RHYSIDER
Well, so there's a few theories. So first of all, it's South Korea. So who's enemies with South Korea? North Korea, right?

So North Korea could definitely say, we want to show you how much we hate you, we want to make you embarrassed, and hack you, right? So there's that.

But there was one country that was banned from the Olympics that year.
GRAHAM CLULEY
Right.
JACK RHYSIDER
And that was Russia.

And the reason why they were banned was because when they had the Winter Olympics before that in Sochi, they were doping, or actually, they were faking the doping results, all right?

So they had drug testing, and then somebody was on the inside and said, okay, cut that.
CAROLE THERIAULT
Totally clean, totally clean, you can play.
JACK RHYSIDER
You got it. Yeah, totally clean, even though we didn't actually test them.

So a couple years later, after the Rio Olympics, the news came out that these drug tests were faked and we don't know if they were actually clean or not.
Unknown
Yeah.
JACK RHYSIDER
And so the International Olympic Committee banned Russia from the next Olympics, which would have been Winter Olympics in South Korea 2017.

So Russia was not allowed to come to the Winter Olympics in 2017. So this could be a culprit as well. So that's exactly what the DOJ said.

They said the Russians were the ones behind both NotPetya and the Winter Olympics, and they went so far as to give pictures of the 6 men who did this, as well as their names and I think even rank in the GRU, which is their intelligence unit in Russia.

And yeah, I think this is a big deal because if a government entity hacks the Olympics and doesn't get a slap on the wrist, like, look, we know you did it, you got to stop this, then what is that going to do for the next Olympics, right?

If there's no repercussion whatsoever. And so I think this is a big deal for the DOJ to say, hey, we caught you.

Now, of course, they didn't actually catch these hackers because they're in Russia, but for them to say, look, we know you did it, stop it, I think is going to be quite a deterrent.
GRAHAM CLULEY
And quite an interesting time for them to do it as well, wasn't it?

So this was sort of mid to late October that this announcement was made, which of course was only a few weeks before the election.

Do you think there was maybe some ulterior motive of doing it then, perhaps to tell Russia hands off, don't mess around too much during the election as well?
JACK RHYSIDER
It was great. They gave a 45-minute-long press conference of the different people involved with this investigation.

And that was one of the questions was, why is this 3 years after the fact that you're now finding out who did this and coming out with this news?

And they said, you know, we didn't have a full picture before and now we do.

And now that we can firmly point our finger and have enough evidence, you know, and what this indictment means is if they could bring these people to court, they have enough evidence that they think they can find them guilty.

And so, you know, they say now we have enough evidence to do this. So they're just saying they didn't have enough evidence before that and there wasn't any extra story behind it.
CAROLE THERIAULT
It must be hard because, you know, there's a lot of people saying, oh, but it's the Russians. It's something you read a lot of in the press.

And I imagine in these cases, to pull all that evidence together can't be simple, it can't be straightforward.

I'm sure people are covering their tracks if— were it the Russians, right?
JACK RHYSIDER
Yeah.
CAROLE THERIAULT
Or North Korea, for that matter.
JACK RHYSIDER
They're— yeah.
CAROLE THERIAULT
And they're—
JACK RHYSIDER
It's like a 45-page indictment, so there's lots of evidence in there.

And, you know, the thing is that the DOJ has access to extra information that an independent security researcher wouldn't.

So the whole security community thought this was Russia that hacked NotPetya and the Winter Olympics, but there was no firm finger-pointing from the US government.
GRAHAM CLULEY
Mm-hmm.
JACK RHYSIDER
And so what the NSA and US Cyber Command has is the ability to hack the hackers and get into their computer.

And some of these pictures actually look like they could be webcam shots.
GRAHAM CLULEY
Yeah.
JACK RHYSIDER
And in fact, there was the time they actually mentioned this in the press report that after NotPetya was hit and all of Ukraine was down, the Russian hackers were celebrating.

And it's really interesting they said that because how did they know that these hackers celebrated?
Unknown
Yes.
CAROLE THERIAULT
Does NotPetya mean anything? I can't, I seem to remember it did, but I can't remember what it, for the life of me, what it was.
GRAHAM CLULEY
Well, there was another piece of ransomware called Petya, wasn't there?
CAROLE THERIAULT
Mm-hmm. Yeah. Oh yes.
GRAHAM CLULEY
Yes. Initially there was confusion as to whether it was Petya, which was hit in Ukraine.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And is that right?
JACK RHYSIDER
Yeah. We thought it was Petya at first, but then it turned out to be a variant. So we said, well, it's not Petya.
CAROLE THERIAULT
Yeah. If only we had the automated vulnerability naming convention for the— yeah, we could have it for malware as well. It could be called something crazy.
GRAHAM CLULEY
Yeah.
JACK RHYSIDER
So the question is, now that we know Russia actually hacked the Winter Olympics and they're already banned from the Olympics for— it was a 4-year ban.

Is this going to increase that ban?
CAROLE THERIAULT
Well, I imagine they're not going to be able to actually catch these 6 people.
JACK RHYSIDER
They're working for the Russian GRU right now.
CAROLE THERIAULT
Yeah, it's like, give me those people or you're going to be banned for 10 years. But there's an international group here that gets to decide, and so far they're saying no Russia.

So I can't see why it wouldn't continue after there's proof.
GRAHAM CLULEY
But I don't know if they should be banned. I think they should be allowed to take part in the Olympics but be humiliated instead.
CAROLE THERIAULT
No, but you know what else? Actually, it's not the athlete's fault. That's the other thing. It's not the athletes.
GRAHAM CLULEY
Oh, oh, oh, Carole, this is what they should do. This is what they should do. Right, so you're quite right, the athletes, it's not their fault.
CAROLE THERIAULT
And they've worked a long, hard, since they were young, young.
GRAHAM CLULEY
Maybe what they should do is they should say to the Russians, you can participate, but you have to send your computer nerds and your hackers to participate.

So they have to be the ones who do the 1500 meters.
JACK RHYSIDER
And then they can catch them when they get there. There should be a hack-off at the Olympics.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, well, I'm opening with a confession.
GRAHAM CLULEY
Aha, finally.
CAROLE THERIAULT
Do you want to guess what it is, Graham?
GRAHAM CLULEY
There's so much.
CAROLE THERIAULT
I think I've been putting a bit too much pressure on a type of person, the average device user.

You know how I go on and on and on about terms and conditions and everyone should read them.

And, you know, people should take time to take in that information before making a smart tech purchase, you know? Yeah, exactly. Yawn, yawn, yawn. And you know what?

I'm actually sorry. I'm sorry.

My intentions were always in, I think, the right place to this point in time, but I was putting the onus on the user to make sure that a device does what it says it will do.

Like, imagine buying a sandwich, for example, at a corner store, right? And it comes with a leaflet of ingredients.

You'd probably think, well, I'm not allergic to anything, so who cares? It's ham and cheese, rock on.

But what if inside it said in tiny font, you know, 50,000 nanobots are included here and will be activated by stomach acid? You'd want to know, right? You'd want to know.

All I'm saying is people should have the right to expect that something reasonably does what it says it will do without having to read the terms.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
And some new research from a company called Think Money drives the point home rather well. So we're going to have a little quiz.
GRAHAM CLULEY
Okay, quiz. Excellent. We love a quiz on the show.
CAROLE THERIAULT
Yes, we do. So this, it's all about, you know, finger in the air time. How many apps were downloaded worldwide in the past year?
GRAHAM CLULEY
So you're talking about everyone's phone. So maybe if my phone had downloaded 100 apps, that's 100, and everyone else's phone and I don't know if it's just phones.
CAROLE THERIAULT
I think you should just go apps. I think you should go apps.
JACK RHYSIDER
I'll say 2 billion.
CAROLE THERIAULT
I'm going to say you're wrong and you're too low. So Graham, you have that as a hint.
GRAHAM CLULEY
6 kajillion.
CAROLE THERIAULT
You're a bit high.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
Or nonexistent. 204 billion apps. 26 times the population of Earth. And £193 billion or $120 billion spent in doing so.
GRAHAM CLULEY
So everyone downloaded the equivalent of 26 apps.
CAROLE THERIAULT
Yes.
JACK RHYSIDER
Right.
CAROLE THERIAULT
And some people obviously downloading hundreds over that period of time. And they feel that the downloads of these apps have increased dramatically in 2020, up 40% year on year.

And we all know why. And the problem that they have is that, of course, the vast majority of consumers don't read their Ts&Cs, right? Their terms and conditions.
GRAHAM CLULEY
Of course not.
CAROLE THERIAULT
90% in a study of EU users say they don't read it, and 97% of Americans agree that terms and conditions, you know, they don't, they just bypass.
GRAHAM CLULEY
And the rest of people are just lying about not reading them, right?
CAROLE THERIAULT
Well, except for me. I'm the only one in the whole wide world.

So Think Money, this company, decided to see what the terms and conditions were for the 13 most popular UK apps currently available.
GRAHAM CLULEY
Right, so we've got a list here of how many... 13. These are the most popular downloads, are they?
CAROLE THERIAULT
So these are the 13 most popular apps that are downloaded in the UK.
GRAHAM CLULEY
All right, okay.
CAROLE THERIAULT
Now I put at the top, just for our listeners, right? So at the top we have our kind of social apps. So it's Twitter, Facebook, WhatsApp, YouTube, TikTok, Instagram.

Then we have kind of worker apps. There's a group of Zoom and Google Meet, and then there's Slack, Messenger, Gmail, and Microsoft Teams.

And one that I forgot to put there, there's also Candy Crush.
GRAHAM CLULEY
Is that still going?
CAROLE THERIAULT
Yep, that's one of the tops.
GRAHAM CLULEY
Goodness.
CAROLE THERIAULT
So of these, which one do you think had the longest terms and conditions?
GRAHAM CLULEY
Let's just take a wee look now.
JACK RHYSIDER
Facebook.
GRAHAM CLULEY
I'm going to say Slack.
CAROLE THERIAULT
Interesting. So I can tell you that Facebook is one below Slack.

So Facebook includes almost 9,000 words in its privacy and terms and conditions, takes an hour and 9 minutes to read, right?

And Slack is 9,800 words, which takes an approximate 1 hour 18 minutes to read.
GRAHAM CLULEY
Okay, so I'm slightly ahead of Jack at the moment.
CAROLE THERIAULT
Yeah. And there's 5 ahead of those.
GRAHAM CLULEY
All right. So we've got to find one which is more than these 2. Okay, so—
CAROLE THERIAULT
I'd love the first 3 if you can get them.
GRAHAM CLULEY
Google Meet.
CAROLE THERIAULT
The lowest of the group. But you know what? I'll give you a hint. I think I know why. Because I think Google, because of the way it works, I think they have an uber agreement.

If you have a Google account—
GRAHAM CLULEY
Right. Oh, I see.
CAROLE THERIAULT
You see? So I think they get rid of a lot of stuff that way. So I think it's a false representation that Google doesn't have a lot of...
JACK RHYSIDER
Yeah. So it must be Microsoft Teams then.
CAROLE THERIAULT
Yes. Well done. Number one.
JACK RHYSIDER
Microsoft has always been convoluted in their messaging.
CAROLE THERIAULT
Yes, I agree. I wouldn't say high on the readability score. So 18,282 words, 2 hours, 27 minutes to read. Number 2, I'm not going to tell you right yet. Number 3 is TikTok, right?

It takes an hour and a half to read. And number 2, last guess anyone? Go wild card.
GRAHAM CLULEY
Is it Candy Crush?
CAROLE THERIAULT
It is Candy Crush. 1 hour and 53 minutes to read 14,000+ words.
GRAHAM CLULEY
I've never played Candy Crush because I've been— for the same reason I've never taken heroin. I just thought it would be a bad idea. But what on earth can it be warning you about?

Surely it's just a game, isn't it?
JACK RHYSIDER
There's a lot of money exchanged in Candy Crush.
GRAHAM CLULEY
Is there?
JACK RHYSIDER
Mm-hmm.
CAROLE THERIAULT
Well, you buy tokens, right? You buy certain— you buy things to allow you to play longer or you get timed out for the day.
JACK RHYSIDER
Yeah. So I'm sure people have spent thousands of dollars and then called their lawyer and said, listen, this is— this is baloney.

I don't think I should have to pay $1,000 for this game. And then their lawyer says, yeah, the T's and C's.
CAROLE THERIAULT
Yeah, this is baloney.

If you add up all these 13 apps, right, all their T&Cs and their privacy agreements, it adds up to 128,415 words, which is 3 times the size of a novel and/or 30,000 times more words than J.R.R. Tolkien's The Hobbit. So put that in your pipe. Then the next thing that they looked at was which ones required the most permissions. Of this list. Do you want to have a crack?

One each.
GRAHAM CLULEY
TikTok?
CAROLE THERIAULT
No, no, TikTok's at the lowest with 26 permissions.
JACK RHYSIDER
That's surprising. Then I'll say Facebook once more.
CAROLE THERIAULT
Oh, good one. Facebook's number 2 with 45. Number 1 is Messenger. What can be done is the question, right?

Because the thought that, you know, what I was thinking when I was reading this is Facebook says, oh, you have to be at least 13 to be a member of our Facebook, you know, society.

And I'm thinking a typical 13-year-old shouldn't be thought that she could understand all the guts of these privacy agreements and service terms in order to say yes.

What can be done? What can be done? So I was doing a little digging and back in 2016, the EU issued a report called the Study on Consumers' Attitudes Towards Terms and Conditions.

That is my heroin, isn't it? It's my crack.

I couldn't believe this exists and I didn't— And they wanted to know whether the following would help foster trust and make T&Cs more acceptable.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
So they tested 1,000 respondents in each EU member state with their new guised-up terms and conditions to see if people would respond better in an A/B test to these tests as opposed to the way it is currently done.
GRAHAM CLULEY
Did they use Comic Sans font?
CAROLE THERIAULT
Yes, that was it. How did you guess? Well, what would you do? What would you like?
JACK RHYSIDER
Shorter.
CAROLE THERIAULT
Short and simple was one of them. So just simplify the language, shorten the length of the, you know, waffle.
JACK RHYSIDER
And you gotta make memes out of it.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Maybe some cartoons or some infographics.
CAROLE THERIAULT
They suggested to add what they're calling a quality cue, such as a logo from a national or EU-wide consumer organization, a trusted one that would say these terms and conditions are fair versus, you know, whoa.
GRAHAM CLULEY
Oh, so you are kind of doling out to someone else the responsibility of checking the terms and conditions.
CAROLE THERIAULT
Exactly. Someone who's actually much more au fait with legalese, presumably.
GRAHAM CLULEY
Someone you, Carole, because someone me— that's how I use you. You read the terms and conditions and then you tell me if it's all right or not.
CAROLE THERIAULT
I wish that were true.

But the other cool thing about it was if you force someone to go through the terms and conditions, you know how some people force you to read them as opposed to just say, yes, I've read them without actually looking at them.
GRAHAM CLULEY
Scroll to the bottom.
CAROLE THERIAULT
They actually do. They go and look at them. They actually were much more familiar with them than if they didn't have to do that. So that's interesting.
GRAHAM CLULEY
Maybe they should ask you— maybe you should have a questionnaire. Maybe at the end of the—
CAROLE THERIAULT
You do great. You just call me. I would have to start charging you.
GRAHAM CLULEY
Maybe there should be a multiple choice question you have to answer at the end about the terms and conditions to prove that you read them.

Yeah, my God, I've got some good ideas, haven't I? I hope someone's writing all these down.
CAROLE THERIAULT
Do you remember when Mikko Hyppönen came on the show?

He came on a few times, but one of his either pick of the weeks— I remember because I bookmarked it right away— was TL;DR Legal, right?

Which stands for Too Long Didn't Read Legal. Now I went and checked it today, and I love the concept of this site.

So basically you would put in a T's and C's that you wanted to know the information on it, and then it would shorten the information, basically it would just kind of say this is what it means in English.
GRAHAM CLULEY
Oh, so you're trusting a computer to translate it for you?
Unknown
I also—
CAROLE THERIAULT
Are you saying you don't trust Mikko?
JACK RHYSIDER
I'm going to tell Mikko you don't trust him. I have another one like that.
CAROLE THERIAULT
Oh, good, good, because this one hasn't been updated since 2015, so I was going to put the word out asking for a new one.
JACK RHYSIDER
All right, here we go. So I have the DuckDuckGo toolbar, and when I go to a website, it rates the website A+, B+, C+, whatever.

And it does that by looking at how many trackers are on that website if this is encrypted or not. But then one of the things is, what are the privacy practices of this website?

And if you look at the webs— if you look at it, it'll take you to tosdr.org. So that's terms of service didn't read dot org, tosdr.org.

And if you go to tosdr, they will— I don't know who will, but someone will look at the terms of service of the website and then rate you get. This is a Class E.

So I'm looking at them here. Google gets a Class C, YouTube gets a Class D, Wikipedia gets Class B.

And what they're doing is they're saying this service will publish your content using a free license, or this service will read your private messages.

Pornhub says in their terms of service, you will sign away your moral rights. So they get a real bad rating.
GRAHAM CLULEY
I don't think anyone's on Pornhub to read the terms and conditions. That's how they get away with that.
JACK RHYSIDER
Yeah. So DuckDuckGo is actually listed here with an A rating saying, look, we don't collect any information on you, all this kind of stuff. And therefore they get an A rating.

So this TOSDR site actually will scrutinize. It'll give you a grade rating.

So that, I think, would be another thing that would be really helpful is, yeah, someone else read this for me and rate it for me. And then tell me the bullet points real quick.

And then that's what this site shows.
CAROLE THERIAULT
This is the bomb. This is better than Mikko's. And at least that's better than nothing because right now people aren't looking at anything.

So I'm not saying you have to go read every single word in terms of conditions, just see what are we doing with your information and what are your privacies?

The ones I kind of focus on. But anyway, this site looks amazing. So that's tosdr.org. Thank you, Jack.
JACK RHYSIDER
But hold on. I want to stand on my soapbox out of the box for a second here, because I've built a few websites in my time.

And whenever it gets to the point of okay, I've got to write a terms of service or something, what do I write? There's a blank page in front of me.

What's the first thing I should say here? And am I a lawyer? Do I know enough to say the right thing?

And it's always been very frustrating for me as a website creator to know what to write.

So I'm urging someone like the EFF to create a boilerplate terms of service that I can say, the MIT license, right?

So this is a Creative Commons license or something like that where I say, okay, I'm adopting this license for my software. We do that all the time.

I want to adopt a standard terms of service and then follow it.

Say this, we swear we do not store information for more than 90 days that we don't need or something, you know, whatever.

If there is a boilerplate terms of service that I can say, now I have adopted this standard that the EFF has created or something like that, I think that would go a long way with a lot of people who are just trying to wing it out there.
GRAHAM CLULEY
There is a website online. I don't know how good it is, but there seem to be some services which offer to do that.

There's one called termsfeed.com, which claims it will generate terms and conditions for your site. I guess you answer several questions.

I don't know how good it is, so I think there are some maybe out there. I think what a lot of people do though is they actually cut and paste, don't they?

Which is a bit of a daft idea from a site they like and shove it on their site. If you're going to do that, make sure you check what you're doing.
JACK RHYSIDER
Yeah, I would a more standard one the Creative Commons license or something.
CAROLE THERIAULT
I agree. I think that's an excellent idea. I think that's brilliant. I can't even add to that. What would happen if there was a fire in your building?

Probably an alarm alerts you to the danger, emergency operators get you connected so you get help, and firefighters snap into action to put out the flames.

When it comes to Kroll Responder, it's the alarm, the operator, and the fire department all rolled into one.

You see, Kroll Responder merges hunting, detection, containment, and remediation to deliver best-in-class endpoint security.

Kroll responds to over 2,000 cyber incidents every year and is uniquely positioned to bring that capability and expertise 24/7 with Responder.

Learn more about Kroll Responder at smashingsecurity.com/kroll.
GRAHAM CLULEY
That's K-R-O-L-L. This episode of Smashing Security is sponsored by LastPass.

Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses.

In fact, tens of thousands of companies rely upon LastPass to protect themselves.

LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out.

Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.

Today's show is also sponsored by Mimecast, the number one cloud email security solution for Microsoft 365.

Safeguard your organization with Mimecast's end-to-end phishing, impersonation, and brand exploitation protection service.

It's a layer of email security defense that picks up where Microsoft security leaves off.

Mimecast's innovative service blocks brand attacks before they can launch, stops live cyberattacks in their tracks, and gives you visibility into anyone using your domains without your authorization.

Start today by downloading a free copy of the State of Email Security report at smashingsecurity.com/mimecasthub. And welcome back.

Can you join us at our favorite part of the show, the part of the show that we call Pick of the Week? Pick of the Week.
JACK RHYSIDER
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related.

It is a TV program, but a TV program which isn't on the television anymore. And I wasn't able to find on any streaming service, but I had an urge.

I remembered a documentary which I'd seen a while ago. Now, America, you've got Ozzy Osbourne and you've got the Osbournes, haven't you? You've got the Kardashians.

Well, we here in the UK, we have an idiosyncratic husband and wife team called the Armstrongs, John and Anne Armstrong.

And they were the subject of a BBC documentary about 10 years ago because they run a company called Ufit, which is Coventry's third biggest double glazing company.

Oh, that was ages ago.
CAROLE THERIAULT
I— we watched that. That's lovely. We watched that, Graham, together. We were actually— we hung out and we watched that.
GRAHAM CLULEY
I have been reacquainting myself with the Armstrongs, courtesy of YouTube.
CAROLE THERIAULT
It's kind of like The Office. Yes. Would you say? But somehow just a bit sadder, just a bit more desperate.
GRAHAM CLULEY
It is a fly-on-the-wall documentary about a very sad double glazing company. Well, third best in Coventry. Well, the third biggest in Coventry, yes.

But it's just, it is like watching The Office, but I don't think it's scripted and I don't think it's being acted.

I think it's real, but it's very hard to tell for sure because you're watching it, you're hiding behind your fingers, just going, no, no, no, no, no, no, this is so bad.

This is so horrendous. Anyone who's ever worked in a company will recognize some of the horrors here.

Basically, Ufit, Coventry's third biggest double glazing company, have fallen on hard times. Things aren't going well, and they're trying to boost the company's fortune.

And they do a number of things.

They hire a Zimbabwean motivational guru called Basil Meany, which, you know, we've seen people close to those that we've elected do something similar.
CAROLE THERIAULT
Yes.
JACK RHYSIDER
Anyway, and so Basil Meany can't be a real name. Welcome to England.
GRAHAM CLULEY
And there he is trying to motivate this very undermotivated salesforce who are just looking at him and rolling their eyes.

And then the Armstrongs have the idea of, let's go to France to sell our windows to French people because they make windows and conservatories. But they don't speak French at all.

They don't let that get in their way. Instead, they use the internet to translate their sales pitch.
CAROLE THERIAULT
Google Translate.
GRAHAM CLULEY
Yes. And so they've got it printed out. Remember, this was 10 years ago. It's not even that good.

They've got their sales pitch printed out and they go into this, they go all the way down to Montpellier where they've got their first meeting with a Frenchman.

And they are trying to sell him their conservatories or conservatoires as they call them, which apparently means music academies in France.

And so you're watching this just going, no, no. Anyway, it's wonderful. And an oldie but a goodie, I'd say. It's an oldie but a goodie.

So I've linked to the episodes in the show notes if you want to enjoy it, but I really found it most entertaining. So that is The Armstrongs. Jack, what is your pick of the week?
JACK RHYSIDER
A few years ago, I had perio, which perio is a gum disease, I guess, where your gums don't stick to your teeth very well.

And so then you go to the dentist, they check to see how far they can jab a stick down in between your gums and your teeth. And I was 10 millimeters down that they were able to jab.

So it was really bad. So the dentist said, you got to come every 4 months to get treatment for the rest of your life. You've got this problem.

But I was determined to fix it, so I got a Waterpik. But the Waterpik was— have you seen these things where it shoots water out of a little hose and you clean your teeth with it?

But the Waterpik was hard to use because it had a little bucket that you had to put the water in, and when you lean over—
CAROLE THERIAULT
I have one, it's— mine broke within 3 months or something.
JACK RHYSIDER
Yeah, it breaks because it's got a little— the motor, there's a motor in there, a little water pump, and you have to lean over the sink, but that doesn't work.

It sprays all over the bathroom floor. It's a big problem. So I've always hated those things.

So what I found was one that attaches to your shower head and then a little hose comes down.
GRAHAM CLULEY
Oh, come on, you're taking the piss!
CAROLE THERIAULT
This is what happens when you hit the highlights. They're the highs of Darknet Diaries, Graham.
GRAHAM CLULEY
Hang on, you attach something to your shower head?
JACK RHYSIDER
Yeah, to clean your teeth. So it's so much better because there's no motor. It's just taking the pressure out of the water.
CAROLE THERIAULT
Do you have it on when the shower's on?
JACK RHYSIDER
Do you have any teeth anymore? There's a pressure nozzle, so you can make it very light or very hard. And then when you're making a mess in the shower, it doesn't matter.

It can go everywhere. So I got that, and I used that every day when I took a shower. And 6 months later, I had no perio when I went to the dentist. It was all gone.

And the dentist couldn't believe it. They're like, I think we made a mistake on your last checkup. I said, no, I don't think so. I think you were probably right.

I just took it seriously. But the other thing is, even if you don't have no perio, when you go to the dentist, sometimes your gums bleed because they're poking at it and stuff.

They're like, oh man, I hate it when they guilt me on all this stuff. And so what this can do is within 2 weeks of just using it every day, just 2 weeks, that's not very long.

When you go to the dentist, your gums won't bleed.
CAROLE THERIAULT
So are these guys a sponsor?
JACK RHYSIDER
They're not a sponsor of mine. They're not a sponsor. So I mean, you can use— there's different products.

I don't care what you use, but the one I use is called Oral-Breeze, and it just connects right into your shower head. And I use it every single time.
CAROLE THERIAULT
I don't understand how it connects to your shower.
GRAHAM CLULEY
I don't understand either. I'm going to look. If I don't want to buy something, Jack, could I just put the shower head in my mouth? It's just too wide.
JACK RHYSIDER
This is like a high-powered nozzle that shoots like a strong stream concentrated in one spot. Your shower head probably just doesn't do that.
CAROLE THERIAULT
Oh, it's like a white tube with the red nozzle, is that it?
JACK RHYSIDER
Yeah, so you take the shower head off and then screw on this adapter and then put the shower head on this adapter. And so now it's kind of like a T.
GRAHAM CLULEY
Oh, it looks quite sensible. I was imagining something utterly insane in gold.
JACK RHYSIDER
Yeah, and so that's what I use.
CAROLE THERIAULT
I'm gonna get one. I think I'm gonna get one because I can't live without it.
JACK RHYSIDER
They just clean my teeth better than anything. My dad says he cleans his ears with it and stuff, but don't recommend it.
CAROLE THERIAULT
In the shower too, right? I'm hoping.
GRAHAM CLULEY
Can this be used actually to brush your teeth as well?
JACK RHYSIDER
Well, so I think that's like pick flossing. So I still floss.

So even though this is supposed to clean this stuff between your teeth, I still think that you need to floss on top of this. But yeah, you still need to brush as well.
CAROLE THERIAULT
Do you use those little, you know, those little metal wires with like little kind of bristles on it, like a kind of like a bottle cleaner, but teeny weeny?
JACK RHYSIDER
I don't use those.
CAROLE THERIAULT
No, no, they're English. I don't like them. They're like metal, right? And then it's all— they're really— it scares me. I hate them.

So this is way more— because my dentist keeps saying, use these. I'm like, I don't like them.
JACK RHYSIDER
Yeah. And my dentist approves of this. My dentist says, yep, go for it.
CAROLE THERIAULT
Can I ask how much? Can I ask ballpark figure?
JACK RHYSIDER
Oh, I think it was like $30 or $40.
CAROLE THERIAULT
Totally affordable. Okay.
GRAHAM CLULEY
Yeah. It doesn't look complicated, does it really?
CAROLE THERIAULT
Cheaper than the pick thing that you— the battery, you know?
JACK RHYSIDER
You have to plug that into the wall and all this stuff. It's a mess. I highly recommend the ones that go into the shower. So my pick of the week is a Waterpik.
GRAHAM CLULEY
Well, thank you, fresh and minty Jack Rhysider, for that recommendation. Fantastic. Carole, what is your pick of the week?
CAROLE THERIAULT
Mine is a podcast. You may have heard about it. You're Wrong About. Have any of you heard it? No. You too? I've heard of it.
JACK RHYSIDER
It's won awards. Yeah. Yeah.
CAROLE THERIAULT
So, Graham, I think you'd really like it.

So it's two journalists obsessed with the past kind of reconsider a person or event that, in their opinion, may have been miscast in public imagination, you know, maybe due to unfair media representation, for example, or some shenanigans that came clear afterwards.
GRAHAM CLULEY
Was he really bad? Was he so bad? That kind of thing.
CAROLE THERIAULT
Yeah, well, things like, you know, so they covered, you know, the prom mom, you know, the New Jersey teen who killed her newborn and she blamed Metallica, or the O.J. Simpson case, and Nicole Smith. And currently I'm listening to a 5-part Princess Di series. I don't know anything about Princess Di. I never really followed it when it all happened.

I've learned tons. Okay, can I ask if I'm going to say 3 things I learned?

I want to know if you know them, Graham, because you pay much more attention to— Prince Charles never told Camilla that he wanted to be her tampon.
GRAHAM CLULEY
Well, I think he did, didn't he?
CAROLE THERIAULT
It was warped in the press. It was warped in the press. Really? Yes. Prince Charles— Okay, do you know this one?

Prince Charles, upon breaking his arm during a polo match, as you do, right, wanted to do the press conference pretending he had actually lost his arm completely in the accident, only to reveal, haha, no, it's here, it's simply broken.
GRAHAM CLULEY
That sounds as insane as Donald Trump coming out of the hospital ripping open his shirt and him having a Superman t-shirt underneath, which I heard he wanted to do.
CAROLE THERIAULT
And so he wanted to do this, and he wouldn't hear no. Diana was like, honey, darling, I don't think it's a good idea. Really not a good idea.

And he was like, no, no, no, I know best, I know these things.

And so she got the staff to hide it, and when they arrived at the press conference, they had to do this big like, oh, we didn't— we don't know where it is.

It was here, we swear it was here. So they had to do it normally.

And the other one is that Di would get in trouble if she dared to leave the family country home, Balmoral, without permission from the Queen.

If she wanted to just trot off to the shops or something and not make dinner.
JACK RHYSIDER
I don't think the Queen liked her very much.
CAROLE THERIAULT
No, I kind of always liked the Queen, but I gotta say, this series of podcasts made me think, wow, she's not that nice. Anyway, I found it fascinating.

I listened till 3:30 yesterday, so literally I was addicted. I listened to parts 2, 3, and 4 in a row, and they're all an hour, an hour and a half long, right?

Anyway, I think you'd like it. Check it out, podcast You're Wrong About, wherever you get your podcasts.
GRAHAM CLULEY
That sounds fantastic, Carole. And you know what else I heard? You've got a featured interview.
CAROLE THERIAULT
I do. We have a fast-paced and thought-provoking interview with Danielle Papadakis at Mimecast. Listen here. Here we are with Danielle Papadakis.

She is going to talk to us about how cybercriminals are scamming customers. Danielle, thank you so much for coming on the show.
Unknown
Thank you for having me.
CAROLE THERIAULT
So tell me, you know a lot about this stuff. How are cybercriminals scamming customers and what's changed? Are there any new trends that you're seeing? Well, great questions.
CAROLE THERIAULT
Attackers are increasingly using companies' online brand as bait, and that's by launching lookalike websites in order to try and trick customers, partners, and wider supply chains in order to get sensitive information, credentials, login information, and sometimes they're even looking just for money.

And so it has evolved. We used to think of phishing and scamming mostly by email, and that's very, very true. But nowadays, we see it in text messages that have some type of link.

We see fake Google ads, social media advertisements.

And it's really an incredible type of technique in order to try and lure the customer onto some type of mimicked or cloned website. Okay, so let me make sure I understand.

So what you're saying is scammers are actually targeting businesses, not the end user directly, by trying to pretend to be the brand, and then they're luring those customers towards them so the scammers doesn't realize— they think they're on a bona fide site and in fact they're on a scammer site.

Is that right? Actually, what the scammers have been doing is they've noticed that it's so hard to try and penetrate inside an organization and target a specific company.

So what they're actually doing is targeting the end users themselves by impersonating to that brand.

So you were correct on the fact that yes, they are targeting the end users, not the actual business, but they're trying to impersonate into the business itself.

Yeah, and I guess the big problem with that is reputation from the brand. I mean, they're not victimless here, right? Because your brand gets affected by this? Definitely.

This can cause huge brand damage, a loss of trust, and at the end of the day, there's so many alternatives, right?

There are different organizations offering the same services as you. So what makes you different and stand out? You really need to keep that customer's trust.

CAROLE THERIAULT
Do you have an example of this in action, one that you might have seen?
DANIELLE PAPADAKIS
Oh, plenty of times.

You could easily receive an email from a well-known payment portal, for example, or some type of brand, and they can tell you, your password is expiring and there's an urgent need for you to change.

And what they like to do is kind of pressure the end user. "Deactivate it.

You need to do this fast." And the email can look very realistic with the logo, the writings, the colors, the font, everything.

And unfortunately, that is where social engineering really comes into play.
CAROLE THERIAULT
Yeah. So it's really hard to spot.

Have you seen some examples where even with all your knowledge, you would not have spotted it without any technology?
DANIELLE PAPADAKIS
Definitely.

I mean, I'm in this field, so I'm always on the lookout, right? I'm always looking at the domain name, looking to see if there's a certificate.

But sometimes these attacks are so sophisticated that it can just pass by. And, at the end of the day, we have a tendency just to go ahead and click on things.

And so we really have to be careful.
CAROLE THERIAULT
So there are some really sophisticated attacks out there.

And I guess what they're doing, and when we were talking earlier about reputation, they're basically piggybacking on that brand's foot in the door, right?

For example, if I always buy, I don't know, Nike shoes, for example, I might be much more willing to open up a promotion from a seeming Nike email or SMS or however they're getting in touch with me.

DANIELLE PAPADAKIS
Exactly.
CAROLE THERIAULT
Are these hard attacks to kind of pull together?

Is this something that you'd have to be super, super talented and really devvy to do, or is it easy and you might have younger people involved?
DANIELLE PAPADAKIS
So it's not as hard as it looks, but what's happening nowadays is hackers are not only understanding cybersecurity and its weaknesses, but they're also understanding the market and what makes consumers tick.

So they're experts at social engineering and they know how to encourage even a tech-savvy person to go ahead and open a malicious email and just click on a suspicious link.

So these attackers can get very sophisticated. They can be little kids, for example. They could be smart.

It's really not that hard to go ahead and impersonate a brand, and it costs them much less money to do that. And still the value that they can get is very big.
CAROLE THERIAULT
So yeah, I think the thing that annoys me about all this is I've spent, I don't know, 15, 20 years trying to do education on cybersecurity and all this kind of stuff.

And it seems to me that hackers are taking advantage of that and kind of, for example, the example you gave earlier where it's oh, get in touch with us, change your password, someone might have hacked your account.

So they're taking advantage of this, we are being responsible and security conscious and you should be too, so here's the link you should follow.

And in fact, they're just hacking you.
DANIELLE PAPADAKIS
Definitely. So they're looking at trends, they're seeing how they can social engineer their way in, use your name.

It's very interesting as well. You can even purchase a fake social media advertisement and you can slice and dice and choose the exact targeted audience of your choosing.

So if I'm looking, for example, for men between the age of 35 to 45 who live in the UK and like electronics, I'm going to find that exact targeted audience to go ahead and click on my ad.

And a lot of people think that these ads are regulated when they're really not. So very interesting.
CAROLE THERIAULT
You're talking about malvertising, that kind of thing. So the ad looks legit. You're on a site that you trust, but somehow the ad is actually a poisoned ad, that kind of thing.

We have a lot of topics right now that almost on a global basis we're paying attention to.

So you have the coronavirus, for example, we have countries having elections, we have Brexit, we have all these big topics.

Is that something that these guys are using to try and get us as well?
DANIELLE PAPADAKIS
Definitely. I mean, first of all, customers can be victimized at any time by a fake website, right?

Just tricking them to hand over sensitive data, you know, usernames, passwords, etc.

However, there are specific targets and topics that they can actually use in order to make everything look more realistic.

So if that's Election Day, if that's Mother's Day, Memorial Day, they really know how to take everything together and make things look very realistic.
CAROLE THERIAULT
Oh yeah, that's a good point. Mother's Day, you can just see getting an email saying, have you bought your mom flowers this year yet? And someone going, oh no, I haven't, I haven't.

And they click on the link and boom.
DANIELLE PAPADAKIS
Yeah, exactly.
CAROLE THERIAULT
Do you find in a lot of these cases during this trend that they are trying to get people to click before they think, so to speak?

I've seen a lot of scams where they're trying to make people almost panic. So that may be actually what you were saying earlier about your password being hacked.
DANIELLE PAPADAKIS
Of course. They're always using words like urgent, you need to do this, it's really important.

And then people get scared and they have a tendency just to go ahead, click on things without thinking about it. And that's just on a regular day-to-day basis.

But let's take for example Black Friday. Customers are excited to grab a bargain, right?

And there's an urgency on both sides because the retailers, they need to get as many people as possible into their website while the end user themselves, they don't want to miss out on a great bargain, for example.
CAROLE THERIAULT
It's like a perfect storm. So you've got, for example, you have a Black Friday thing and you've got, say, a technology store.

You've got hackers pretending to be that technology store, but they're actually using the actual brand's advertising to get people there. It's really clever. So this isn't fun.

If this happened to anybody, this would not be fun. So tell me what companies can do.

I mean, presumably the company really doesn't like this happening because it's hurting their brand and it's hurting their customer base.
DANIELLE PAPADAKIS
Very true.

So a lot of companies, obviously they need to first secure their inbound perimeter and make sure that no one penetrates, no one takes data, but the question at hand is, do companies have the right monitoring tools to see everything that's happening outside of their perimeter?

Because if someone's going to purchase a domain that's similar to your brand, but it isn't your brand, they can obviously break that trust and cause a lot of brand damage.

So the first thing that's very important is for organizations to have some type of 24-hour, 7-day-a-week scanning so that they have full visibility of all of these domains that are similar to their brand and that could potentially impersonate their brand just to see exactly what's going on behind the scenes.

So that's the first thing that I would recommend, a monitoring tool.

The best solutions, of course, use AI because at the end of the day, these hackers are getting more and more sophisticated.

At the beginning, it could be a website with 123 at the end, but nowadays they're buying fake certificates to make the website look secured and legitimate.

They're using non-Latin characters in the domain name to make it look almost invisible to the human eye.

So they're being very sophisticated, and you really need to put the right monitoring tools in place.
CAROLE THERIAULT
Right. You can't really know what to do if you don't understand what's going on. So visibility makes perfect sense. What's next?
DANIELLE PAPADAKIS
You need to deploy some type of end-to-end solution. So let's say you do have a monitoring tool in place, but how do you actually take down that threat, right? It's still up there.

So you need some type of end-to-end solution that's not only going to monitor things for you, but the moment they find or we find anything suspicious, phishing, we have the capability to go ahead and take it down for that organization.

Instead of having two complex, different solutions that need to try to work together, it's better to have just one complete solution that's going to take the entire problem off the company's hands.

They have a lot of things to deal with, as I'm sure you know. And so they need some type of solution that's an end-to-end managed service.
CAROLE THERIAULT
So managed service means you're partnering with an expert in the field, which means you don't have to sit there guessing what config options you need.

You've got an expert right there that can help you.
DANIELLE PAPADAKIS
Exactly. At the end of the day, they don't have time to work on these problems.

There are so many different cybersecurity problems. So just let an organization take that off your hands.

And so you have a reliable person that's only looking at this specific problem, which at the end of the day is a huge problem for many organizations that have some type of digital presence online.

CAROLE THERIAULT
Now, what about the end user?

I mean, as you say, they're really the target. They're the ones who are falling for this and they're the ones who are being duped.

So how can an end user better protect themselves against these types of brand attacks?
DANIELLE PAPADAKIS
Well, I recommend that daily users take caution.

Of course, the first thing that I would recommend is always to check the URL on the website that you're on.

You know, if you're supposed to be on a specific website, look at the URL, make sure that it's some type of combination that you expect it to be. And that's the same for email.

When you receive an email, make sure that you're actually looking at the email itself and not the name that's posted on there.

So that's a definitely important recommendation. Don't trust HTTPS alone. So a lot of hackers, they actually buy fake certificates.

You do have an option to click near the padlock symbol and you can see what type of certificate it's issued from.

So there are trustworthy certificate owners and there are also ones that are not. And lastly, be safe on mobile. Okay, it's really easy to get confused on mobile.

The URLs look different. The font looks different. It's a different browser. So I would personally recommend doing most of your things on computer where it's a big screen.

You can see everything if you're doing bank transactions. Those are the big recommendations that I could provide.

But it's important to remember that our customers, the end users themselves, they're not security experts.

And it should be the company's responsibility to provide them some type of protection.

It's always important to be alert, but at the end of the day, the responsibility lies with the company.
CAROLE THERIAULT
Yeah, totally. But I can see there is a bit of a loophole there, isn't there?

Because, for example, I might be targeted because I happen to be, as you said earlier, a 35 to 40 or 45-year-old man in Britain, right, into tech.

But I may never have bought from a particular technology store whose brand is actually being abused, right? So I could, they may not even have a relationship with me at all.

But you're right, for the known customers, they definitely should take responsibility for that and try and help them. Danielle, this has been fascinating.

Thank you so much for your insight in all this.
DANIELLE PAPADAKIS
Sure, I'm happy to help.
CAROLE THERIAULT
Pretty sage advice from Danielle Papadakis, project manager at Mimecast.

You can learn more about this and other Mimecast research and insights by visiting smashingsecurity.com/mimecasthub. Oh gee, I forgot to ask who she thought was funnier.
GRAHAM CLULEY
Well, that just about wraps it up for this week. Jack, I'm sure lots of our listeners would like to follow you online and find out more about Darknet Diaries.

What's the best way for folks to do that?
JACK RHYSIDER
Oh man, I think you can do any search engine. I should get an AOL keyword so I can actually claim that's true.

But yeah, just search Darknet Diaries on any search engine and you'll find me. But I am active on Twitter @JackRhysider.
GRAHAM CLULEY
Cool. And you can follow us on Twitter @SmashingSecurity, no G, Twitter must have a G. And you can also join the Smashing Security subreddit as well.

Don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Google Podcasts, Spotify, or Pocket Casts.
CAROLE THERIAULT
A shout out to all you guys for listening to us each week, supporting our work. It means the world.

And of course, high five to this week's Smashing Security sponsors, Kroll, Mimecast, and LastPass. Their support helps us big time give you the show for free.

Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye. Bye-bye.
CAROLE THERIAULT
Bye.
GRAHAM CLULEY
Oof, marvelous.
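Editor's note: the interview above describes the tricks a lookalike-domain monitoring service has to catch (punycode and non-Latin labels that look like the brand, simple typosquats, and the brand name buried inside a different registrable domain). The Python below is an added example of those checks and is not code from the episode, from Mimecast, or from any product it mentions. It assumes a single-label public suffix such as .com (use a public-suffix list for .co.uk and similar), uses a hand-picked subset of Unicode confusables, and runs over a constructed list of sample domains rather than real monitoring data.

```python
"""Lookalike-domain triage for brand-impersonation monitoring (added example).

Given a brand's registrable label (e.g. 'paypal'), classify observed domains by
the impersonation tricks used: punycode / non-Latin homoglyph labels, typosquats
within a small edit distance, and the brand embedded in another domain.
Standard library only.
"""
import unicodedata
from dataclasses import dataclass, field

# Single characters folded to the Latin letter they imitate. This is a small,
# hand-picked subset of the Unicode TR39 confusables data (an assumption of the
# example, not a complete table). Keys are written as escapes so the code points
# are unambiguous: Cyrillic a e o p c x y i j s d l h, Greek o a v i, digits.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0501": "d", "\u04cf": "l", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v", "\u03b9": "i",
    "0": "o", "1": "l", "3": "e", "5": "s", "\u0131": "i", "\u0142": "l",
}
# Character pairs that read as one letter at typical font sizes.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
MAX_TYPO_DISTANCE = 2  # Levenshtein threshold for calling something a typosquat


def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so the characters a user sees can be inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the ASCII form; the xn-- prefix is still flagged
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set[str]:
    """Approximate the script of each letter from its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Fold confusable characters so a Cyrillic-a 'paypa1' compares equal to 'paypal'."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))
    for seq, rep in MULTI_CONFUSABLES.items():
        folded = folded.replace(seq, rep)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    domain: str
    unicode_form: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(domain: str, brand: str) -> Finding:
    """Classify one observed domain against the brand's registrable label."""
    brand = brand.lower()
    uni = to_unicode(domain)
    labels = uni.split(".")
    # Assumption: single-label public suffix (.com, .net). Use a PSL library for .co.uk etc.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    finding = Finding(domain.lower(), uni)

    if registrable == brand and uni.isascii():
        return finding  # the brand's own domain, or a plain subdomain of it

    if any(l.startswith("xn--") for l in domain.lower().split(".")):
        finding.reasons.append("punycode-encoded label")
    seen = scripts(registrable)
    if len(seen) > 1:
        finding.reasons.append("mixed scripts in registrable label: " + "+".join(sorted(seen)))
    elif seen and seen != {"LATIN"}:
        finding.reasons.append("non-Latin registrable label: " + next(iter(seen)))
    if skeleton(registrable) == brand:
        finding.reasons.append("confusable match for brand after homoglyph folding")
    distance = edit_distance(registrable, brand)
    if 0 < distance <= MAX_TYPO_DISTANCE:
        finding.reasons.append(f"typosquat (edit distance {distance})")
    if brand in uni and registrable != brand:
        finding.reasons.append("brand name embedded in a different registrable domain")
    return finding


if __name__ == "__main__":
    # Constructed sample feed of newly observed domains, not real monitoring data.
    samples = [("paypal.com", "paypal"), ("paypa1.com", "paypal"), ("payapl.com", "paypal"),
               ("paypal-login.com", "paypal"), ("secure.paypal.com.example-attacker.net", "paypal"),
               ("xn--pple-43d.com", "apple"), ("github.com", "paypal")]
    for dom, br in samples:
        f = triage(dom, br)
        print(f"{f.domain:40} {f.unicode_form:22} {'SUSPICIOUS' if f.suspicious else 'ok':10} {f.reasons}")
```

The skeleton comparison is what catches the "non-Latin characters ... almost invisible to the human eye" case from the interview, while the plain edit distance catches the older "123 at the end" style of registration; the two checks are deliberately kept separate so an analyst can see which trick was used. Run it against a certificate-transparency or newly-registered-domain feed for the brand and escalate anything with a non-empty reasons list for takedown.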

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Jack Rhysider – @JackRhysider

Show notes:

Sponsor: LastPass

LastPass Enterprise makes password security effortless for your organization.

LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.

But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.

Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.

Sponsor: Mimecast

Mimecast’s State of Email Security 2020 report helps you understand the most pervasive threats and how they attack organizations at their email perimeters, from inside the organization (through compromised accounts, vulnerable insiders, social engineering), or beyond the organization’s perimeters (the domains they own and their brands via impersonation).

Grab your copy at smashingsecurity.com/mimecasthub

Sponsor: Kroll

Rapidly detecting a threat is meaningless without the ability to respond with confidence. Kroll responds to over 2,000 cyber incidents every year and is uniquely positioned to bring that capability and expertise 24×7 with Responder. Kroll Responder merges hunting, detection, containment and remediation to deliver best-in-class endpoint security.

See how Kroll Responder works at smashingsecurity.com/kroll

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
