When Ubiquiti suffered a hack the world assumed it was just a regular security breach, but the truth was much stranger… why are police happy that criminals keep using end-to-end encrypted messaging systems… and why is the Apple Watch being accused of crying wolf?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley.
Plus don’t miss our featured interview with SecurEnvoy’s Chris Martin.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
So Ubiquiti was clearly knocked off by Krebs' reporting, right? And it coincided with a $4 billion decline in Ubiquiti's market cap. So it had an effect on their share price.
Not too good.
Not too good.
Wow, Krebs, that's a bit of market muscle.
It's a bit similar to us, Carole, here at the Smashing Security podcast. Smashing Security, episode 308.
Jailbreak.
Ransomware Fail, Criminal Messaging Apps, and Wolf Crying Watches with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 308.
My name's Graham Cluley.
My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, who do we have in the hot seat this week as our special guest?
Well, don't you know, Graham? It's Mark Stockley.
Hi.
Fave returnee. Hi, Mark.
Thank you very much.
Welcome back. Thank you very much for being here.
I'd just say what a polite intro that was.
Thank you very much.
And nobody insulted me, which just made me very suspicious.
Do you want to share one tidbit of information before we kick the show off?
So tidbit of information. I've been conducting a little experiment this year. So on the 1st of January, I deleted the Twitter app from my phone.
I haven't stopped using Twitter, but I deleted the app.
I haven't stopped using Twitter, but I deleted the app.
Yeah.
I did it because I basically lost the ability to read books completely. I read, I think, two books last year.
And I wanted to see, 'cause I think I was spending about 23 hours a day on the Twitter app, achieving nothing. And I have deleted the app and I'm—
And I wanted to see, 'cause I think I was spending about 23 hours a day on the Twitter app, achieving nothing. And I have deleted the app and I'm—
So what are you doing now, Mark? Are you printing out tweets in order to read them? Have you stapled them together?
He's using Scrabble boards to create, recreate them.
Well, those are much better than the real answers. What I'm doing is I'm mostly ignoring Twitter and I'm reading books instead, and it's going really well.
So I'm just here to sell you Delete that app.
So I'm just here to sell you Delete that app.
Thanks for joining us, Graham.
Whoa, whoa, whoa, hang on. You've come onto our podcast in order to promote an alternative medium of entertainment. That's a pretty low thing to do, Mark, frankly, isn't it?
We don't really want people coming onto this podcast talking about books. And shouldn't you stop doing other things like reading Twitter or listening to podcasts?
We don't really want people coming onto this podcast talking about books. And shouldn't you stop doing other things like reading Twitter or listening to podcasts?
We don't want readers. This is not the podcast for readers.
Graham, Graham, why don't you just give yourself a little hug there? Just give yourself a little hug there in your studio, and I'll crack on with the show.
But before we kick off, let's thank this week's sponsors, Bitwarden, SecureEnvoy, and NordLayer. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
But before we kick off, let's thank this week's sponsors, Bitwarden, SecureEnvoy, and NordLayer. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Oh, I'm going to be talking about whistleblowers and ubiquitousness.
Okay, Mark, what about you?
I've got some really important advice for anyone who's thinking of turning to a life of crime.
Fantastic. And I will be talking about the watch that cried wolf. Plus, we have a fabulous interview with Chris Martin.
He is the Head of Solutions Architecture at SecureEnvoy, and he's going to talk about identity and access management.
All this and much more coming up on this episode of Smashing Security.
He is the Head of Solutions Architecture at SecureEnvoy, and he's going to talk about identity and access management.
All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, let me take you back in time, not too far, just about two years, because my story begins in January 2021. Have either of you heard of Ubiquiti? Yes.
The tech company?
The tech company?
Nope.
Okay. Ubiquiti are— they're sort of a high-end, flashy, prosumer Wi-Fi, IoT routers, security cameras, access points. You're paying over the odds, but it's meant to be quality.
Is that right, Mark? Quality sort of IoT gear?
Is that right, Mark? Quality sort of IoT gear?
I believe so.
Yeah. I think that's it.
It's not YubiKey. That's what I was thinking initially.
No, not YubiKey. Ubiquiti.
Ubiquiti.
Different. Yes. And so if you wanted a Wi-Fi hotspot in your business or in your home and you want to cover a big area, they're one of the people you might consider.
And they contacted their customers about two years ago saying that there had been, dun dun dun, a security breach. Oh my goodness.
They said that somebody had accessed data at a third-party cloud provider that they used to host some of their infrastructure.
And as a consequence, a whole bunch of data, gigabytes of data had been accessed.
Customers' email addresses, their names, hashed and salted passwords, addresses, phone numbers, et cetera, et cetera.
And they said, change your passwords, they said enable two-factor authentication, they said. And you know, it was pretty big news at the time.
It was embarrassing for them, obviously. And the cybersecurity journalists wrote this up as a sort of typical breach.
And they contacted their customers about two years ago saying that there had been, dun dun dun, a security breach. Oh my goodness.
They said that somebody had accessed data at a third-party cloud provider that they used to host some of their infrastructure.
And as a consequence, a whole bunch of data, gigabytes of data had been accessed.
Customers' email addresses, their names, hashed and salted passwords, addresses, phone numbers, et cetera, et cetera.
And they said, change your passwords, they said enable two-factor authentication, they said. And you know, it was pretty big news at the time.
It was embarrassing for them, obviously. And the cybersecurity journalists wrote this up as a sort of typical breach.
Right.
But some thought that maybe Ubiquiti were perhaps, you know, maybe sort of being a little bit vague as to exactly what had happened, and maybe they were covering up the details.
I mean, I would just stop you here and say a lot of companies do that, right? Right. Advanced persistent threat. Details to follow as we research it. And then you never hear anything.
Sophisticated state-sponsored hacker, therefore—
Right, yeah.
We couldn't have been expected to stop it.
I like the third-party cloud provider. That crops up a lot these days. It's like, hang on a minute, hang on a minute. Did you choose the third-party cloud provider?
Did you invite them to be part of your infrastructure? 'Cause if you did, it's a bit like saying, "It was Dave in accounts." But he works for you, right?
Did you invite them to be part of your infrastructure? 'Cause if you did, it's a bit like saying, "It was Dave in accounts." But he works for you, right?
Exactly. So cybersecurity sleuth Brian Krebs, of course, no stranger to listeners of this podcast, he received a tip-off from a guy called Adam.
He called himself Adam, who claimed to be an anonymous whistleblower inside—
He called himself Adam, who claimed to be an anonymous whistleblower inside—
Real name, Dave from accounts.
Inside Ubiquiti. And this Adam chap told Krebs that he had tried to raise the alarm about security inside the company. He'd contacted the internal whistleblower hotline.
He'd been in touch with European data protection authorities.
He'd been in touch with European data protection authorities.
Internal whistleblower hotline?
Yeah.
What is that?
Oh, this actually is an increasingly common thing inside companies, sometimes to avoid whether someone's been bribed or something to give money or to, you know, to choose a particular third-party cloud provider rather than another one.
In fact, I was just reading today, Tutanota, who are sort of a ProtonMail competitor, they've just developed a service because I think in Austria and Germany, if you have a company of more than 50 people, you have to now have an internal whistleblower hotline.
In fact, I was just reading today, Tutanota, who are sort of a ProtonMail competitor, they've just developed a service because I think in Austria and Germany, if you have a company of more than 50 people, you have to now have an internal whistleblower hotline.
Okay, so you use this line to say— I would call up the internal whistleblower hotline, call up Dave in HR and say, "Psst."
Yeah, well, yeah, you probably wouldn't phone them up or go, "Psst." Instead, you might want to use some anonymous service to contact them.
Anyway, Ubiquiti, it turns out, did have this sort of hotline inside the organization. And this Adam chap said he'd contact them, he'd contact European Data Protection Authorities.
He said that there'd been a catastrophic breach security failure inside the company.
And he said that Ubiquiti had not only downplayed the hack to minimize the hit to its stock price, but also when they said it was a third-party cloud provider, that claim wasn't true.
He said that there'd been a catastrophic breach security failure inside the company.
And he said that Ubiquiti had not only downplayed the hack to minimize the hit to its stock price, but also when they said it was a third-party cloud provider, that claim wasn't true.
As Mark predicted.
Uh-huh.
Right.
Okay.
It was Dave and accounts on this USB stick. That's where they'd put all the data. No, no, no.
So Adam also told Krebs that the hackers had sent Ubiquiti a $2 million ransom demand, obviously in cryptocurrency, saying, "Look, pay up and we'll keep quiet about the breach and we'll tell you about all the backdoors we have into your systems."
So Adam also told Krebs that the hackers had sent Ubiquiti a $2 million ransom demand, obviously in cryptocurrency, saying, "Look, pay up and we'll keep quiet about the breach and we'll tell you about all the backdoors we have into your systems."
Cheap.
So Ubiquiti refused to pay the ransom demand, right? They refused to play ball with the hacker.
