Smashing Security podcast #275: Jail for Bing, and mental health apps may not be good for you

Industry veterans, chatting about computer security and online privacy.

A man hacks his employer to prove its security sucks, Telegram provides a helping hand to the Eternity Project malware, and what the heck do mental health apps think they’re up to?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.

Plus don’t miss our featured interview with Rumble’s Chris Kirsch.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Oh my god, they didn't kill him, did they? Well? Oh, shut up! Oh, crutchie! No, shut up!

Graham Cluley

No, no, they didn't kill him. Smashing Security, Episode 275, Jail for Bing, and Mental Health Apps may not be good for you with Carole Theriault and Graham Cluley. Hello and welcome to Smashing Security episode 275. My name's Graham Cluley and I'm Carole Theriault and this week Carole we're joined by a returning guest, someone who's been on the show several times before. It's Dr Jessica Barker. Hello Jess.

Dr Jessica Barker

Hello, hello. Thank you for having me back. I'm like a bad penny.

Carole

I love it, I love it you're back. Have you anything to share with us, anything amazing?

Graham

You want to tell our audience, have you been anywhere wonderful? Seen anything terrific?

Graham

Since we last spoke, I've been back to Dubai and Abu Dhabi, got to see the end of the Dubai Expo, which was great and amazing. And then I've also started horse riding again.

Graham

Horse riding in the desert. It sounds absolutely horrific. You poor thing, what a horrible experience. No, what a horrible experience that must have been. One struggles on. Okay. Yeah. We're going to stop him right there and thank this week's sponsors, Collide, Rumble and Good Access. It's their support that helps us give you this show for free.

Graham

I'm going to be looking at how companies point the finger at suspected hackers. Okay. Okay. Mysterious. What about you, Jess?

Jessica

I will be talking about malware as a service sold by Telegram.

Carole

And I will be sharing the privacy lowdown on some popular mental health apps. Plus, we have a great featured interview with Chris Kirsch. He is the co-founder and CEO of Rumble.run. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, have you ever felt unlistened to in the workplace?

Jessica

I'm sorry. I'm sorry. Did you say something?

Graham

Have you ever felt Chicken Little, warning the company of impending doom and disaster, no one taking you seriously?

Carole

Yes, definitely. I have worked at places where I'm saying, I really think you guys need to do this. I really think this is important. And they're, yes, yes, yes, it's on the list.

Graham

We shouldn't do this IT vigilante thing. We shouldn't dress him up in orange latex, produce a series of videos. Did you warn something dreadful was going to happen, and then discover to your horror that you'd been thrown into a Chinese jail for seven years? Had that ever happened to you? No. No, okay. No, but I can remember. Not that you can remember. Well, they might have wiped your mind, mightn't they? That might have been part of the torture process. It's always possible. I have to ask myself all the time, what might have happened yesterday that I've had wiped in a sort of Men in Black scenario from my brain? It's

Carole

going to work in my advantage, actually.

Graham

Let me tell you the story of a man, a man called Han Bing. He is a database administrator. And he worked for a real estate company in China called Lianjia, formerly known as Homelink. And in his job, he had some security responsibilities. He had admin rights and so forth. And he discovered what he believed were some problems with the security, the computer security at his company. And he wanted to bring them to the attention of senior members of the firm.

Carole

Right. So he's oh, this looks a bit not good for us. Let me just tip it off. Yeah.

Graham

We need to fix this. There's a problem here or something needs to be patched or reconfigured or we need to throw some budget at the wall and see if it sticks.

Carole

Kind of what you want ideal employees to do.

Graham

Yeah. Yeah. Yeah. Sounds great. Sounds good. I said, have you ever been in that situation where you've kind of gone, guys, I think we've got a problem, Houston. I think. And everyone's, shush, shush, shush, shush. Will you stop distracting us from what we really want to focus on with all your, oh, there's a security problem. There's some sort of-

Carole

Yes, we're trying to design the sales service to be slicker. Please stop telling us about vulnerabilities.

Graham

Yeah, vulnerability with the landing page or did you realize this page you've created allows you to send spam text messages to anyone in the world for free or something that. Not that that's ever happened at any companies we've ever worked at.

Graham

Write to the chiefs. I'm going to explain the problem to them. They're going to reward me with riches. They're going to be so grateful that I've brought this to their attention. And maybe my boss will get the boot because he isn't taking this problem seriously. But you feel strongly about it. Yes, exactly. It's exactly a scenario, isn't it?

Carole

Can I just bring it even a bit further? I suspect many people like me, after announcing, I would always do it in writing, right? And then I would print with the metadata of the email that I sent and keep a copy of said email just in case they erase the whole server or my emails from the server saying, and no, you never did tell us.

Graham

And then in case they break into your home and burn your printed copy, you have it tattooed on your left buttock.

Carole

That's right. Well, we've talked about tattooing stuff like this.

Graham

The ultimate backup, in fact. There it is on your backside.

Jessica

I feel this was a conversation the last episode that I joined you on. Your tattoo artists are busy.

