Smashing Security podcast #292: Trussterflucks and eBay stalking

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Has the new UK prime minister Liz Truss been careless with her mobile phone? And hear the most extraordinary story of corporate cyberstalking.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by nobody for reasons that will become obvious.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Are these guys 12? Are they 12 years old?
GRAHAM CLULEY
You don't have the balls to talk to me. Stop hiding behind your computer screen, you fuck. Your fat husband needs to be put in line.
CAROLE THERIAULT
I think we've got it.
UNKNOWN
I think we've got it. You got the— Yeah. Thank you. Smashing Security, episode 292, Trussterflucks and eBay Stalking with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 292. My name is Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, this week in the hot seat, who've we got joining us?
CAROLE THERIAULT
Oh, a very lucky person, Mr. Nobody.
GRAHAM CLULEY
Mr. Nobody. And there's a good reason why we don't have a guest this week, isn't there?
CAROLE THERIAULT
Well, things have got complicated, yeah.
GRAHAM CLULEY
Complicated, yeah. Go on then, tell them.
CAROLE THERIAULT
No, no, you go on, you go on, you tell them.
GRAHAM CLULEY
Well, first of all, we are speaking at NISC, which is a security conference happening up in the north of England or Midlands this week.

And so we have to dash off for that, which means a little bit less.
CAROLE THERIAULT
Well, it's not just that we were speaking there. We were actually going to do a live Smashing Security show.
GRAHAM CLULEY
That's right. We're going to perform live Smashing Security on the stage for the lucky attendees there. And so that was the plan. But then something else happened.
CAROLE THERIAULT
Yep, we got it all ready. We got it all ready, dotted the i's, crossed the t's. And yesterday my husband came down with COVID so he is locked in the bedroom feeling pretty poorly.

And I'm nursemaid.
GRAHAM CLULEY
You are nursemaid.
CAROLE THERIAULT
And quarantined.
GRAHAM CLULEY
So you don't have COVID yet as far as we know.
CAROLE THERIAULT
As far as we know, I'm okay. Yeah.
GRAHAM CLULEY
But there's always a chance you could be carrying. So you're not going to be going to NISC. I'll go to NISC.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
And maybe you can join us virtually if we can.
CAROLE THERIAULT
That's what the plan is. We'll see if we pull it off.
GRAHAM CLULEY
We'll see if we manage that.
CAROLE THERIAULT
But that doesn't mean that we can't do this fantastic show, right?
GRAHAM CLULEY
Correct.
CAROLE THERIAULT
So let's kick off by thanking this week's sponsors, Bitwarden, Kolide, and Akamai. It's their support that help us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about company need loyalty.
CAROLE THERIAULT
Ah, and I am going to be talking about whether or not it's cool to have Liz Truss on speed dial. All this and much more on this episode of Smashing Security.
GRAHAM CLULEY
Now, chum chum, I've got a question for you. Have you ever been part of a group that really means something? Have you felt really loyal to it?

Have you had a sense of belonging, a sense of purpose?
CAROLE THERIAULT
What, a company, you mean?
GRAHAM CLULEY
It could be a company, could be a scout group or a cult or a swimming group or, you know, whatever.
CAROLE THERIAULT
Yeah, no, maybe. Yeah, yeah, I was a big athlete, right? So when I was a kid, yeah, probably as a swimmer, my swim team.

I was probably, yeah, I would definitely say I was very identified with that.
GRAHAM CLULEY
Would you do anything to defend your fellow members, you know, make sure that the group wasn't damaged or harmed in some way. You'd feel a sense of—
CAROLE THERIAULT
I was 12. So, yes.
GRAHAM CLULEY
Yeah. So I imagine raging hormones.
CAROLE THERIAULT
You don't need to talk about my fucking raging hormones. Thanks though.
GRAHAM CLULEY
Well, I want to tell you today about a group that had loyal members and they had a sense of belonging.

But one day they realised that they had enemies, people they didn't like, people who weren't fans of their particular group.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
People who needed to be silenced. And word came down from the top of this group that the leaders of the group were displeased.
CAROLE THERIAULT
Sorry, sorry, when you say silenced, do you mean go swim with the fishies? Or—
GRAHAM CLULEY
Well, yeah, that kind of message. So the message which came down from on high was, I want to see ashes as long as it takes, whatever it takes.