Okay.
But what they did do is they responded to Brian Krebs.
In the form of a lawsuit alleging that he had defamed the company by accusing them of a cover-up when he reported the whistleblower's claim.
In the form of a lawsuit alleging that he had defamed the company by accusing them of a cover-up when he reported the whistleblower's claim.
He wrote about it and they were, screw you, Brian Krebs. You've just ruined our reputation.
They're saying that we've covered up the breach and that we've lied about this and etc., etc.
And he was basing this on a secret—
Dave from account.
Informant. Dave from account.
Adam.
So it's probably the person that did the hack.
Mark.
Mark.
What?
What? What?
Just hold your horses.
Hold your horses.
It's kind of how it works.
So Ubiquiti was clearly knocked off by Krebs' reporting, right? And it coincided with a $4 billion decline in Ubiquiti's market cap. So it had an effect on their share price.
Not too good.
Not too good.
Wow, Krebs, that's a bit of market muscle.
It's a bit similar to us, Carole, here at the Smashing Security podcast.
Because that was the thing that didn't really tie up for me earlier when you said that they were covering up this ransomware because they didn't want it to affect their share price.
Because I thought that hacking and things like that famously doesn't affect your share price.
It's one of the really inexplicable and slightly depressing things about cybercrime that people seem to be able to get away with. I'm afraid we've lost all of your data.
Because I thought that hacking and things like that famously doesn't affect your share price.
It's one of the really inexplicable and slightly depressing things about cybercrime that people seem to be able to get away with. I'm afraid we've lost all of your data.
Yeah, our customers are still happy.
Yeah.
So meanwhile, they are working hard to close any security holes. Of course, they've been doing that.
They've been looking into whether other hackers might have breached their systems, whether there are vulnerabilities.
They're bringing in all the eggheads, all the brains inside the company.
They've been looking into whether other hackers might have breached their systems, whether there are vulnerabilities.
They're bringing in all the eggheads, all the brains inside the company.
What does Nick mean? Is he a new character in this story?
No, well, we haven't mentioned him before, but Nick runs— Oh, okay, you just talk about it with such fondness. I was like, who's Nick?
We've got Eric the Egghead, we've got Bob the Brainstrust, we've got Nick who runs the cloud team.
He runs a third-party cloud. Very good.
Exactly.
He's definitely the guy to fix this problem.
Right, okay.
So they're not only hoping they can work out what happened and why, but maybe also find out who this whistleblower is inside Ubiquiti. Now, this is a bit of a tangent here.
Have either of you ever seen that movie No Way Out with Kevin Costner and Gene Hackman?
Have either of you ever seen that movie No Way Out with Kevin Costner and Gene Hackman?
Yeah, but 20 billion years ago.
Yeah, right.
You're gonna ask me about plot? I don't know. Frick.
Well, it's— Kevin Costner. I enjoy—
Come on.
Dances with Wolves, just, you know, come on.
JFK?
What's wrong with Dances with Wolves?
Oh, just don't.
I mean, apart from the hair.
What, the hair on the wolves? What's your complaint?
It's a brilliant Western with some very, very strange contemporary '80s hairstyles.
No Way Out, though, is a great thriller. Bit of a twist in it. But essentially, Sean Young, if you remember her, she's murdered. And a blurred photograph is found.
And that could be evidence of who the murderer is. So, using 1987 computer technology.
And that could be evidence of who the murderer is. So, using 1987 computer technology.
Enhance, enhance.
Exactly. They're trying to enhance that. And it's taken days and days to slowly unravel who this might be a photograph of. It's a great fun movie.
And it reminds me of the Ubiquiti case because the guy they brought in to investigate the breach, Nick, from the cloud team, was actually the person behind the breach himself.
And it reminds me of the Ubiquiti case because the guy they brought in to investigate the breach, Nick, from the cloud team, was actually the person behind the breach himself.
How do they find that out?
Well, Nicholas Sharp had exploited his access to the company's systems to steal Gigabyte's data from its GitHub and AWS Amazon web servers.
He thought he could cover his tracks because he had a VPN. He had a Surfshark VPN account to hide his home IP address. So he was stealing all this data in the dead of the night.
He thought he could cover his tracks because he had a VPN. He had a Surfshark VPN account to hide his home IP address. So he was stealing all this data in the dead of the night.
And rubbing his palms together going, "They will never find me." Okay, right.
And for one reason or another, the VPN briefly sort of barfed out and stopped working.
No, we've talked about this happening before.
Which, even if it hadn't, this story may have gone the same way. Just—
Yeah, same person.
Stopped the concept of invisibility.
So the FBI had gone to question him, and he said, it's nothing to do with me. He said, sure, that Surfshark VPN account was paid for with my PayPal account.
You have me mixed up with some other Nick. I'm the Nick the Cloud guy.
His argument was someone else must have used my PayPal account.
Someone else has phished my PayPal account and then bought a Surfshark VPN in order to steal data from the company that employs me.
But having had the visit from the FBI, who were presumably a little bit skeptical of his story, he subsequently, after the FBI had been round to his house, he then went to Brian Krebs pretending to be Adam, saying, I'm a whistleblower inside Ubiquiti.
Let me tell you what's been going on there.
Someone else has phished my PayPal account and then bought a Surfshark VPN in order to steal data from the company that employs me.
But having had the visit from the FBI, who were presumably a little bit skeptical of his story, he subsequently, after the FBI had been round to his house, he then went to Brian Krebs pretending to be Adam, saying, I'm a whistleblower inside Ubiquiti.
Let me tell you what's been going on there.
And did Krebs write it up with saying Adam?
Yes.
Yeah.
Yes.
Adam Krebs wrote, I think, two or three stories about this, which, of course, upset Ubiquiti enormously, who were working with the FBI, who suspected this guy was behind it but couldn't say anything.
Adam Krebs wrote, I think, two or three stories about this, which, of course, upset Ubiquiti enormously, who were working with the FBI, who suspected this guy was behind it but couldn't say anything.
But he did have a VPN, to be fair.
Yes. Oh yes, that's true. He had a VPN. Yes. So Krebs has since removed the stories from his website.
He realizes, you know, recognizes that his source was not entirely trustworthy and was actually involved in the crime itself when he was claiming, oh, they've been incompetent.
That's why they got hacked.
Nicholas Sharp, he's now pled guilty to wire fraud, making false statements to the FBI, Oh, it was my PayPal account, but it's someone else who paid for it.
And transmitting malicious code as well. He faces a total of 35 years in prison. That's the maximum because it's America, of course. And he is scheduled to be sentenced in May.
He realizes, you know, recognizes that his source was not entirely trustworthy and was actually involved in the crime itself when he was claiming, oh, they've been incompetent.
That's why they got hacked.
Nicholas Sharp, he's now pled guilty to wire fraud, making false statements to the FBI, Oh, it was my PayPal account, but it's someone else who paid for it.
And transmitting malicious code as well. He faces a total of 35 years in prison. That's the maximum because it's America, of course. And he is scheduled to be sentenced in May.
You know, if someone was gonna knife you in the back, right? Wouldn't their name be Nick Sharp?
Oh.
Right?
The Sharp that gave a nick.
Well, I'm just saying.
Sharpie, maybe.
Just tattoo you.
It was Nick from the third-party cloud team all along.
It was him all along. What a naughty boy he was. So here, as normal, is my tip for any budding cybercriminals out there.
Use a VPN. Always use a VPN.
Use a VPN.
Definitely use a VPN.
Don't set it up to cut off the internet connection if the VPN connection dies for any reason. Definitely don't have a kill switch like that.
And always, always use a PayPal account connected to your genuine email address. That's a good idea as well. Mark, what have you got for us this week?
And always, always use a PayPal account connected to your genuine email address. That's a good idea as well. Mark, what have you got for us this week?
Well, I have, I've got some very important advice for anyone who is considering a life of crime.
Oh, good.
Now, you're educated and informed cybersecurity folks, so you'll know that for several decades, and the last few years in particular, various governments and police forces around the world have been insisting that the increasing use of encryption is stopping them from doing their jobs.
Yes, yes, the Snooper's Bill.
Mm-hmm. So encryption, as you know, is used to secure communications in apps like WhatsApp and Signal.
And so things like wiretaps don't work because while the police can still intercept conversations, those conversations don't make any sense.
It's just random noise and there isn't enough computing power or time in the universe to decrypt them.
And so things like wiretaps don't work because while the police can still intercept conversations, those conversations don't make any sense.
It's just random noise and there isn't enough computing power or time in the universe to decrypt them.
Okay.
The only way to defeat this encryption, say the police, is with backdoors. I mean, backdoor's not a great description. It's more like a master key.
So if you imagine, you know, you need a key to encrypt and decrypt information.
If the police had a master key, they say, they could use that and they could unlock any conversation and they could do things like wiretaps.
So if you imagine, you know, you need a key to encrypt and decrypt information.
If the police had a master key, they say, they could use that and they could unlock any conversation and they could do things like wiretaps.
