Pygmy hippopotamus bugs, DEF CON’s data slip-up, and phishing fraudsters have their collars felt.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Naked Security’s Paul Ducklin.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I've got an admission to make, Duck. I don't think I've combed my hair since I was about 8 years old.
Graham, I don't—
Am I missing out, or are other people just very polite about me not?
How's life going for you, Graham?
Either you're the fashion captain or you're not. And so if you're not, you just don't have to comb your hair. Don't let it bother you. Smashing Security, episode 238.
Fashion Captain, Fraud Family, and DEF CON, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 238. My name's Graham Cluley.
Fashion Captain, Fraud Family, and DEF CON, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 238. My name's Graham Cluley.
And I'm Carole Theriault.
And this week on the show, we're joined by a returning guest. Someone who hasn't been on the show for far, far, far too long. Paul Ducklin.
Hello folks. Thanks for having me back.
Paul, what do you want people to know about you? Remind them of 3 things about you.
My barnet is coming along a treat. I couldn't go to the barber when lockdown started.
That means his hair, folks.
Yeah, barnet, hair. And so I just didn't go to the barber. And then it got to the point where I thought, golly, I have to go to the barber.
And then it got to the point when lockdown ended and I could have gone to the barber that I'd got past the point of thinking, this is annoying, I need to go to the barber.
And I figured, I'm going to see what happens. So all I can say is, Dr. Brian May, I'm a big fan of yours. I love your hair, but watch out, my friend.
I'm not bragging, but maybe that's enough for our listeners.
And then it got to the point when lockdown ended and I could have gone to the barber that I'd got past the point of thinking, this is annoying, I need to go to the barber.
And I figured, I'm going to see what happens. So all I can say is, Dr. Brian May, I'm a big fan of yours. I love your hair, but watch out, my friend.
I'm not bragging, but maybe that's enough for our listeners.
Would you send us a new photograph for your—
A nude photograph?
No, no, that's what I heard as well. Thanks to this week's sponsors, 1Password and Offensive Security. Their support helps us give you this show for free.
Now coming up on today's show, Graham, what do you got?
Now coming up on today's show, Graham, what do you got?
DEF CON is what I'm going to be talking about.
Duck, what about you?
I have one of the world's cutest aquatic mammals, the pygmy hippopotamus bug.
This is perfect. And for the trifecta, I am going to the birthplace of the late, the great Eddie Van Halen. All this and much more coming up on this episode of Smashing Security.
Now, chums, DEF CON, the world-famous hacking conference held annually in the seething hell that is Las Vegas. Who's been to DEF CON before? Duck, have you ever been to DEF CON?
No, I've been to Black Hat, but not to DEF CON. You know, I liked my time in Vegas, but a few days was enough.
I've never been to Vegas.
You've never been to Las Vegas?
Super weather.
I have very little interest in going unless someone can change it for me and say, this is why you need to go.
I rather like Las Vegas.
Yes, well, that's one reason why I'm not.
I always wanted to go to the Hoover Dam because Art Deco, but it's running out of water. It's terrible.
Oh, is it?
They've got real drought. Yeah, lowest ever, I think.
Wow. I did go to the Hoover Dam once. I saw a man having an enormous mega slurp.
You sent me that picture.
Yes.
That's awful.
I don't want to know what that means.
They are huge drinks.
Anyway, DEF CON brings together security professionals, researchers, journalists, students, anyone else interested in the weird world of hacking, and they come together each year.
There are multiple tracks of talks, hacking challenges, competitions, capture the flag, fun for all of the family. Well, the nerdy ones at least, in the heat of Nevada.
And yes, DEF CON is happening in Las Vegas next week. And when I say it's happening in August, so they put it in August. Yes, this is when it happens.
There are multiple tracks of talks, hacking challenges, competitions, capture the flag, fun for all of the family. Well, the nerdy ones at least, in the heat of Nevada.
And yes, DEF CON is happening in Las Vegas next week. And when I say it's happening in August, so they put it in August. Yes, this is when it happens.
They do have air conditioning, you know, they're kind of famous.
Yeah, but people like to go outside as well and not melt.
Hackers like to go outside. Okay, I'll take your word for it.
Well, DEF CON really is happening in person this year. Last year, the in-person element was canceled. It was only virtual.
So there are plenty of folks this year who are keen to attend. And there are of course some rules.
DEF CON's telling people they need to bring proof that they are fully vaccinated and they must wear a proper mask at all times.
Would that be enough to lure you to go to DEF CON in Las Vegas this year?
So there are plenty of folks this year who are keen to attend. And there are of course some rules.
DEF CON's telling people they need to bring proof that they are fully vaccinated and they must wear a proper mask at all times.
Would that be enough to lure you to go to DEF CON in Las Vegas this year?
Would an Anonymous mask, a Guy Fawkes mask, be good enough? No, no, no.
I see what you're thinking. No, they've got quite strict rules.
According to the FAQ, that kind of thing isn't acceptable, and neither are scarves, ski masks, balaclavas, bandanas apparently won't suffice.
According to the FAQ, that kind of thing isn't acceptable, and neither are scarves, ski masks, balaclavas, bandanas apparently won't suffice.
Bandanas can actually go across the head, don't they? Not the mouth.
Or a gag, you know, a ball gag. That's not going to be good enough either, even if you plug up your nostrils.
If you ever see someone DEF CON with a ball gag.
I'd be surprised if you didn't see that. But neither will— you know how some people pull up their shirts or their jumpers across their mouth and nose?
That specifically is not— oh, I've seen that. I've seen that.
That specifically is not— oh, I've seen that. I've seen that.
Like, someone picking up their shirt and putting their face down there.
Yeah, they sort of dip their face into it. It's quite bizarre. That's all because they're all hunched up. It looks like they've suffered some kind of absurd rictus.
Anyway, I don't know whether I would be comfortable attending a big conference like DEF CON at the moment. People have been asking me, are you going to be there, Graham? And I'm—
I should hope not.
Well, of course not.
You went to RSA in 2020. I couldn't believe it.
Yeah, that was 2020, Carole.
Yeah, but that was when he was young and foolish.
Yeah, exactly.
Yeah. Well, he's grown up a lot since then, I'd say.
I have. A huge amount. But maybe you don't want to attend DEF CON in person, in which case there is a virtual ticket available.
You can attend it via a Discord channel, which is what all the kids love these days.
You can attend it via a Discord channel, which is what all the kids love these days.
Very cool.
And I think that's probably sensible. I think that's a lot more sensible.
You still get the badge, the famous hackable badge.
I think you can, yes, because that's what they sell, isn't it?
No, they sold out.
Oh, have they?
It says you can't even buy online tickets anymore, online tickets because they've sold out. How do you sell out of space in a Discord channel?
And I'm guessing it's because they only made so many badges and they're all gone. Ah, smart. And what would DEF CON be without the badge, eh?
And I'm guessing it's because they only made so many badges and they're all gone. Ah, smart. And what would DEF CON be without the badge, eh?
Because the badge is really nerdy, isn't it?
Yeah, you can hack it and—
Yeah.
They're the— I was going to say they're the reason people go, but of course they're not. They're one of the excuses that give people a good reason to go, I suspect.
So if you wanted to go to DEF CON, which is happening next week, you—
You have left it a bit late.
Well, you've probably left it a bit late, but the place where you would have purchased your ticket would have been on the DEF CON site.
Right.
And you would imagine that wouldn't pose any problems.
Well, you imagine it would not pose any problems to them. You imagine it might pose a lot of problems to you, like that they might try and hack you, not the other way around.
Yeah, exactly. Whether you trust their website or not as to whether something nasty may happen. They've been holding DEF CON since the early 1990s.
You would think it's a fairly slick operation, how you get your tickets and all the rest of it.
But a security wonk called Brandon Forbes, who goes by the name Reznok, he found a problem when he registered for his DEF CON ticket.