I can manage any fallout if the plan goes south. Doesn't matter. But we need to stop them. So word has come down that somebody has to be stopped.
CAROLE THERIAULT
Okay. If someone texted me that, I would be WTF?
GRAHAM CLULEY
Well, maybe you would, Carole. Maybe you would. But maybe you're just disloyal. Maybe you don't feel like a proper member of the team.

Someone has to be silenced is the message which has come down from the top of this group. And maybe the person who you are targeting is on Twitter.

And so maybe you'll do what this particular group did, which is it created a phony Twitter handle and it started posting threats telling the people they were targeting to stop reporting about their organization.
CAROLE THERIAULT
Creating a phony Twitter handle is— yeah, I don't know if I would say that's above board.
GRAHAM CLULEY
It's slightly cowardly, isn't it?

I can understand why some people might want to remain anonymous, but in this particular instance, it sounds like you're using it for nefarious purposes.

I mean, that's the sort of lead-in, isn't it? If you're making threats, yeah, it doesn't sound cool. What also doesn't sound cool would be to do other things.

Now, this is a list of things which this group may have done to the people they were targeting, and you have to say which one of these you think they did and which ones they didn't.

So I'll just read out a few of them. What if I would send you some live spiders and fly larvae? What if I were to send you cockroaches?
CAROLE THERIAULT
Whoa, okay. Couldn't you just feed the larvae and the cockroaches to the spiders?
GRAHAM CLULEY
A book entitled Grief Diaries: Surviving the Loss of a Spouse. Maybe you received that through your door.
CAROLE THERIAULT
Jeez. Do they send me a horse's head?
GRAHAM CLULEY
Well, no.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
But what they did send, maybe, is a preserved fetid pig's head. Which costs $59.99 plus $15 post and packing. So which of those do you think I've made up?
CAROLE THERIAULT
Cockroaches.
GRAHAM CLULEY
No, they did do the cockroaches. Guess again.
CAROLE THERIAULT
They've done them all. That's what I'm going to guess. They did them all, didn't they?
GRAHAM CLULEY
Correct. Oh my God. Correct. They did all of them. Yes, they did all of them.
CAROLE THERIAULT
They're obviously not saying loves and kisses from this organisation.
GRAHAM CLULEY
No, they didn't say that. No. These were being sent anonymously to these people who they had a beef against. And they also sent simultaneous Twitter messages from their phony account.

Messages like, "Do I have your attention now, cunt?" "I guess I'm gonna have to get your attention another way, bitch." Are these guys 12?
CAROLE THERIAULT
Are they 12 years old?
GRAHAM CLULEY
"You don't have the balls to talk to me. Stop hiding behind your computer screen, you fucking cunt." "Your fat fucking husband needs to be put in line, cunt." I think we've got it.
CAROLE THERIAULT
I think we've got it.
GRAHAM CLULEY
You got the—
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Thank you. "When you hurt our business, you hurt our families. People will do anything to protect family." That kind of thing. So not very pleasant, those messages, I think.

Not very pleasant for you to edit, I imagine, either, with all those beeps. And they also signed up these people for newsletters about pornography, bondage, animal sex.
CAROLE THERIAULT
So they're basically the highest order of troll.
GRAHAM CLULEY
Well, yes. I mean, it's worse. I mean, it's not just online troll. Doing things in real life.
CAROLE THERIAULT
Well, what, sending things in the post?
GRAHAM CLULEY
Pretty scary. Oh, and they're not just sending things to the people they're targeting. They're also sending parcels to their neighbours, but addressed to their intended victims.

Do you see what I mean? So the neighbours receive pornography or Hustler, barely legal magazines and jazz mags. So, not good.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Okay. Now, the people who were launching this campaign decided it hadn't really gone far enough. They thought, we have to amp things up a little bit.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So after several days of the initial campaign, what they did was they travelled 3,000 miles from California all the way across the United States to Massachusetts.

So they could stalk their intended victims up close.
CAROLE THERIAULT
Oh, great.
GRAHAM CLULEY
They got a black—
CAROLE THERIAULT
Great. This is fantastic. So—
GRAHAM CLULEY
They got themselves a blacked-out van. Rental vehicle. They repeatedly circled the block. They tracked their victims' every move.

They tried to break into their victim's garage to plant a GPS tracking device.
CAROLE THERIAULT
You better know who these people are by the end of this. This is crazy. Is this a movie?
GRAHAM CLULEY
Is this a movie? They changed their Twitter avatar to be a skull and began publicly posting the home address of their victims along with the death threats.
CAROLE THERIAULT
This is ridiculous.
GRAHAM CLULEY
It's ridiculous.
CAROLE THERIAULT
And illegal, presumably. So presumably—
GRAHAM CLULEY
I imagine so, Carole.
CAROLE THERIAULT
Yeah, right? So isn't the organisation targeted if they reported this? Are they just sitting there taking this and, you know, quaking in their boots?
GRAHAM CLULEY
Oh, no, no, no, no, no. They are petrified. They've installed CCTV cameras. They're even sleeping in separate bedrooms.