100%.
And what could possibly go wrong with that?
Well, although these requests come from a good place, because, you know, I don't doubt for a second that the police are trying to stop organized crime and terrorism and terrible things like that.
There has been near-universal pushback, just as there was just now, from computer security professionals like you, because the mathematical facts are that there simply isn't a safe and secure way to provide a master key.
Unfortunately, although I'm sure this podcast will change things, up to now, those protests from people like you have largely fallen on deaf ears.
We seem destined for a world where encryption backdoors exist.
There has been near-universal pushback, just as there was just now, from computer security professionals like you, because the mathematical facts are that there simply isn't a safe and secure way to provide a master key.
Unfortunately, although I'm sure this podcast will change things, up to now, those protests from people like you have largely fallen on deaf ears.
We seem destined for a world where encryption backdoors exist.
So what you're basically saying is because we're saying if you have, if somebody has the master key, you know, it's just a question of time before that somehow gets copied.
Yes.
You keep going with the analogy. Exactly. Okay. Yes. I'm with you.
Exactly right. There are, yeah, you can't put a vulnerability in something and then say only these people know about the vulnerability.
Yeah.
Yeah, and what happens when some evil state, for instance, says, well, we'd like to police our population as well, please. So can we have a master key too?
They probably do.
And what if?
In that case.
What if criminals said, we won't follow the law.
Yeah, exactly.
And encryption has got the back door. Because the thing about criminals is they have a different relationship to the law than law-abiding people.
Anyway, the broader point here is that these sorts of objections that we are raising here, sensible, rational objections, are largely falling on deaf ears, unfortunately.
However, there is one group of people that have been doing a really good job of poking holes in the police's argument for encryption-backed calls.
Anyway, the broader point here is that these sorts of objections that we are raising here, sensible, rational objections, are largely falling on deaf ears, unfortunately.
However, there is one group of people that have been doing a really good job of poking holes in the police's argument for encryption-backed calls.
Okay.
And that group is the police.
What?
And it has to be said, criminals. Criminals have also been helping out quite a lot as well. Let me explain.
For the last 8 years or so, there has been a repeating pattern in the use of encrypted devices by organized crime. Now, I'm going to start the story in 2016.
I could probably start it earlier than that. We're going to start in 2016.
For the last 8 years or so, there has been a repeating pattern in the use of encrypted devices by organized crime. Now, I'm going to start the story in 2016.
I could probably start it earlier than that. We're going to start in 2016.
Okay.
In 2016, the Dutch police figured out how to read encrypted messages on BlackBerry phones.
And you're going to hear the words Dutch police quite a lot in this, because for some reason, the Dutch police are really good at cybercrime.
And you're going to hear the words Dutch police quite a lot in this, because for some reason, the Dutch police are really good at cybercrime.
Mm-hmm.
Well, fighting cybercrime.
Sorry, yeah, they are really good at fighting cybercrime.
Anyway, in 2016, Dave from Accounts, in 2016, they figured out how to read encrypted messages on the BlackBerry phones being used by gangsters who were known to be using them for horrendous crimes.
Now, they've come up with a variety of techniques or speculated what sort of techniques they might have used, but it was no doubt that they were reading messages.
So this spooked some of the criminal underworld into looking for an alternative to their beloved BlackBerrys.
Now, some, no doubt, turned to Ennetcom, a company that sold handsets to Dutch criminals for about $1,500, and that couldn't do anything other than sending encrypted messages.
Anyway, in 2016, Dave from Accounts, in 2016, they figured out how to read encrypted messages on the BlackBerry phones being used by gangsters who were known to be using them for horrendous crimes.
Now, they've come up with a variety of techniques or speculated what sort of techniques they might have used, but it was no doubt that they were reading messages.
So this spooked some of the criminal underworld into looking for an alternative to their beloved BlackBerrys.
Now, some, no doubt, turned to Ennetcom, a company that sold handsets to Dutch criminals for about $1,500, and that couldn't do anything other than sending encrypted messages.
Okay.
This turned out to be a mistake.
Although it was used by Dutch gangsters, Ennetcom's infrastructure was in Canada, and it turns out that the Canadian police had been camped out on Ennetcom's servers and managed to decrypt about 3.5 million messages.
Although it was used by Dutch gangsters, Ennetcom's infrastructure was in Canada, and it turns out that the Canadian police had been camped out on Ennetcom's servers and managed to decrypt about 3.5 million messages.
So this is the thing. It turns out that these criminal encrypted messaging services were actually being run by the Canadian cops, is what you're saying, effectively.
Or that they certainly had oversight of them.
Or that they certainly had oversight of them.
It was being run by a company in Canada, and the Canadian cops said, we wouldn't mind a gander. How about we have a look at those servers, sonny?
And so they did, and they managed to decrypt 3.5 million messages, which is probably not what Ennetcom's customers had in mind anyway.
So, as a result of Ennetcom being compromised by the Canadian police, criminals were left looking for a secure phone once again. And some may have turned to Phantom Secure.
And so they did, and they managed to decrypt 3.5 million messages, which is probably not what Ennetcom's customers had in mind anyway.
So, as a result of Ennetcom being compromised by the Canadian police, criminals were left looking for a secure phone once again. And some may have turned to Phantom Secure.
Phantom Secure.
Phantom Secure. Phantom Secure was a Canadian company that provided modified, secure mobile phones that couldn't do anything other than sending encrypted emails.
Okay.
It was used by high-level drug traffickers, high-ranking organised criminals.
That is until March 2018, when the FBI arrested the company CEO, Vincent Ramos, shut down the whole operation, and within three months, Ramos had turned state witness and handed over all the login details to all of the systems for Phantom Secure.
Now, the FBI haven't revealed whether or not they were able to decrypt Phantom Secure's messages, but they did certainly stop all those nasty criminals from using Phantom Secure.
So that particular avenue of crime was brought to a halt.
That is until March 2018, when the FBI arrested the company CEO, Vincent Ramos, shut down the whole operation, and within three months, Ramos had turned state witness and handed over all the login details to all of the systems for Phantom Secure.
Now, the FBI haven't revealed whether or not they were able to decrypt Phantom Secure's messages, but they did certainly stop all those nasty criminals from using Phantom Secure.
So that particular avenue of crime was brought to a halt.
So I guess the criminals had to go and find something else, I suppose.
Well, it's funny you should say that, because once again, criminals were left looking for a secure phone for doing crimes. And some may have turned to EncroChat.
Oh yes.
EncroChat is thought to have been developed with money from Dutch organised crime. And at its peak, it had about 60,000 users, pretty much all of whom were crooks.
It's so funny, right? 'Cause isn't there this adage that you have to blend in, right? If you want to go undetected. Whereas in this case, they all go to the same club.
You know, they're all sitting there in the same shitty club, and everyone's like, "Anyone who's in there is badass." I imagine them all like Dom Joly with a giant button.
You know, they're all sitting there in the same shitty club, and everyone's like, "Anyone who's in there is badass." I imagine them all like Dom Joly with a giant button.
With the name of their super-secret encrypted crime phone written on it. Hello!
What?
No, no, no, no, no! Anyway, so this, EncroChat, 60,000 users, everything was going fine until it wasn't.
When in June 2020, it came to sudden and dramatic close, and it was revealed that the French police had been camped out on EncroChat servers for several months, where they had been able to read messages and also read lock screen passcodes, which is very amusing for anybody who understands how passwords are supposed to be stored.
Because, let's just say, if they were able to read lock screen passcodes, they may have been not as secure as the criminals were thinking they were.
Anyway, the French police were more than happy to share what they'd learned with the fellow European neighbours, and as a consequence, there were about 1,000 arrests.
When in June 2020, it came to sudden and dramatic close, and it was revealed that the French police had been camped out on EncroChat servers for several months, where they had been able to read messages and also read lock screen passcodes, which is very amusing for anybody who understands how passwords are supposed to be stored.
Because, let's just say, if they were able to read lock screen passcodes, they may have been not as secure as the criminals were thinking they were.
Anyway, the French police were more than happy to share what they'd learned with the fellow European neighbours, and as a consequence, there were about 1,000 arrests.
Mark, I'm sensing a trend here where cybercriminals are using encrypted chat messaging systems, which then get taken over by the cops.
You may think that. I couldn't possibly comment. Suffice to say that with the demise of EncroChat, once again, criminals were left looking for a secure phone.
How can we talk to each other? Shut up, Biddy! We don't have a solution!
Well, they did have a solution.
Aha.
And that solution was called Anom.
Ah.
Now, Anom provided modified Android phones that had all the normal telephony and messaging disabled, and a specialist encrypted messaging app installed.
And Anom was distributed through criminal networks, and you basically only found out about it because a gangster kind of approached you and said, you should use this super secure crime phone.
That's for crime. And Anom was extremely successful and very, very widely spread.
And I'm thinking, 'cause you sort of said it in the last part of the story, you're thinking that Anom was infiltrated by the police.