Graham

Well, Oxford, you know. So Han Bing, with another database administrator who he got on board, he presented his evidence to the bosses and he waited for their response. You can imagine the scene, the flip charts, the PowerPoint slides, the rolled up sleeves, the expectance of backslaps, congratulations, the opening of champagne, instant pay rises all round. We're going to fix the problem. You are a hero. You saved the company. That's what they're imagining.

Carole

If that's what they're imagining, they're certainly mistaken. Even half that is, you know, just thanks, we'll look into it, is the best one should be able to hope for, in my experience anyway.

Jessica

Maybe they've not been through this before.

Graham

Maybe not. Maybe they're a little naive. Well, it didn't quite go down how they planned because people had their noses seriously put out of joint by what Han Bing said.

Carole

Because he was insulting someone else's code?

Graham

Well, the thing was, there were arguments between him and the other database administrators. Maybe they thought it made it look like they hadn't been on the ball. Maybe they had been lax in the security. They had maybe introduced problems or not dealt with issues. And here was this whistleblower kicking up a stink, making them look bad. And of course, the boss as well, he's been sort of undermined by Han Bing going to the big bosses.

Carole

Oh, my God. They didn't kill him, did they?

Graham

No, no, they didn't kill him.

Carole

Good, Graham.

Graham

But I prefer your story. I mean, we could say he got killed at that point, if you like.

Carole

No, no, no, no, no.

Graham

Something happened to him which was even worse than death. He had his office relocated. He was moved.

Carole

Oh, dear. Near the toilets? That's the worst.

Graham

Probably near the toilet, maybe on the back of a 737. There was some cockroach class. I don't know. But they moved his office and he felt sad. He thought, no one likes me at this company anymore. I'm undervalued. I try to do something amazing and here I am sitting near the bugs. And according to the Chinese reports, the reports which come out of China, which have been translated with the help of online services for me to understand, he became passive and sluggish, often late and early and there was absenteeism. So he wasn't quite as enthusiastic as he used to be. Because he felt well, no one cares about me, little old me. Okay, so he's disgruntled. He is disgruntled. Either he had completely ridiculous, out-of-proportion thoughts as to how well he would be rewarded, or maybe he was just a bit of a grumpy old misanthrope in the first place. Bit of a git.

Jessica

Why not both? Maybe both.

Graham

Possibly both. Quite possibly both. Often does combine, doesn't it? You feel the people who are grumpiest feel they deserve the most.

Carole

That's so true. And it's the way you communicate these things. If you're saying, Captain, I found a problem and George did it, that's going to cause a bit of frack out in the group. But if you're kind of hey, I think we can tighten our security even further.

Jessica

It sounds like going for a full on presentation and finger pointing. It may not have been the way to go.

Graham

So what happened next is where the company's problems really started, because on June the 4th, 2018, someone using admin privileges and a root account accessed financial information on the servers at this company, Lianjia, and they deleted the data. In fact, they didn't just delete the data, they wiped it. They overwrote it multiple times with garbage to try to prevent the data from being recovered.

Carole

So all their financial data, all their stuff, all their accounts, gone?

Graham

All gone. Large parts of their operations were impacted.

Carole

Were they in debt? Just out of interest. I'm just, my conspiracy hat's on.

Graham

Well, just checking.

Graham

Tens of thousands of employees went without salaries for an extended period of time. And it cost them tens of thousands of dollars to restore the data and get things back up and running again. But they think there were much more costs than that. And so the company initiated an investigation and they thought, well, who could possibly have accessed this root account and used these admin privileges to access this database? And by a process of elimination, well, they came down to a list of the five database administrators who they employed. And they were, of course, Han Bing, Gary Google, Peter Pornhub, Arthur Altavista and Dudley Dogpile. Dudley Dogpile? You don't remember Dogpile? No. Oh, Carole, how old are you? Dogpile was a search engine. It still is.

Jessica

For real? Is it? This is a new one to me.

Graham

Not a very popular one.

Jessica

Is it shit? Is that the whole point?

Graham

It was a bit like Ask Jeeves, but with dogs as their logo instead.

Jessica

I've never even heard of it. There you go. Not the best name.

Graham

I know, but how crazy is Google or Bing and all the rest of them? So they asked these five people, they said can you hand over your laptops, we want to take a look at them. And four of them said sure, no problem, go ahead, forensically examine as much as you want. But Han Bing, he went oh whoa whoa whoa whoa what, no, hang on. He said I've got some private data on my laptop and if anyone wants my password it has to be the police. I'm not going to help you. You know, I can enter my password myself and I'll be present while you're doing any checks, but I'm not going to hand this over.

Carole

Okay. I think that's a fair response, whether he's guilty or not guilty. Right. I know people, Graham, you know, people as well, that there's no way they'd hand their passwords over.

Jessica

Yeah. And you can understand his reluctance, certainly. Yeah. And he's saying he's happy for them to check it. He just wants to be there. Maybe he'll do the typing. Maybe he'll delete any suspicious folders.

Carole

Of course, I mean all their financial data is gone. It's not oh someone said that the CEO yogurt when he hates it, it's a big deal.

Jessica

Exactly, yeah exactly. And done in such a way that they can't get it back and all that disruption and the morale for people not receiving their salaries, it must have caused a whole host of problems.