So if one of them is attacked in the middle of the night, the other one can hopefully escape and go get help.
CAROLE THERIAULT
Are they lovers or is this just business partners?
GRAHAM CLULEY
It's a husband and wife. Okay, okay, good. So maybe not that unusual for them to sleep in different bedrooms. But the stalkers have got a police scanner.

They're listening in to what the police are saying on their walkie-talkies.
GRAHAM CLULEY
And so they know their victims are petrified and are calling the cops every 10 minutes.

And meanwhile, the stalkers have posted the victim's address on Craigslist and other websites. Inviting strangers to the home for sex parties.
CAROLE THERIAULT
Okay, why? Okay, so who is the organisation? Who— what's going on?
GRAHAM CLULEY
What's going on? That's— yeah, exactly. What you're wondering, what have the victims done to upset the stalkers? And have you got any theories?
CAROLE THERIAULT
No, no, I have no theory.
GRAHAM CLULEY
You mentioned a cult. A cult is possible because that would be sort of feverish loyalty, wouldn't it? Or if you were a member of a demonised political party.
CAROLE THERIAULT
Demonised? What?
GRAHAM CLULEY
You know, there are political factions out there who some people think, "Mm, you're a little bit too fervent." You know, it's a— but they're not members of a political party.

They're not members of a cult. What they are are eBay employees.
CAROLE THERIAULT
You really buried the lead here. Okay, carry on.
GRAHAM CLULEY
So the people who launched this campaign against this couple were working in fairly senior positions inside eBay.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So eBay has been a frequent topic of reporting by a fairly small newsletter and website called eCommerceBytes, run by a husband and wife team in Massachusetts.
CAROLE THERIAULT
Okay. So this is a site where they talk about e-commerce dramas.
GRAHAM CLULEY
But there's lots of eBay discussion on it because obviously eBay is the big one.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Right. But they talk about other things. And in the early days, relations between eBay and the website eCommerceBytes is fairly cordial.

Over 50 eBay executives are signed up for their newsletter. In the early days, eCommerceBytes was invited to interview eBay's management team.
GRAHAM CLULEY
You know, everything's going well, but things took a bit of a turn for the worse about 10 years ago when eBay falsely accused and reported eCommerceBytes as a phishing site.

Wah, wah.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Right. And that was a mistake. That shouldn't have happened. They retracted their report later, but that's around about when the relationship sort of fouled up a little bit.

There was a feeling that maybe eBay didn't particularly like some of the things eCommerceBytes was reporting.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
For instance, there was an article in eCommerceBytes which just observed casually that eBay's then-CEO had received $18 million worth of compensation, which they helpfully pointed out was 152 times more than the average eBay employee.

And of course, if a story gets out like that, the CEO might feel rather uncomfortable going and chatting to, you know, Marge behind reception.
CAROLE THERIAULT
Again, it depends how many people are reading this article, right? If this was on BBC News, that's a big difference from it being on a, say, you know, a site with 1,000 readers.
GRAHAM CLULEY
You can pass round these sort of things, can't they? Oh, well, yes, articles can be shared.

I mean, maybe it'd be much easier if it was flagged as a phishing site and so people didn't go there. I don't know.

But anyway, one eBay executive said about the eCommerceBytes website, he said it gives him ulcers. It harms employee morale and trickles into everything about our brand.

I genuinely believe these people are acting out of malice and anything, in caps, we can do to solve it should be explored. Somewhere at some point, someone chose to let this slide.

It has grown to a point that is absolutely unacceptable. It's the blind eye toward graffiti that turns into mayhem syndrome. And I'm sick about it. Whatever it takes.

They put a full stop behind each, after each word there.
CAROLE THERIAULT
Okay. Just, it's not just that you're stuttering. Okay. So, so.
GRAHAM CLULEY
And so some of the members of staff at eBay decided to take it upon themselves to sort of ramp up their opposition to eCommerceBytes.
CAROLE THERIAULT
Oh my gosh.
GRAHAM CLULEY
And—
CAROLE THERIAULT
Were they getting bonuses if they managed to come back with their heads?
GRAHAM CLULEY
Well, you know, if the boss wants something done, if he wants a problem gone away, he may not ask for the details. He just wants it to be fixed, right?