And Anom was distributed through criminal networks, and you basically only found out about it because a gangster kind of approached you and said, you should use this super secure crime phone.
That's for crime. And Anom was extremely successful and very, very widely spread.
And I'm thinking, 'cause you sort of said it in the last part of the story, you're thinking that Anom was infiltrated by the police.
Yes, yes. That's why I mentioned—
Anom was never infiltrated by the police.
Eh-eh. See, Graham? You see, Graham? You shouldn't assume. You shouldn't assume, Graham.
No, it was never infiltrated by the police because it was in fact invented by the police. So, Anom was created and marketed by the FBI.
Nice little sideline for them, to be honest. I mean, if funding is a problem, it seems there are lots of criminals looking for a decent encrypted messaging service.
Fishing system, well, not so much, is it?
Fishing system, well, not so much, is it?
Right?
Why shouldn't the FBI get involved?
If I were a criminal, I'd give this 1 out of 5 stars based on everything I'm hearing here.
Well, as I understand it, the encryption in An0m was perfectly good. The problem was that every time you sent a message, a copy of the message was also sent to the FBI.
Well, An0m, in the end, An0m was being used by about 10,000 gangsters in 100 countries and it shared 27 million messages with the FBI.
Well, An0m, in the end, An0m was being used by about 10,000 gangsters in 100 countries and it shared 27 million messages with the FBI.
So, did this cause a denial of service at FBI headquarters where their email box was getting full?
Smoke coming out of the sides.
On the 8th of June, 2021, 800 people were arrested in 16 countries as a result of this An0m phone that had been invented by the FBI.
And not for the first time, criminals were left looking for a secure phone and some, no doubt, turned to XClue.
Now, on its website, which I visited yesterday, XClue says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data.
And not for the first time, criminals were left looking for a secure phone and some, no doubt, turned to XClue.
Now, on its website, which I visited yesterday, XClue says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data.
XClue?
XClue.
XClue sounds like one of my old girlfriends or something. What's—
Are you saying that she's behind a criminal enterprise?
Wow.
Quite secure, but they're criminals.
Doesn't say a lot about dating you either, right?
Ask your legal team.
Carry on, Mark, you're doing great.
Okay, thank you very much.
Anyway, website says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data and what it should have said is that no one gets access to your data apart from the Dutch police.
Anyway, website says it uses the most sophisticated encryption protocols in the world to ensure that no one gets access to your data and what it should have said is that no one gets access to your data apart from the Dutch police.
'Cause we created it and—
The Dutch police announced on Friday that it had been camped out on XClue servers and reading 3,000 criminals' messages for the last 5 months.
Wow. Is there any criminals left? I'm just wondering, you must be able— This is a big net, isn't it? Because they all have to talk, right, if they're all using these apps.
I've a horrible feeling that it just hints at how many criminals there are.
Well, maybe the politicians are right, Carole, and they're all now using WhatsApp and Signal. And that's why we need a backdoor into WhatsApp and Signal.
Yeah, that's exactly what will be the— Thanks for giving them their marketing campaign.
So anyway, there've been about 50 arrests so far and not for the first time, criminals are once again left looking for a secure phone.
So if my bicycle gets stolen and the police say, oh yeah, you're alright, we'll make a log of it, but they don't come round to investigate the scene of the crime, is it because they're actually busy reading these messages or setting up their own encrypted messaging system to market to criminals?
That's what I'm interested in.
That's what I'm interested in.
That's what I like to believe.
I feel a bit better about it now. Fantastic. So do you have any advice, Mark, for any criminals out there?
Yes, I do. I do.
If somebody approaches you on the quiet and says, "Hello, hello, hello." What's going on here then?
Somebody in a very large blue hat approaches you and suggests that you use a brand new super secret skunkworks phone that you've never heard of, that's just for doing crimes.
Use it.
Use it.
Carole, what have you got for us this week?
I am talking about watches.
Because you probably know over the last several years, Apple, the smartwatch market leader, added new features to the watch such as fall detection and crash detection.
Okay, so one of their ads when they launched this in Apple, I think it was 7 Series, it was called 911, this ad.
And it used basically live audio from 3 real-life emergency calls to illustrate the various ways that Apple Watch, you know, could make a difference between life and death. Right?
So in one of them, the audio is of a woman who flipped her car, right?
And she desperately, she contacts and she's telling the emergency line that her car is starting to fill with water up to her neck, right?
And another one, there's a paddleboarder who's drifted out to sea. And each caller is unable to reach their mobile phone, but because they have their Apple Watch, huzzah!
And it's the help with their watch that these people, Jim, Jason, and Amanda, were rescued in minutes, says the ad.
Because you probably know over the last several years, Apple, the smartwatch market leader, added new features to the watch such as fall detection and crash detection.
Okay, so one of their ads when they launched this in Apple, I think it was 7 Series, it was called 911, this ad.
And it used basically live audio from 3 real-life emergency calls to illustrate the various ways that Apple Watch, you know, could make a difference between life and death. Right?
So in one of them, the audio is of a woman who flipped her car, right?
And she desperately, she contacts and she's telling the emergency line that her car is starting to fill with water up to her neck, right?
And another one, there's a paddleboarder who's drifted out to sea. And each caller is unable to reach their mobile phone, but because they have their Apple Watch, huzzah!
And it's the help with their watch that these people, Jim, Jason, and Amanda, were rescued in minutes, says the ad.
The reason why these are cool is if you do flip the car, if you move in an unusual way, such as being upside down, and maybe are knocked unconscious by the crash or are incapacitated in some fashion, then your phone can alert someone and say, whoa, something really bad has happened here, and could contact the authorities, et cetera, et cetera.
Exactly. Exactly. And that's how they're marketing it as well. This is a really useful thing.
So I was looking around for a few, you know, real stories that hit the headlines once this came live. And there was the scariest one that I found.
Was the Seattle couple that were in the midst of a divorce. And then things went really south. And the woman managed to contact 911 using her Apple Watch, right?
Saying, you know, her husband was trying to kill her. And it seems in his blind rage, he ended up putting her into a shallow grave after stabbing her.
So I was looking around for a few, you know, real stories that hit the headlines once this came live. And there was the scariest one that I found.
Was the Seattle couple that were in the midst of a divorce. And then things went really south. And the woman managed to contact 911 using her Apple Watch, right?
Saying, you know, her husband was trying to kill her. And it seems in his blind rage, he ended up putting her into a shallow grave after stabbing her.
What?
Before the authorities arrived. So she was literally underground.
Oh my goodness.
And one of the more avoidable ones where this guy was power washing the bricks on his house and he decided to stand on the windowsill as a stepping stone to reach just a little bit higher to get that little bit up.
I think we know where this is going to end up. Yeah.
Anyway, after a few minutes, after falling right in the window well on the bottom of the house, he stood up and there was a cop, right? And he was, how are you here?
And he was, your phone.
And he was, your phone.
I'm just trying to imagine that Apple marketing team wrestling with story you told.
Oh, yes. Yeah, yeah. It's, should we give him a Darwin Award? So this has been selling hotcakes. Apple Watch Series 8, iPhone 14 now both boast improved crash detection.
And because users now can connect with emergency services when cellular and Wi-Fi coverage is not available.
This would all be fantastic if things didn't sometimes go a little bit wrong.
Over the past few months, we've seen a kind of growing concern and increasing complaints from really annoyed 911 responders.
And because users now can connect with emergency services when cellular and Wi-Fi coverage is not available.
This would all be fantastic if things didn't sometimes go a little bit wrong.
Over the past few months, we've seen a kind of growing concern and increasing complaints from really annoyed 911 responders.
Ah, so people's Apple Watches are calling the cops when they shouldn't be. They're false alarming, thinking something bad has happened.
Yeah.
And it seems to happen mostly when people are doing snow sports skiing or snowboarding.
OK, makes sense. Well, snowboarding, it has sort of got built into it, hasn't it? Falling from a great height or being upside down, tumbling. Yeah, jumping on walls. Yes.
Tumbling.
Yes.
I think, to be fair as well, the Apple Watch is probably right on a lot of occasions. Yeah.
This person has crash-landed.
Yeah.
And so what happens is if the device detects a crash, it then sends the user a message or an alarm to find out if they're actually in a crash.
So the user can then dismiss the message and say, no, no, no, I'm fine, I'm fine.
But if 10 or 20 seconds pass, the feature then sends an automated message with the user's GPS coordinates and a callback number to the closest emergency call center.
So the user can then dismiss the message and say, no, no, no, I'm fine, I'm fine.
But if 10 or 20 seconds pass, the feature then sends an automated message with the user's GPS coordinates and a callback number to the closest emergency call center.
This confuses me because shouldn't the police be busy creating encrypted messaging systems rather than helping people who've fallen off their snowboard?
Well, you've got ski patrols, right? And they're really important, if there's avalanches and all kinds of things, but they're getting inundated with calls.
So some people reporting a 50% uptick in the last year.
