
Elon Musk is still causing chaos at Twitter (and it’s beginning to impact users), are scammers selling your house without your permission, and Google gets stung with a record-breaking fine.
All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.
Plus don’t miss our featured interview with Pentera’s Shakel Ahmed talking about automating continuous cyber defence validation.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
In the interest of debate, so you buy a new house, you go in, you say, I don't like this wallpaper. I'm going to take it down, don't you? You do that. But when I take down wallpaper, I don't do it by smashing down the walls as well. That's okay, good point. And the roof falling on my head.

Hello, hello, and welcome to Smashing Security, episode 298. My name's Graham Cluley.
And I'm Carole Theriault. And, Carole, this week we're joined by a special guest. Who have we got? We've got a co-host of sorts from the Cyber Wire, Dave Bittner. Mr. D-Dog, how are you?
I'm doing well. It's nice to be back.
Hello, Dave. Or should I say welcome data comp, perhaps? Does that ring a bell?
Yes. Vaguely, it does. Half a lifetime ago.
I don't know what you're talking about.
So what happened was this, Carole. I was vanity searching myself on Reddit to see what scurrilous rumors I could find out about myself.
When was this?
Oh, just a couple of weeks ago.
Okay.
And this thing comes up to me and someone goes, you should check out this post on Usenet by Graham Cluley where he promotes his CompuServe channel. And I thought, okay, so this is from the archives from 1995. December 1995, and it took me to a thread on the Usenet group alt.comp.virus, where I was answering somebody's question because this person had had a problem with their Mac computer. It was acting bizarrely. And here's the funny thing. That person was Dave Bittner.
No way.
Yes, it was. Wow. So Graham sent me the message and said, this couldn't possibly be you. And I said, yeah, actually, that was me. And what's funny is I was actually talking to someone in the past year about this.
Explain what was happening on your Apple Mac, which caused you to post this message, Dave.
So what was happening was every couple of minutes, if your computer was sitting idle, up on the screen would come a text string that said, welcome data comp out of the blue. That was it. And so had no idea what was causing it, where it was coming from, thought maybe we had a virus on the system. So I put this up on Usenet, which is what you did back in the day, and a very helpful chap from across the pond named Graham Cluley wrote up a custom response.
Well, I took a cut and paste. I took something from the FAQ. It wasn't very personal. But what it was, was there was a particular third-party Mac keyboard where the people who developed it had programmed this practical joke into it. So if you left it unattended for a certain length of time, it would just output text. It would type, welcome.
What a bloody thing to do with a keyboard.
Right. You have to remember, these were the days where you bought things from a catalog. You had a mail order catalog. Right. This was really before you were buying things online. There was no Amazon yet. And so we ordered these keyboards, I suspect because they were cheaper than Apple's. But I do recall when after I got this message from you calling the catalog company and saying, hey, we need to return these keyboards. And they're like, yeah, just send them back, please. Just send them back right away. We will replace that for you. No problem. Please send them. So they knew something was up. So I was 26 years old when this happened, Graham. So this is literally half a lifetime ago for both of us. We crossed paths. Little did we know. Yeah, I was only 11 at the time.
Yeah, that's right. Yeah, Carole hadn't even been born yet. She wasn't even a gleam in her parents' eye.
Maybe we should get on with the show. Perhaps. Stop geeking out about our pasts. But before we kick off, why don't we thank this week's sponsors, Bitwarden, Pentera, and Kolide, as it's their support that helps us give you this show for free.
Twitter 2FA.
Twitter 2FO. Twitter 2... So bored with Twitter. What about you, Dave?
I have Google agreeing to the largest settlement ever when it comes to privacy and location data.
Ooh. And I've got a scheme to get us rich, guys.
Nice.
Plus, we have a featured interview with Pentera. I speak with Shakel Ahmed from Pentera on how they automate continuous cyber defense validation for their users. Super interesting stuff. Anyway, all this and much more coming up in this episode of Smashing Security.
Well, chums, chums. It's that time of the week, the part of the week where we like to return and find out what's going on. What's the very latest in the soap opera that is Twitter?
When you say we, I think we talked earlier today and you said, I think I'm going to do this now. I was like, please, No. Well, Carole, I think it's quite fascinating. It's clinically fascinating what is going on at Twitter. I don't know what that means. It meant that just to display on the screen the latest things in your timeline, it was making all of these calls. It was over a thousand, he said.
I was going to ask, to what degree does this fall under Elon's areas of expertise? Well, he is quite the expert, it turns out, at least in his own mind. Now, that's fair enough.
Yeah, right. Okay. And it works all right. Giveth with one hand, taketh with the other.
I want him to remove my check. I don't want him to remove my Starlink because then I'm going to find it difficult to connect to the internet where I live. Yeah, podcasts will be a little difficult. So the only problem with him saying that the app was slow and him blaming the poor programming is some people thought that perhaps this guy who just spent $44 billion buying Twitter didn't know what the f he was talking about. And some of the people who thought he may not actually have got this completely right were actually Twitter employees, including Twitter software engineers who worked on the app.
But had been fired? Because that happened too at this stage. So among those who didn't agree with Elon's assessment was a Twitter software engineer called Eric Frohnhoefer. And he said, hey, I've been working on the Twitter for Android app for around about six years, and I can tell you that you're wrong. Oh, OK. Yeah, yeah. Yeah, well, so I can understand.
