Smashing Security podcast #214: Lockdown love scams, SolarWinds, and a data deletion bungle

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Fingerprints and DNA records have been deleted from the UK’s police database, the SolarWinds hack continues to wreak havoc and raise questions, and we have some advice for how to fall in love safely under lockdown…

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Professor Alan Woodward.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
There are people that have that special person that they can't see or they're not living with, and how do you do that? It's time to reach out, but what do you do, send an emoji?
GRAHAM CLULEY
Well, I quite like Diana Rigg, so I'd have to hold a séance, I suppose. So that isn't going to work for me.
Unknown
Smashing Security, episode 214: Lockdown Ransomware and Love Scams, SolarWinds and a Data Deletion Bungle with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 214. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined this week by somebody who's brand new to the show, but not new to the pages of cybersecurity.

If you've ever read the headlines on the BBC and elsewhere, you will no doubt have seen our guest commenting. It's Professor Alan Woodward. Hello, Alan.
ALAN WOODWARD
Hello, though.
CAROLE THERIAULT
Welcome to the show.
ALAN WOODWARD
It's very nice to be here.
GRAHAM CLULEY
So for folks from further afield who may not have seen you before, Alan, can you describe what you do?
ALAN WOODWARD
I suppose if you ask my family what it is I do, they would say I make computers do things that they're not supposed to do.

And when I've learned how to do that, I teach others to do it.

So I'm actually a visiting professor at the University of Surrey, where we do a lot of research, and I have some students, MSc students, people like that.

And then I also advise various government departments in the UK and actually overseas as well, people like Europol.

And then every so often, large organizations that want to know a little bit about how they should be acting more securely in cyberspace.
GRAHAM CLULEY
Fantastic. Well, we all need a bit of that, don't we?
CAROLE THERIAULT
So let's thank this week's sponsors, 1Password. Its support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm gonna be talking about the mystery of the disappearing fingerprints and some other data as well.
CAROLE THERIAULT
Ooh, mysterious. Alan, what about you?
ALAN WOODWARD
Well, I want to talk a little bit more about the ever-ongoing story of SolarWinds. It's a story that keeps on giving.
CAROLE THERIAULT
And I'm doing the lockdown Valentine's special with romance scams. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, have you ever made a mistake? At work?
CAROLE THERIAULT
Nope.
GRAHAM CLULEY
Carole, I used to work with you, so—
CAROLE THERIAULT
Never made a mistake. If ever you disagreed, it was because you got it wrong. Of course.
GRAHAM CLULEY
Alan, as a visiting professor at the University of Surrey, have you— would you own up to any goofs?
ALAN WOODWARD
Yes, I would say I quite often make mistakes. But I'd like to think of mistakes as an opportunity to learn.
GRAHAM CLULEY
Ah.
ALAN WOODWARD
That's what I tell the students anyway.

Now, unfortunately, yes, I've made— and part of it is one of the very reasons I want to talk about what we're going to talk about later on, which is that you make certain assumptions as you're analyzing various incidents, for example, you base it on a certain amount of information.

And as you learn more, you realize that you were mistaken.

It's not so much that you were mistaken, but that you jumped to conclusions and you learn very quickly that you really shouldn't do that.
CAROLE THERIAULT
Ooh, hurry along, Graham. We got to get to this.
GRAHAM CLULEY
Well, now, I used to be a computer programmer. I don't know if either of you have ever programmed computers or anything.
CAROLE THERIAULT
Yes, you do. I haven't really ever.
GRAHAM CLULEY
You haven't even done a 10 PRINT Carole is cool?
CAROLE THERIAULT
Yes, I've done that. That's not programming, really.
GRAHAM CLULEY
Alan, have you ever made any programming mistakes?
ALAN WOODWARD
Oh yes, quite a few. In fact, in some of the earliest programmes I wrote, I mean, you have to go back a long way to find the machines that I first worked on.
GRAHAM CLULEY
Was it punch cards? Were you sort of punching out the wrong hole on a—
ALAN WOODWARD
It was. No, you joke, but it was Hollerith cards where you would submit them to some high priestess through a hole. And 3 days later, you'd get the results back.

You learned very quickly not to make a mistake because you'd have to go through the whole thing again. So you actually became very, very assiduous with your programs.

These days, people make a mistake and they can just recompile it and away they go. But no, in those days, it was very much, you had to be so careful.

So the first half dozen, you always make a mistake in.
GRAHAM CLULEY
Well, I certainly remember making some mistakes in my early days of programming. One of my first jobs was to "Write the Windows version of Dr. Solomon's Antivirus Toolkit." And the way in which we worked in those days is we actually had no computer viruses at the office.

All of the computer viruses were in Alan Solomon's spare bedroom at his house.
CAROLE THERIAULT
Safe, secure.
GRAHAM CLULEY
Well, it was more secure than having them in the office, because the last thing we wanted to ever do was ship them to anyone.

But that meant that when I did programming on the virus-finding engine, I didn't actually have anything to test it against.

So I remember once I was given the source code and the challenge of speeding it up a little bit.

And I did some work on it for a few days and I brought it back and I said, you know, it's a fair bit faster now. I think I've increased its speed by 20% or something.

So Alan took it back to the viruses and he said, well done. Yes, you have sped it up. Unfortunately, it no longer detects any malware at all. So it had a 0% detection rate.
CAROLE THERIAULT
So it was super fast. Excellent. Well done, Graham. Good thing you're a podcaster these days.
GRAHAM CLULEY
Exactly, yes. Nothing as dangerous as programming. So coding cock-ups can happen. And I want to talk to you about something along those lines.

Now, in the United Kingdom, we have a supercomputer system called the Police National Computer System, the PNC, which stores and shares information and criminal records between forces across the country.