You would think it's a fairly slick operation, how you get your tickets and all the rest of it.
But a security wonk called Brandon Forbes, who goes by the name Reznok, he found a problem when he registered for his DEF CON ticket.
Okay.
Because he found a bug in the online registration system.
Of course he did.
And that bug made it possible for anybody to find out the names and email addresses of anyone else who had bought a ticket online.
Ooh, zut alors, that's a little embarrassing for DEF CON, isn't it?
Well, you would think. You'd like to think that's the kind of thing that they've got properly under control.
Or maybe they quite like the idea of saying, you see? Like, hacking shall be free.
Or is it a fake list of names and email addresses just to see who would report it and then give him a big prize, or her a big prize?
Oh, what a lovely competition that would be. Yes. Sounds like an awful lot of effort to go to, but—
Well, it would be a good marketing campaign.
I like the way you're spinning this, Carole. You're thinking of—
TM Crowther.
—like a PR person. So, what did Reznok do? He purchased his ticket online, and he said it was really simple. He went to a web page where the ticket shop was located.
He didn't have to log in. There's no sort of registration involved in terms of an account. He made his purchase.
He didn't have to log in. There's no sort of registration involved in terms of an account. He made his purchase.
Good, good, good. Like the sound of that so far. I hate these sites where you have to create an account to buy one thing, and then you can never delete it afterwards.
So, he made his purchase, and a few moments later, he received in his email the order confirmation with a link to view his order details and tickets.
Sounds all normal. Normal so far.
Right. And the link was something like, DEF CON Merchandise, blah, blah, blah, blah, blah, blah, blah. Orders 3791. And he thought, oh, that was really easy.
And he looked at that link, curious. And he thought, 3791. Is that my ticket number?
And he looked at that link, curious. And he thought, 3791. Is that my ticket number?
Is that how many people are attending? Let me try another number. No. Yeah. No! Oh no!
So let's see who booked just before me.
Exactly. So the first step he took was he took that URL, put it into an incognito window in his browser.
So there are no cookies or tokens in play and saw he could still view his ticket details. So anyone who put in that URL would see his ticket details.
So then just like you've said, he changed the number from 3791 to 3790.
So there are no cookies or tokens in play and saw he could still view his ticket details. So anyone who put in that URL would see his ticket details.
So then just like you've said, he changed the number from 3791 to 3790.
But be fair, Graham, 4 digits, it's a big ask to guess. I mean, how many 4-digit numbers are there? There are loads. Must be possibly as many as 10,000.
So this is what is known, as I'm sure many of our listeners know, an insecure direct object reference vulnerability, also known as IDOR.
No, I think you say "duh," because it should be D-O-H really, shouldn't it?
So this isn't just one of the most commonly encountered problems on poorly designed websites. It's also, of course, really easy for attackers to exploit.
And we've seen quite a few of these over the years. I remember EasyJet and—
And we've seen quite a few of these over the years. I remember EasyJet and—
Okay, but this is DEF CON. So are we kind of thinking, oh, we should be holding them to a little bit of a higher standard? How the heck did this happen?
I think they went out to a third party to do the ticketing and, you know, didn't look at it.
Well, that's it.
Didn't look at it, kind of, or didn't know, or did— yeah, you know how it is. Ink the deal, ticket purchasing website. It's just a ticket. You don't need an account. Meh.
But it turns out that, you know, maybe when you get the ticket, there is a certain amount of personal information you have to put in there, isn't there?
Your name and email address to get the ticket back. Yeah. Maybe DEF CON are thinking, you know, who comes to DEF CON under their real name with a real email address? I mean, come on.
This is an indirect non-object reference, and I know. So I'd love to know how many of those names were Mr. Mickey Mouse. So you're quite right, Doug. Mr. Dead President. Mrs. So-and-so.
Mr. Bobby Tables. Yes, little Bobby Tables to you.
But it turns out that, you know, maybe when you get the ticket, there is a certain amount of personal information you have to put in there, isn't there?
Your name and email address to get the ticket back. Yeah. Maybe DEF CON are thinking, you know, who comes to DEF CON under their real name with a real email address? I mean, come on.
This is an indirect non-object reference, and I know. So I'd love to know how many of those names were Mr. Mickey Mouse. So you're quite right, Doug. Mr. Dead President. Mrs. So-and-so.
Mr. Bobby Tables. Yes, little Bobby Tables to you.
In their defense, DEF CON had farmed out the running of the booking system to a third-party firm called Guest Manager, which, you know, in some ways sort of says, well, that's not their fault, but it kind of also is their fault because you think, well, how did they choose this company and did they actually try it out for themselves.
And with their kind of mindset, wouldn't they have spotted a problem like this?
But also, any other online service which has used Guest Manager as their booking system presumably was vulnerable to the same flaw as well and is likely to be suffering from the same snafu.
And with their kind of mindset, wouldn't they have spotted a problem like this?
But also, any other online service which has used Guest Manager as their booking system presumably was vulnerable to the same flaw as well and is likely to be suffering from the same snafu.
Well, unless it's a special DEF CON only bug. Yeah. Like, it could be— Carole may be on to something.
Well, maybe they were waiting to see who would get the data and where it would resurface.
Well, maybe they were waiting to see who would get the data and where it would resurface.
Well, the good news is Reznock isn't a bad guy. He informed DEF CON, who reached out to Guest Manager, and the problem was fixed within about 48 hours.
They put in some kind of token system which made it a bit more secure.
They put in some kind of token system which made it a bit more secure.
Ah. That suggests that maybe it wasn't a deliberate—
Yeah. I'm surprised it took— So how quickly did they respond once they were told publicly? Like, so once they were told, yeah.
The founder of DEF CON, Geoff Moss, also known as Dark Tangent, he replied to the initial report within 30 minutes. Good for him. Which is pretty impressive, I would say.
And the problem was fixed within 48 hours. And they then just asked the researcher, can you keep quiet about it for a while until we're ready for the public disclosure to happen?
And the problem was fixed within 48 hours. And they then just asked the researcher, can you keep quiet about it for a while until we're ready for the public disclosure to happen?
So basically we don't have to disclose everyone's private details. So no one's details were actually shown to anyone but Reznock.
Well, according to Dark Tangent, he said it's lucky for everyone it was determined that he was the first to discover it and other people, they believe, weren't.
And I actually think that doesn't really paint a very good picture of the typical person who goes to DEF CON because—
And I actually think that doesn't really paint a very good picture of the typical person who goes to DEF CON because—
Yeah, he was the 3,700 and however many. What was it? 3,791. Yeah. Unless they, you know, they could have started at 1,000 or they could, but they're not random, are they?
They're sequential because he was going backwards. Yeah, because when he went forwards, he didn't get the next person hadn't signed up yet and he got nothing.
But when he went backwards, right? Yeah.
The other good thing is, as far as I know, he didn't get— he didn't do what some researchers can't resist doing and say, oh, I'll write a quick Python script that downloads them all.
He kind of did a few and then figured, I think I can infer from this. Yes. And he didn't go and leech all the data to prove that he could leech some of it.
They're sequential because he was going backwards. Yeah, because when he went forwards, he didn't get the next person hadn't signed up yet and he got nothing.
But when he went backwards, right? Yeah.
The other good thing is, as far as I know, he didn't get— he didn't do what some researchers can't resist doing and say, oh, I'll write a quick Python script that downloads them all.
He kind of did a few and then figured, I think I can infer from this. Yes. And he didn't go and leech all the data to prove that he could leech some of it.
Seems like he was a decent chap. He wasn't doing it to show off particularly or, you know, to draw attention to himself.
But yeah, it does cast all those other people who've signed up for DEF CON in rather a bad light that none of them spotted the problem.
But yeah, it does cast all those other people who've signed up for DEF CON in rather a bad light that none of them spotted the problem.