Graham

Yeah, absolutely. And one of the clues they said they found was that Bing's MacBook laptop had the host name Yggdrasil, the giant tree of Norse mythology. And on one of the server logs they had, a computer with that name had connected to their server.

Carole

So they didn't need to go in at all. They just knew by computer name.

Graham

They just knew by some of that information exactly. So Han Bing has now been sentenced. It's finally gone to court and he has been sentenced to seven years in prison and told to pay compensation of $30,000 or the equivalent to his former employer as well. All because he wanted security fixed. And for some reason, and what is this reason? Some reason he chose to sort of, well, I'll show them. I'll prove that it's a big problem. And did this to try and get their attention.

Jessica

It's the mix, isn't it? Of A, I'll prove them wrong and myself right. But also if he felt, as you said, Carole, if he felt disgruntled, if he felt pushed to one side and he'd been ignored. And maybe there was other stuff. You know, maybe there was a pattern of these. And so he just thought he'd stick it to them, I guess. And he obviously thought he was cleverer than all of them and he'd get away with it.

Carole

Yep. And this is why Graham and I and Smashing Security are launching Give Your Data Administrator a Hug Day today. So just to make sure they don't get disgruntled so this doesn't happen to you. Enjoy.

Graham

I should stress that it's give your database administrator a hug day today. Yesterday was give your database administrator a personal deodorant day. So as long as you follow all of the...

Carole

That's so lame. What? Jeez. When's the last time you've even hung out with a data administrator?

Graham

Well, it's not just them, Carole. When did you last give somebody a hug?

Carole

When's the last time I put deodorant on? No.

Graham

Well, now we're talking. Jess, over to you. What have you got for us this week?

Graham

Well, I have been reading research from the dark web monitoring company, Cyble, who have published a report about the Eternity Project malware. Have you read this?

Carole

Telegram comes up a lot with these dodgy groups, doesn't it? Doesn't it? It seems to be coming up more and more over the last year.

Carole

Forgive me, because I'm not as technically au fait as you guys.

Jessica

So you buy it, they sell it on an annual subscription model. So you can basically buy the malware and then get the code and be able to customize it with the support of a Telegram bot. I think being able to tell you different things that you can do and how to do it, as I understand it.

Carole

Is it expensive to do this? It is not. It's not the cheapest out there, but it is as little as $90 for a miner and $490 for ransomware.

Graham

It is pretty cheap when compared to the potential rewards for using this code. And that's the worry, of course, is that these sort of services give the tools to absolutely anyone with a criminal bent so that they can begin to exploit it and make potentially a large amount of money. And I just want to say when Jessica says miners, she does mean crypto miners, not kids. Not Arthur Scargill.

Graham

Yeah, I haven't seen if they've responded to this. It's pretty new, this news coming out. I think probably what they would say would be that the onus is on people who stumble across these groups to report them, so they can be shut down. But of course they can pop up within seconds elsewhere.

Graham

This is certainly not the first time that we have seen Telegram being used by cybercriminals for all sorts of different things as well. Not just this, selling malware, but being used for cryptocurrency scams, job recruitment scams that I think we've spoken about before on Smashing Security, sharing of nudes, you know, unauthorized, without people's permission. So if you bought that, all you would need to do is just email, for instance, somebody with a link pointing to that executable, telling them it's something like an update or something, and then you would have remote control of their computer and be able to spy on what they were up to. So you can imagine a lot of people out there might be tempted to use a remote access Trojan to snoop on maybe a potential partner or an ex-partner. All kinds of ghastliness there, isn't it? This malware you're talking about, though, the Eternity Project malware. It's a bit of a stupid name, isn't it? Do you call yourself something like Lumpy Troubles? I have lumps, maybe not in the right place. More like sugar lumps. But it's just, I just think sometimes they're a little bit full of themselves. And maybe they need a little bit more sense of humour. It just sounds pompous. You're not pompous. And I'm not pompous. I'm never pompous, am I? No.

Jessica

I saw it sounds like a Marvel film or some kind of trilogy. The Eternity Project malware. It must be 14-year-old, surely, with a name like that.

Carole

I have something super cheery. We're talking mental health.

Graham

Because, you know, it's Mental Health Awareness Month. Hang on, it's Hug a Database Administrator Day. Oh, I just called that. That's a TM. Oh, that isn't official. Okay.

Carole

Is it too close to pandemic, post-pandemic, pandemic still? Yes, of course it bloody is. Exactly. Maybe just elbow bump or something.

Graham

Yeah, elbow bump. So it's Mental Health Awareness Month.

Carole

Yeah. And Graham, so how are you feeling? Are you going a bit mental?

Graham

I don't think the phrase a bit mental is terribly politically correct. But anyway, I feel all right. Not too bad at the moment. Thank you very much for asking.

Carole

That's very good. But there are many, many people out there who are not feeling A-OK or fine at the moment, right? And there are countless reasons why they might be. There's inflation, divisive politics, misinformation, you know, poisoned earth, Will Smith losing his cool, Depp versus Heard. I mean, all these dramas.

Graham

What the hell are they? Will Smith hitting someone and Amber Heard and Johnny Depp having a Barney at the court. So you're putting these up alongside climate change. Oh, I see. Okay. All right.