So, if police are investigating something, rather than looking at old cards in a filing cabinet or anything like that, they can actually use the computer instead, and they can quiz the computer.

And even officers can use it for real-time checks.

So if they stop someone in the street, they can call in, someone will look up on the Police National Computer if you're wanted in relation.
CAROLE THERIAULT
I got him! I got him!
GRAHAM CLULEY
Right, exactly. Carole, you know all about being in trouble with the law.
CAROLE THERIAULT
Next.
GRAHAM CLULEY
Yeah, okay. Not gonna tell that story this week, right?

Well, last month, it became headline news that some of the records stored on the Police National Computer databases had been unfortunately lost.
CAROLE THERIAULT
What do you mean lost?
GRAHAM CLULEY
Well, I don't mean lost down the back of the sofa.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
I don't mean—
CAROLE THERIAULT
Interesting you bring up sofas. Interesting.
GRAHAM CLULEY
In fact, why wouldn't I bring up Sophos? What are you talking about?
CAROLE THERIAULT
Oh, you'll see later.
GRAHAM CLULEY
Oh, is it? Okay. In fact, over 200,000 records were reportedly deleted from the Police National Computer Database.
CAROLE THERIAULT
Oh, so not misplaced, but actually—
ALAN WOODWARD
Lost.
CAROLE THERIAULT
Poofed.
ALAN WOODWARD
Lost.
GRAHAM CLULEY
Yeah. Due to what they described as a technical issue.
CAROLE THERIAULT
Oh, it's such a good term.
GRAHAM CLULEY
Now, I think when you've worked in the field of cybersecurity for a while, when you hear that a company's suffering from technical issues, it's very natural to assume the worst.

It's very natural to assume, oh, maybe they've been hacked, maybe some ransomware's been planted, maybe something malicious has happened.
CAROLE THERIAULT
Yeah, you feel like they're downplaying it, right? You feel like they're downplaying the snafu that might have happened.
GRAHAM CLULEY
Maybe not sharing enough detail.
CAROLE THERIAULT
Yeah, yeah, yeah. That's true.
GRAHAM CLULEY
So, the Home Office, they said that the lost data related to people who had been arrested and then released without further action. Okay?

And so you kind of think, well, that doesn't matter too much, does it? Because, you know, if the police decided not to pursue it, then big deal.

But according to the National Police Chiefs' Council, the NPCC, on at least one occasion, a DNA profile which had been taken from a suspect held in custody didn't generate a match to a crime scene as a result of this information being lost, and that obviously would impede an investigation. So, I don't know if either of you ever left DNA at a crime scene or anything like that?
ALAN WOODWARD
Inadvertently.
CAROLE THERIAULT
So, are you saying that basically innocent people's DNA has been lost?
ALAN WOODWARD
Yeah, well, actually what's happened in the UK is there is a law about what the law can do.
CAROLE THERIAULT
Okay.
ALAN WOODWARD
If you are found either not guilty or you're not charged, when they collect your fingerprints or your DNA, they're not allowed to keep it.
CAROLE THERIAULT
Yeah.
ALAN WOODWARD
And so what happened in this case was somebody was given a big long list of all those people that were not charged and acquitted and said, "Right, go through the database and weed out," to use their term, "weed out the ones that weren't supposed to be in there anymore." The trouble is they weeded out rather more than the ones they were supposed to.
GRAHAM CLULEY
Overenthusiastic weeding. It's a bit like taking a JCB to your back garden.
CAROLE THERIAULT
Yeah, no, that's happened to me. Overenthusiastic weeding is a very good term. I do do that. It's like, oh no, that's a carrot!
GRAHAM CLULEY
Now, according to the policing minister, whose name is Kit Malthouse, the government hopes that the records haven't been lost permanently, the ones which they did actually mean to keep, and that restoring them, they say, will take about another 12 weeks.

Now, I don't know about you, but that feels like quite a long time.
CAROLE THERIAULT
Well, okay, look, you always will pad it by at least double.

So, okay, that means they're assuming it's going to take 6 weeks, and then they probably have never had to restore from backup before, so they're buying themselves a few weeks there.

And it probably will take 10 minutes, but at least they get time to put the report together and make the web page and whatever.
GRAHAM CLULEY
But normally if you're restoring from a backup, it is something you should test and try out, isn't it? Rather than wait until disaster.
ALAN WOODWARD
You've got to. I mean, absolutely. If you don't test a backup, it's a bit like having a fire drill that you never practice.

You really don't want to have to practice it the first time you really need it.

But I suspect there's more to this in that because of the way the law is written, you shouldn't have a backup of that data.
CAROLE THERIAULT
Ah.
ALAN WOODWARD
And so they will have overwritten the backups. And what they're trying to do is, as we all know, when you delete something, you don't actually delete it.

You simply delete the reference to it. And then whatever media you're using starts to get overwritten and overwritten.

And they're trying to recover all the fragments that may be left. So they'll probably be able to recover some of it, but certainly not all of it.
CAROLE THERIAULT
I guess it depends on how industrious they've been since it happened.
GRAHAM CLULEY
So this is really interesting, Alan. So what you're saying is this is really a data recovery job. This is a bit like— Oh yeah.

When your hard drive ends up in the bottom of the toilet or something like that, you know, it's like—
CAROLE THERIAULT
Does that happen often, Graham?
GRAHAM CLULEY
Well, all right, everyone's had a smartphone fall in the bath.
CAROLE THERIAULT
Oh, touché, touché.
GRAHAM CLULEY
Right?

Everyone's had that sort of disaster happen to them, and you think, "Oh, but I need my data off it." So the challenge they have is they need to get back the data they didn't mean to delete.