It's a bit like when politicians get together. So when diplomats get together and they describe themselves as having a full and frank discussion of the issue, which means there's a bit of argy-bargy going on.
But I would make the case that for engineers, diplomacy is often not their strongest suit. And maybe it's not Elon Musk's either. But feel sorry for Elon. Oh, do you?
So you feel sorry for him because of the people he hasn't fired are telling him he's great in order to keep their jobs.
Yes. And he doesn't have a view on reality, he doesn't have a handle on it. He thinks he does.
So it sounds like you have more pity for him than, say, empathy. Yes. Okay.
Pity. Yeah. No, definitely not feeling him at all.
Okay, what's the solution then, Carole?
The solution is to get off Twitter, I think. No, for Elon, I mean. Elon, get some therapy, you know. Okay, yeah, so anyway, obviously there was a bit of argy-bargy, and you will be surprised to hear that the next thing that Elon Musk tweeted was that he had fired Eric Frohnhoefer after they'd had this little spat. He said, well, he's gone now, he's fired. And of course that meant that Frohnhoefer wouldn't have a chance to make any of those improvements which he thought could be made. And fixing it himself and saying, I fixed everything, guys. Don't you worry. Who knows? Maybe he'd rolled his sleeves up.
I mean, you don't actually need all four chambers of your heart.
I suppose, no, to keep on working. So it's all right to turn off some things. Right.
You know that he has expressed a lot of admiration for Kanye West. Has he? Just saying. Really? Yes. Because they're both moguls, right? Well, a number of changes were being made, he announced. They were turning off things at Twitter. They'd already turned off the HR department because they didn't have any more staff to look after. And they turned off a lot of the programmers and the customer support and all kinds of departments who are dealing with trust and safety.
Maybe somebody on their way out the door who just got their walking papers.
Yeah, I don't know how you fire someone without an HR department either. I'm sure that guy has now, you know. Well, Frohnhoefer says he's not been officially told he's fired, but what's happened is he can no longer log into his email. So he's assuming he's gone. And of course, Elon has tweeted that he's gone as well. So maybe he's just shutting people off from their email left, right and center. That's fine. You know what? I see a win-win because you're going to bring them back as consultants. And they should say, well, actually, my salary has now changed times three and I can help you out.
Yeah. Well, it does send a bit of a chill down the spine because this random, chaotic, erratic behavior. Now, there've been a number of advertisers who've been concerned about Twitter in the last few weeks because, well, their brands are being ridiculed by people creating fake accounts and posting all kinds of unpleasant stuff under other people's names.
Yeah, brands have lost billions of dollars in market value because of alleged parody accounts pretending to be them.
Yeah, and really horrible offensive things and some very funny things, let's be honest, have been posted as well.
And do you blame Elon for that because of his numptiness, or do you blame the twits that are trying to take advantage?
Well, the twits couldn't have taken advantage if he hadn't messed around quite so much in a sort of move fast, break as many things as you possibly can kind of fashion. In the interest of debate.
So you buy a new house. You go in, you say, I don't like this wallpaper. I'm going to take it down, don't you? You do that.
But when I take down wallpaper, Carole, I don't do it by smashing down the walls as well.
Aha, that's okay. Good point. And the roof falling on my head. Right. So I think there's a concern here for regular Twitter users as well as brands, because although most of what we do on Twitter is public in terms of tweeting, you do have direct messages. I've got direct messages going back to about 2017 or something. I don't know how many years. And I'm having to go through one by one deleting them because quite frankly, I'm not sure how much longer Twitter is going to be secure. And I don't want things like that. Who knows? No, it's true. You've covered it three weeks in a row. I'm just surprised that you haven't yet figured it out.
Well, it's taken me a while to delete them all.
But when you delete them, they're not actually deleted. They're just hidden from your view. The person that you were conversing with still has a copy of it. They have a copy. And there was a story a couple of years ago saying that even when you do delete the messages...
Right. Set visibility to zero. Twitter still has an archive of them. Unless you actually completely eradicate your account. And let's hope then. But who knows if all that stuff's still working as well.
I've seen some fraying around the edges. And I've seen some engineers talking about this. For example, right now, the indicator that tells you how many alerts you have, if someone's mentioned you or something like that, it will alert you when that happens. But it no longer tells you how many. Evidently, that little microservice is not working as well. So, and people were talking about this, how it probably won't be that we're going to suddenly start seeing fail whales again, that we're going to start to see things fray around the edges. It seems like that's exactly what's happening. Maybe that's it. Yeah, I think you're right. Maybe just sort of gradually begin to crumble away, which is a shame because I quite liked Twitter. But we didn't know that.

Anyway, Smashing Security is now on Mastodon. Yeah. Go and follow us there.

Well, as we are recording here today, the hot news is that Google has agreed to pay nearly $400 million over deceptive location tracking practices. I'm referring to a story. This is over from The Record from our friends at Recorded Future. Jonathan Greig wrote this.
Well, there's the incentive, isn't it? That's the prize. Who cares about the politics? It's "oh, we can get $400 million." I mean, I imagine those states aren't going to then deal out the $400 million to the people who live in those states, are they? What do they plan? Here's your 20p. Here's your 20p.