He doesn't need to worry about the details. He's got enough problems. You know, maybe he's hoping to purchase a Furby, a rare one or something on eBay.

So he's busy waiting for that to click through. He's like, you just deal with the problem. I'm going to snipe in at the last second and get this baseball card or whatever it is.
CAROLE THERIAULT
It doesn't make sense to me. eBay is one of the top 10 websites in the world.
GRAHAM CLULEY
Mm-hmm.
CAROLE THERIAULT
And they are obsessed with a mom-and-pop media outlet.
GRAHAM CLULEY
Right. And so some of eBay's staff began to conspire. And at the meetings, one of the things they did was they played a clip from a movie called Johnny Be Good.

And in Johnny Be Good, two of the characters arranged for a delivery to their football coach's home, a delivery of unwanted items, $283 worth of pizza, an elephant, a male stripper, and Hare Krishna missionaries.

So they watched this video and they thought, we could do that, we'll do something similar.

We'll start— but although they used fetid pigs' heads and they didn't send any Hare Krishna around, as far as I know.
CAROLE THERIAULT
So you're saying these employees had a meeting, made a plan to terrorize these people because they didn't like what they were writing, and then actually instigated it and did these things.

And they got caught. Okay, I just want to know how this got out.
GRAHAM CLULEY
When the police began to investigate this, because obviously these two people who have been harassed and had their garage broken into, I said, who might your enemies be?

It was like, well, there's some people really upset with us who appear to be— don't want us to report on eBay anymore.
CAROLE THERIAULT
What, said, hey, eBay's after us, do something.
GRAHAM CLULEY
So all kinds of craziness was going on at eBay.

They played clips from Meet the Fockers, telling people about the circle of trust, encouraging people not to remember anything if the police came asking questions.

They even went so far, one of the guys there, to have all the employees' personal belongings stripped from their lockers and dumped into trash bags.

And as a result of all this, James Baugh, who was eBay's senior director of safety and security, he has now been sent to prison for 57 months.

His co-conspirator David Harville, the company's director of global resiliency, he's been jailed for two years and also been asked to pay a $20,000 fine.

There's about six other employees at eBay who've also pleaded guilty for their part in the cyberstalking plot, one of whom has already been sentenced as well to 18 months in prison.

So they're getting prison time for this. But it is extra— what are they putting into their Kool-Aid to make employees at eBay so incredibly loyal? And where can we get some?
CAROLE THERIAULT
Oh no, or maybe they're just a band of crazy, crazy employees that got together. This is insane. This is— I don't—
GRAHAM CLULEY
When this story first came out, the CEO did leave very promptly afterwards.

The one who'd initially said he wanted something to be done to silence these people because of disagreements with the rest of the board.

He, as far as I know, has not been charged with anything in connection with this. But it does sound like incredible loyalty to your boss, all because of an online critic.

So don't always think it's a nutter in a back bedroom who's doing it. It could be a nutter inside a company with a team of other nutters.
CAROLE THERIAULT
And if your boss sends you an email saying, I want anything to shut these people up, just kind of go, whoa, whoa, calm down.
GRAHAM CLULEY
I want to know if they gave eBay feedback on that fetid pig's head. Lovely quality. Would order again. A-plus. Top seller. Carole, what have you got for us this week?
CAROLE THERIAULT
It's bad news, I'm afraid. UK as a nation is not a shiny beacon of how a state should be run at the moment. I think we're in a bit of a pickle. We're in a bit of a sticky pickle.
GRAHAM CLULEY
It's what I call a Trussterfluck, I think is the phrase.
CAROLE THERIAULT
Interesting, because we're talking about Liz Truss coming up.
GRAHAM CLULEY
So our glorious new leader. Yes.
CAROLE THERIAULT
But before we get to her, let's just set the scene. So we have the price of electricity going through the roof, yet petroleum companies are boasting about huge bonuses.

We have hospitals with too few beds. We don't have enough teachers, doctors, nurses, or mental health professionals. Inflation is looming and food prices are soaring.

Hey, did you know that supermarkets are now offering loans to people so they can eat?
GRAHAM CLULEY
No, I didn't know that. No.
CAROLE THERIAULT
60,000 people have applied for Iceland's microloans in a two-week period, and credit providers say the loans could total $3 million if approved. Did I mention the climate disaster?
GRAHAM CLULEY
Is that still going on? Is that still a problem?
CAROLE THERIAULT
Yes, yeah, yeah, that hasn't gone. It's still headline news.