Carole

Yes. Yes, absolutely. All these dramas have no doubt played a very significant part in making us feel either depressed or lonely or anxious or annoyed or frustrated. All the things that maybe a therapist could help us unpack.

Graham

Yes. I suppose so. Maybe. When the pandemic hit, the need for therapy skyrocketed for probably mostly obvious reasons, right? And the irony was that therapists weren't allowed to see their patients because remember lockdown? So online video, text and phone sessions slowly normalized. And those of us that didn't have a therapist pre-pandemic found ourselves suddenly in need. We were all out of luck, right? Therapists were booked solid, taking no new patients.

Graham

I don't think that's a therapy issue. But anyway, what do you do?

Carole

Could all be in your head, right? Maybe you just think. Oh, maybe, maybe. Yeah. OK, so what do you do? What do you do? You can't find a therapist or you've gone through the phone book. You know, you've looked around the neighborhood. Everyone's, sorry, totally booked. What do you do?

Graham

Are you going to suggest? Because I remember a few weeks ago you were talking about getting yourself a virtual boyfriend via an app, which was AI controlled. Are you talking about an AI therapist? I know the way your mind works now.

Carole

Close, close. You may have heard ads or promos, right, for online therapy, right? Where therapists are vetted and whatever your problem, they will align you with a professional who can help. So these online app services, for example. Is there any name actually that comes up when you think about it? I'm a big pod listener, right? So there's two that come up in my head immediately of these online services that have been being touted recently over the last few years.

Graham

Oh, I have heard one advertised, but I can't remember the name. Is it BetterHelp?

Carole

Oh, yes. Yeah, yeah. BetterHelp is one. I'm going to talk about BetterHelp. And you may have heard of Talkspace as well. That's another one that I hear all the time. So you go to Talkspace website and it says, feeling better starts with a single message. That's their strapline at the moment on their homepage. And they say, look, we need to do a brief assessment. So basically answer a few questions about your preferences. Pick a provider. We'll give you a selected, we'll give you a list of recommendations. You go ahead and pick which one sounds good for you and just start your therapy and begin the journey towards a happier you.

Graham

And this will be online therapy with a real living therapist?

Carole

Yes. So someone they've vetted. It's a Zoom call or something. Yeah, it's a Zoom call. Maybe you can get text messages, right? You can leave phone, answer phone, voicemail type things.

Jessica

Yeah, I think I've seen these on Instagram where you exchange messages and stuff.

Carole

Yeah, exactly. So Talkspace and BetterHelp are both known to have done a very huge advertising campaign during the pandemic because people, there was basically a mental health crisis. And they can step in and be helpful. So BetterHelp have that on their home page: it's "you deserve to be happy" and "answer a few questions to find a therapist who fits your needs and preferences". So same idea, but they then make a big deal about tapping into the largest network of licensed, professional, board-certified providers.

Jessica

Okay, so good, professional, yeah, certified.

Carole

Both sites look slick, right, and they're full of quotes from people saying, oh my god, my life's so much better now that I've done BetterHelp.

Graham

So this is a good news story. This is a good news story. Yes. Yes. Excellent. Oh, well, thanks very much.

Carole

And, you know, they're very professional websites because if you think about it, right, some mental health issues are basically something you don't want to, you want to keep it entre-nous, right? It's a private thing. If I go to a therapist with an uncontrollable, embarrassing tick, for example, I don't want people around me to know about it. Graham, for example, who'll just mock me every time he sees me.

Jessica

Yeah, it's sensitive. It's potentially really sensitive stuff that people don't just want to talk to anyone about. They want professional experience certified.

Graham

That was a bit mean. Who? Jessica's mean to you? I think you were just a bit mean to me there. I think you've hurt me there. Get a therapist. I might know an app that can... Yeah. Well, maybe you want to listen a bit more before you advertise this one. Oh, no. So as this is a security podcast, Graham, to your point, let's bring in Mozilla, the power behind privacy not included. And this is a site devoted to assessing product services that are online connected and they give them a privacy rating.

Graham

The people who make Firefox and Thunderbird. And this little kind of project they do have a team of, I think they must have lawyers in there because they read all the small print. They look at the settings. They do some research online. They reach out to the company for a response.

Jessica

Two that have been advertising so much through the pandemic. Yes, trying to build their, you know, the number of people that use their services. So I'm gonna list out, like, this is Carole's Cliff Notes, if you want, of Mozilla's Privacy Not Included Cliff Notes on Talkspace. I mean, you can obviously get all the links from the show notes. You can go read to your heart's content.

Graham

Wow so you're not only paying them for the therapy they're also going to take your data, or at least they have the option, taking your data and sending it to someone else for money as well. Because your subscription isn't enough for them.

Carole

Because you're, yes. Talkspace also says, quote, your written authorization will be required for uses and disclosures of psychotherapy notes and uses and disclosures of your protected health information for marketing, which basically says they might give you a, hey, blah, blah, blah, blah, do you allow us to do this? Consent, right? And how many people just click without looking?

Jessica

Especially when people are potentially very vulnerable, like trying to get therapy, trying to get help. They've turned to this solution and maybe they're not in the right frame of mind to be.