And also, if you think about it, if you're bombing down a hill, right, you're hitting the moguls, you know, the wind zipping past your earmuffs, you might not hear or feel your watch.
So some people reporting a 50% uptick in the last year.
And also, if you think about it, if you're bombing down a hill, right, you're hitting the moguls, you know, the wind zipping past your earmuffs, you might not hear or feel your watch.
No.
And that would lead to incidental calls, wouldn't it?
I think it's because you have to wear so many clothes.
Oh, yeah.
Because it's chilly up there.
Do you know, seriously, as a Canadian, when I was a kid, I downhill skied, and the first day in the new year where the sun was out and it was just maybe close to zero or near zero Celsius, we would all put shorts on and ski in shorts.
It's ridiculous.
Do you know, seriously, as a Canadian, when I was a kid, I downhill skied, and the first day in the new year where the sun was out and it was just maybe close to zero or near zero Celsius, we would all put shorts on and ski in shorts.
It's ridiculous.
I'd definitely have called the police at that point.
So what happens when these things happen, right, is that dispatchers are required to either send first responders, that's the normal protocol, send first responders to the location unless the person can confirm it was a mistake.
And, you know, there's lots of problems with that because there's wasted resources, there's people in real danger that are not, maybe not being prioritized appropriately.
And what's happening is that some first responders are now making a judgment call, right? Because there's too many watches that are crying wolf.
So they might be going, "Ah, you know, we called back, they're not responding. They're probably still skiing and fine.
Let's not worry about that one." I mean, Mark, I know you're a skier. How would you judge? 'Cause skiing is seriously dangerous. You can die, right?
There's loads of things that can lead to that.
And, you know, there's lots of problems with that because there's wasted resources, there's people in real danger that are not, maybe not being prioritized appropriately.
And what's happening is that some first responders are now making a judgment call, right? Because there's too many watches that are crying wolf.
So they might be going, "Ah, you know, we called back, they're not responding. They're probably still skiing and fine.
Let's not worry about that one." I mean, Mark, I know you're a skier. How would you judge? 'Cause skiing is seriously dangerous. You can die, right?
There's loads of things that can lead to that.
Oh, 100%. Yes. Yeah. I've tried to die many, many times when skiing. I think the answer here is very obvious that Apple have just got to go the whole hog.
They've just got to leave the camera on the whole time. Live feed to the first responders.
Obviously the first responders are going to have to buy new equipment so that they can see the live feed.
They've just got to leave the camera on the whole time. Live feed to the first responders.
Obviously the first responders are going to have to buy new equipment so that they can see the live feed.
Well, there's media reports out there of responders saying, hey, skiers, do you mind just turning off this feature if you're going skiing?
Yeah, turn off this life-saving feature.
Yes, exactly!
That could save your life in the event of a crash.
Yep.
Exactly.
The minute you put some skis on, particularly if you put a snowboard on, then essentially you've said, "My life is worthless. I don't care if I die."
I wonder if you go to a theme park, to one of those roller coasters which spin you upside down and do horrific things to you, a bit what was it called?
That mountain thing we went on in Euro Disney.
That mountain thing we went on in Euro Disney.
Space Mountain.
Oh my God, that was horrendous. Anyway, so I just wonder if something like that could set them off as well, or whether—
I don't know, why don't we do a test, Graham? You've got an Apple Watch.
Oh, you know, I'd rather not.
Go hit the roller coasters.
No, not for me, thank you.
There you go.
So there's no solutions to this basically other than Apple getting together with the emergency responders and trying to figure out a solution that suits them both, which is apparently what they're doing now.
Seems a little late. You'd think they were involved very early on.
So there's no solutions to this basically other than Apple getting together with the emergency responders and trying to figure out a solution that suits them both, which is apparently what they're doing now.
Seems a little late. You'd think they were involved very early on.
I don't know. I feel we've managed to get this far. You know, there's 8 billion people on the planet now. We've been doing okay. Population doubled since about 1970.
We've managed to do okay without our watches calling the police for us. I accept that there are rare occasions where we might be buried alive where that could be useful.
But what if we just didn't have this feature?
We've managed to do okay without our watches calling the police for us. I accept that there are rare occasions where we might be buried alive where that could be useful.
But what if we just didn't have this feature?
Well, Mark, that's all very well for you to say, but the people who die or the people who get buried alive, they aren't having their voice heard, are they?
So they might be particularly—
So they might be particularly—
Literally, you can't hear them with all the snow over them.
Yeah. They might have a very strong opinion about this. It's all very well for you as a survivor to say, well, do we really need this?
But, you know, what about the people who are in a pickle?
But, you know, what about the people who are in a pickle?
And that's the thing. You've got to make your decision before you get yourself in a pickle, right? You've got to know to wear the watch.
It seems to be the health elements of the watch that everyone loves, all kinds of different automated alerts that happen.
It seems to be the health elements of the watch that everyone loves, all kinds of different automated alerts that happen.
Do you know, can I tell you a true story? I was at a chess tournament a couple of months ago.
You're a chess player. This is news.
And I had my Apple Watch on me. And at the end, later on, it sort of did a bleep and said, oh, do you realise that your heart rate was elevated for about 13 minutes?
There was a particular tense point where clearly my heart was getting very, very stressed about what was happening. Really? Yeah, for real.
There was a particular tense point where clearly my heart was getting very, very stressed about what was happening. Really? Yeah, for real.
It's almost exercise then, huh?
Almost. Yeah, chess is.
Yeah, yeah, yeah.
Get a sweat on.
Is this elevated for a chess player, or is this— are we, what's the baseline for elevated here?
Oh no, no, let me— look, my chess opponents are not people who are likely to get me all hot and bothered.
It's more what's going on on the board rather than what's sitting opposite me. Today's podcast is brought to you by NordLayer.
Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business.
As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents.
Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance.
Simply go to nordlayer.com/smashingsecurity and get 1 month free. NordLayer is easy to start at. It takes less than 10 minutes to onboard your entire business on a secure network.
NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems.
And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth.
So if you want to secure your business network, go to nordlayer.com/smashingsecurity to get your first month free. And thanks to NordLayer for supporting the show.
It's more what's going on on the board rather than what's sitting opposite me. Today's podcast is brought to you by NordLayer.
Now, NordLayer safeguards your company's network, but it's much more than just a VPN for business.
As you already know, business networks today are more vulnerable than ever due to remote work, ransomware attacks, data leak incidents.
Well, NordLayer secures and protects remote workforces as well as business data, and it can even help you ensure security compliance.
Simply go to nordlayer.com/smashingsecurity and get 1 month free. NordLayer is easy to start at. It takes less than 10 minutes to onboard your entire business on a secure network.
NordLayer is easy to combine as it's hardware-free and compatible with all major operating systems.
And finally, NordLayer is easy to scale as you can choose a plan unique to your business requirements and your rate of growth.
So if you want to secure your business network, go to nordlayer.com/smashingsecurity to get your first month free. And thanks to NordLayer for supporting the show.
If you are looking for a multifactor authentication solution, look no further than SecureEnvoy.
This is for companies that take authentication seriously because SecureEnvoy takes MFA to another level.
See, the thing is, there's no room to be complacent with the growing cybersecurity threats.
Everyone in your organization needs authentication tailored to their specific access needs and risk profile for their role.
But maybe your employees and partners and contractors all need different types of MFA. Some might prefer SMS, some might prefer YubiKey, others a smartphone app.
SecureEnvoy can handle all this for you. Do you want to learn more? Of course you do. Check out SecureEnvoy's free data guide available at smashingsecurity.com/secureenvoy.
That's S-E-C-U-R-E-N-V-O-Y. And thanks to SecureEnvoy for sponsoring the show.
This is for companies that take authentication seriously because SecureEnvoy takes MFA to another level.
See, the thing is, there's no room to be complacent with the growing cybersecurity threats.
Everyone in your organization needs authentication tailored to their specific access needs and risk profile for their role.
But maybe your employees and partners and contractors all need different types of MFA. Some might prefer SMS, some might prefer YubiKey, others a smartphone app.
SecureEnvoy can handle all this for you. Do you want to learn more? Of course you do. Check out SecureEnvoy's free data guide available at smashingsecurity.com/secureenvoy.
That's S-E-C-U-R-E-N-V-O-Y. And thanks to SecureEnvoy for sponsoring the show.
So there's probably a lot of Smashing Security listeners out there who might be concerned after hearing about the data breach which recently occurred at LastPass.
Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted.
There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state.
But one password manager that isn't making that mistake is our sponsor Bitwarden.
Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including unlike LastPass the URLs for the websites which you have saved passwords for.
You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy.
And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy.
They support importing from lots of other solutions, and there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate.
And stay safe. And welcome back and enjoy us at our favorite part of the week, the part of the show that we like to call Pick of the Week.
Now, that allowed hackers to steal customers' password vaults, and unfortunately there were parts of those password vaults which were astonishingly unencrypted.
There's no doubt a lot of questions users are going to ask LastPass about how that could have happened and why some of that data was left in that insecure state.