And it's not really a lot of money to any individual state. For example, $15 million goes to Oregon, 12 goes to Nebraska. So it's not going to make a big difference to any of these states' bottom lines. But as part of the agreement, Google is going to change their wicked ways.
Hang on. Have we been here before? When they told last time to do that. And now they've been fined $400 million, but now they're really promising to do it, are they?
Well, right. Trust us this time. What's funny is in Google's response here, they say, the investigation is based on outdated product policies that we changed years ago. So nothing to see here. We dealt with that a long time ago, and we're just going to give you this money because it's a nuisance, and we want this to go away and that sort of thing. So to your point, to what degree do we believe that Google has really changed their ways here? I certainly am going to remain skeptical. This is not the only lawsuit that Google has faced here. They settled with Arizona back in October for $85 million.
This is a change for them. I'm looking here. A search on Google says that Google's net worth as of May 2022 was $1,135 billion.
Yeah. This article points out that they made just under $55 billion just in the third quarter of this year. Right.
So toilet paper costs is probably higher. Right. It's not going to affect Google's day-to-day operations, but I think as the largest privacy settlement ever, it does draw attention to it. And I think it puts other companies on notice that the states are willing to band together and go after them. Oh, my God. Maybe Google could save everyone by being an enemy. I almost said enema there, which is really interesting.
I think Facebook have got the common enema role of enema. Carole, what have you got for us this week?
Okay, guys, guys, guys. You have to huddle, huddle, huddle, huddle. Because I have learned of a way for us to make some serious money. Not this chump change that you're talking about. Some serious money. Oh, right. Yeah. Okay. Because, you know, we're all suffering from a heated inflation, right? It affects food costs, petrol costs, house prices. Yes. And we're fast approaching our 300th episode. So what happens after that? Where do we go from there?
301. Yeah. Okay. Exactly. Not rocket science.
The thing is, with our skill set, the three of us, I think we could walk away in sexy Louboutin knee-high boots with a few million to spare each. And before you ask, of course, we'll split it super fairly, right? 30, 30, 40.
Okay. Yeah, sounds fair. Yeah.
Sure. So it's all about real estate. Real estate is where we're going. And people, it seems, are desperate to either move from their current house or just to get their foot on the housing ladder. And this has been going on for more than a decade. Problem is there aren't enough houses out there to go around. We saw this ourselves in 2021, 2022, where house prices went through the roof and even the rental market was insane. I heard of renters having to prove that they could front 12 months' rent before they could sign the lease. Or houses being sold only to cash buyers. Right, it's insane. Yeah, yeah, yeah. But what if we could locate houses in this hot, hot housing market? Nice, beautiful, expensive houses, and then show them to prospective buyers and maybe even hold a few open houses. Right? Yes. I could maybe be the greeting person, right, showing them in. Yeah. And I'd hand over to you or Dave, right, Graham or Dave. One of you would do the house tour. Maybe I should test you out in this role a little bit.
All right. Okay. Yeah. All right. I've included a picture in our shared document of an interior and I want you to try and sell it to our listeners as though they were prospective buyers.
Graham, you choose which one you want to do and I'll do the other one.
Yeah, I think I'll do the one in the picture beneath. So maybe if you go first, Dave. All right. Well, this is a lovely, cozy home. It certainly reflects the previous owner's eclectic taste in art and furniture.
All right, that's pretty good.
Looks nice. Yeah, looks nice.
You didn't do the Ina Garten thing of like, oh, can you imagine sitting on this sofa? Wouldn't it be amazing? Picture yourself. Yes. Okay, Graham, you go. You go. I was going to say picture yourself on some hellish moonscape somewhere on a moon around Saturn. Here you are looking, gazing beautifully at this cubist monstrosity. Do you see the bathroom there? There's a bath floor. Through the glass. Is there a pool? Oh, that's a pool, is it? That's a pool.
Do you remember the fairy tale about the crooked man who lived in the crooked house? That's what this reminds me of. Yes. Yeah.
Graham, I'm sorry. You fail on this because that would not make me want to buy any of these houses. Dave, you're doing that. Yeah. Graham, you can run around with the canapés and serviettes or whatever.
It's a bit of a Bond villain house, I think. Yeah. It is. It is. Yeah.
I looked up to get this. I searched for stupidest looking house. That's when it came up. All right. So back to my little scheme here. Okay. So we get, you know, we're going to get lots of interest, you know, because we're the dream real estate team. Right. And we're offering houses at rock bottom prices. Right. And we get some bids in. So we're doing these little shows, these open houses. And this is the scammy bit. Okay. This is where we get some money. We accept more than one bid, even though we tell each of them that they're the only ones who are the lucky ones to own this beautiful, beautiful house.
Oh, hang on. Are we going to get more than one person to buy our house? Yeah. So we're taking down payments or deposits? Deposits.
But maybe we could actually convince people to give us all their money because, you know, this is a very, very competitive market. And if you want to make sure you've got this, maybe don't just leave the deposit. Why not pay the whole thing since you got some cash?
Yeah, and they are lovely canapés after all. So why wouldn't you do that?