So, well, no, no. All you can say is none of them reported the problem. Yeah.
Well, that's pretty bad as well. Yeah.
No, no, no. I'm not just saying that. Yeah. I don't know which is worse actually. Now you mention it.
So, Duck, what have you got to talk to us about this week?
I have a little hippopotamus, a pygmy hippo. I need to look one of these up. They're very cute. They're from West Africa. They're sadly very endangered.
But there's a security researcher whose real name I believe is Gilles Lionel, but he goes on Twitter by Topotam77.
And as in topotam, that's he obviously likes hippopotami and He found this flaw, another Windows flaw.
This one didn't get the Nightmare handle like PrintNightmare and HiveNightmare.
He decided to call it PetitPotam, which I presume is a nod to the pygmy hippo because he seems to love hippos.
But there's a security researcher whose real name I believe is Gilles Lionel, but he goes on Twitter by Topotam77.
And as in topotam, that's he obviously likes hippopotami and He found this flaw, another Windows flaw.
This one didn't get the Nightmare handle like PrintNightmare and HiveNightmare.
He decided to call it PetitPotam, which I presume is a nod to the pygmy hippo because he seems to love hippos.
I like it when vulnerabilities get named. Do you remember the Poodle bug? I thought that was very cute as well.
I think that's much better than these bugs which suggest some kind of Eternal Hell or something, you know, really dark and horrible.
I think that's much better than these bugs which suggest some kind of Eternal Hell or something, you know, really dark and horrible.
Yes, in the way that we had PrintNightmare, and maybe it was a bit of a nightmare.
So when the next one came along that involved insecure ACLs on registry hives, instead of just calling it Hivebug, well, let's use Nightmare again.
So at least we didn't get here, SmallNightmare, we got PetitPotam.
And it's sort of not a bug, it's kind of a misfeature that sadly could affect many networks because lots of Windows networks still use NTLM, the LAN Manager Authentication System, which Microsoft itself basically deprecated more than a decade ago saying don't use it anymore, folks.
It was an older, less wise cryptographic age when we designed NTLM.
And in particular, the way it does password hashing makes them vulnerable to brute force attacks because there's no salting.
And it's also vulnerable to, I guess for a similar reason, to manipulate or what used to be called man-in-the-middle attacks, where you trick someone into authenticating with you instead of the real authentication system.
And then you can use the information the client has naively shared with you to kind of finish the login in their name and they don't realize.
And the more modern authentication system in Windows is Kerberos 5, which is what you're supposed to use. You're supposed to turn off NTLM altogether.
But there are so many legacy apps and tools and administration things that need it that kind of a lot of people sort of never got round to it.
So when the next one came along that involved insecure ACLs on registry hives, instead of just calling it Hivebug, well, let's use Nightmare again.
So at least we didn't get here, SmallNightmare, we got PetitPotam.
And it's sort of not a bug, it's kind of a misfeature that sadly could affect many networks because lots of Windows networks still use NTLM, the LAN Manager Authentication System, which Microsoft itself basically deprecated more than a decade ago saying don't use it anymore, folks.
It was an older, less wise cryptographic age when we designed NTLM.
And in particular, the way it does password hashing makes them vulnerable to brute force attacks because there's no salting.
And it's also vulnerable to, I guess for a similar reason, to manipulate or what used to be called man-in-the-middle attacks, where you trick someone into authenticating with you instead of the real authentication system.
And then you can use the information the client has naively shared with you to kind of finish the login in their name and they don't realize.
And the more modern authentication system in Windows is Kerberos 5, which is what you're supposed to use. You're supposed to turn off NTLM altogether.
But there are so many legacy apps and tools and administration things that need it that kind of a lot of people sort of never got round to it.
What's interesting is it gives a kind of argument for software as a service a bit, right? Because if you were hosting this, you could say, look, we are pulling this offline.
This will no longer work in whatever year X. And so, you don't get legacy systems operating.
This will no longer work in whatever year X. And so, you don't get legacy systems operating.
Yes, I think that's an argument that a lot of cloud services do and have used, but even that doesn't always work.
Remember recently when the pandemic really got going, a whole load of government portals in the US, it turned out they hadn't upgraded the encryption algorithms they were using on their websites.
And they were supporting a hash function that had been deprecated and it was about to be blocked by all the major browsers. And they said, "Oh, golly, we haven't done those updates.
We're sorry.
It's we're a few years out of date." But if you implement this blocking in your browser, which obviously then users just won't be able to get to services that aren't up to scratch, people won't be able to get to government portals.
And they're more important than ever. And they had to delay for a while. I don't even know whether they've got here yet. So that's the problem.
Sometimes it's the kind of client side that shouts loudly. And you say, I am going to refuse any connection unless it uses TLS 1.3.
You think that websites would be in a position to do that now.
And then it turns out that actually a significant proportion either of your paying customers or of people in general would take umbrage at that and say, no, I want to— I'm still using Windows XP and Internet Explorer and I won't be able to get to your website.
And sadly, when those people are a significant enough minority, unfortunately, even a cloud service sometimes can't pull the plug on outdated cryptographic technology and has to let it linger on as a sort of necessary evil.
Remember recently when the pandemic really got going, a whole load of government portals in the US, it turned out they hadn't upgraded the encryption algorithms they were using on their websites.
And they were supporting a hash function that had been deprecated and it was about to be blocked by all the major browsers. And they said, "Oh, golly, we haven't done those updates.
We're sorry.
It's we're a few years out of date." But if you implement this blocking in your browser, which obviously then users just won't be able to get to services that aren't up to scratch, people won't be able to get to government portals.
And they're more important than ever. And they had to delay for a while. I don't even know whether they've got here yet. So that's the problem.
Sometimes it's the kind of client side that shouts loudly. And you say, I am going to refuse any connection unless it uses TLS 1.3.
You think that websites would be in a position to do that now.
And then it turns out that actually a significant proportion either of your paying customers or of people in general would take umbrage at that and say, no, I want to— I'm still using Windows XP and Internet Explorer and I won't be able to get to your website.
And sadly, when those people are a significant enough minority, unfortunately, even a cloud service sometimes can't pull the plug on outdated cryptographic technology and has to let it linger on as a sort of necessary evil.
So going back to the pygmy hippopotamus, because I quite like the idea of that.
I don't get why it's a pygmy hippo, but I do love the idea.
Right. So this French chap, Gilles Lionel, he's published some code which exploits this misfeature. Is that what you called it? A misfeature of—
Well, it's not really a vulnerability because Microsoft kind of can't patch it because they've already said, don't use NTLM if you possibly can avoid it.
Because 10 years ago, they said stop using it because the way it was designed, it has these kind of implicit built-in weaknesses about things like how hard it is to hack or crack passwords and protection against manipulator-in-the-middle attacks.
So is it a vulnerability? Well, sort of.
I guess what Microsoft has done over the years to keep NTLM alive, make it ever safer, is they keep adding protections into various protocols on the network that might use NTLM authentication at some point.
But the problem is they obviously haven't been able to go and identify every little place in the network or every protocol where an authentication using the outmoded cryptographic style might be possible.
Because 10 years ago, they said stop using it because the way it was designed, it has these kind of implicit built-in weaknesses about things like how hard it is to hack or crack passwords and protection against manipulator-in-the-middle attacks.
So is it a vulnerability? Well, sort of.
I guess what Microsoft has done over the years to keep NTLM alive, make it ever safer, is they keep adding protections into various protocols on the network that might use NTLM authentication at some point.
But the problem is they obviously haven't been able to go and identify every little place in the network or every protocol where an authentication using the outmoded cryptographic style might be possible.
So if you're a system administrator worried about pygmy hippopotami racing around on your network, the real answer is to remove any legacy apps that are still reliant on NTLM and replace them.
But that's a big ask.
Well, more importantly, what you need to do, because of course a crook could use what's called BYOB, bring your own bug, and bring an application that's still— or malware that uses NTLM authentication to achieve this result.