But one password manager that isn't making that mistake is our sponsor Bitwarden.
Customers of Bitwarden know that their vaults are entirely end-to-end encrypted with zero-knowledge encryption, including unlike LastPass the URLs for the websites which you have saved passwords for.
You can learn more about that in the Bitwarden Help Center and at bitwarden.com/privacy.
And if you happen to be looking to switch password managers right now, well, Bitwarden makes it easy.
They support importing from lots of other solutions, and there's even a LastPass migration guide available. Learn more at bitwarden.com/migrate. That's bitwarden.com/migrate.
And stay safe. And welcome back and enjoy us at our favorite part of the week, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
And my pick of the week this week is a service called Inoreader. Have you heard of Inoreader?
No. Do you want to spell that? I have no idea.
Inoreader. Do you remember Google Reader, which was killed off about 10 years ago by Google?
Yeah. RSS feeds, right?
Exactly. It was a great way of aggregating all your RSS feeds, reading the latest news, keeping on top of blogs and things. Google killed it off, much gnashing of teeth.
People were really upset.
People were really upset.
Yeah. Why did they kill it off? Do you remember what the reason was?
There's a webpage listing all the different things that Google has killed off over time. You know, they're doing it all the while, aren't they?
But anyway, since then, I've mostly used a service called Feedly. But I was getting a little bit grumpy about it.
I was paying for it every year and I was thinking, it doesn't really, it's not really satisfying what I want it to do. And so I was looking for an alternative and I found Inoreader.
And with Inoreader, you can not only follow news sites, corporate websites, blogs, anything that has an RSS channel. You can also follow social media accounts if you really want to.
But anyway, since then, I've mostly used a service called Feedly. But I was getting a little bit grumpy about it.
I was paying for it every year and I was thinking, it doesn't really, it's not really satisfying what I want it to do. And so I was looking for an alternative and I found Inoreader.
And with Inoreader, you can not only follow news sites, corporate websites, blogs, anything that has an RSS channel. You can also follow social media accounts if you really want to.
Oh my God.
I don't use it for that purpose.
Reddit, you can follow on it, YouTube channels, newsletters. You can even create RSS feeds for web pages which don't have RSS feeds on them, which again—
Well, I bet there's hundreds of listeners out there going, "That sounds so cool." It is cool.
And Carole, there's a lot, I can see that you're a potential purchaser of this. You're gonna come on board.
And these people are kind of people, heart rates are elevated when they have to make a move at chess.
I like to stay abreast of all the latest developments in this. One thing I can do with Inoreader is I can create customised alerts.
So if there's a particular news source, which rarely writes about cybersecurity, you could precede it with a woo-ka, woo-ka. Well, that is exactly what I do.
So my watch will actually ping if there's a breaking humongous cyber story, which has happened, which has been reported by, I don't know, BBC or something like that, just to tell me, oh, this thing's just happened.
And you can listen to articles. It does text-to-speech. There's also kinds of automation. It's really cool. Really impressed with it.
So if there's a particular news source, which rarely writes about cybersecurity, you could precede it with a woo-ka, woo-ka. Well, that is exactly what I do.
So my watch will actually ping if there's a breaking humongous cyber story, which has happened, which has been reported by, I don't know, BBC or something like that, just to tell me, oh, this thing's just happened.
And you can listen to articles. It does text-to-speech. There's also kinds of automation. It's really cool. Really impressed with it.
Sorry, can I ask how long you took to set it up?
Oh, it didn't take long at all. I just imported my RSS feeds from Feedly in OPML, I think it is, format. And there I was.
And setting up all the rules?
I've only got a few rules there. Mostly it's just, you know, I've got things in different folders. It was really easy to migrate from one service to the other.
There is a free version if you want to try it out. That's ad-supported, but I choose to pay an annual subscription, because I get a few more features.
But I figured, I find this really useful. I use it every day. I like it. And maybe some other listeners would as well. Cool. inoreader.com.
Go and check that out, because it is my pick of the week.
There is a free version if you want to try it out. That's ad-supported, but I choose to pay an annual subscription, because I get a few more features.
But I figured, I find this really useful. I use it every day. I like it. And maybe some other listeners would as well. Cool. inoreader.com.
Go and check that out, because it is my pick of the week.
There we go.
Carole, what's your pick of the week?
Sorry?
Oh, sorry. It's— Mark, what's your pick of the week?
No, you can go straight to Carole if you'd like. Why, why stick to the same routine that you've had for 8 episodes? Mark, please share. My pick of the week is a book.
So you remember at the beginning I said I've deleted the Twitter app to try and get my head into reading and it's worked. Yes.
Well, the second book that I've read this year is called The Social Lives of Animals, which is by Ashley Ward, and it is all about how cooperation between animals works and why it's a wonderful thing.
And it is a beautifully written book. So it sort of goes through a dozen or so different species and explains how they cooperate and why they cooperate.
There's a fantastic opening chapter all about krill. So who knew krill which is, you know, we just think of as being prawns that are eaten by blue whales, actually cooperate.
And there's some fantastic information about the life cycle of krill and what happens when they lay eggs and things. And oh, it's just mind-blowing.
These are particularly interesting.
So you remember at the beginning I said I've deleted the Twitter app to try and get my head into reading and it's worked. Yes.
Well, the second book that I've read this year is called The Social Lives of Animals, which is by Ashley Ward, and it is all about how cooperation between animals works and why it's a wonderful thing.
And it is a beautifully written book. So it sort of goes through a dozen or so different species and explains how they cooperate and why they cooperate.
There's a fantastic opening chapter all about krill. So who knew krill which is, you know, we just think of as being prawns that are eaten by blue whales, actually cooperate.
And there's some fantastic information about the life cycle of krill and what happens when they lay eggs and things. And oh, it's just mind-blowing.
These are particularly interesting.
Graham's going, why would I need to know this? Is it useful in chess? No. Doctor Who? No. My podcast?
No. The chapter's all about these people that are trying to research the life cycle of krill. And it's very hard to research the life cycle of krill, because they live in Antarctica.
So it's very, very cold.
So it's very, very cold.
Or inside the bellies of whales, which is the other place you have to find them.
They're not chilling out in there, Graham. They're not having a party. They're swallowed whole. Sure, but you know.
I presume. Yeah. When they lay their eggs, their eggs sink. So krill will live at the surface of the water. And in order to not get eaten by their parents, the eggs sink.
Geez, you see, we complain about our folks and look, at least we're not being eaten by them.
They sink and they sink and they sink and they sink and they sink and they sink and they end up sinking for about 2 kilometers.
When the krill hatches, it's about the size of a full stop. What font size? And the first thing it has to do is swim 2 kilometres up, bang, to the surface of the water.
So, a month of this dot-sized krill's life is the equivalent of doing a marathon every day.
When the krill hatches, it's about the size of a full stop. What font size? And the first thing it has to do is swim 2 kilometres up, bang, to the surface of the water.
So, a month of this dot-sized krill's life is the equivalent of doing a marathon every day.
And with the end result of getting eaten by a blue whale! Alright!
Life's beautiful. Anyway, it's a wonderful book, and it is beautifully written. So it's full of interesting stories, but it is also— It sounds gorgeous.
Yeah, it is, it is a lovely thing just to read.
Yeah, it is, it is a lovely thing just to read.
Fantastic.
Would it be good for younger readers, what do you think in terms of writing style?
I think some of the subject matter might not be, you know, it's a bit erotic. There's, well, they're going to bonobos. There's a fair bit about bonobos.
I don't know if you know about bonobos. They've got, they're very interesting sex life.
I don't know if you know about bonobos. They've got, they're very interesting sex life.
Okay, very varied. The Social Life of Animals by Ashley Ward, for all your bonobos information.
Crow, what's your pick of the week? I have an unsettling French thriller series as my pick of the week. It's called Les Papillons Noirs, or Black Butterflies.
So, the premise is you've got this gloomy novelist, okay, named Adrian, and he has writer's block. You know, he's trying to write his novel, his great oeuvre.
And to get over his writer's block, he agrees to write the memoir for this dying guy, this old man named Albert.
And Albert starts sharing his stories, right, to honor the love of his life, this woman called Solange.
But the stories really get dark and almost beggar belief, you're not sure if they're real. And the writer guy's like, "This is a little crazy.
I'm out of this." But he ends up getting sucked in because his wife took a peek at the first draft. She's hooked. She thinks it's his best work ever.
And so, despite his better judgment, he continues to visit Albert and record these stories, which get darker and murkier and bloodier. And it's great.
So, the premise is you've got this gloomy novelist, okay, named Adrian, and he has writer's block. You know, he's trying to write his novel, his great oeuvre.
And to get over his writer's block, he agrees to write the memoir for this dying guy, this old man named Albert.
And Albert starts sharing his stories, right, to honor the love of his life, this woman called Solange.
But the stories really get dark and almost beggar belief, you're not sure if they're real. And the writer guy's like, "This is a little crazy.