That's right, all right? And the way we would do this, of course, we would just simply list them on real estate websites and market them as short sale opportunities, right? Because the thing is, is maybe these houses aren't even actually for sale. Maybe the owners have no idea that you're doing this.
Are these on Airbnb or something?
No, no, no. They're like on real estate, like, you know, whatever, like, I don't know, Zillow or whatever, the real estate. Yeah.
Redfin or, yeah. But in order to do a house tour, is it the case that the scammers have rented the house for a weekend and are pretending it's theirs?

Very clever, Graham. So we're not exactly clear. So that was a bit scuffy in the news reports I saw. So I didn't see, but I was thinking they might go up and go, hi, we're from Architectural Digest. We love your house. Can we do a show here and do some, we'll have the guys in. Can we have the house for a few days? Or maybe we're filming a movie here, right? Filming a movie, so a movie scene. Or yeah, Airbnb. Why not? So okay, so let's say they've totally done social engineering to get the houses from the owners so they can do these tours, they're collecting money from people. You can tell that this has actually happened, right? We're following someone else to do this, but they got caught, so this is what I want to know from you: how do we get out of this?

So the hiccup is the people that tried this before, Adolfo Schoneke, okay, he's a middle-aged guy, and his sister Bianca, they tried this in South Bay, USA. Earlier this year, Adolfo pleaded guilty to a federal criminal charge for participating in this with his sister. And it involved listing homes without the owner's consent and collecting the money from multiple would-be buyers for each of the not-for-sale homes. So how much money did he manage to make? Apparently collected $12 million from 750 victims. Wow. What? 750? Yes. So the money would be apparently rolling in, and they got their employees to open up bank accounts to shove the money in and then told their employees, take the money out and put it somewhere else. The money trail was horrific because it was just scattered everywhere like a spray gun.
Not the most clever money launderers in the world.
A few weeks ago, Adolfo was sentenced to nine years in the clink in the Central District of California. But I'm sure he's not as clever as we three. So can you see a way not to get caught in this scam? The version I've seen of this scam that I think is probably a little more common has to do with rental properties, because in that case, you've got people who are coming in from out of town. So they're looking at a place like Craigslist, for example. And people are willing to put the money forward before they sign anything.
Doesn't matter if they sign anything. Yeah. I mean, I can send you all the fraudulent paperwork in the world. I'm all in on the crime part. So that doesn't bother me at all. But what happens is the people come to town with their moving truck. They knock on the front door to get the keys and there's someone else living there. So here they are, all of their possessions in a van, expecting to walk into this place they're going to live on. Someone else is living there and they have nowhere to stay. And someone has taken off with their several thousand dollars of first and last month's rent.
So that's, yeah. So what's different in this one is because it's a purchase, they would get the deposit and then they would say, oh, there's trouble with the processing because it's a short sale. We'll get there. There's trouble. There's trouble. Meanwhile, just shoving that money into different personal accounts all over the place.
Yeah. It seems like the one with the sales is more elaborate and potentially more money per hit. Yeah. But also more complex because I suspect, as we've seen, it's probably easier to get caught.
So I'm wondering as a homeowner what I can do to avoid having my house sold when I pop out to the shop, or if these scammers come round, you know, while I'm on holiday. Well, your house isn't sold in this case, right? Well, no, but what I don't want, what I don't want is some poor innocent person paying money for my house, right? So I'm trying to think of ways in which I can make the house tour less successful.
Just shit in every corner.
Well, you know, Carole, that's what I was thinking. Wow. I was thinking, but I'm not sure that'd be nice to permanently arrange in the house. This escalated quickly. If you just had one bathroom, which you never entered because you had prepared it, but on the tour, that would be the one which they'd go into and be like, oh, gee. Would you not buy a house because there was a log in the loo? You know what? We sold a house once. We sold the log. No. When I was 13 years old, we sold a house and the people who bought the house, one of the requirements was that we had to replace every toilet in the house because they did not want to do their business in toilets that other people had done their business in.

Show sponsor Pentera has taken a whole new approach to penetration testing, allowing every organization to continuously test the integrity of all cybersecurity layers, including against ransomware and leveraging leaked credentials by emulating real-world attacks at scale, all day, every day. This approach helps security teams across the globe to cope with one of today's top security challenges, the growing digital footprint of the enterprise. To help out, Pentera's security experts are sharing with us a few tips on how to identify your exploitable attack surface. So here is tip number one. Pentera recommends always taking the adversarial perspective. The best way to find exploitable vulnerabilities is to, well, exploit them. From here, security teams can hand over remediation requests to IT that are based on true business impact. Find out more by going to smashingsecurity.com slash pentera. That's smashingsecurity.com slash p-e-n-t-e-r-a. And thanks to Pentera for sponsoring the show.
Smashing Security listeners, did you know that Bitwarden is the only open source cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com forward slash smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com forward slash smashing. And thanks to Bitwarden for sponsoring the show.