Yep. But they need to be really careful that the data they did mean to delete remains deleted.
ALAN WOODWARD
Exactly.
CAROLE THERIAULT
Hence 12 weeks, I guess.
ALAN WOODWARD
Mm-hmm. But it's a much more complicated exercise than it first looks.

I mean, it's— if anybody's as old as me, they remember things like head crashes on— I mean, in those days, the hard disks we had were sort of 3 feet wide and kept you about 4 megabytes.

But if you had a hard disk crash on one of those, I mean, it really did scratch the surface and you lost a lot of data.

And then you would have to recover different segments, sectors of the disk off and you would then try to see which parts of the file allocation tables could I look at to see where it should have been on the disk?

And you start to sort of literally sellotape and chewing gum, and you're putting all these bits of data back together and hope that that's what was actually meant to be there.
GRAHAM CLULEY
Do you think, just as there are vinyl record enthusiasts, there are also people who are enthusiasts for old forms of data storage?
CAROLE THERIAULT
Of course there are!
ALAN WOODWARD
Yes, of course.
GRAHAM CLULEY
Oh, the data's so much better on this old Western Digital 20-megabyte.
ALAN WOODWARD
Well, there are people that are still out there for VCRs. I mean, one of the very first systems I worked on was all about collecting masses of data from, actually it was from ships.

And it was all done on VCR tapes. And because they collected so much, that you could collect so much data in that fashion.

Some of the people that I know, they still will say to you to this day, well, when you get video on something like a Betamax tape, oh, it's so much better than all these modern digitized versions.
GRAHAM CLULEY
Oh yes.
ALAN WOODWARD
Unless you can hear the crackles, it's not real music.
GRAHAM CLULEY
Well, police in the meantime are being told to use alternatives. I'm not quite sure. What does that mean?

Well, I don't know if it means they've got their little notebooks or they've got a little black book full of dodgy-looking people, people who wear loud shirts or walk on the cracks in pavement.
CAROLE THERIAULT
Court sketches.
GRAHAM CLULEY
Yeah, exactly. He looks like a wrong'un. His eyes are too close together. That kind of thing. I have no idea. Now, no less an authority on sane reaction to breaking news than Mr. Piers Morgan.
CAROLE THERIAULT
Oh, your favourite, your bud bud.
GRAHAM CLULEY
Friend of the show.
CAROLE THERIAULT
You love him.
GRAHAM CLULEY
Friend of the show. He's called on Home Secretary Priti Patel to resign over this matter. I'm not sure that's going to happen. I don't think Priti Patel is the type to resign.

From everything I've read about her and the way she operates in the office, I think she'd probably need to be very convinced there was some evidence of wrongdoing, or maybe her boss wouldn't.

And maybe the evidence has already been deleted by now. So how did the data disappear?

Well, it's now been revealed, as Alan alluded to, that this was a coding error which is being blamed.

So it's the programmer which did it with a piece of lead piping in the conservatory, or maybe a piece of pizza by the water cooler. Somebody coded this incorrectly.

And when they were told to do the weeding, their algorithm, a bit like my algorithm when I was rewriting Dr. Solomon's antivirus detection, was a little bit too enthusiastic in one area and not in every way that it should have been.
CAROLE THERIAULT
It's all about balance.
GRAHAM CLULEY
Yeah. And this goof actually reminds me, do you remember, this is going to take you back. In 2007, we then had a Labour government, just to be fair.

So I've got some balance on the show now.

And they told families to keep an eye on their bank accounts for unusual activity because they lost two CD-ROMs containing the banking details of 25 million individuals, 7.25 million families, which were put in the post and never seen again.

Unencrypted.
CAROLE THERIAULT
Those were the old days. You see, we've come a long way.
ALAN WOODWARD
I mean, that was basically the entire HMRC database they put onto two DVDs. Yeah, put it in an envelope.
GRAHAM CLULEY
Yeah.
ALAN WOODWARD
I'm not sure they even sent it first class. And you can just imagine what happened to it. I mean, it's just horrifying to think.

And the other thing that really worries me about that is when you think about forward secrecy, that data is still out there somewhere.

And that data, although I know it's 2007, a long time ago, but the details on there are exactly the same for me as they were then. So I just hope somebody never finds those.
GRAHAM CLULEY
It's interesting, isn't it? Because breaches sort of disappear into the mists of the past, but data which was stolen, as you say, years and years ago can still be abused.
ALAN WOODWARD
The thing is, people don't move that often. And one of the things that's becoming more, ever more permanent is your phone number, is your mobile phone number.

In fact, it's used as a proxy for your identity in many parts of the world.
GRAHAM CLULEY
Yeah.
ALAN WOODWARD
In fact, the World Bank uses phone numbers and the number of phone numbers that are issued as a proxy for the population.

'Cause in many parts of the world, they don't issue birth certificates and death certificates, but they know how many phone numbers there are.

So you can start to work out how many people there are. And your phone number these days is who you are.

So if you've got that and a physical address, I mean, I've actually had cards cloned before when all they had to be able to set up the account was the birthday and the address.

And some people will set those up as taking a unique proof of ID, which of course it certainly isn't.
GRAHAM CLULEY
No. Well, I think it's another case of the public sector possibly doing a worse job of securing our personal information than private companies.

It does seem to be happening time and time. I know it's a low bar.
CAROLE THERIAULT
I've never heard of a private company having any issues like this.
GRAHAM CLULEY
No, I'm not saying they don't, Carole. All I'm saying is, low as that bar is, maybe actually public sector is performing even worse.
CAROLE THERIAULT
Oh, okay. You should get a job at the Daily Mail with common sense.
GRAHAM CLULEY
Well, I'll have to speak to my friend Piers, perhaps.
CAROLE THERIAULT
Yeah, you should. See if he can—
GRAHAM CLULEY
Thank you, mate.
CAROLE THERIAULT
Oh, me?
GRAHAM CLULEY
Yeah. Alan, what story have you got for us this week?
ALAN WOODWARD
Well, the one I wanted to talk about was SolarWinds, sometimes called Solorigate by Microsoft.