Carole

100%. 100%. I couldn't agree with you more on that.

Graham

If you go for in-person therapy to somewhere and you go and lie on the couch and all the rest of it, and do the therapists then say, oh, thank you very much for telling me about all of your problems. This is going to be very useful. I'm going to be able to use this. Do you mind if I sell it to Coca-Cola? I'm going to sell this to Grazia magazine. I've got a lovely little column I'm going to write about people with weird problems. It's just another way to supplement my income. Oh, great. That'll be $400, please. Sure, of course. So the New York Times reported in 2020 that former employees and therapists at Talkspace told them that anonymized conversations between medical professionals and their clients were regularly reviewed by the company so they could mine them for info. So they're basically saying that idea that you and your therapist are all alone, no one's listening, may not be all it is.

Graham

If you don't like it, sling your hook is what they're saying. Well, that is true. I mean, that is ultimately the best advice, isn't it? Is not to use it. I agree. It would be nice if they...

Carole

Well, yeah, wasn't that on their homepage? Yeah.

Graham

Yeah, exactly. They could have had that on big letters there. Just say, by the way, you don't want to use us.

Carole

Great way from Mozilla now. It's such a great site. Seriously, I'm going to recommend that all listeners and you too bookmark that page. Because sometimes you need to buy a new something smart, for example, for the home. You can just go look and see if they've already reviewed it. And if not, you can actually give it to them and recommend that they go review it for you. So it's a very cool site. So again, link in the show notes. Do check it out, guys. It's really good. BetterHelp wasn't much better. They say they collect, use, and store communications between users and counselors on their platform. They also collect a whole lot of personal information from responses on their intake questionnaire, like are you feeling depressed or anxious or are you struggling to maintain relationships, to things like name, age, email address and phone number. And Mozilla say as well that they can use this data they collect on you for personalization, product offerings relevant to your individual interests and targeted ads. So if you had an embarrassing problem like say you were a shoe fetishist or a foot fetishist, oh no, right? What would your eyes be like? Shoes and feet for nail polish.

Graham

Yeah, but you'd love it wouldn't you? You'd be happy if you're a foot fetishist to get loads of shoes and feet.

Carole

Doesn't help your drama and your therapy.

Graham

Maybe you're getting therapy because you can't get enough pictures of shoes and feet and they're actually doing you a favor. Maybe you're thinking well it's just hard to get hold of new material.

Carole

Even The Economist again shared a report of one user that said, when I first joined BetterHelp I started to see targeted ads with words that I had used on the app to describe my personal experiences. Wow, it's right.

Jessica

Wow, no. You're not feeling good, you may be feeling a bit paranoid, you're in this session, you're talking about your deepest hurts and sensitivities, and then you see words that you have used being—

Graham

I'm just imagining getting some therapy and suddenly I've got ads for a trombone, a terrapin and half a pound of lard appearing because I've shared my most intimate thoughts. It's a horrendous thing, isn't it?

Jessica

When you put it like that, Graham.

Graham

See, I would really like it if more products and services, if I'm paying for them, I could have some confidence that is how they're making their money.

Carole

I know. We've said that before in the show. We kind of said that, right? Free is not free.

Graham

Yeah, it's nice to pay for something, but you then learn to be suspicious if something's free. But when they start charging you and they're also mining you for information or exploiting it in some fashion, then that really feels quite underhand. Because how are you going to spot that unless you read the terms and conditions and all the privacy policies which we know—

Carole

Jen Caltrider, she's Mozilla's Privacy Not Included lead, right? She says, quote, the vast majority of mental health apps are exceptionally creepy. They track, share and capitalize on users' most intimate personal thoughts, feelings like moods, mental state, biometric data. Turns out researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with their most intimate personal information, unquote. That's scathing, right?

Jessica

Yeah, that is. You can feel the anger of that statement. And yeah, you sort of think as well, I'm obviously naive, but you would think, okay, it's a company making a mental health app. They're making all these statements about how they want people to be happier and healthier. So to then know that behind the scenes, they have made that decision to actually at least open the door on misusing data in that way just feels so sad, doesn't it?

Carole

Yes, and what's really gross about it is I have seen many ads from these two particular companies talk about how much cheaper it is to use these services rather than going to a therapist in their office or having a one-on-one with a therapist that you find on your own. And the other problem is Silicon Valley investors are pouring hundreds of millions of dollars into these apps. Insurance companies get to collect extra data on the people they insure. Data brokers are enriching their databases with even more sensitive data. Just wait until you start getting your online therapy in Mark Zuckerberg's metaverse.

Do you know what assets are connected to your network? Most organisations don't. For your security programme to be effective, you need an inventory of all your devices so you can make critical decisions fast.

We all know that users these days sometimes have to connect from an unsecured network using any device they have at hand, and companies have no control over the device, applications, clouds, and the infrastructure that connects it all together. This rapid shift in online work created security gaps that bad actors use to the full. And most importantly, companies need to emphasize the reduction of risk of a data breach if a user's credentials are stolen.

Collide sends employees important, timely and relevant security recommendations for their Linux, Mac and Windows devices right inside Slack. Collide is perfect for organizations that care deeply about compliance and security but don't want to get there by locking down devices to the point where they become unusable.