The challenge with endpoint security has always been that it's difficult to scale, and when remote work took over, that challenge got exponentially harder. You need visibility into your fleet of devices in order to meet security goals and reduce service desk tickets. But how do you get that visibility when different parts of your company run on Mac, Windows and Linux? Well, you get Kolide. Kolide is an endpoint security solution that gives IT teams a single dashboard for all devices, regardless of operating system. Kolide gives you real-time access to your fleet's data and can do things that traditional MDMs can't. And instead of installing intrusive agents or locking down devices, Kolide takes a user-focused approach that communicates security recommendations to your workers directly on Slack. You can answer every question you have about your fleet without intruding on your workforce. Visit kolide.com slash smashing to find out how. If you follow that link, they'll hook you up with a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com slash smashing. And thanks to Kolide for sponsoring the show.
Maybe, maybe not. What if I was looking for the phrase, welcome data comp? Yeah, right, right. Now, the only problem is that regex, as it's known, or regular expressions, they have completely unintelligible syntax. And when I say completely unintelligible, it will be easier for you to learn Klingon and for you to learn regex. So to validate a US phone number, for instance, it would be like Chevron forward slash bracket star forward slash D curly bracket three, close bracket three, forward slash. I'm not going to carry on. I can't wait to see where this is going.
I'm editing this bit as well. I'm going to land it. You're going to land it, Graham. You're going to land it. So I've spent months of my life running a website, sometimes needing a bit of regex, a bit of regular expression. And it's just a nightmare. It's a nightmare. And that is why I am pleased to announce that my pick of the week is a website called thetypingoftheregex.com. Thetypingoftheregex.com, which is an online game where it will give you regex challenges. It will give you some words, a clump of text and some words. All you have to do is write the regex to find the word. That's all you have to do. Just get the syntax right. And if you're a nerd, or if you're a sysadmin, or if you're a programmer, or if you're a guy with a neck beard, this probably is something you're gonna be able to do in your sleep. I can't get past about level three. It's utterly impossible. And it's done against the clock as well. And I would love for our nerdier listeners to go to thetypingoftheregex.com and tell me what level they managed to get to. And that is my pick of the week. Wow, that is specialized.
I feel like I've just moved to Mars. Have you tried the website, Carole? Have you tried playing the game?
No, I don't even know how to type it. No, because she has a life. Yes. Because she has dignity and self-respect. I can't. I don't even know what you're talking about. I'm sure it was very interesting.
It's a beautifully presented website. It's just a shame that the game is impossible.
Oh, it's a game? I didn't even get that. What? Oh, God. There are going to be people who will go crazy for this. Trust me.
Okay. Well, let's crack on. Yeah. Let's crack on. We'll trust you. Okay.
What's your pick of the week? Well, my pick of the week is a Twitter account in the waning days of Twitter. This is something that I enjoy. It is called Fesshole, F-E-S-S-H-O-L-E. Oh, yeah. And it is a place for people to confess their sins anonymously to see if the Internet will absolve you. It is very British, evidently comes from your side of the pond. And you can tell by the way that the confessions, they talk about things like loos and, you know, cars having bonnets and things like that. So you can tell it's British, but quite funny. And it's exactly as described. It's people who are anonymously confessing horrible things that they've done or they've been thinking about doing or things they're thinking about their loved ones. And some of them are heartbreaking. Some of them are hilarious, a whole gamut of things. So I thought it would be fun as a demonstration of this, how entertaining it can be. I emailed both of you ahead of time and I asked you to go on Fesshole and choose two confessions for the other one to read. So, Graham, you have chosen two for Carole. Carole, you have chosen two for Graham. Neither of you knows ahead of time what the other one is going to read. So we'll all be experiencing this live on the show as it happens. And so why don't we start off with Graham, you have your picks for Carole. She just pasted them into our show document here. Start off with the first one here. Graham, the floor is yours.
Okay, well, I was going to confess that I had a very poor pick of the week, which the rest of the team were very impressed with to do regular expressions. But instead, okay so this is a confession that Carole has shared with me. All right, so Fesshole, it says three years ago I pre-programmed 15 different love messages that an automated script sends to my wife every week telling her I love her or that she is the light of my world etc. I always forget that they're sent but she answers back every time grateful that I'm thinking of her. That's actually really quite clever, isn't it? I thought you would enjoy that one. Yes. That's quite tempting. Put that in your back pocket. Yeah, yeah.
I just think 15 is not enough. I think I would do this. I used to have one of those dolls when you were a kid, you know, that you'd pull the string on the back of the doll and I would go, I love cookies! Or whatever it would do. Right? And there would be about 10 or 20 different things it said. And within four hours, you're dead bored. You're like pulling that string nonstop just to get to the one funny one, you know? Yeah. Yeah. Yeah. Let's kill your sister. Holy crap, Dave.
All right. So you chose another one. What's another one here? Go ahead. Oh, okay. So another one from Carole. As a hormone-ravaged 12-year-old, I would scratch away at the pictures of women in lingerie in my mum's catalogs, thinking it would reveal the lovely 1980s bushy front bottoms underneath.
I love that. That's an English expression, front bottoms. I love it.
Front bottoms. That's a new one to me. Oh, is it? Yes. As opposed to a fanny pack. Yes. I was going to say, I only recently learned that the two sides of the pond have very different impressions of what the word fanny means.
By the way, I never perused the lingerie catalogs. I was rather more sophisticated. I remember I used to look up in the encyclopedias pictures of ancient Greek and Roman statues. That's where I got all my kicks from.