Really, you need to stop accepting NTLM authentication attempts anywhere on your network. And Microsoft has a little article that shows you how to do that. It's surprisingly easy.
You just, you can go to your domain controller and say, I don't want NTLM at all.
But for many networks, good luck with that because something somewhere is going to break, might snap, and you might not notice for a little while.
And then suddenly, you know, people can buy tickets to your fantastic conference, but maybe they can't get them issued afterwards, and then you're really stuck.
Well, more importantly, what you need to do, because of course a crook could use what's called BYOB, bring your own bug, and bring an application that's still— or malware that uses NTLM authentication to achieve this result.
Really, you need to stop accepting NTLM authentication attempts anywhere on your network. And Microsoft has a little article that shows you how to do that. It's surprisingly easy.
You just, you can go to your domain controller and say, I don't want NTLM at all.
But for many networks, good luck with that because something somewhere is going to break, might snap, and you might not notice for a little while.
And then suddenly, you know, people can buy tickets to your fantastic conference, but maybe they can't get them issued afterwards, and then you're really stuck.
Yeah, and the big takeaway for all the listeners that may not even have this problem is think about the legacy stuff that you might have on your home network or on your phone and stuff you don't use anymore that is just sitting pretty, and you could just get rid of it, right?
Delete it.
Delete it.
And have a little house cleaning. That's easier said than done though, isn't it? Because there's always that thing of, well, I never know when I'll need this app again.
Or you can redownload it.
Or you can redownload it.
You can download it again.
Well, you know, maybe if it's— the problem is if it's a legacy app, you might not be able to. It's like if you suddenly decided, I know, I'll just go back.
I want to download Office 97 because I love that more than this ribbon Office.
I want to download Office 97 because I love that more than this ribbon Office.
Good luck. You need to get help if that's the situation. Did that have the paperclip?
You definitely wouldn't want to download that one.
I heard they were coming back, the paperclip.
I heard about that. Right. Me too. And it was just so—
Maybe you can come on the podcast.
Is this supposed to be a family-friendly podcast? Because I think by mentioning Clippy, you've kind of, you're going to create a lot of anxiety. Clippy. I forgot his name.
Everything's gone wrong. Long since David Bowie died, and it feels to me like the re-emergence of Clippy would prove that. Clippy. Carole, what have you got for us this week?
Okay, so we're gonna head to the birthplace of Eddie Van Halen. Do you know where this is?
Somewhere in the Netherlands.
Yes, the land of gouda and clogs and tulips. And I've never been to this particular town of Arnhem. I've been to Amsterdam. I love it, actually.
I've always wanted to live there for a bit. I think it'd be a cool place to live for a while.
I've always wanted to live there for a bit. I think it'd be a cool place to live for a while.
A bridge too far.
But we're going to Arnhem, and the reason we're going there is because Dutch police have arrested a 24-year-old man last week for developing and distributing a phishing framework, or phishing frameworks.
According to Hacker News report, cybersecurity group IB said that this young guy seemed to be tied to the cybercrime syndicate codenamed Fraud Family.
Now, coming back to names and names that we will assign— what was that?
According to Hacker News report, cybersecurity group IB said that this young guy seemed to be tied to the cybercrime syndicate codenamed Fraud Family.
Now, coming back to names and names that we will assign— what was that?
Frog? Fraud. Fraud. Oh, so they were kind of telling it like it was.
Not Freud. Not Freud.
No, not frog. Fraud.
Right. Fraud. Yeah, I think we should have anticipated that given their business venture.
They're more likely— cybercriminals are more likely to be into fraud than into aquatic reptiles, aren't they?
They're more likely— cybercriminals are more likely to be into fraud than into aquatic reptiles, aren't they?
I imagine. I imagine as well. It's not like the hippopotamus. So Fraud Family frameworks are said to include phishing kits, tools designed to steal information, and web panels.
And the whole point is to allow fraudsters to interact with actual phishing sites in real time in order to try and steal banking authentication details.
So here is how it's said to work.
So you get an email, an SMS, a WhatsApp message impersonating a well-known local bank, and it contains malicious links that when clicked redirect expecting recipient to an adversary-controlled payment info-stealing phishing website.
Can you tell it was from the Dutch press release from the cops?
And the whole point is to allow fraudsters to interact with actual phishing sites in real time in order to try and steal banking authentication details.
So here is how it's said to work.
So you get an email, an SMS, a WhatsApp message impersonating a well-known local bank, and it contains malicious links that when clicked redirect expecting recipient to an adversary-controlled payment info-stealing phishing website.
Can you tell it was from the Dutch press release from the cops?
This is Google Translate. Yes, exactly.
So basically it seems to work very similar to any phishing.
You have a malicious link that you don't recognize, you click through, everything looks hunky-dory, and you start entering your information, and someone's grabbing all that from the other side.
They'd also go to classifieds, Dutch classified advertising platforms, to contact sellers, because they obviously want— this is a service that they're providing.
So they create these phishing kits and then want people to buy them. I mean, I don't know how that conversation goes. How does that work?
You have a malicious link that you don't recognize, you click through, everything looks hunky-dory, and you start entering your information, and someone's grabbing all that from the other side.
They'd also go to classifieds, Dutch classified advertising platforms, to contact sellers, because they obviously want— this is a service that they're providing.
So they create these phishing kits and then want people to buy them. I mean, I don't know how that conversation goes. How does that work?
Like, hey, psst. Yeah. Would you like to make money? Yes. Do you really care where it comes from? No. You might like us. Yeah.
So give me 200 quid a month or whatever. Give me whatever their fee structure is. Yeah.
I think that really is how it works, isn't it?
I mean, obviously it may be happening on sort of underground websites and there are darkweb marketplaces where that kind of thing is discussed. Okay, but what?
I mean, obviously it may be happening on sort of underground websites and there are darkweb marketplaces where that kind of thing is discussed. Okay, but what?
But why isn't the question like, dudes, if it's so lucrative and you're gonna make so much cash, why aren't you guys doing this? Why are you selling it?
Because you can only do so much, can't you? I mean, it may be a manpower issue. They may not have enough personnel for the, you know, it's like, we're doing as much as we can.
Oh yeah, we'll take a cut of anything you do as well. Right, exactly. Right, right, of course.
Well, it's sort of like the ransomware, the big-time ransomware crooks, isn't it? We're seeing ransoms of millions of dollars that actually get paid.
Now, the core crooks don't get the millions. They get, iTunes/Google Play-esque 30%. As Graham said, they get 30% of every ransom.
And they don't have to take the risk of being the people who actually have to infiltrate the network, actually have to stay up late, actually have to sweet-talk the admins.
They just, they go, you do the network hacking, we'll give you the malware, so you don't need those skills. We'll handle the bitcoins.
And I guess, as Graham said, it's the same idea that maybe these guys— it's not quite like those, you know, do you want to learn how to make money selling online?
Buy my training course. It's more like, I don't want to be the in-the-face crook, but I'll sit in the background and take— you take the risk, I'll take some of the money.
And I guess the people involved don't even really have to know each other.
So they can't, even if they want to turn informer, it's kind of quite hard for them to give away the other guys because they're just, you know.
Now, the core crooks don't get the millions. They get, iTunes/Google Play-esque 30%. As Graham said, they get 30% of every ransom.
And they don't have to take the risk of being the people who actually have to infiltrate the network, actually have to stay up late, actually have to sweet-talk the admins.
They just, they go, you do the network hacking, we'll give you the malware, so you don't need those skills. We'll handle the bitcoins.
And I guess, as Graham said, it's the same idea that maybe these guys— it's not quite like those, you know, do you want to learn how to make money selling online?
Buy my training course. It's more like, I don't want to be the in-the-face crook, but I'll sit in the background and take— you take the risk, I'll take some of the money.