It all originated, or at least it appeared to originate, from when the company FireEye detected that there was something rather strange about the SolarWinds software.

SolarWinds is a piece of network management software which is extremely popular.

It's probably one of the most popular pieces of software nobody's ever heard of, but it is literally running all the infrastructure that surrounds us, including in some very large government departments and particularly in America.

So they found that there was something very peculiar in this software in that it had a backdoor in it. So they thought, well, that's not right, shouldn't have a backdoor in it.

But the thing that confused them more is they couldn't find out how it had got in there because it wasn't in the source code.

So if you imagine the build process for this software is some very clever people write the source code, it then gets put into the build process, turned into the object and machine code in a way, and then gets sent out in the update process.

What was happening was it wasn't detectable in the source code, so none of the usual security checks in the source code were finding anything.

But at the other end of the update cycle, in the update path, people were being sent updated software with this backdoor in it.

Now, you know, you've got people like me who bang on like a broken record about you've got to keep your software up to date. It's got to be the latest version.

Yeah, it's one of those mantras, isn't it? And of course, the poor people who actually followed that advice were the very ones that got hit with this.

As it turned out, there was about, I can't remember, about 18,000 of them. And it was from March last year, March 2020, when they did the update then.

So they were trying to work out how on earth did this happen? And it's only recently as they pieced it together.

The other bit that was really strange about this was that when it got to the other end of the update cycle, it was digitally signed. So it had the digital signature attached to it.

This software was really from SolarWinds as far as your Microsoft machine was concerned, it really was from SolarWinds.
CAROLE THERIAULT
And the checks happened, the checks that you expect to happen happened and they came back with the answers you expected so you wouldn't worry, you wouldn't go digging.
GRAHAM CLULEY
Users would be reassured it hadn't been tampered with.
CAROLE THERIAULT
Yeah.
ALAN WOODWARD
Absolutely.

And then when they dug a bit further, what they found that was happening was somebody had managed to get into the build servers of SolarWinds and they had managed to get a script in there that injected their bit of code, a relatively small piece of code, into the SolarWinds code.

And it was pretending to be a particular DLL such that when it was built, it went through the build process, it was all digitally signed by SolarWinds.

So it got injected just at the right point that nobody would have spotted it.

It just snuck in under the door, got signed, and out it went into the out process so that it went to the updates.
CAROLE THERIAULT
Yeah.
ALAN WOODWARD
No checks would have picked it up at the SolarWinds end. No checks would have picked it up at the receiving end because it was signed, etc.

And then, you know, a lot of intrusion detection systems, for example, will look for unusual activity on your network. But this bit of software was clever.

It went to sleep for two weeks. Once it got in, it went to sleep for two weeks. And only after that did it dial home.

It dialed home to the command and control servers and said, "Right, I'm here. I'm active.

What do you want?" And it would allow them to come in and do— take files off, or just to come in as a general backdoor, actually, and implant other software as well.
CAROLE THERIAULT
Yeah. Anything they wanted, basically.
ALAN WOODWARD
Yes. But then came a slightly mysterious twist.

There's been all sorts of twists and turns in this tale, in that what became clear was that Microsoft had been hit and they weren't sure whether Microsoft had been hit because they had installed SolarWinds that had a backdoor in it, or was it that Microsoft's 365 product had somehow been infiltrated and that was used to get the credentials to then go and attack SolarWinds' build servers?

And that's all still a bit up in the air at the moment.

So nobody quite knows what came first, the chicken or the egg here, but it's looking that somehow something was involved outside of SolarWinds that allowed them to get the credentials to go into that build server.

Either way you put it, it's SolarWinds that are now squarely flagged with having had this problem, as you can tell from their share price.
CAROLE THERIAULT
Do you think it's one of the more clever attacks that have happened because there's so much thought put into how to sneak around?
ALAN WOODWARD
Yes. In the good old days, tradecraft, as they call it, was sort of the benchmark of all the espionage we ever did. And this had an enormous amount of tradecraft in it.

This wasn't just building something that was sophisticated, very clever.

As with most things, I mean, it exploited what's called the PICNIC problem, as in the problem's in the chair, not in the computer.

So you get the person to do something that then lets something else happen, that lets something else happen. And it's these chained exploits that are the really clever ones.

I mean, you know, you see some 16-year-old breaking into TalkTalk using a SQL injection tool that they can get on Kali Linux.
CAROLE THERIAULT
Yeah, and you yawn.
ALAN WOODWARD
Yeah, yeah, yeah. But this, no, this was really thought through. This must have taken a couple of years.
GRAHAM CLULEY
Now, obviously, many thousands of companies and organizations will have been running this compromised version of SolarWinds and potentially would have been vulnerable to attack.

But it wasn't really an attempt to compromise thousands and thousands of companies, was it? It appears that they had particular targets in mind.
ALAN WOODWARD
This is again one of the really interesting parts about this in that if you look, I suspect a lot of companies were caught in the crossfire.

Because we were then able to identify the command and control servers, so the indicators of compromise were very definite for where information had been exfiltrated from organizations.

You could actually go and look and see using passive DNS, for example, you could see who had been not just attacked, but that attack had then been used to suck information out.

And it turned out to be relatively few. A lot of them were large government departments in the US. In the UK, far less so. There was a mild, I think slightly knee-jerk reaction.

It's quite interesting that the US took the approach that rip it out, and they basically issued this emergency order to rip it out of everywhere.

The UK, the National Centre for Cybersecurity didn't say that. They said, well, first of all, find out if you're subject to it. Secondly, look for these indicators of compromise.