Carole

Is there anything that you're going to change in your behaviour should it happen close to your home?

Graham

Well, yes. What I'm going to do is not live near a nuclear power plant. Oh, you do though. No, I don't. You do. No, I don't. Oh, no, you don't. No, you don't. You don't. Thank you very much. You're right. Excuse me. So that is my pick of the week. Meltdown Three Mile Island on Netflix. Jess, what's your pick of the week?

Jessica

Well, mine is also a TV show, but not a documentary, I don't think. But mine is Slow Horses on Apple TV. Have either of you watched this? No, I haven't. It's on my list, though. It is on my list. Oh, it's so good. It's so good. My parents recommended it, and every time I've spoken to them for the last few weeks, they've said, have you watched Slow Horses yet? And I've had to say, no, Mum and Dad, I've not. It's on my list. So finally got to watching it at the weekend and watched it all over the weekend.

Carole

Oh I love that that's how good it was.

Jessica

So good, and I saw a YouTube interview about it and someone described it as James Bond without James Bond, and I thought that was quite a good description. It's basically about a group of dysfunctional MI5 agents, so an office of agents in MI5 who have failed or been sidelined for one reason or another, and so they've been put in this unit that is called Slough House, and I think the line is something like, you know, they're so far from the actual work and MI5 that they might as well be in Slough.

Graham

Love it. No offence to listeners based in Slough. No offence to Slough at all.

Carole

And for listeners that have never heard of Slough, that's just a town outside of London.

Graham

Yeah, if you haven't heard of Slough, well done.

Graham

It's based on a popular series of books that I've not read, but really want to now, by an author called Mick Herron, Slough House. And it stars Gary Oldman.

Carole

Sounds a bit my life.

Jessica

And one unintentional laugh out loud, and I know that pick of the week is not meant to be security, but there is a hacker character in amongst them all, and there are some inaccuracies. He uses this one sentence, you'll know what I'm talking about, they're in a cafe and there is buzzword after buzzword, none of it makes sense if you know at all anything about hacking, and that will blow your mind, and that really did make us laugh. But so watch for that, but also watch because it is very gripping, very funny, and it really subverts the stereotypes. Plus there is a season two coming.

Graham

Jess, you say, I love it, the books are called Slough House, I believe they are, and the series, that the TV show, is called Slow Horses. I'm wondering, is it because Mick Jagger, when he sings it, sounds a bit Slow Horses? Is that why they've called the TV show Slow Horses?

Jessica

I mean I love that theory but no.

Graham

No, there's another explanation, all right, there is, there is. Basically these dysfunctional agents are described the slow horses, they're, you know, I was part of slow wars for my first horse riding lesson in a couple of decades, that horse didn't move very fast. Good pivot. Here we go again, hearing about her riding in the desert on some Arabian stallion. Well, great. When we got onto this call, you said, oh, I just slipped one in before I could get him on the show. No, I meant I'd been on the exercise bike. That's why I'd slipped in.

Jessica

Oh, well, now you tell us.

Graham

Carole, what's your pick of the week?

Carole

Well, I'm carrying off my theme of Mental Health Awareness Month because I've been listening to a podcast recommended by my buddy Andy, who is currently studying psychotherapy. And she knows I'm a podaholic and she curates a few good therapy ones for me to check out. And this one called Therapy Uncensored is one that gets my vote. Co-hosted by Sue Marriott and Ann Kelly. And they describe it as a candid, unscripted conversation rooted in attachment and relational science. So Graham, I imagine you're as interested in my pick of the week as I was in yours.

Graham

Yeah, yeah, I'm all into that.

Carole

But the idea is that they unpack how to improve relationships with others and understand what makes you and those you love emotionally tick. So this is my cup of coffee, my cup of java. You know, if you wanted to learn how to better deal with conflict or improve your compassion, Graham, or whether you want to have a— Why would you do that? Just ask. We will have a discussion. Is that right?

Graham

Marvelous. Now, Carole, you've been speaking to Chris Kirsch of Rumble this week, haven't you?

Carole

Yes, my friend. I hope I can call him that, Chris Kirsch. It was a really interesting conversation. They're really thinking about security in a pretty unique way. Check it out. So a treat today. We have Chris Kirsch, the CEO of Rumble.run, a company he co-founded with Metasploit creator H.D. Moore to help companies get visibility into everything connected to the network. Welcome back to Smashing Security, Chris. Thank you very much. Now, we are here to talk effectively about knowing thy network, you know, and a big part of that is asset inventory or what we're connecting to the network at any given time. So it sounds to me pretty straightforward. Is there a problem? Am I missing something?

Chris

Yeah, so you think that asset inventory is a solved problem, but most companies still use a spreadsheet or at best some home-baked solution. And even when they use a professional solution, often that's called a CMDB, stands for Configuration Management Database, essentially like a database of all the assets on your network, those solutions typically still miss about 10 to 40 percent of devices on the network. That's a lot. Yeah, and it can be as high as 80, I've seen that too. There are a few reasons for that. It mostly depends on what technology they're using, but the root cause is usually that there are unmanaged assets that are no longer managed through drift, through reorgs in the company. Nobody is responsible for them anymore, or they've always been unmanaged because there were just some employee putting out a rogue router on the network or a rogue machine. Or assets that have managed over time, right?