And I guess the people involved don't even really have to know each other.
So they can't, even if they want to turn informer, it's kind of quite hard for them to give away the other guys because they're just, you know.
Yeah, they've met them on Telegram or whatever and they only have a username.
GiantHippopotamus1294@some random email dot example.
And from what I've seen, Carole, these phishing frameworks produced by the Fraud Family, they're quite sophisticated.
It's not like they're just giving you a phishing web page, is it?
It's not like they're just giving you a phishing web page, is it?
Group IB says the real-time element is what makes these attacks much more believable. Right.
So to quote them here, it says when victims submit their banking credentials, the phishing site sends them to the fraudster-controlled web panel.
This one actually notifies the, you know, the baddies that a new victim is online and the scammers can then request additional information that will help them gain access to the bank accounts, so including the two-factor authentication tokens.
So to quote them here, it says when victims submit their banking credentials, the phishing site sends them to the fraudster-controlled web panel.
This one actually notifies the, you know, the baddies that a new victim is online and the scammers can then request additional information that will help them gain access to the bank accounts, so including the two-factor authentication tokens.
Yes, I was going to say, that's where they'll jump in, right?
Yes, and any PII.
I mean, you see some of these hacking sites, they even have an 'I need help' button.
Yes, like the ransomware guys do, and you click it and you actually, you talk to someone in jolly tech support. Yeah, are you having trouble buying bitcoins?
I can advise you, and they can. It's like insane.
Yes, like the ransomware guys do, and you click it and you actually, you talk to someone in jolly tech support. Yeah, are you having trouble buying bitcoins?
I can advise you, and they can. It's like insane.
Yes, exactly. It's the guy sitting on the couch right next to the first guy.
But in this particular example, where they're putting up these banking pages, you're right.
If you're having trouble logging in or can't work out what the 3 digits are on the back of your card or wherever, you can begin an online chat with someone who you think is in the bank support department and is actually the phishing person.
If you're having trouble logging in or can't work out what the 3 digits are on the back of your card or wherever, you can begin an online chat with someone who you think is in the bank support department and is actually the phishing person.
And you're like, I don't know where my 3-digit— what 3 digits? On the back of your card.
What do they say? Exactly. And they will talk you through that. But it's really clever. And of course, the real-time element of this is interesting.
So it actually displays this sort of 'Please wait, we're connecting you,' interstitial dialogue while the phishing person is being woken up by some bleeper saying, 'We've got another one who's just come in.' Ingenious.
So it actually displays this sort of 'Please wait, we're connecting you,' interstitial dialogue while the phishing person is being woken up by some bleeper saying, 'We've got another one who's just come in.' Ingenious.
You can see how people would fall for this, because if you've already been duped into falling at the first hurdle, I think then if you feel like you're in the bona fide world of your bank, you know, you'd be like, 'Oh God,' even if it was a bit crap, you might think, 'Well, it's the bank.' Anyway, this 24-year-old chap apparently was not working alone, alleged the Dutch police, right, they also arrested a second individual who they believe to be responsible for selling the frameworks, these phishing frameworks, a 15-year-old kid.
Oh dear.
Now he has been since released, but I found it interesting in the police press release, okay, thanks to Google Translate, so forgive, but they say, quote, the developer is the most important link in the phishing process.
No phishing without a developer. Phishing panels, by which I think they mean that these frameworks allow other malicious parties to set up phishing websites.
So they're basically saying the developer is the key in this whole market. And I wanted to know what you guys thought about that.
Oh dear.
Now he has been since released, but I found it interesting in the police press release, okay, thanks to Google Translate, so forgive, but they say, quote, the developer is the most important link in the phishing process.
No phishing without a developer. Phishing panels, by which I think they mean that these frameworks allow other malicious parties to set up phishing websites.
So they're basically saying the developer is the key in this whole market. And I wanted to know what you guys thought about that.
It sounds like phishing for dummies to me.
It sounds like they've made it really simple for anyone who wants to make a quick buck to put together quite a sophisticated phishing campaign because normally— yeah, phishers don't manage to get your two-factor authentication code, or if they do, it's already expired.
But this particular system, it would get that and it would be able to bypass multifactor authentication in many cases.
It sounds like they've made it really simple for anyone who wants to make a quick buck to put together quite a sophisticated phishing campaign because normally— yeah, phishers don't manage to get your two-factor authentication code, or if they do, it's already expired.
But this particular system, it would get that and it would be able to bypass multifactor authentication in many cases.
And I guess those people at the core, they're the ones that the cops want to take down anyway because they're the ones with the big reach, just like the people at the core of the ransomware gangs.
They're the ones who are— without them, there wouldn't be the ransomware that got distributed and everyone would have to invent their own.
And also, I guess, means that somebody who has never coded in their life wouldn't know what HTML looks like, doesn't care, but fancies a go at cybercriminality.
They don't even have to learn how you put a logo on a web page.
The developers at the core of the phishing scamming system will provide that for you in the same way that, you know, in real life you think, oh, I want to build a website.
I'm not going to learn how to load Apache and how to set up httpd.conf files and write HTML and JavaScript. I'll go to a hosting provider and I'll pick a template from a list of 12.
That's a nice one. I'd like the green tinge. I'd like the dropdown menus from the left. Thank you very much. Consider this analogy though, right?
They're the ones who are— without them, there wouldn't be the ransomware that got distributed and everyone would have to invent their own.
And also, I guess, means that somebody who has never coded in their life wouldn't know what HTML looks like, doesn't care, but fancies a go at cybercriminality.
They don't even have to learn how you put a logo on a web page.
The developers at the core of the phishing scamming system will provide that for you in the same way that, you know, in real life you think, oh, I want to build a website.
I'm not going to learn how to load Apache and how to set up httpd.conf files and write HTML and JavaScript. I'll go to a hosting provider and I'll pick a template from a list of 12.
That's a nice one. I'd like the green tinge. I'd like the dropdown menus from the left. Thank you very much. Consider this analogy though, right?
Okay, so I have a car. Let's say my car is busted and I'm gonna take it to the car shop to get fixed. And I know the car shop people are scammers.
Like literally they are scamming everyone and they're proud of it. And that is why I've gone there.
Do I trust them to actually fix my car for the agreed deal that we're making when I know sweet F.A. about the business?
Like literally they are scamming everyone and they're proud of it. And that is why I've gone there.
Do I trust them to actually fix my car for the agreed deal that we're making when I know sweet F.A. about the business?
Well, it depends.
Like, if you're going there because they might issue you an MOT certificate without actually looking at the car, for example, then you kind of figure, okay, I don't care.
I'm going in with my eyes wide open. And I guess here, for the people joining in, you're paying this amount each month.
If the guys screw you over and you don't make your €200 back in the first month, you're just not going to do it again. But if you do and you actually cash the money out—
Like, if you're going there because they might issue you an MOT certificate without actually looking at the car, for example, then you kind of figure, okay, I don't care.
I'm going in with my eyes wide open. And I guess here, for the people joining in, you're paying this amount each month.
If the guys screw you over and you don't make your €200 back in the first month, you're just not going to do it again. But if you do and you actually cash the money out—
Then it's a win-win for everybody involved, therefore carry on.
The thing is that it's not like these cryptocurrency scams where you buy something that genuinely doesn't exist, that's just this mythical pseudo-crypto coin.
You're buying into the phishing campaign you can see that you get woken up. You get, yeah, there's someone online and you can see whether it's working.
You're buying into the phishing campaign you can see that you get woken up. You get, yeah, there's someone online and you can see whether it's working.
Well, it seems to be working because Softpedia reported that at the point of writing— so this was two days ago, their article— no less than 8 Telegram channels run by Fraud Family have been uncovered, and with the channels collectively having 2,000 subscribers between them.
So this is all directed at just Dutch residents and Dutch banks.