So meanwhile, this is a huge cluster of garbage, and meanwhile we have Boris Johnson leaving for lying, basically finally gets the boot in the behind, and we are gifted with Liz Truss.

She's not the winner of a general election, right? She was chosen by nearly 200,000 probably extremely wealthy Conservative Party members.
GRAHAM CLULEY
My dad, apparently. My dad.
CAROLE THERIAULT
Oh, well, there you go. Well, you can thank him. Thank you very much. Yeah, high five to Graham Cluley for that.
GRAHAM CLULEY
He's a member of that particular club.
CAROLE THERIAULT
So we should have a different word for a prime minister if they're elected versus selected.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Don't you think? Yeah. Anywho, Liz Truss is a bit of a controversial choice.

I know you're not a massive fan of Jonathan Pie, but he has recently put together a New York Times opinion and he said, quote, if you take the social awkwardness of Theresa May, cross with Boris Johnson's wild-eyed incompetence, add a sprinkling of Maggie Thatcher's hatred of the working classes, and wipe off any residual charisma with a damp cloth, you're kind of halfway there.

So would you agree with that?
GRAHAM CLULEY
I'm not very impressed by Liz Truss. No, she's a bit weird.
CAROLE THERIAULT
Yeah, she is a bit weird.

The things that are controversial that I've seen in the press is that she doesn't like the idea of taxing the rich to help those in need with social benefits.

And she has vowed a red tape bonfire on EU regulations. This is the title in the Express.

People are worried that this means bye-bye to environmental and privacy and societal protection laws.
GRAHAM CLULEY
And weirdly, about 20-odd years ago, when she used to be a Liberal Democrat, when she was a member of a different political party, she really wanted to do away with the monarchy.

And of course, she did have a meeting with the Queen just two days before. Anyway, it's awful.

Yeah, I'm not— no conspiracy theory there, but I'm just saying, funny old thing, isn't it?
CAROLE THERIAULT
So why am I talking about our newest unelected Prime Minister of the United Kingdom, Liz Truss?

Well, according to the Mail on Sunday, the Prime Minister's mobile phone number was found to be available online for the big old price of £6.49.

So about 2 cents in US dollars at the moment. And this data trove did not only have the phone number of the PM, it also had her personal information like email and passwords.
GRAHAM CLULEY
To be fair, Carole Theriault, though, I know what Liz Truss's address is. I don't have to look it up on the internet.
CAROLE THERIAULT
So the data also included stolen info on 25 other cabinet ministers. Now, you read a lot about politics, don't you?
GRAHAM CLULEY
A little bit.
CAROLE THERIAULT
So you're going to show off right now. We're going to put you on the spot, okay? What is the name of the Chancellor?
GRAHAM CLULEY
Oh, Kwasi Kwarteng. Yes.
CAROLE THERIAULT
Kwarteng, yeah. Okay, Defence Secretary?
GRAHAM CLULEY
Oh no, it was Ben— I don't know who they put.
CAROLE THERIAULT
Yes, Ben Wallace.
GRAHAM CLULEY
Okay. Oh, was it still Ben Wallace? I thought they'd got rid of him.
CAROLE THERIAULT
Yeah. Foreign Secretary?
GRAHAM CLULEY
They didn't give it to Suella Braverman, did they?
CAROLE THERIAULT
No, she's Home Secretary. Home Secretary. Foreign Secretary is James— Cleverly?
GRAHAM CLULEY
Oh yes, James Cleverly, yes.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
They've only had the job about a week, haven't they? I mean, it's hard to— they keep on turning them around so quickly.
CAROLE THERIAULT
And of course, we have the opposition leader.
GRAHAM CLULEY
Yes, Keir Starmer.
CAROLE THERIAULT
There we go. Very good. So this website, described only as shady but not named by the Sunday paper, boasts data stolen in cyberattacks going back more than a decade.

And this site claims to have more than 14 billion files of compromised assets, on this searchable database.

So the Mail on Sunday, after paying for £6.49 or $0.02 US, got access to the site for a week, and it took them seconds to find the Prime Minister's personal mobile number, they write.