Yeah, yeah. I think I was more of a National Geographic guy myself, you know. Oh my God. All right, Carole, so Graham has selected two for you here. So why don't you start off with that first one there?
Okay. Embittered by having to work night shifts, I roam through the offices, turning all the toasters up to 10. So far two fire alarm activations and mass evacuations give the day shift a reason to get off their fat arses and take the shine right off the whole grain bagels.
I like that one. All right and the second one?
As a guy in my early 20s, when I'm at a public urinal next to an older gentleman, I try to go as fast as I can to make him question how well his bladder is working nowadays, even if it means finishing a tad too early sometimes. What does that mean, finishing a tad too early? Oh.
You're very lucky not to know Carole.
Does that mean you put it away and you're not done exactly? Yeah, dribbling. Oh nice, nice.
Yeah I'm telling you the aging process is a series of accumulated indignities.
So I've used this Twitter site before for sticky pickles, of course. Because there's some lovely... Yeah, it was Ollie, a friend of ours, actually a previous guest on the show. He pointed it out to me a few months ago. So it's a secret weapon for sticky pickles.
Oh, very good. Very good. Yeah. I categorize it as a guilty pleasure. And it's one of the reasons I hope Twitter stays around. But who knows? Maybe they have a Mastodon account. But anyway, check it out. Fesshole over on Twitter is my pick of the week. Yeah, good one. Carole, what's your pick of the week?
Keep it clean. My pick of the week is a brand new podcast. A brand new podcast and it's called If Books Could Kill. And the strapline is Airport Best Sellers That Captured Our Hearts and Ruined Our Minds. The concept is so simple. So far they've only done two episodes and the episodes are on the books Freakonomics, which we've all seen if we've been perusing an airport bookshop, or Outliers from Malcolm Gladwell. And they show through about an hour-long episode how they fall way short of the mark they're purporting to be taking. These people are on lots of different podcasts. It's terrible, isn't it, Dave and Carole? Oh, shameful. Yeah.
Who has time for that? It strikes me, Carole, that perhaps the name of this podcast should be, well, actually.
I think you'll find.
I think you'll find. Yeah.
Totally. And it's really interesting because all the podcasts that Michael's been involved with all seem to have a kind of vibe through them where they revisit events or movements or books of the past and then look at it with, you know, 10 years on, highlighting flaws, bad behavior, whatever. Because there's more research on them, I guess. I do have a total friend crush on Michael Hobbs. Friend crush? No. You have a total friend crush on him? A friend crush, a friend crush. Oh, right. I really want to be his friend. I want to walk in a park with him as we flesh out recent findings about whatever we're researching. And then we can suck back, you know, some flat whites. But he doesn't know I exist. So, you know.
Oh, so this is why you're talking about his podcast. You're going to probably tweet him or something. Say, hey, we talked about your book. Oh, yeah. I'm totally going to do that. I'm totally jumping on Twitter right away. That will get me in his Twitter loop, I know. I was just thinking his loss, actually. The thing is, I was a total sucker for these books, right? Pre-streaming era. What else is there to do if you're stuck in an airport, right? Or in a plane, but read something. And I love these airport books with the little science penchant, right? And I would drive my husband and friends mad. I'd be reading a chapter and go, you won't believe what I just learned because did you know? And I would just wax lyrical drinking this stuff like Kool-Aid because I'm not science-y and I just assumed they had done their homework. Turns out, not so much. Hmm. Yeah. All right. I don't know. I couldn't care less if you listen to it, actually, Cluley.
It's really easy to urinate on Elon Musk too, isn't it?
Well, yeah, he does make it easy.
Well, and it's not like the Freakonomics folks were acting in bad faith trying to deceive people. I think they were using the best information they had at the time to put together the things they had.
I would listen to the podcast and see what you think.
Yeah, I'm not saying nothing. Everything's provisional. Everything's provisional. Anyway, Carole, you've been chatting with the chaps from Pentera this week, haven't you?
Yes, Shakel at Pentera, and he describes their whole service and why it works. Take a listen. So, listeners, today we have Shakel Ahmed, or as I know him as Shaq, because Shaq, we used to work together a while ago. Yes, we did indeed. Nice to meet you again virtually. I know, it's so fun. So Shaq is a senior sales engineer, team leader at Pentera. And I thought we should start with you first. So maybe you could give our listeners a bit about your background and how you ended up at Pentera. That's a really interesting approach, right? So it's like, we all have, say, physical protections. You know, we lock our doors. You know, some of us have alarm systems. So we have lights, all these kind of things. But what you guys are doing is actually saying, let's just see if those things actually work to keep people out, because maybe you've made a mistake somewhere. Maybe you've not thought of a route in that lots of cyber criminals use. Is that what you're saying? Yeah, exactly right. So for us, it's also about automation, with the ability to automate these tests or what we call scenarios. It allows us to be able to scale across the entire organization. So imagine a typical organization, you may have 500 employees, you may have multiple devices, endpoints or end user devices, your laptop, your desktop. You may also have servers in a data center. And some of those might sit in a data center somewhere. Some of those might sit in public cloud, in AWS, in Azure. And what we're doing is looking at all of that infrastructure at a network level and at an operating system level. And it allows us to be able to run these kind of tests very quickly and at a large scale and find the outlier. And for us, sometimes the outlier might be that one system that somebody forgot about that isn't being configured or hardened according to best practice, according to all the things that you should be doing.