And then thirdly, close them off. So no data could be exfiltrated, and then you can clean house whilst, you know, nobody can get anything out.

So it was a much more measured approach.
CAROLE THERIAULT
How unusual.
ALAN WOODWARD
Whereas the Americans, it was just kind of rip it out.

But the trouble with the rip it out approach is these things are so interconnected these days, you don't always know the full ramifications of ripping it out of your system.
GRAHAM CLULEY
It's a bit of an odd name for a company though, isn't it? SolarWinds.
ALAN WOODWARD
Yes, well, SolarWinds, an awful lot of their names are sort of astronomical.

I suspect whoever set it up ended up as an astronomy buff because actually the product that was affected was called Orion.

So yes, they seem to, but then I guess we're running short. We've gone through most of the fruits like apples and acorns and all the rest of it.

So, but maybe we're now onto astronomical metaphors.
GRAHAM CLULEY
Carole, if you set up a software company, would you name it after Uranus? That's just a cheap schoolboy joke. And I apologize for that.
CAROLE THERIAULT
Oh yeah, that's good. That's all you need to do.
GRAHAM CLULEY
Yeah. Carole, what have you got for us this week?
CAROLE THERIAULT
All right, cue romantic music. Now, this show is being published a few days before Valentine's Day.

And if you have a special someone in your life, I assure you that this is not the year you want to skip on because it's been a pretty bad year for most of us.

And if you're living with this person, they've been putting up with your crap day in, day out, because especially if they've been in lockdown, there's been no respite at all, has there?

And so, you know, and also they'll feel bad if they didn't do anything. So you have the upper hand after that as well.
GRAHAM CLULEY
And if you're not— card saying there is no one I would like to spend the rest of my life locked up in one room with than you, couldn't you? Because now I've experienced it.
CAROLE THERIAULT
Way to kill the romance. Now, there are people that have that special person that they can't see or they're not living with. And how do you do that?

How do you reach— you know, it's time to reach out, but what do you do? Send an emoji?
GRAHAM CLULEY
Well, I quite like Diana Rigg, so I'd have to hold a séance, I suppose. So that isn't gonna work for me. Yeah, good question.
CAROLE THERIAULT
I don't know, I say throw caution to the wind. I say reach out.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Digitally hug her somehow, the way you can.

But there are some people out there that need to avoid throwing caution to the wind, and that's those that are in brand new online relationships.

They need to be extra careful because this is Valentine's Month, and romance scams are on the rise. Isn't that annoying? You have one day which— did it always exist?

See, I'm showing my ignorance.
ALAN WOODWARD
Oh my God.
GRAHAM CLULEY
Oh, that's a good question.
CAROLE THERIAULT
Well, there is a Valentine saint, I think, isn't there? There's a saint.
GRAHAM CLULEY
Yes, yes, there is.
CAROLE THERIAULT
Yeah, that's why it's named.
GRAHAM CLULEY
I'm sure there has probably been a celebration for love and buying cheap chrysanthemums at the nearest service station for years and years. I'm sure that's probably been going on.
CAROLE THERIAULT
That's the worst, honestly.

So even Interpol issued warnings a few weeks ago to a whopping 194 member countries, and the notice describes a new modus operandi on dating applications which Interpol says, quote, takes advantage of people's vulnerabilities as they look for potential matches and lures them into sophisticated fraud schemes.
GRAHAM CLULEY
Ooh, well, that'd be quite interesting to know about, because even if you weren't a fraudster, if you were looking for love, if there was a method fraudsters were using to entangle you into a quasi-relationship with them, then if you were a person who was looking for love, you could use that same technique, but just not scam them at the end.

Right?
CAROLE THERIAULT
Oh, right. Because you're saying they're really successful.
GRAHAM CLULEY
If they're really successful at chatting up people online. That sounds kind of useful to know about, right?
CAROLE THERIAULT
Right, so turn their evil tricks to good and use it for love. Interesting.
ALAN WOODWARD
The problem is though, Graham, you see, when you actually look at the statistics of those romance scams, it's a numbers game because for every one that you would succeed in, you'd have to do about 1,000 that didn't succeed.
GRAHAM CLULEY
That is what I'm doing. That is what I'm doing at the minute, right?
ALAN WOODWARD
Most of us would lose heart at that point.
GRAHAM CLULEY
1 in 5,000. If it's 1 in 5,000 replies, that's good.
CAROLE THERIAULT
So the notice here, the Interpol notice says new modus operandi, right?

So let me just describe how this works and you guys tell me, because I found it a bit like, isn't this how they all work? So I guess I was missing the trick.

Okay, so users sign up to a dating app such as Tinder, eHarmony, Bumble.
GRAHAM CLULEY
Bumble? There's one called Bumble?
CAROLE THERIAULT
Yep, there is one called Bumble. Okay, so a user signs up to a dating app and unknowingly ends up matching with a scammer, right? Obviously, they're a scammer.

And once there's a level of trust that's been established, the scam artist will then turn the conversation over to finance or potential investments, encouraging the match to join them in a financial venture.

Right? Like, hey, let's invest in this. I've heard great things. Now, I guess anyone who is meeting someone for new, you'd probably go, oh, sounds interesting.

But to appear genuine, the scammer will give the victim investment tips and lure them down a fake trading app, right?

So they sign up for financial products and they work their way up a so-called— it sounds like, you know, what's that called, that marketing pyramid scheme?
GRAHAM CLULEY
Multi-level marketing.
CAROLE THERIAULT
Yes, multi-level marketing, under the supervision of the connection on the dating app. So they're, I don't know, their romance person.

And in order to get the victim to part with their cash, the fraudster will provide incentives, just like promising they will reach gold or VIP status if they follow their advice.