Carole

Right, legacy stuff, legacy stuff. Like, you know, that fax machine's been there forever. Yeah, yeah. For those listeners who don't know what a fax machine is. Sorry, go on, go on. So it becomes even worse when you've got things like mergers and acquisitions, right? Then you've got what I call a digital archaeology, where the people who originally set up the network are no longer there. You know, it's a bit like an attic, right? Like, I think I kind of know what's stored up there. But really, probably 80% have no idea, right? And it's like, I would say I know, and I'd say, of course I know where that is. And then it would take me three days to find it. So there's solutions out there to help you figure all this out. Why are they having trouble discovering these devices?

Chris

You know, most of the other solutions take very much an IT mindset to the problem. And they're saying, well, if there's a device on the network, then surely I have the ability to log onto it or to install software on it. So they either deploy agents or they use something called an authenticated scan, which is basically connecting to the device, logging in with username and password, and then interrogating the device on what it is. And so vulnerability scanners, for example, are a good case for that, where they try to log onto every device and they do a reasonable job. But there are two things. Number one, if they can't authenticate to a device because it's unmanaged, or maybe it's like a Polycom phone, or it's some kind of HVAC system or something like that, right? Or a developer box that was set up in the corner for testing, that's not on the active directory, right? So those kind of things they really struggle with. And things like vulnerability scanners don't collect the right information for asset inventory. Something might be an IP camera or something, and they will only tell you, oh, it's Linux 2618, something very generic that actually doesn't help you very much in figuring out what something is. Right. Okay. So one good example for that is we did a project with a luxury retailer, the kind of stuff that you and I maybe want to buy but can't afford. And so they had a global retail network, different brands and so on, very fragmented because they'd acquired a lot of different fashion houses over the years. And so we did a bake-off against a major IT service management vendor. And that means what, a bake-off? A bake-off means, you know, like they tried Rumble versus the other product. Right, right. And when they were scanning, especially for their Asian operations, which had a lot of lack of visibility, M&A, different fiefdoms, IT fiefdoms, you know, we found two and a half times as many devices on that network. And the reason for that was that they just didn't have a lot of the credentials and they were also missing network segments. There were some network segments I didn't even know they had, so they weren't scanning them.

Carole

So you're looking for these things in a different way, right? So you must have something unique that you're doing. Are you allowed to tell us or is it all secret?

Chris

Yeah, I'm happy to tell you just a little bit. I'm just going to give you a peek behind the curtain. Okay, good. In a nutshell, the reason our solution is that good is really thanks to my co-founder. His name is H.D. Moore. And he's the creator of Metasploit. Metasploit is an open source network penetration testing tool. And so when you think about it, a penetration tester is dropped onto a network, either from the outside looking in or on the inside and trying to figure out what's on the network. And then once they figure out, okay, there is active machines here and there, then they need to fingerprint those machines and figure out what they are before they attack them. Because if you don't know what it is, you can't attack it, right? And then Metasploit goes further. It exploits machines. There's post-exploitation, all of that stuff. But H.D. basically had the idea of applying the early phases of a pen test, the network scanning and the fingerprinting, to IT asset inventory. So he says, like, using something really cool and applying it to the most boring thing on the planet, you know? And so by using that approach compared to the IT-focused approach of logging onto machines, you find all the orphaned and rogue devices and all the weird stuff on your network. And that's not just the case for IT, but it's also the case for OT, so operational technology, IoT, manufacturing, hospitals, you know, all of that stuff.

Carole

Wow, so I'd say I did this, I ran this and I found, you know, I don't know, this plethora of devices connected to my network. What do I do then? Like, you're giving me visibility or are you giving me tools to try and go and look at them as well?

Chris

Yeah, so typically what you do depends on who you are. We have different types of users using that data and it's really quite interesting. So four different types of users. The first one is the enterprise security team. So they use it for situational awareness. They want to know, you know, most of them scan internally, trying to figure out what do I actually have behind the firewall? Some of them also take an external perspective looking in and saying what is actually exposed outside from the internet that attackers might be able to see from the outside. And then once they have that situational awareness, they can use Rumble in many cases for what I call rapid response for breaking security news. You know, they listen to Smashing Security and they hear about things like Log4j and SolarWinds and, hey, we shouldn't use Kaspersky anymore and all of those things. So how do you find those things on the network? And so with Rumble, we really do things differently because we decouple the scan from the assessment. We scan your network and we collect a bunch of stuff. And then at the moment when you actually need to know a specific thing, then you can say, show me all of the things that are X, right? So for Log4J, we might find you all of the applications that include Log4J. SolarWinds boxes we can fingerprint through certain attributes. And we can even fingerprint Windows devices that are running Kaspersky without authentication over the network. So it goes a lot deeper than most people expect for an unauthenticated scan. Wow. So that's the enterprise security team, right? But then we have the second user group is incident response. And in incident response, really, there are a few other use cases. So people use it both proactively and reactively. So proactive would be something like threat hunting. You know that there are a lot of devices getting attacked. Let's say Schneider Electric had some power supplies that had a security issue. So you try to find all of these devices so that you can patch and update them, right, or to see if they were already compromised, for example.