You may have a tick box to say, yes, it must have this configuration. It must have this software installed from a security point. And so for us, when we're stress testing those kind of networks, we're able to throw multiple attacks at the network. And the important thing is that we do this in a safe way. So safety is a key part of this. And a lot of our customers run Pentera in production. The code that we run is designed not to disrupt systems, not to disrupt end users. But at the same time, it allows us to prove a point, right? That we were able to drop some sort of payload onto a device, find something interesting. And for us, something interesting would be some sort of credentials. Those credentials could be stored in a process. So when we get into sort of the technical aspects of an attack, and any kind of attack, let's say post-exploit, so once somebody has a foothold on a machine, it's: can I find some credentials that allow me to reach the crown jewels? And the crown jewels means that I might be looking at things like lateral movement. So can I now imagine, and in a typical scenario that I run in the demo environment, is where we have a user called William, and we've seen his credentials floating around across the network. So we're looking at that traffic and we find a user hash. Now, as an attacker, there's a number of things that we can do, which is one is pass the hash or impersonate that user. And the other is to take those credentials and then see if we can impersonate that user, see if we can open other doors across the network. That's almost like a spider. You want the biggest web you possibly can have to munch up on all the goodies that you can come across. Yeah, exactly. And I call it the perfect storm. So for me, if we sort of visualize that we've now got some sort of credentials, in order to then propagate an attack, I perhaps need to drop a file of some sort or a payload.
I might need to find some privileged account so I can start using William as a user to try and hunt for other credentials on the network. I've got some sort of, let's say, privilege or permission on the network. Now I'm behaving like this user, but I'm saying, is there a way for me now to run additional attacks? Because Windows stores credentials in a lot of different places. So we use all of these common attacks to say, can I get a higher level of privilege, potentially domain admin? It could be a local admin. It could be some sort of privilege escalation and then move further into the network. So, you know, a bit like a spider web, you know, can I expand that? Can I get further and find something more interesting as a prey? But we have dependencies for any kind of attack. And when people think about a vulnerability, they think, okay, you know, I have an operating system or I have a network. It has a vulnerability. Now, from an attacker's perspective, that vulnerability doesn't really mean a lot. It means that it may get me some sort of foothold on the network. But ultimately, I want to get to something interesting, some important data. And especially when we talk about the world of ransomware, it means now that can I find some data that I can start encrypting as part of a ransomware attack? So we have a particular scenario that allows us to, for example, emulate a ransomware attack. But what we can show is lateral movement from point A to point B to point C. And we don't stop, right? We continue as far as we can as an attacker and see what's the maximum damage that we can create. And again, all of this, because it's run safely, it's just proving a point that we can move around the network. We can obtain user accounts. We can access data. And then it becomes quite scary suddenly, very quickly, especially when we run this with a lot of our customers. 
For them, it becomes an eye-opener because traditionally, I guess from a security hygiene perspective, people think about the obvious things, which are, let's make sure there's a firewall, let's make sure we've got good antivirus or EDR, let's make sure that everything's updated and patched. But from an attacker perspective, even if you have all of those things in place, great. It makes it a bit harder. But there are other interesting avenues to explore from an attacker perspective that occur at the network level, you know, in terms of how you're detecting an attack, first of all. I love that, though. I really love that because you are effectively thinking like an attacker, it kind of gives you a different breadth of how to approach this type of scenario. And it's eye-opening, I'm sure, because there's a lot of people out there that create very good software, but don't necessarily have that approach or that expertise of how is someone going to actually worm their way in. Yeah, well, well, I guess what the really interesting thing here is that when we run these scenarios, how can you prove that that update, that patch or that software has been deployed to every system on your network? So for us, you know, going back to this example of finding the outlier as an attacker, that's what we're doing, we're finding that lapse in security. And we've done this with, you know, customers that are running the best in breed EDR, endpoint antivirus, right, you name it, but we managed to propagate a ransomware attack on one of their servers. And so when we looked at it further and we went in to understand why, it was a really simple case that somebody had forgot to deploy the software to that particular server. So it can be as simple as that, right? And that's what the attacker is looking for is, you know, they're looking for that one mistake. Somebody forgot to deploy or for whatever reason it got left out. And in some instances, it can be things like the software is broken, right?
How do you guarantee that the software is working across your entire estate? So this is where, you know, the ability to continuously test and test at scale means that you get to find these kinds of misconfiguration and policy that may not have been applied. Somebody assumed it had and it hadn't. So it's about being able to mark your homework in some sense from a cybersecurity perspective. We call it purple teaming. Purple teaming really is enabling the defenders to, you know, test their own security and make sure that they've done everything that they should have, because it's humanly impossible to go and audit everything. So when we have a platform like Pentera that allows us to scale across the network and check all of these things, it becomes really powerful in validating that you've done all the right things. Totally. What I'm hearing you say is you're really literally only as strong as your weakest link, because that weak link is so valuable to an attacker. It doesn't matter how seemingly insignificant it might seem, but they are just another platform they can leapfrog off of. Yeah, absolutely. And yeah, I mean, it goes back to this idea that you need, you know, some sort of mechanism to be able to stress test those things and find the anomalies, the problem systems. Yeah. So, Shaq, before we close, why don't you tell us about your one day challenge? Yeah, absolutely. So we have this interesting concept in the UK, we call it a one day challenge, traditionally, you know, as a proof of concept. And we help a lot of organizations in spending a day with running through these scenarios. So, you know, we start in the morning with doing a sort of a scenario where we'll do a baseline of scanning the network and really showcasing the capabilities of the platform in, you know, rather than taking my word for it, to show you in your environment what it looks like, right?