I'm out of this." But he ends up getting sucked in because his wife took a peek at the first draft. She's hooked. She thinks it's his best work ever.
And so, despite his better judgment, he continues to visit Albert and record these stories, which get darker and murkier and bloodier. And it's great.
What format is this in, Carole? Is this a podcast, a TV show, a book, a lithograph? What is this?
Oh, I'm sorry. It is on Netflix. I thought I said that. So, on Netflix, and it's kind of series, so probably 6 episodes, I think. And it came out last year.
And it's called Les Papillons Noirs.
Yeah, that's exactly correct. Or Black Butterflies for the rest of you. If only Graham did all the French in the show.
You will find it with both because obviously it's available in different languages, Graham. It is dubbed. So, but yeah, you can find it with Black Butterflies. It's on Netflix.
It's great. You'll enjoy it. It's tense. And there's a really, really serious, serious twist both halfway and at the end.
You will find it with both because obviously it's available in different languages, Graham. It is dubbed. So, but yeah, you can find it with Black Butterflies. It's on Netflix.
It's great. You'll enjoy it. It's tense. And there's a really, really serious, serious twist both halfway and at the end.
Is it as good as the twist in No Way Out with Kevin Costner and Gene Hackman?
I have no idea because I haven't seen that since 1987. What is the twist?
Oh, hey, we can't reveal. It's only been 35-odd years. We can't tell people this soon. Kroll, you've been busy this week. You've been chatting with the folks at SecureEnvoy.
Yes, I have an interview with Chris Martin. He's an expert in identity access management. Listen up, folks. Today, listeners, we have a treat. We have Chris Martin, the Chris Martin.
He is— thank you for being here. Thank you. I was gonna say, I had no idea that you were interested in technology and security.
He is— thank you for being here. Thank you. I was gonna say, I had no idea that you were interested in technology and security.
I have to do something during the day.
Well, this Chris Martin is the Head of Solution Architecture at SecureEnvoy, and he works with lots of different departments and teams to help define, develop, and execute the company's identity access management strategy.
And this is all to make sure that the right people can access your company resources and data, right? Rather than the wrong people. So is that a fair way of putting it, Chris?
And this is all to make sure that the right people can access your company resources and data, right? Rather than the wrong people. So is that a fair way of putting it, Chris?
That's a perfect way of putting it. Yes. It's just making sure that people don't get access to really what they shouldn't be getting access to.
Maybe we should start with you, Chris. Maybe you can tell us a little bit about you and how you found yourself at SecureEnvoy.
So I've been in this industry for a long time now, nearly two decades now, and it's always been a fascinating subject for me that users are people that use computers, but it's, it's a stupid statement, but it's, yeah, you have to stop users from using computers sometimes or accessing data.
So this idea of security is just fascinating to me, and my career has developed, and I'm fortunate to have found a company, SecureEnvoy, that shares my passion.
You say it's a passion and people laugh at you, you awesome geek.
So this idea of security is just fascinating to me, and my career has developed, and I'm fortunate to have found a company, SecureEnvoy, that shares my passion.
You say it's a passion and people laugh at you, you awesome geek.
I was just gonna ask what makes you passionate about it? What is it that you think is the secret sauce for you?
As I said, it's a human problem. You think this issue starts because as human beings, we can't remember passwords.
We can't remember unique passwords or alphanumeric characters despite what Hollywood says. You know, everyone gives super complicated passwords us as human beings can't do that.
So it's a very human problem.
I'm not saying I can make the world a better place by doing identity and access management, but it is solving problems for people, solving problems for companies.
We can't remember unique passwords or alphanumeric characters despite what Hollywood says. You know, everyone gives super complicated passwords us as human beings can't do that.
So it's a very human problem.
I'm not saying I can make the world a better place by doing identity and access management, but it is solving problems for people, solving problems for companies.
Absolutely. Even for tiny companies, you know, and for people like me, for example, right? I still have hundreds and hundreds of usernames and passwords that I have to manage.
There's no way I would be able to do that without help.
There's no way I would be able to do that without help.
It's exactly that. I think on average that a user has somewhere around 15 different applications they use regularly for their job. Yeah.
And you think that could be 15 different username and passwords. Of course, as an industry, we then came along and said, oh, wouldn't it be better if you just had one?
We call it single sign-on. Of course, what that now means is if that credential is compromised, someone now has access to 15 different applications, 100 different applications.
Yeah, there's a lot of challenges to this, a lot of different ways to solve it. There's no right answer, which again fascinates me. That's where sort of my curiosity knows no bounds.
How can we solve this problem? How can we make it better for companies, for better for users. We're not all IT professionals here. Yes, that's right.
And you think that could be 15 different username and passwords. Of course, as an industry, we then came along and said, oh, wouldn't it be better if you just had one?
We call it single sign-on. Of course, what that now means is if that credential is compromised, someone now has access to 15 different applications, 100 different applications.
Yeah, there's a lot of challenges to this, a lot of different ways to solve it. There's no right answer, which again fascinates me. That's where sort of my curiosity knows no bounds.
How can we solve this problem? How can we make it better for companies, for better for users. We're not all IT professionals here. Yes, that's right.
And we're gonna talk here, 'cause I'm really interested in the concept of multifactor authentication and the best strategies for companies. So how is it out there?
Are companies, is this something that everyone has now? Are all companies just MFA'd up to the eyebrows?
Are companies, is this something that everyone has now? Are all companies just MFA'd up to the eyebrows?
You would like to think so, 'cause then it's been around for, you know, a couple of decades now. Used to smart cards, biometrics have been around for a long time.
You would think companies have done this, but still, yeah, in my job I talk to customers and they haven't got MFA. So that I find quite surprising.
We all know the danger of passwords. I keep saying to customers, if you don't know about the danger of passwords, can I come and live on your island, please?
Where have you been for the last 20 years? And no one has yet. So people must be aware. But also it's not just about that. It's companies that have implemented MFA.
You actually find they haven't rolled it out to all of their users, which is quite interesting because I think all users are susceptible.
You would think companies have done this, but still, yeah, in my job I talk to customers and they haven't got MFA. So that I find quite surprising.
We all know the danger of passwords. I keep saying to customers, if you don't know about the danger of passwords, can I come and live on your island, please?
Where have you been for the last 20 years? And no one has yet. So people must be aware. But also it's not just about that. It's companies that have implemented MFA.
You actually find they haven't rolled it out to all of their users, which is quite interesting because I think all users are susceptible.
Oh, that's interesting because I was going to ask you that.
I was going to ask if you can apply this to the 80/20 rule, you know, that often people use, like it's good enough, you know.
Is that something that can exist in the MFA world or no?
I was going to ask if you can apply this to the 80/20 rule, you know, that often people use, like it's good enough, you know.
Is that something that can exist in the MFA world or no?
I think there's difference of opinions there. I believe the answer is no.
If you think there's a term called zero trust, which means trust no one, everyone is a threat, everyone should be protected.
If you take, for example, Edward Snowden from many years ago, he basically stole credentials of people working in offices. You know, for the CIA, I think it was.
He did that using social engineering. He literally asked people for their username and passwords. They gave it to him.
Now, not saying MFA would have stopped all of that, probably would have done, but it just shows how easily, you know, people can be susceptible when they are not protected.
If you think there's a term called zero trust, which means trust no one, everyone is a threat, everyone should be protected.
If you take, for example, Edward Snowden from many years ago, he basically stole credentials of people working in offices. You know, for the CIA, I think it was.
He did that using social engineering. He literally asked people for their username and passwords. They gave it to him.
Now, not saying MFA would have stopped all of that, probably would have done, but it just shows how easily, you know, people can be susceptible when they are not protected.
Yeah, and it's true. I believe security is a bit like a chain, right? You know, I know this is a very clichéd analogy, but you know, the weakest link is where it's going to break.
And that's the issue, isn't it? All they got to do is find that weak link if you don't cover all your bases.
And that's the issue, isn't it? All they got to do is find that weak link if you don't cover all your bases.
It's exactly that. Yeah, it's a weak link.
Now, the interesting thing is last year I did a survey with another company and we approached around about 100 companies throughout the world, different sizes, different types of organizations.
And we said, how many of your users are covered by MFA? Okay, very, very interesting. The stat was actually just a fraction over 50%. Really?
So that means it's 48% of an organization's users aren't covered, are the weak links.
Now, the interesting thing is last year I did a survey with another company and we approached around about 100 companies throughout the world, different sizes, different types of organizations.
And we said, how many of your users are covered by MFA? Okay, very, very interesting. The stat was actually just a fraction over 50%. Really?
So that means it's 48% of an organization's users aren't covered, are the weak links.
And why is that? How is that? Is that because it's too much work or is it because of lack of visibility?
I don't think it's lack of visibility or too much work. It's, you know, MFA technically is a very simple product.
It's because companies basically rolled it out to a set of users, a set of use cases, particularly with COVID in the last two or three years.