Once the person has been milked for their cash, they're locked out, of course, of their investment accounts and the scam artist goes poof.

It effectively disappears completely, closing down accounts and laughs all the way to the Tesla dealership.
ALAN WOODWARD
That is quite different. That is quite different from the original ones. The ones that in the last few years that have been happening.

If you look at the data we collect at a place like Europol, what typically was happening is people were being drawn in and building these very intense relationships online.

And the other party was in another country.

And then suddenly they would get an urgent call such as, "I've been in an accident." "I just need £5,000 for my hospital fees or to get home or something like that." "Wire me the money and I'll be—" And then of course you do and you never hear from them again.

So the fact that they're getting them to invest actually sounds quite a new departure for them.
CAROLE THERIAULT
Yes, it's a bit like Crypto Queen meets romance scammers. Yeah, so actually that's a good— let's go through those.

So a few popular romance scams that are apparently still doing the rounds are, you know, exactly as you say, living or traveling outside the country of residence, so the UK or the US, whatever country they're focusing on.

They'll use things like working on an oil rig, or I'm in the military, or I'm a doctor with an international organization. I can't say which, hush-hush.
GRAHAM CLULEY
You don't even have to claim to be on an oil rig now, and that's why you can't come round, do you? Because you just say it's pandemic.

'I live in Oxfordshire, and I'm not allowed to walk more than 300 metres from my house, because we're bloody locked down here.' And as Alan says, after they build up the rapport, they're going to bring up a problemette, right?
CAROLE THERIAULT
Such as, 'Oh my God, sweet cheeks, I'd love to come see you, but I can't afford the plane ticket.' Or as you say, Graham, 'There is a pandemic.' There aren't any planes. Yeah.

There are no planes. How would you get money out then during a pandemic if you can't use the—
ALAN WOODWARD
Oh, I reckon the one that's going to come up, and it's already started to come up, is in overseas countries.

Is it in order to get my vaccination, they're going to charge them in this country?

Whereas you, lucky old thing, you've got the NHS in Britain, they're going to give it to you free.

Over here in wherever it is, in the middle of Africa or something, they're not going to allow that.

You've got to, you know, say, and I can't get out of the country unless I've got a vaccination certificate, please send me $1,000.
GRAHAM CLULEY
Yes. That's very interesting. I was reading in Private Eye that obviously we've had, you know, a good deal of success vaccinating a reasonable percentage of the population already.

I think we've got over 10 or 12 million now. And they were saying in Africa, in total, the number of people who've been vaccinated is 25. And it's like, well— Yes.
CAROLE THERIAULT
Because there was a bidding war, right?
ALAN WOODWARD
They're probably the presidents of the various countries as well.
GRAHAM CLULEY
No, this is a global problem. We can't just vaccinate ourselves. We all have to be vaccinated to stop this becoming a problem.

So yeah, so I mean, that's— That sounds quite plausible.
CAROLE THERIAULT
You're going to be put to work as soon as you're vaccinated, right? It's, you know, in the airplanes, put your own mask first.
ALAN WOODWARD
Well, it's quite interesting.

When I got the text through, because I've had my vaccine, my first vaccination, and I got the text through and it said, here's a link, and I'm always suspicious of SMS messages that have a link in them anyway, and the first thing it said was, this, we will never ask you for your, for details other than your date of birth and your name to prove who you are.

If anybody in any of this chain asks you for bank details, for example, then stop and phone the police. So the NHS obviously can see it's happening somewhere.

And we've heard stories already in the UK of people just turning up on the doorsteps of old, vulnerable people and saying, pay us £90 and you can have your vaccination.

God knows what they're being vaccinated for.
GRAHAM CLULEY
Probably been injected with bleach. I heard that. I heard an expert on the topic expounding the virtues of that.
CAROLE THERIAULT
We don't even have to talk about that anymore.
GRAHAM CLULEY
Oh no, he's gone, right? He's gone, right?
CAROLE THERIAULT
Gone but not forgotten. The thing is, what I find amazing about romance scams is how can they be so attractive?

Because the amount of legwork you have to do and the number of people you have to effectively woo, you know, is huge. But it turns out the returns are hugely sweet.
ALAN WOODWARD
They also are teams of people.

So you may see a picture, because you'll note one of the things they don't do in those dating, those sort of online romance scams, is they never have videos with you.

You'll see pictures of some very handsome gentleman or some very pretty lady. But actually, you typically, people are interacting with them by text.

So you never hear their voice and you never see them moving. So it's actually a team of people. It's like a boiler house.

So you've got, you know, you're interacting with what you think is one person, or thousands of men might be interacting with what they think is one pretty lady, and yet it's a team of people behind there who are interacting back with them.
CAROLE THERIAULT
I just can't imagine you wouldn't notice. I can't imagine not kind of going, "Okay, that's a weird turn of phrase," or, "They don't usually write like that."
ALAN WOODWARD
You would think. You would think, wouldn't you? Scripts. You've got to remember as well that part of this is that they are preying on people who are desperate for romance.

And people will overlook all sorts of things when they get into that situation. I mean, I feel desperately sorry for them.

And one thing I think is really important— sorry, I'll get my stern hat on here— I believe it, you know, you mustn't victim shame because it is so easy in different circumstances to get drawn in.

I once wrote an article called The Seven Deadly Sins, which was about that there are the seven human traits which are exploited by all these people, and one of them is the quest for love.

I mean, it's, you know, people want to be loved, and if they think there's someone and they're saying the right things, it's just— it's horribly easy to exploit them.
GRAHAM CLULEY
The only thing I want more than love is a decent broadband connection. Don't get me going.
CAROLE THERIAULT
Don't we all? Don't we all?
ALAN WOODWARD
I think I traded my wife for that.
CAROLE THERIAULT
And just one point, we often think romance scams just affect women, right? That women are the ones that are targeted. And whilst that is true, men have also fallen for romance scams.