So this is really people living outside the Netherlands may not encounter this problem, but I think it just goes to show that phishing is still rife.
You kind of feel like it's so old hat.
So this is all directed at just Dutch residents and Dutch banks.
So this is really people living outside the Netherlands may not encounter this problem, but I think it just goes to show that phishing is still rife.
You kind of feel like it's so old hat.
Yeah. And it's not all about the huge-scale gangs either, right? The mistake people make with ransomware, oh, no one cares about little old me.
It's like the REvil guys, they're only interested in $70 million ransoms, like as happened in that Kaseya hack. And it isn't.
There are plenty of smaller-time crooks who figure they don't want to be in that massive spotlight.
They're just— and, you know, if you're a 15-year-old kid, you're just thinking, I want some new trainers.
It's like the REvil guys, they're only interested in $70 million ransoms, like as happened in that Kaseya hack. And it isn't.
There are plenty of smaller-time crooks who figure they don't want to be in that massive spotlight.
They're just— and, you know, if you're a 15-year-old kid, you're just thinking, I want some new trainers.
You know what I liked about this story, Carole?
Was that the Dutch police infiltrated the Telegram groups where they were chatting, you know, where the fraud family and their affiliates were working, and they posted their press release about the arrest of the gang members so everyone would see that they were on to them.
Maybe they'll get some details as to who else has been buying stuff from them as well. I guess we'll have to wait and see whether more arrests will be made.
Was that the Dutch police infiltrated the Telegram groups where they were chatting, you know, where the fraud family and their affiliates were working, and they posted their press release about the arrest of the gang members so everyone would see that they were on to them.
Maybe they'll get some details as to who else has been buying stuff from them as well. I guess we'll have to wait and see whether more arrests will be made.
Yeah, there may be people, some of them who aren't very old, who suddenly realize that actually, worse than the cops knowing, someone's going to tell their mum.
And then it's going to be really bad. Don't tell mummy!
And then it's going to be really bad. Don't tell mummy!
Cybercrime is at an all-time high and it's not slowing down. So why should you?
This August, you are invited to Security Summer School, a brand new webinar series hosted by the 1Password team.
Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and at work.
You can get exclusive perks like 1Password swag for attending events, the chance to network with top security leaders, and much, much more.
Find out more and enroll now at www.onepasswordsummerschool.com. That's www.onepasswordsummerschool, all one word, .com.
This August, you are invited to Security Summer School, a brand new webinar series hosted by the 1Password team.
Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and at work.
You can get exclusive perks like 1Password swag for attending events, the chance to network with top security leaders, and much, much more.
Find out more and enroll now at www.onepasswordsummerschool.com. That's www.onepasswordsummerschool, all one word, .com.
Smashing Security's new sponsors, Offensive Security, are industry leaders in providing training for your organization.
The training is designed by the same minds behind Kali Linux and OSCP. Oh, now you're paying attention. So Offensive Security offer a number of different programs.
There's the OffSec Flex program, which allows you to train on your own schedule.
There's the OffSec Academy offering industry-leading OSCP certification through dedicated one-to-one mentoring and virtual training.
Or if you want to develop your team's pentesting skills in highly realistic simulated networks, Offensive Security experts have got your back.
See, it comes down to this: the skills gap is increasing, meaning it's more important than ever to train your staff effectively and efficiently.
Learn more about Offensive Security at smashingsecurity.com/offsec. That's smashingsecurity.com/offsec.
The training is designed by the same minds behind Kali Linux and OSCP. Oh, now you're paying attention. So Offensive Security offer a number of different programs.
There's the OffSec Flex program, which allows you to train on your own schedule.
There's the OffSec Academy offering industry-leading OSCP certification through dedicated one-to-one mentoring and virtual training.
Or if you want to develop your team's pentesting skills in highly realistic simulated networks, Offensive Security experts have got your back.
See, it comes down to this: the skills gap is increasing, meaning it's more important than ever to train your staff effectively and efficiently.
Learn more about Offensive Security at smashingsecurity.com/offsec. That's smashingsecurity.com/offsec.
And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. A product.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. A product.
Come on. I'm pitching myself here. Yours are nothing compared to mine. Mine will revolutionize people's lives.
Excuse me. Let me finish my spiel. It doesn't have to be security-related necessarily. Shouldn't be. That's a relief. Now, my pick of the week this week is not security-related.
It is something rather wonderful, which started as a comic strip, and now you can buy it in volumes and read all the tales in one book or a series of books.
It is the rise and fall of the Trigon Empire.
It is something rather wonderful, which started as a comic strip, and now you can buy it in volumes and read all the tales in one book or a series of books.
It is the rise and fall of the Trigon Empire.
Oh, I've never heard of this ever.
I've never heard of this.
Oh, it's just a Whovian thing, Graham.
It's nothing Whovian. It's not Trekkie. It's not even Columbo. The Trigon Empire was a comic strip that first came out in the mid-1960s.
Words and Pictures by Mike Butterworth and Don Lawrence. I remember it fondly when I was reading the pages of Look and Learn magazine in the 1970s.
Look and Learn was a weekly educational magazine which my parents thought— That's what your mum allowed you.
The best bit was the Trigon Empire, where things went a bit crazy and wasn't about how helicopters work and things like that.
So the Trigon Empire stories, they're based on the distant planet of Electon. It's a strange mixture on Electron.
They have futuristic technology, anti-gravity ships and ray guns, but they also have Roman and Greek architecture and legionnaires and great big battles.
I absolutely adored this comic strip as a young boy, and my son, who's 10 years old, loves it as well.
Words and Pictures by Mike Butterworth and Don Lawrence. I remember it fondly when I was reading the pages of Look and Learn magazine in the 1970s.
Look and Learn was a weekly educational magazine which my parents thought— That's what your mum allowed you.
The best bit was the Trigon Empire, where things went a bit crazy and wasn't about how helicopters work and things like that.
So the Trigon Empire stories, they're based on the distant planet of Electon. It's a strange mixture on Electron.
They have futuristic technology, anti-gravity ships and ray guns, but they also have Roman and Greek architecture and legionnaires and great big battles.
I absolutely adored this comic strip as a young boy, and my son, who's 10 years old, loves it as well.
Does he love it because it's great, or does he love it because he knows what's good for him?
He loves it because it's great. All the things which he knows are good for him.
Dad, it's really wonderful, Dad.
I like Trigon, Dad. He thinks it's great fun. There's lots of battles and good stuff. The Trigon Empire, the rights to it are now owned by Oxford-based Rebellion, who also own—
Oh, that's cool.
I know some people who do that. Oh, don't you? But they also own Judge Dredd, I think. And they make video games and all sorts of stuff. Judge Dredd will never catch on.
Who would need a society like that?
What's very cool about comic strips from the '60s and before is that they were done by hand, right?
So literally done by hand, like painted rather than hammered and watercoloured, not on computers, right? Like it's all hand-drawn and all hand-painted.
And then there's just— it's a lot of work, the amount of times you can't just adjust things, right? You got to redo them and you got to make the final one has to be super clean.
So a lot of work.
So literally done by hand, like painted rather than hammered and watercoloured, not on computers, right? Like it's all hand-drawn and all hand-painted.
And then there's just— it's a lot of work, the amount of times you can't just adjust things, right? You got to redo them and you got to make the final one has to be super clean.
So a lot of work.
Well, you are so artistic, I think you would appreciate this. I will bring around a volume of the Trigon Empire for you to peruse.
I wouldn't mind it, actually.
It's rather lovely, beautiful art, great stories. There are now 3 volumes.
Basically, I think it's been popular in the Netherlands and in Germany, but it's been quite hard to get hold of in English. It's been quite expensive.
Now Rebellion have brought out 3 volumes of The Trigon Empire, affordable. You get all of these stories. It's terrific.
So I will put some links in the show notes, and I strongly recommend The Rise and Fall of the Trigon Empire. Great. And that is my pick of the week.