I hate talking about COVID it's a dreadful subject, but companies where everyone started to work from home went, oh, I must protect VPN access to my networks because people are home now.
So they gave people who work from home MFA to protect the VPN. Okay, of course, not everyone works from home, right? Or in offices, people work in manufacturing departments.
So where they rolled this out, they were very simple-minded in their approach. They didn't think about all of their different type of users.
And if you look at a lot of MFA solutions now, they rely on mobile phone authentication, right? We're all used to that.
An SMS text message or a phone call or push notification is so commonplace now. But what about those people who don't have access to a mobile phone?
Yeah, yeah, exactly, for whatever reason. Yeah, if you take healthcare practitioners with sensitive equipment, they can't use a mobile phone. So how do you protect those?
And that's where companies slightly fall down. It's those, I like to say, fringe use cases. They're not, they're half of a company where they don't protect.
It's because companies basically rolled it out to a set of users, a set of use cases, particularly with COVID in the last two or three years.
I hate talking about COVID it's a dreadful subject, but companies where everyone started to work from home went, oh, I must protect VPN access to my networks because people are home now.
So they gave people who work from home MFA to protect the VPN. Okay, of course, not everyone works from home, right? Or in offices, people work in manufacturing departments.
So where they rolled this out, they were very simple-minded in their approach. They didn't think about all of their different type of users.
And if you look at a lot of MFA solutions now, they rely on mobile phone authentication, right? We're all used to that.
An SMS text message or a phone call or push notification is so commonplace now. But what about those people who don't have access to a mobile phone?
Yeah, yeah, exactly, for whatever reason. Yeah, if you take healthcare practitioners with sensitive equipment, they can't use a mobile phone. So how do you protect those?
And that's where companies slightly fall down. It's those, I like to say, fringe use cases. They're not, they're half of a company where they don't protect.
Yeah, and especially if you think the example you just gave, healthcare, that's a pretty big sector that you don't want to ignore, right? Exactly.
And say that they're just, every company you talk to, there's so many different examples of where people are not covered because they're not normal.
Yeah, their use cases just are slightly left of center. And I'm sure that's true for 99% of companies really, right?
Because there's always something slightly different with every different environment there is.
Because there's always something slightly different with every different environment there is.
Yes, yes, and that's again, it's a challenge of it. It's not a technical challenge, and that's sort of a key point I try to make to a lot of customers.
It's not a technical challenge Secure Embroidery. We provide 15 different factors, but people only think they need one. No, no, no, no, no.
Why don't you have text messaging for certain people? And why don't you have biometrics for another? And why don't you have physical tokens for another set?
It's got to be mix and match. There's no right way of doing it.
It's not a technical challenge Secure Embroidery. We provide 15 different factors, but people only think they need one. No, no, no, no, no.
Why don't you have text messaging for certain people? And why don't you have biometrics for another? And why don't you have physical tokens for another set?
It's got to be mix and match. There's no right way of doing it.
So, hey, you must be the perfect person for me to ask this.
Imagine if I were the IT guy or girl responsible in a company, responsible for sorting out MFA and multifactor use within the environment - where would I even start?
Imagine if I were the IT guy or girl responsible in a company, responsible for sorting out MFA and multifactor use within the environment - where would I even start?
It doesn't matter if this is the first time you're doing MFA or you have something already. First stage is really to identify your gaps.
If you're doing this at the start, it's everyone, right?
But if you have a solution already, you need to look how people are accessing computers, how accessing applications, the data they are doing, and you build up a picture of these people.
And it's what's called authentication journeys. You look how they do it, where they do it, when they do it.
And you put all this together and you work out what you need for those people. And really, we call this identification. It is just a manual exercise.
You don't need any technology for this. What you really need is an annoying person who's going to go and ask everyone a lot of questions.
I think I'm grateful that I've worked with a lot of annoying people over the years who've taught me all this stuff to go and ask these questions. So where are these users?
What computers are they using? Just continuously ask these questions.
And once you have that picture, really then the second stage is you work out what is the best factor for these people, the best security you need.
And that's really just simply a matter of protecting those and protecting your infrastructure.
And the final stage, which is often ignored, which again I find so strange, that IT is a living, breathing organism.
Things change, so your security may need to change, your users will change.
So that sort of continuous monitoring, that continuous controlling of how people operate, and it's really just accepting that. So it's all the feedback loop.
If you're doing this at the start, it's everyone, right?
But if you have a solution already, you need to look how people are accessing computers, how accessing applications, the data they are doing, and you build up a picture of these people.
And it's what's called authentication journeys. You look how they do it, where they do it, when they do it.
And you put all this together and you work out what you need for those people. And really, we call this identification. It is just a manual exercise.
You don't need any technology for this. What you really need is an annoying person who's going to go and ask everyone a lot of questions.
I think I'm grateful that I've worked with a lot of annoying people over the years who've taught me all this stuff to go and ask these questions. So where are these users?
What computers are they using? Just continuously ask these questions.
And once you have that picture, really then the second stage is you work out what is the best factor for these people, the best security you need.
And that's really just simply a matter of protecting those and protecting your infrastructure.
And the final stage, which is often ignored, which again I find so strange, that IT is a living, breathing organism.
Things change, so your security may need to change, your users will change.
So that sort of continuous monitoring, that continuous controlling of how people operate, and it's really just accepting that. So it's all the feedback loop.
And that's what SecureEnvoy helps enterprises do, isn't it?
Exactly that. Yes, we do it all the time.
We say the technology is so simple, but it's the processes around that sort of technology that understanding is understanding the subject and the problems for what is such a simple problem of protecting users or trying to remove and protect passwords.
I've just described the problem in 10 seconds there, but the solution can take a little bit longer to understand, but technically it's very simple.
We say the technology is so simple, but it's the processes around that sort of technology that understanding is understanding the subject and the problems for what is such a simple problem of protecting users or trying to remove and protect passwords.
I've just described the problem in 10 seconds there, but the solution can take a little bit longer to understand, but technically it's very simple.
There you heard it, listeners. Chris, is there anything that you'd like to add before we close? No, it's been great talking to you. It's been great talking with you.
This was Chris Martin at SecureEnvoy. He is the head of solution architecture. And you can learn all about SecureEnvoy and its services by visiting smashingsecurity.com/secureenvoy.
That's smashingsecurity.com/secureenvoy. Chris, thanks so much for coming on the show.
This was Chris Martin at SecureEnvoy. He is the head of solution architecture. And you can learn all about SecureEnvoy and its services by visiting smashingsecurity.com/secureenvoy.
That's smashingsecurity.com/secureenvoy. Chris, thanks so much for coming on the show.
Thank you for having me.
Fascinating stuff. Mark, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
Well, you can still find me on Twitter @MarkStockley. But I might not pay any attention to you.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. We've also got a Mastodon account.
Quickest way to find us is go to smashingsecurity.com/mastodon.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Overcast, and Spotify.
Quickest way to find us is go to smashingsecurity.com/mastodon.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Overcast, and Spotify.
And huge shout out to this episode's sponsors, SecureEnvoy, NordLynx, Graham Cluley, and Bitwarden. And of course, to our wonderful Patreon community.
It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 307 episodes, check out smashingsecurity.com. Until next time, cheerio.
Bye-bye.
It's thanks to them all that this show is free.
For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 307 episodes, check out smashingsecurity.com. Until next time, cheerio.
Bye-bye.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Mark Stockley:
Episode links:
- Ubiquiti tells customers to change passwords after security breach – ZD Net.
- “No way out” trailer – YouTube.
- Ubiquiti sues journalist, alleging defamation in coverage of data breach – Ars Technica.
- Man charged with Ubiquiti data breach and extortion was employee assigned to investigate hack – Bitdefender.
- Final Thoughts on Ubiquiti – Krebs on Security.
- Former Employee Of Technology Company Pleads Guilty To Stealing Confidential Data And Extorting Company For Ransom – Department of Justice.
- Dutch Police Read Messages of Encrypted Messenger ‘Exclu’ – Vice.
- Shock and applause for Apple Watch’s chilling real-life emergency call ad – Campaign Live.
- 911 call made from Apple Watch of Washington woman buried alive released – Yahoo! News.
- Apple Watch 8 series save yet another life – Live Mint.
- Some first responders are asking iPhone users to disable Emergency SOS and crash detection due to influx of false positives – 9to5mac.
- Emergency SOS via satellite available today on the iPhone 14 lineup in the US and Canada – Apple.
- Inoreader.
- ”The Social Life of Animals” by Ashley Ward – Amazon.
- Black Butterflies – Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including, the URLs for the websites you have accounts for. Migrate to Bitwarden for a more secure password manager.
- NordLayer – NordLayer safeguards your company’s network, securing and protecting remote workforces as well as business data. It can even help you ensure security compliance. Get your first month free.
- SecurEnvoy – With growing cyber security threats everyone in your organisation needs authentication tailored to their specific access needs and the risk profile of their role. Check out SecurEnvoy’s free guide now.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