And the Cabinet Office said that it was investigating, that some of the information was old, but the data haul reportedly contained 26 current phone numbers for the cabinet, including Mrs. Truss. And now this is what I found interesting.
GRAHAM CLULEY
Oh, so it's still her working phone number, is it?
CAROLE THERIAULT
This is my big point. So apparently Mrs. Truss has used the same number since 2011.
GRAHAM CLULEY
Oh my goodness. What's going on at MI5? You can't be allowing this. If someone's become Prime Minister, change their bloody phone number. Yes.

Even though they probably won't want it, because otherwise you get Uri— St. Peter's Square.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Sending through some dodgy zero-day to infect her phone, weren't they? And get inside her WhatsApp.
CAROLE THERIAULT
You just would think that you would do a review, right?

A government security group would do a review to make sure your digital stance is secure, or maybe look at how it could be improved.

Do you think Meghan Markle has the same phone number she had before she got married to Harry?
GRAHAM CLULEY
But you know what? This is actually the problem. There's no one in charge of these people. So people can make recommendations.

People can come along and say, "I think you want to be a bit more careful." But if you've managed to bubble up, float up, as it were, to this high in the political world, you think Kwasi Kwarteng that you're some kind of genius.

But in fact, you've got arrogance coming out of your ear holes because of your Eton upbringing and all the rest of it. And so you think, "Well, I know best.

No, I don't want to change my phone number because that's how all the hedge fund managers get in touch with me." So it'll be really inconvenient.

So don't think I'm stupid enough to click on a dodgy link or believe a text message.

This is one of the many troubles with politicians is they can be quite arrogant and sometimes a bit weird and dim.
CAROLE THERIAULT
I've known a number of CEOs pull this prank as well. So, just saying, it's not only politicians. So the paper came out on Sunday, tried to track down the owners of the shady website.

The address was registered in a kind of down-and-out part of Las Vegas, and they went down there and it was a front.

They found, quote, scruffy prefab used as a service address for hundreds of companies.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So what could go wrong? What could go wrong with people being able to buy very important people in the UK's personal contact details?

A former British intelligence officer and cyber expert said the amount of business that is done by ministers and opposition leaders on WhatsApp groups and other phone apps means that mobile phones are a weak point of entry for Britain's enemies.

What? Is this true? This is the best we've got?
GRAHAM CLULEY
Yeah, there's a lot of political hobnobbing which goes on via things like WhatsApp, which also has a problem of these messages not necessarily being stored, whereas you might have rules in place to archive communications which are going on via email or telephone and the rest of it.

But you can have disappearing messages on messaging systems. But yeah, absolutely, it is a target.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And could be highly embarrassing.
CAROLE THERIAULT
Well, exactly. So the thing is, you have all this kind of stuff, right? And I mean, we all remember Pegasus.

So if you can get access to the phone without the owner knowing, you literally know everything about them, where they are, what they're doing on their phone, everything.

But of course, don't worry, because a Cabinet Office spokesman said, we take cybersecurity extremely seriously.
GRAHAM CLULEY
Ah, that's a good line. Someone else should use that.
CAROLE THERIAULT
And they say that ministers receive regular security briefings and advice, including advice on protecting their personal data and mitigating cyber threats.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So, I don't know, I just think maybe we need to think sometimes about refreshing our digital footprint.

Like, I've, you know, people have had the same email addresses for decades and decades.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And we do that because of this treasure trove of crap that we don't really want anyone to get their hands on, except how often do we dig in there to get something?

Couldn't we put it on a backup drive that's not connected to the internet at all times, perhaps?
GRAHAM CLULEY
Yeah. Yep. Well, certainly there should be some sort of onboarding process, shouldn't there, for leading politicians? Some, you know, maybe put them through some kind of device.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
To say, you will now change your vote. Because this is what they do in America, isn't it? They didn't let Barack Obama keep his favorite smartphone.

You know, you get a locked-down device.
CAROLE THERIAULT
Didn't Trump have his own device, though?
GRAHAM CLULEY
Was he really ever president, or did I just dream that? I was wondering if I had a nightmare for a few years. Ah! Oh my God, it was true.

If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security.

Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers.

If you're not quite sure how you'd go about proving all that, then you need Kolide.

Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals.

Best of all, Kolide doesn't resort to spying on workers or locking down devices.

Instead, it works with end users to resolve issues and relies on their cooperation and informed consent.

You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com/smashing to find out how.

If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com. Bitdefender.com/smashing.
CAROLE THERIAULT
Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go, or at work?

Bitwarden's password manager securely stores credentials spanning across personal and business worlds.

And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials.

These are unique and secure passwords for every single account you access, and it's easy to set up. It's easy to use. I honestly love Bitwarden.

I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user.

Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY
Every day, billions of people around the world connect with their favorite brands online through shopping, gaming, banking, learning, and more.

Every second, the internet gets more chaotic, more cyber threats.

Securing entire ecosystems, clouds, apps, APIs, and users, that grows more complex, causing friction that slows innovation and hampers agility.

With Akamai, cybersecurity can become an engine for innovation and growth.

Whether you want to achieve unmatched security with Akamai's suite of app and API protection, or embrace a zero-trust architecture, Akamai can help.

With insights from the world's most distributed compute platform, Akamai delivers unique security research on the latest attacks and trends on everything from ransomware as a service, gangs like Conti, DDoS attacks, phishing attacks, to help you protect your business.

Where else can you take advantage of insights from 7 trillion DNS queries per day? Learn more about Akamai and their security research. Visit their website, akamai.com/smashing.

That's A-K-A-M-A-I dot com slash smashing. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

It can be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Now, my pick of the week this week is not security related.
CAROLE THERIAULT
Excellent.
GRAHAM CLULEY
In a surprising pivot, Carole, I'm going to take a leaf out of your book and I am going to recommend a recipe.
CAROLE THERIAULT
What? What?
GRAHAM CLULEY
I know, it's sort of thing that you do.
CAROLE THERIAULT
Is this one you've made?
GRAHAM CLULEY
This is something I have actually made. Now, when I say made—
CAROLE THERIAULT
You mean someone made it for you and you ate it?
GRAHAM CLULEY
No, no, I did it. So I've had requests from my son quite often for a soft-boiled egg with soldiers in the morning.

And I've tried this on a number of occasions before taking him to school. And it's been disastrous because either the eggs are too hard or the eggs are all squishy.
CAROLE THERIAULT
I am so— Outraged? Surprised you didn't just call me up and go, "Carole, how do I boil an egg?" No, I know how to boil— No, no, soft boil an egg.

I know exactly, anyway, carry on.
GRAHAM CLULEY
Well, I'm going to share my method for soft boiling an egg perfectly every time.

I'm going to link to a YouTube video and I'm going to tell you how I'm doing it because so far it has worked perfectly every time.

And maybe there are other people like me ex-programmers who are struggling with this and would benefit.
CAROLE THERIAULT
And don't have a really good friend who's an amazing cook.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Okay. Crack on.
GRAHAM CLULEY
Get yourself a pot. Put about half an inch of water in it. Only half an inch. It's only a little bit of water in it. Right? Boil the water. Put your— so it's bubbling.

That's what boiling means. Put your eggs in. Put a top on the pot. What's that called? A lid. A lid on the pot. It's still boiling. You wait 6 minutes. Don't wait 7 minutes.

You wait 6 minutes. Quick, take it off the hob. Put them in cold water. Those, my friend, are soft-boiled eggs, which you can put your toast soldiers and dip them in.

And I have a very happy son.
CAROLE THERIAULT
Okay, that's totally not how I do it. Isn't that funny?
GRAHAM CLULEY
So it's the steam which actually boils them. It's not the water. Okay, let's hear your method, which won't be as good as mine. My method works every time.
CAROLE THERIAULT
Grab eggs, put them in a pot.
GRAHAM CLULEY
I did that.
CAROLE THERIAULT
Add about an inch of water.
GRAHAM CLULEY
Mm-hmm. Too much.
CAROLE THERIAULT
Put the lid on.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Okay. It's cold. Everything's cold right now.
GRAHAM CLULEY
Oh, I'm not doing that.
CAROLE THERIAULT
Yes, I'm—
GRAHAM CLULEY
Carry on.
CAROLE THERIAULT
Can I?
GRAHAM CLULEY
Yes, carry on.
CAROLE THERIAULT
Put the heat on, bring it to a boil. Once it hits the boil, turn it off completely. There's a lid on as well, right? Turn it off completely, leave it for 3 minutes.

Remove eggs, cold water if you're not gonna eat them right away, or slap them in your little egg holder and mummy, mummy, yum, yum, yum, yum, yum.

Anyway, listeners, try your favorite. See what works better for you.
GRAHAM CLULEY
Okay. All right. Let's have an online poll, maybe.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Well, interesting, because I have a pick of the week for you, Graham, because mine is a list of what people say are cool Twitter bots. Okay.