Duck, what's your pick of the week? It better be good.
Basically, I think it's been popular in the Netherlands and in Germany, but it's been quite hard to get hold of in English. It's been quite expensive.
Now Rebellion have brought out 3 volumes of The Trigon Empire, affordable. You get all of these stories. It's terrific.
So I will put some links in the show notes, and I strongly recommend The Rise and Fall of the Trigon Empire. Great. And that is my pick of the week.
Duck, what's your pick of the week? It better be good.
Of course it's good, Graham. My pick of the week, and I've featured it already, I gave them a shout out on the Naked Security podcast and I want to advertise this company again.
I have no connection with them. I don't get any commission. And if I did, I could have earned as much as £8.50. It is the world's best hairbrush. And with my big, I'm challenging Dr.
Brian May hair, I need a good hairbrush. My wife had one of these, and I took to using it when I thought she wasn't looking. And of course, she figured out what was going on.
And one day she said, I'm just nipping out to the shops. And when she came back with the groceries for the day, she said, I bought you a present.
And she presented me with my very own Tangle Teezer. Oh, and it's the best hairbrush you'll ever buy. It's called a Tangle Teezer.
I have no connection with them. I don't get any commission. And if I did, I could have earned as much as £8.50. It is the world's best hairbrush. And with my big, I'm challenging Dr.
Brian May hair, I need a good hairbrush. My wife had one of these, and I took to using it when I thought she wasn't looking. And of course, she figured out what was going on.
And one day she said, I'm just nipping out to the shops. And when she came back with the groceries for the day, she said, I bought you a present.
And she presented me with my very own Tangle Teezer. Oh, and it's the best hairbrush you'll ever buy. It's called a Tangle Teezer.
My niece has one and I regularly de-comb her hair. She's the finest hair in the universe and it's—
It does work.
It's got bristles of two different lengths, I presume, because they— although it's a British-made product and it's festooned with a Union flag and all of good, proud jingoistic stuff.
I guess they want to appeal to a market that's not English-speaking, so they didn't want to spell the word teaser like you spell it in English because the pronunciation isn't obvious.
So you have to search for tangle, which is spelled as normal, and teaser is T-E-E-Z-E-R. And tangle— oh yeah, it's just— it's great.
It's got bristles of two different lengths, I presume, because they— although it's a British-made product and it's festooned with a Union flag and all of good, proud jingoistic stuff.
I guess they want to appeal to a market that's not English-speaking, so they didn't want to spell the word teaser like you spell it in English because the pronunciation isn't obvious.
So you have to search for tangle, which is spelled as normal, and teaser is T-E-E-Z-E-R. And tangle— oh yeah, it's just— it's great.
Now, do you have the one with the handle or just the one that you grip?
No, I have the one with the handle. Right. I have pitched this to people who said, I nearly bought one, but I didn't like the grip it like a comb. I wanted a handle. And now they have.
And my wife didn't realize this. She just bought— they only had one in stock where she bought it.
So the one she bought me without realizing it is actually different colours, different sizes. And she bought the turbo, the large-sized one. That's the one to go for. Absolutely cool.
You don't get sparks, you don't get static electricity, your hair doesn't come out.
It's just like— if you thought that's how a hairbrush should work, take it from me, I'm the fashion captain now.
And my wife didn't realize this. She just bought— they only had one in stock where she bought it.
So the one she bought me without realizing it is actually different colours, different sizes. And she bought the turbo, the large-sized one. That's the one to go for. Absolutely cool.
You don't get sparks, you don't get static electricity, your hair doesn't come out.
It's just like— if you thought that's how a hairbrush should work, take it from me, I'm the fashion captain now.
Is it pink?
Technically, I believe that's the only one they had. They do a blue one and a black one. It's actually called salmon, I think. Oh yeah, so the colour is a little odd. It kind of is.
There's nothing wrong with a bit of salmon in your life.
That's the only thing I don't like. It does look like a rather peculiar set of dentures.
Oh, I've seen one you can get with unicorns on it. I've got an admission to make, Doug. I don't think I've combed my hair since I was about 8 years old.
Graham, am I missing out, or are other people just very polite about me not.
Graham, am I missing out, or are other people just very polite about me not.
How's life going for you, Graham?
Either you're the fashion captain or you're not. And so if you're not, you just don't have to comb your hair. Don't let it bother you. Be what you want to be.
But if you decide that you want to look as cool as I do, the Tangle Teezer is your friend. But my wife's one is off limits now. I'm not allowed to touch that. Now I've got my own.
We keep them separate.
But if you decide that you want to look as cool as I do, the Tangle Teezer is your friend. But my wife's one is off limits now. I'm not allowed to touch that. Now I've got my own.
We keep them separate.
I'm just gonna kick all your big head fuzz out of my thing.
So I suppose it has a sort of a cybersecurity angle in that you can keep your hair free from tangles.
So if you have to rush out to fight a virus out into the street and out to somebody else's computer, and you won't catch your hair on something and trip over, perhaps.
Yes, it's full on if you have that bouffant full 1960s, '70s coiffed look. Or a bit like Jason King, no?
So if you have to rush out to fight a virus out into the street and out to somebody else's computer, and you won't catch your hair on something and trip over, perhaps.
Yes, it's full on if you have that bouffant full 1960s, '70s coiffed look. Or a bit like Jason King, no?
He had big hair.
I'll post a photo, maybe. Ooh!
What about Rik from Rik and Morty?
Like Robert Plant of old, or Iain Gillan, or someone like that. Yes, that wavy — the hair that it doesn't hang long, it just kind of goes out.
It goes — there's enough grab, there's enough weight for gravity to pull it down, so it doesn't just stick out like a geranium.
It goes — there's enough grab, there's enough weight for gravity to pull it down, so it doesn't just stick out like a geranium.
Can you comb it into a man bun?
Would you comb it into a man bun? Of course he would.
I am going to pretend that neither of those questions were asked because they do not deserve an answer.
I'm loving the mental image.
Just because I wear checked shirts and ride a bicycle with a fixed gear does not make me a hipster. I didn't come on this show to be insulted. Actually, no, that's not strictly true.
That wasn't in the —
That wasn't in the —
I love all those things too.
I love it. It wasn't on the list. What, you like man buns?
Sure, they provide much entertainment.
Did you see there was a big Twitter thing that went viral a year or so ago about some guys in Cape Town in South Africa who would drive — they were driving around in a high-powered BMW and jumping out when seeing hipsters at pavement cafes and running up to them and cutting off their man buns.
And the guys would chase after them and a fight was on, and they'd jump in the car and speed off.
And they got this huge reaction and they had to post a video saying, guys, they were our buddies, it was just for fun.
And the guys would chase after them and a fight was on, and they'd jump in the car and speed off.
And they got this huge reaction and they had to post a video saying, guys, they were our buddies, it was just for fun.
See, we protect the man. Good, well, not death threats for cutting off man buns. What if someone came along and cut off all your locks?
Well, it's not quite as easy as with a man bun. It's all gathered into one place, isn't it? So it's one snip, just a quick snip. No, I think I'd fight my corner.
I'll tell you what, I'd wield that Tangle Teezer — lash 'em back with it.
I'll tell you what, I'd wield that Tangle Teezer — lash 'em back with it.
Rescue us, Carole. What's your pick of the week? Oh, mine?
I don't even know if I can follow this. So mine is an Amazon Prime series called Modern Love. And this is based on a New York Times column by the same name.
And the column is where people write in essays about their love strikes or fails or something in between the two. Season 1 has been out since 2019.
But Season 2 is just about to land in early August, which is why I'm covering it today. So there's all types of stories.
Maybe there's one about an unlikely friendship, or, you know, past love resurfaces, or a marriage is at its turning point, or a good date or a bad date or anything that.