There was this guy just a few weeks ago, Andrew Marvin, lost £38,000 after he was scammed from 3 separate accounts, all 3 posing as single women.

So guys, don't play the field online too much there. The problem was that he was grieving, coming to terms with the death of his mom.

And so he was perfectly ripe for the romance scammer because they probably, as soon as they found that out, you know, when he probably posted it, and then they had a perfect in to go and listen to him.
ALAN WOODWARD
And the other thing, they get found out as well, because what happens is that on social media, we'll— I mean, generation overshare.

That it's possible to look for people that, you know, have lost parents, have lost loved ones, and they're gonna be in a vulnerable position.

Or some other life-changing event has happened and they will find that they're in a vulnerable position. So those are the ones that they go after.
CAROLE THERIAULT
Yeah, basically don't have any secret romances online. Tell at least one person you trust because that's the worst. Two brains are much harder to dupe than one.

And it's the whole "Don't tell anyone, but," or, "This is our secret little affair," or all that kind of garbage. Can lead to a lot of trouble. Anyway, there you go.

So, you know, don't be duped this Valentine's Day. And if you have someone you do love and trust, you know, hail them on Valentine's Day.
GRAHAM CLULEY
There you go. Wonderful. Last week, more than 3 billion unique sets of login credentials were shared online in what's likely to be the largest data breach of all time.

Even though it appears no new login details were exposed, the sharing of so much data increases the risk that previously exposed credentials could be used to gain access to your online accounts, particularly where passwords have been reused.

1Password's Watchtower feature can check for passwords that have been affected by breaches and tell you when a password has been reused. Don't wait for a data breach.

Check out 1Password at 1password.com. And thanks to them for supporting the show.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
ALAN WOODWARD
Oh, sorry. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.

Better not be. Well, my Pick of the Week this week is not security related, but it is— Good. A board game, a board game made digital.

Now, regular listeners to the show will know that I'm rather obsessed with chess. And that is, of course, the greatest game in the universe.

However, there are some other games which I think are rather fun. And one of them is the game of Scrabble. I love a game of Scrabble. I'm quite a demon on a Scrabble board. Are you?

I'm not bad, Crow. I'm really not bad. There's quite a lot of strategy that goes on. It's not just going for the biggest number of points.
CAROLE THERIAULT
Maybe I should put you against, you know, the old Chewbacca that I married.
GRAHAM CLULEY
The old Wookiee. The old Wookiee.
CAROLE THERIAULT
All right. Well, he's pretty shit hot as well.
GRAHAM CLULEY
Maybe we'll do that sometime. Now, one of the problems with Scrabble is, of course, now I'm locked away and there are limited opportunities to play a game of Scrabble.

So I'd have to play online. And the official Scrabble app is an utter abomination.

In fact, Zoe Kleinman, friend of the show, has even written on BBC News an article all about how Scrabble fans hate the official Scrabble app and just how dire bloody awful it is.

Because it is ghastly. And they've added all these jewels and pop-ups and stupid things.
CAROLE THERIAULT
I tried. I tried. I paid money for it. It's awful. I took it off my phone.
GRAHAM CLULEY
It's awful. And I kept on thinking, why has no one done a decent game of Scrabble online that I can play? And I think it's all tied up with copyright.

Yeah, it's all tied up with rights and things. And so no one can do it. And then finally I found one. It's been doing the rounds for a few years. It's called Lexulous.
CAROLE THERIAULT
Lexulous.
GRAHAM CLULEY
And they somehow have got away. I think they used to call themselves something which sounded more Scrabble-y, and they probably were told to stop using that name.

It is available on the web. It's also available for your iPhone, Android, and even BlackBerry.
CAROLE THERIAULT
And it is— It's getting propped up now by Wall Street, isn't it? So, you know, who knows?
GRAHAM CLULEY
And it is a pretty good replica. I mean, there are some very minor changes with the scoring of some of the letters. And I think you get one more tile in your rack.

So they've made a couple of minor changes so that they don't get sued to oblivion.
CAROLE THERIAULT
But the essence is there. It feels good.
GRAHAM CLULEY
Oh yeah, because it's not trying to be anything which it isn't.

You can pay a couple of quid for the paid version, which I did, because you don't want the ads popping up and things like that.

But it's a great game of Scrabble, and you can play it for free entirely online. Not Scrabble.
CAROLE THERIAULT
Lexulous. Lexulous.
GRAHAM CLULEY
Don't give them a copyright issue. And that is why it is my pick of the week. Fair enough. Alan, what's your pick of the week?
ALAN WOODWARD
My pick of the week is, well, I have to say it's probably become something of an obsession now in that I like things to take my mind off of other things.

My mind gets too intense when I'm thinking through some of these, the various problems to deal with every day. And so I quite like playing games on my iPad or whatever.

I've been looking for simpler and simpler games to play, things where I don't have to think very much. And I've come across one called Bubble Breaker, and I can't stop playing it.

My mum loves it too.
GRAHAM CLULEY
Your mum knows this as well? Yeah, yeah.
ALAN WOODWARD
And you just keep going for a higher and higher score, and you think, how high can I go?

And you get to the point where you're just about, and then suddenly it all collapses, and you think, oh God, no, I'll do it next time, I'll do it next time.
CAROLE THERIAULT
Isn't it kind of like Tetris but in reverse? Would you agree with that?
ALAN WOODWARD
Yeah, it is. Absolutely. You have to ping away the bubbles, and you have bubbles of all the same colour, you need as many of those to pop at the same time.

And gosh, I mean, but I find it now, even because I've got it on my phone as well as my iPad now. So even if I'm off waiting somewhere, I'll sneak the phone out.