How we go about as an attacker finding these things and then proving also, you know, the safety aspect of how we do it. As we said, right, our researchers spend a lot of time in making sure that that code is safe to run. It doesn't cause harm. So we have a central sort of tenet on that, which is do no harm. And we really help bring it to life, right? You know, what an attack looks like. And sometimes it's really interesting in that we've, you know, we've done this kind of one day challenge with customers and we've propagated or run a ransomware attack, for example, and then their alert mechanisms, and it might be a SOC team or whoever's monitoring these things, picks up on it a few hours later and they say, oh, one of the security teams got a call and said, it looks like you've had an attack of some sort. It looks like ransomware. And for them, for the customer, where we're running these kind of scenarios, it's interesting in that we're spending all of this time and effort in trying to monitor and detect attacks, but it sounds like the attack has happened and then we get notified. So this becomes a tuning aspect of your security as well, because the response is just as important, right? You want to know when something bad is happening, but how good is that response and how quick is that response? And do we now need to tune our controls and whatever we're using to measure an attack? Does it need some sort of tuning to be able to pick the right things up during an attack? And we can obviously show each stage of that attack from a transparency perspective. So you can then measure that against your controls and say, okay, at this stage, we found some files. At the next stage, we encrypted them. Then we created some sort of remote connection to a bad known server. So all of that telemetry gets fed in and you can use that as a way of being able to measure where the failure or the lapse in your control and response mechanisms is.
Yeah, so I think it would sound fascinating to try and see that and just test the systems and set up a scenario. So listeners, if you think so too, you can go to go.pentera.io slash smashing. And there they'll have free demos. You can read about Pentera's approach, what some people call the most perfect continuous vulnerability scanner. So you can find out for yourself at go.pentera.io slash smashing. And Shaq Ahmed, Senior Sales Engineer at Pentera, thank you so much for chatting with us. Thank you. Thanks for having me. A pleasure.
Fabulous. And that just about wraps up the show for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to. What's the best way for folks to do that?
Well, for the moment, I'm still over on Twitter. It's at Bittner, B-I-T-T-N-E-R, but who knows how long that's going to last. Everything else I do is over at thecyberwire.com.
And you can follow us on Twitter at the moment at Smash Insecurity, no G. Twitter allows to have a G. And that's one of the reasons why we've now created a Mastodon account, where Smash Insecurity does actually have a G. But being Mastodon, it has a really complex, long name. So you best go, I think, to our website or to our show notes to get the link for that. And we also have a Smashing Security subreddit. And don't forget, if you want to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts. And massive shout out to our episode sponsors, Kolide, Bitwarden, and Pentera. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
Until next time, cheerio, bye bye, bye bye bye.
And we have a treat for you for episode 300. Not telling. Not telling. Yeah.
It's just been arranged, hasn't it? Yes, by me. Okay, Carole, yes, by you. What? I don't even get it? No, you can have the credit. So let me get this straight. I come up with the idea, I sort out the idea, I schedule the idea, and I can get the credit. I haven't seen my invite yet, so I'll wait for that.
Come on, 298 is pretty good. Oh yeah, oh yeah. Thank you.
Hosts: Graham Cluley, Carole Theriault.
Guest: Dave Bittner.
Episode links:
- Graham offers Dave Bittner some advice on “Welcome Datacomp”… in 1995! – Usenet.
- Elon Musk apologises to users for Twitter being slow – Twitter.
- Former Twitter employee doesn’t think Elon Musk knows what he’s talking about – Twitter.
- Eric Frohnhoefer says Elon Musk is wrong – Twitter.
- Twitter engineer calls out Elon Musk for technical BS in unusual career move – The Register.
- Elon Musk says that he is turning off microservices “bloatware” – Twitter.
- Twitter’s SMS Two-Factor Authentication Is Melting Down – Wired.
- Elon only trusts Elon – Platformer.
- Elon’s paranoid purge – Platformer.
- Google to pay nearly $400 million over deceptive location tracking practices – The Record.
- Follow Smashing Security on Mastodon.
- South Bay Man Pleads Guilty to Participating in a Multimillion-Dollar Real Estate Scam Involving Fake Open Houses at Not-for-Sale Homes – Justice.gov.
- A South Bay man accepted hundreds of offers from open houses. But the homes weren’t for sale – LA Times.
- The typing of the Regex.
- Fesshole – Twitter.
- If Books Could Kill – Apple Podcasts.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Pentera – Pentera’s Automated Security Validation Platform is designed to help teams increase their security posture against modern day threats across the entire attack surface. Evaluate your security readiness with continuous and consistent autonomous testing with granular visibility into every execution along the way.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.