And I just the way the stories are told. And I sent Graham one, I pointed my favorite one in your direction. Season 1, Episode 3.
That's right, Take Me As I Am, Whoever I Am with Anne Hathaway. What did you think?
And the column is where people write in essays about their love strikes or fails or something in between the two. Season 1 has been out since 2019.
But Season 2 is just about to land in early August, which is why I'm covering it today. So there's all types of stories.
Maybe there's one about an unlikely friendship, or, you know, past love resurfaces, or a marriage is at its turning point, or a good date or a bad date or anything that.
And I just the way the stories are told. And I sent Graham one, I pointed my favorite one in your direction. Season 1, Episode 3.
That's right, Take Me As I Am, Whoever I Am with Anne Hathaway. What did you think?
What'd you think? I thought it was delightful, right? Yes, I thought it was really good.
It's it fakes its cheesiness. You think it might be cheesy, but it's not.
Yeah, there was a— yeah, the twist came about a third of the way through, and you kind of think, oh, 'This isn't quite gonna be what I expected.' Yeah. But it's great. Great.
I'm keen to watch some more episodes, I have to say.
I'm keen to watch some more episodes, I have to say.
Cool. Well, they're great and you're gonna have a whole new series to enjoy. And I think it's really good.
The acting's good, the storytelling is good, and the whole premise of it is nice because we need a bit of love in our lives.
The acting's good, the storytelling is good, and the whole premise of it is nice because we need a bit of love in our lives.
And it's an anthology show, isn't it? So it's not the same people in it each week. Yeah, exactly.
So yeah, you can just dip in, dip out, and that's a nice freedom as well, isn't it?
Can I ask, what are the coiffures? How's the hair in the show?
Well, Anne Hathaway in that particular episode that we were just talking about looks Rita Hayworth. You're welcome. Quit while you're ahead. Yep, I'm not going to say another word.
Nice one. Well, that just about wraps it up, but we have some important news for our listeners, haven't we, Carole, before we tie things up for this week?
Yes, we're taking a fricking break. Yeah, we're going to take a few weeks off for a little holiday. Of each other as well. Yeah, most importantly. But we will be coming back.
So it'll only be a couple of weeks, but yeah, it's August, so we thought we'd have a little vacation.
Yes, we're taking a fricking break. Yeah, we're going to take a few weeks off for a little holiday. Of each other as well. Yeah, most importantly. But we will be coming back.
So it'll only be a couple of weeks, but yeah, it's August, so we thought we'd have a little vacation.
Now that the sun's now decided to go back in and it starts to rain, we're going to take a few weeks off.
And if you're missing us, just go back through the back catalogue and choose a random episode. You've probably forgotten it all by now, whatever we did in 2018.
Go and listen to one of them.
Go and listen to one of them.
So to put not too fine a point upon it, you're all going on a summer holiday. Just for a week or two. Yes. Have a good time.
Duck, I'm sure lots of our listeners would love to follow you online or find out what you're up to. What's the best way for folks to do that?
You can just wander along to nakedsecurity.sophos.com, or you can catch me on Twitter. I am @duckblog.
Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter doesn't allow us to have a G. And we've also got a subreddit for Smashing Security as well.
So check us out there and make sure that you never miss another episode, including when we come back in a few weeks' time, by following Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Google Podcasts.
So check us out there and make sure that you never miss another episode, including when we come back in a few weeks' time, by following Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Google Podcasts.
Thanks to this episode's sponsors, 1Password and Offensive Security, and to our wonderful Patreon community. It's thanks to them all this show is free.
And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 237 episodes, check out smashingsecurity.com.
And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 237 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye. See you in a few weeks, Graham.
No one's crying. No one's gonna cry. They are.
They're gonna— they're gonna be bereft.
They're gonna be happy to have a fact. We deserve a holiday. Everyone's cool with that. They're all like, guys, have a good time. You've worked hard this year. You deserve a break.
They're going to be at their cabin. They're going to be camping somewhere. It's all cool.
They're going to be at their cabin. They're going to be camping somewhere. It's all cool.
All right, mask up everyone. Stay safe. Don't go to DEF CON.
Okay, Dad. Hey everybody, it's Carole here. Before our little holiday, I just wanted to say a huge thank you to everybody.
You listeners, you sponsors, you Patreon supporters, you reviewers. But you know what? I've forgotten somebody very important.
And that is all the guests that have come on the show and given us their time.
These are the people that present story, have a few laughs with us, and generally manage it so that Graham and I don't kill each other.
Which, you know, is a bonus, 'cause that would be the end of the show. So let's see if I can do this.
Thank you, Adrian, Alan, Alex, Andrew, Anna, BJ, Barry, Brian, Charles, Chris, Claire, Dahlia, Dan, Danielle, Dave, Gary, Geoff, Greg, Helen, Iain, Jack, James, Jamie, Javad, Jenny, Jessica, Joe, John, Kevin, Levi, Lisa, Mary, Maria, Mark, Martin, Max, Michael, Michelle, Miko, Nick, Nina, Ollie, Paul, Peter, Phil, Philippe, Rachel, Ran, Ray, Rik, Rich, Robert, Roger, Ron, Rory, Scott, Simon, Steve, Thom, Tim, Tommy, Troy, Vanessa, Vanja, Yvonne, and Zoe.
And you, dear listeners, can see their bios at smashingsecurity.com/guests. See you in a few weeks.
You listeners, you sponsors, you Patreon supporters, you reviewers. But you know what? I've forgotten somebody very important.
And that is all the guests that have come on the show and given us their time.
These are the people that present story, have a few laughs with us, and generally manage it so that Graham and I don't kill each other.
Which, you know, is a bonus, 'cause that would be the end of the show. So let's see if I can do this.
Thank you, Adrian, Alan, Alex, Andrew, Anna, BJ, Barry, Brian, Charles, Chris, Claire, Dahlia, Dan, Danielle, Dave, Gary, Geoff, Greg, Helen, Iain, Jack, James, Jamie, Javad, Jenny, Jessica, Joe, John, Kevin, Levi, Lisa, Mary, Maria, Mark, Martin, Max, Michael, Michelle, Miko, Nick, Nina, Ollie, Paul, Peter, Phil, Philippe, Rachel, Ran, Ray, Rik, Rich, Robert, Roger, Ron, Rory, Scott, Simon, Steve, Thom, Tim, Tommy, Troy, Vanessa, Vanja, Yvonne, and Zoe.
And you, dear listeners, can see their bios at smashingsecurity.com/guests. See you in a few weeks.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Paul Ducklin – @duckblog
Show notes:
- DEF CON masks and vaccination FAQ.
- Hacking DEF CON 29 — Reznok.
- Tweet by Jeff Moss (Dark Tangent) thanking Reznok.
- PetitPotam proof-of-concept tool — GitHub.
- Windows “PetitPotam” network attack – how to protect against it — Naked Security.
- Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands — Bitdefender.
- The Trigan Empire — Wikipedia.
- The Rise and Fall of The Trigan Empire: Volume 1 — Treasury British Comics Shop.
- Tangle Teezer — If you want to be a Fashion Captain, like Duck.
- Modern Love trailer — YouTube.
- Modern Love (TV series) — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: 1Password
Cybercrime is at an all-time high, and it’s not slowing down, so why should you? This August, you’re invited to Security Summer School, a brand new webinar series hosted by the 1Password team.
Learn from security experts at top organizations, hear about sizzling security trends, and get quick tips for building a culture of security at home and work.
Get exclusive perks like 1Password swag for attending events, enjoy the chance to network with top security leaders, and much much more.
Find out more and enroll now at www.1passwordsummerschool.com/
Sponsor: Offensive Security
With the skills gap increasing, it’s more important than ever to train your staff effectively and efficiently. Industry-leading Offensive Security provides training for your organization designed by the same minds behind Kali Linux and the OSCP.
Visit smashingsecurity.com/offsec to learn more.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