And that's what— if you see me on my phone, I'm probably playing Bubble Breaker, I'm afraid.
CAROLE THERIAULT
So if this was a real-life game, you'd have to imagine yourself inside one of those playpens at IKEA where they start throwing the balls at you.

The yellow balls and the blue balls, and your job is just to catch the one color ball as much as you can. And when you switch, you lose points, you see.

So yeah, and it comes faster and faster, more and more.
ALAN WOODWARD
And you convince yourself that there are strategies that are gonna work.
GRAHAM CLULEY
And none of them do. Is it a game which basically goes on forever until you fail? Like Tetris, for instance? Right, okay. Yeah, wow.
ALAN WOODWARD
But then it says, "Oh, good score, nearly there." And it draws you in to say, "Just one more and you could have done it." So all you're doing is playing yourself.

You're playing yourself all the time, and you're trying to get higher and higher and higher scores. And it really is, it's addictive. Absolutely.
CAROLE THERIAULT
How much psychological information you're giving away, Alan, I cannot even tell you.
GRAHAM CLULEY
Okay, so that's Bubble Breaker. Brilliant.
CAROLE THERIAULT
There you go, two games.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Mine is not a game. Okay, so my pick of the week has to do with IKEA and sofas, Graham, which is why you brought them up earlier.

I know a lot of us have pieces of IKEA furniture in our houses. A lot of those people have IKEA sofas.

I, in fact, have two Klippan, which I've had for 10 years, and they were secondhand when I got them.
GRAHAM CLULEY
That's a type of IKEA sofa, is it?
CAROLE THERIAULT
That's a type of IKEA. Yeah, that's the one problem. You do need to know the type of sofa you have for this pick of the week to work, which is not always easy.

But I obviously don't have the original covers, right?

Because I have a hairy husband and I used to have a very beautiful, fluffy cat, who loved to use it as a scratching post and all that stuff.

And IKEA, of course, do sell sofa covers, but in the UK, at least, there's only maybe 3 or 4 different styles. And that's the problem with IKEA, right?

Not everyone wants to have the same exact sofa that everyone else has. Does that mean you have to go out and buy a new sofa from a fancy place? No, no, no, it does not.

You go to BEMZ, B-E-M-Z, okay, website. It is an EU-based store that sells sofa covers specifically for IKEA sofas, all of them, right?

So I would go in there and say, yeah, I'm choosing the Klippan, and yeah, it's the two-seater one.

And then I go and look and there's maybe about 300 different types of covers that I can have. They will make them for me.

They will charge me maybe £100, maybe £200, maybe £300 at the very expensive level, and they sell them in the US as well. In the US, they're actually even cheaper.

So BEMZ people, if you need a little cheap refresh in your house, check out BEMZ.
GRAHAM CLULEY
And they specialize in covers for IKEA.
CAROLE THERIAULT
Only IKEA. Yeah, they're an IKEA partner, but somehow BEMZ offers many, many more options than they offer in store.
GRAHAM CLULEY
So, well, that sounds like a really good pick of the week because loads of people do have IKEA furniture.
CAROLE THERIAULT
Well, thank you very much, Graham.
GRAHAM CLULEY
And if you puke all over the sofa, you—
CAROLE THERIAULT
Do you do that often?
GRAHAM CLULEY
Red wine or something, then you want to fix it, don't you? Very good.
ALAN WOODWARD
Lots of people at home in the moment wanting to do something for DIY as well, aren't they?

If you can't quite muster up the energy to repaint the kitchen, then changing the sofa covers is probably the next best thing.
CAROLE THERIAULT
100%. Exactly. And they're removable, so you can wash them in the washing machine if you don't have a ginormous sofa.
GRAHAM CLULEY
So anyway, check out BEMZ. They're amazing. To be honest, Alan, you're not going to fix up the kitchen or change the sofa covers. You're going to be playing Bubble Breaker.
ALAN WOODWARD
Too true. Too true.
GRAHAM CLULEY
Well, that just about wraps it up for this week. Alan, thank you so much for joining us on the show. I'm sure lots of our listeners would love to follow you online.

What's the best way for folks to do that?
ALAN WOODWARD
Oh, I'm most active on Twitter, I suppose, which is @ProfWoodward.
GRAHAM CLULEY
Cool. And you can follow us on Twitter at Smashing Security.

SmashinSecurity, no G, Twitter won't allow us to have a G, and we're also on Reddit, just look for the Smashing Security subreddit.

And don't forget to ensure you never miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
CAROLE THERIAULT
And huge thank you to this week's episode sponsor, 1Password, and to our wonderful Patreon community. It's thanks to all these people that this show is free for all.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 212 episodes, check out smashingsecurity.com. More than 213, actually.

Yeah, I thought you were going to correct me. I left that for you.
GRAHAM CLULEY
You're welcome. Yeah. Until next time. Cheerio. Bye-bye. Bye. Bye.
CAROLE THERIAULT
Now, of course, this show is being published the day before Valentine's Day, and if you have a special someone in your life, I assure you that this is not the year you want to— excuse me, did someone say something?
GRAHAM CLULEY
Sorry, I was— It's not coming out the day before Valentine's Day. Valentine's Day is Sunday. Is it?
CAROLE THERIAULT
Yes. Oh, you see, I thought it was on Friday. God, see, I was all panicking. I wouldn't get my stuff.
GRAHAM CLULEY
Sorry, I really tried hard to pull back that nerdy bit of me. Maybe you could say a few days before Valentine's Day.
CAROLE THERIAULT
Oh, hey, novel idea, Graham. Thank you.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Alan Woodward – @ProfWoodward

Show notes:

Sponsor: 1Password

Don’t wait for a data breach, check out 1Password

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