Carole

Yeah, you're trying to race ahead of the potential attack, right? Oh, yeah, yeah. You're giving people the tools to go and find all the little critters in their network.

Carole

I bet you pen testers that are listening out there are now downloading fast. Yeah. Okay. And group four, group four.

Carole

Now, tell me, listeners are listening to this and they're going, look, can I have a play around with this? I just want to see what's connected to my network. What do you say to that, Chris?

Chris

Sure, absolutely. So they can do that. And quite frankly, I'm making some bold claims here. And most people don't really believe that you can do that with an unauthenticated scan until you try it out. And by the way, we then also augment that with API integrations to cloud hosting providers, with integrations with, let's say, CrowdStrike and SentinelOne, where you can figure out, are any of my endpoints missing endpoint protection, for example? That's a huge use case, right? So if you would like to try any of that out, please go to rumble.run. There is a 21-day trial, fully featured. You can go up to 50,000 devices. You can go wild if you want to. Just register and go. Some people start out just with their home network. It's the easiest way to do it because it's a small network. It's somewhere where you don't need to ask others for permission. They get comfortable with that, see the quality of the scan, and then they bring it to work. That's what we see quite often. And if you'd started a trial at the beginning of this interview, you may already be done scanning your home network because it's really quick and easy to get started and to scan the network and then to view your devices. And if you are not in IT or security as a job or you just want to use this at home, we also have a free edition for up to 256 devices. And you can do that either use that for free at home or even in a small business. You can use it commercially. So that's fine as well.

Carole

So what happens if you're not technically au fait, some of our listeners may not be, and they want to try this out? Will they be able to get comprehensible information, even if they're not very techie?

Chris

Yeah, what most people find is, let's say somebody who's not as technical in scanning a home network. Most people scan their network, and they're quite surprised what they find, because they thought, oh, I know what's on my home network. It's not that big. It's not that complicated. And then they figure out, oh, yeah, that thing, I put that in five years ago, I didn't even remember that. And that thing, oh, yeah, my daughter added that I didn't know that was connected and so on. So it's quite eye opening just to see what's connected. Of course, if you want to dive in deeper and do some of the more funky stuff, that requires a little bit more technical expertise. But we see just, you know, tech enthusiasts and private people using it as up to very large enterprises.

Carole

Chris, thank you so much. This is Chris Kirsch, CEO of Rumble.run. Is there anything you'd like to add?

Chris

No, just head over to Rumble.run, give the product a try, and thanks a lot for having me.

Carole

Listeners, you heard Chris. Run to Rumble.run so that you can see what devices are connected to your network. Chris, thank you so much for coming on the show. Okay. You can say thanks if you want to. I didn't know how you wanted to cut it. You can respond.

Graham

And that just about wraps up the show for this week. Jess, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?

Jessica

You can find me on Twitter at Dr Jessica Barker and check out cygenta.co.uk to see what we're all about.

Graham

Marvellous. And you can follow us on Twitter at Smashing Security, no G. Twitter at the last of a G. And we also have a Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Google Podcasts.

Carole

And again, massive thank you to our episode sponsors, Collide, Good Access and Rumble, and to our wonderful Patreon communities. Thanks to them all, this show is free. And for episode show notes, sponsorship information, guest lists and the entire back catalogue of more than 275 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio, bye-bye. Bye. Bye-bye.

Carole

Can I ask you a question, though? What? What's your problem with Slough? Slough? I have very good friends who live in Slough. What's your problem with Slough?

Graham

Do you? It's just the word. It's a bit like stains. Slough looks like... Okay, I'll just hang up the phone now. Slough looks like slough and stains just makes me think of dirty underpants. Yet again, a very reasonable explanation.

Hosts:

Graham Cluley:

Carole Theriault:

Guests:

Jessica Barker – @drjessicabarker
Chris Kirsch – @chris_kirsch

Show notes:

Sponsor: Kolide

At Kolide, we believe the supposedly Average Person is the key to unlocking a new class of security detection, compliance, and threat remediation. So do the hundreds of organizations that send important security notifications to employees from Kolide’s Slack app.

Collectively, we know that organizations can dramatically lower the actual risks they will likely face with a structured, message-based approach. More importantly, they’ll be able to engage end-users to fix nuanced problems that can’t be automated.

Try Kolide Free for 14 Days; no credit card required.

Sponsor: GoodAccess

GoodAccess – Free Business Cloud VPN for up to 100 Users.

Get a cloud VPN with strong network encryption and unprecedented online threat protection. No hardware. 100% free. Just create your team and enjoy GoodAccess forever.

Check it out now at smashingsecurity.com/goodaccess.

Sponsor: Rumble

Rumble, made by the creator of Metasploit, finds many devices connected to your network that other solutions miss, including orphaned machines running outdated operating systems.

It can even tell you which machines are missing endpoint protection, from your local network to the cloud.

Sign up for a free trial and build your asset inventory in minutes. Get your trial at www.rumble.run

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