So I have a list of a few of them, and I wanted to check them out with you to see if you'd say, yes, that would be totally useful or not interested at all.
GRAHAM CLULEY
Okay. Go ahead.
CAROLE THERIAULT
Does that work? Okay, hold on. Dee dee dee. All right. Number 1, Thread Reader app.
GRAHAM CLULEY
Oh, I've heard of this. Yes. Yeah.
CAROLE THERIAULT
Yeah. So it's when a tweet has too many threads, you just reply with the Thread Reader app, unroll, and the bot will compile it into an easily readable blog-style format.
GRAHAM CLULEY
Yeah. It kind of puts it onto a page, doesn't it? The whole conversation. Yeah, that's cool. I don't use it, but I've heard of it. Yeah, I've seen it. Yeah.
CAROLE THERIAULT
Okay. Quoted replies. Do you want to know other people who have quoted a particular tweet? This is where quoted replies comes to the rescue.

You just have to reply or quote the original tweet with @quoted replies, and then the bot provides you with a link and you can then tap it to view all the quotes that particular tweet where it's shown on Twitter.
GRAHAM CLULEY
Don't see what the point of that is.
CAROLE THERIAULT
No. Okay. What about screenshots of old websites? So it's like a Wayback Machine, you know?
GRAHAM CLULEY
And that uses Twitter somehow?
CAROLE THERIAULT
Yeah, so you go @Wayback_Exe and it'll generate screenshots of old websites in old browsers and tweet them to you every 2 hours. That sounds really useful.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Earthquake alerts. @earthquakebot.
GRAHAM CLULEY
Oh, I definitely need that here in Oxfordshire. Yes.
CAROLE THERIAULT
Well, maybe some friends live in places where there are a lot of earthquakes.

And basically the bot tweets about any earthquake with an intensity of 5 or greater as they happen worldwide.
GRAHAM CLULEY
How does it get that information?
CAROLE THERIAULT
It uses data from the United States Geological Survey, Graham. And also it adds a Google Map link for each location it tweets about.
GRAHAM CLULEY
Can you say I'm only interested in earthquakes in a particular area rather than hearing about ones down here?
CAROLE THERIAULT
Do you think I know the answer to that?
GRAHAM CLULEY
Oh, okay. It doesn't matter.
CAROLE THERIAULT
Okay, last one. Tiny Care. A genuinely helpful Twitter bot that helps you practice self-care.

So it sends you an hourly reminder to take a break from busy work life with gentle advice to take a deep breath or drink water or go listen to music or go out or do things that make you happy.
GRAHAM CLULEY
So what, it fills up your Twitter timeline every hour? Stand up, blow your nose, cut your toenails.
CAROLE THERIAULT
No, it's much nicer. Please remember to take a second to take some deep breaths. Please remember to take a moment to take your meds.
GRAHAM CLULEY
I need that.
CAROLE THERIAULT
Anyway, so I have a link in the show notes to this list of pretty cute bots. You may know of better ones, so feel free to tweet them over to us. Well, that's my pick of the week.
GRAHAM CLULEY
Marvelous. Well, Carole, I think we have survived without a guest. Next week we'll have a guest and maybe we'll do a post-mortem on how the NISC Smashing Security live event went.

That'd be good.
CAROLE THERIAULT
Fingers crossed for us people.
GRAHAM CLULEY
Folks, you can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And we're also on Reddit.

Look for us on the Smashing Security subreddit and don't forget to ensure you never miss another episode.

Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And of course, a huge shout out to our episode sponsors, Akamai, Bitwarden, and Kolide. And of course, to our wonderful Patreon community.

It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 291 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye.
CAROLE THERIAULT
8 away from 300. Scary. Oh yeah, 8 more episodes, we're gonna have episode 300.
GRAHAM CLULEY
300. When do we quit? When do we just call it a day? Do we? No? Just keep on going because the public want us to carry on. They love us.

The roar of the crowd, the smell of grease paint, the sniff of the microphone.
CAROLE THERIAULT
The end of the episode. Bye everyone!

Hosts:

Graham Cluley:

Carole Theriault:

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Akamai – Make the most of Cybersecurity Awareness Month by connecting with Akamai’s experts on how you can achieve unmatched security. Where else can you take advantage of insights from 7 trillion DNS queries per day?

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

One comment on “Smashing Security podcast #292: Trussterflucks and eBay stalking”

  1. Dorinda Cosgrove

    Carole wants a way to denote the difference between Prime Ministers who have been internally selected after some kerfuffle vs. the ones who came to the position as leader of their Party. At least for Liz Truss, I suggest Sub-Prime Minister. Of course, this might continue to be useful for anyone in that type of position in the future.
