
A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden’s commercial spyware bill, and Utah gets tough on social media sites.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Register’s Iain Thomson.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were. Maybe in a few weeks' time we'll have left open that vulnerability. We'll give you a job. And you can have another go. Yes, or maybe you can work in our security team. You can join our non-exec team. We'll send you a T-shirt.
The delivery man might be wearing blue and have a pointed cap. Smashing Security. Episode 315. Crypto hacker hijinks. Government spyware and Utah social media shocker with Carole Theriault and Graham Cluley.
Hello, hello and welcome to Smashing Security episode 315. My name's Graham Cluley.
And I'm Carole Theriault. And Carole, we're joined this week by who exactly? By the wonderful Iain Thomson of The Register. Hello sir.
Hello there, good morning from I would nearly say sunny California, but it's chucking down outside at the moment.
Yeah, I keep reading about horrific weather in California. Has it been wacky crazy for you?
It has been a very wet winter, but bring it on, say I. The reservoirs are filling up nicely. We've got snowpack, record snowpack, in fact, in some areas. The only thing is it's sometimes a bit too snowy.
Not used to shoveling?
Well, no. Obviously, we don't get it down in the Bay Area, but a friend of mine drove up to Tahoe and they had to stop and put snow chains on, but there were people getting stranded in the Donner Pass. And you'd think Donner Pass, you know, that name means something. It's if there's a cafeteria along there, check your food.
Yeah, yeah, yeah, yeah. Do they serve Donner kebabs in the Donner Pass? You cannot get a decent kebab over here for love and money.
Well, before we kick off, let's thank this week's sponsors Bitwarden, Kolide and hCaptcha. It's their support that helps give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be telling a chaotic chronicle of crypto crime.
Ooh, that's hard to say.
It is. I'm just going to say, don't do that with a skinful. The Biden administration has kind of banned commercial spyware, but not really.
And I'm going to see what's shaking in Utah. All this and much more coming up on this episode of Smashing Security.
Now chums, chums, I've got a tale of cryptocurrency crime. I don't know if you are crypto investors. I somehow I doubt that you are, but you know, surprise me.
No, no, haven't touched it. I thought crypto was dead. Is crypto still...?
No, no, no, no, no, no, no, no. Lots of people are very, very keen. Maybe there's a reason why some people are a little bit skeptical about it. I don't know. Perhaps there is. A couple of weeks ago, hackers managed to steal, I think it was 197 million US dollars worth of cryptocurrency from a lending platform called Euler Finance. Not that big a deal, $200 million. According to some records, the 26th largest crypto theft ever. Isn't that kind of shocking?
We have to say this is not real money. Can we agree on that?
Well, in some cases, it's real money, isn't it? I mean, if it's converted, but at the same time, it's kind of understandable this is happening because to use the oft-misquoted quote from over here, that's where the money is.
Anyway, it does seem hackers managed to steal around $197 million worth of cryptocurrency from Euler Finance, and it sent its investors into a blind panic. Anyone who had their money hidden away over there, almost 100% of user deposits were found to be under the hacker's control. And you hear these kind of stories all the time, don't you? Of crypto firms losing the money or suffering a vulnerability, or wallets being emptied. It's every few days there'll be another one of these.
For the people who've lost the cash, it's a big effing deal, right?
Right. Yeah, it is a big deal. But normally when these stories happen, you hear about the theft and that's pretty much the end of the story. Maybe the company goes bust. That's true. You know, it's well, whatever happens to that, it's just replaced by another story of cryptocurrency theft. But no, not in this case. This wasn't the end of the story because a few days after the hack, Euler Finance sent out a message on the old blockchain saying that the hacker could keep 10% of the $200 million that they'd stolen if they would do them the pleasure of returning the rest of the money within 24 hours. So they said, look, we'll let you keep 10%.
Please, please, pretty please. Does that mean we won't report you and we won't get the cops involved if you do this?
I imagine they probably haven't identified this person. They have a means of speaking to them via the chain. They can chat to them that way, send them encrypted messages. But they haven't really got a clue who did it. But they're just sort of saying, look, keep some of it, but give the rest back to us. Otherwise, we're done for.
Well, what would be the incentive for the criminal?
Well, maybe we won't get people involved. Maybe we won't put a lot of effort into trying to identify who you were. Maybe in a few weeks' time, we'll have left open that vulnerability. We'll give you a job. And you can have another go. Yes, or maybe you can work in our security team. You can join our non-exec team. We'll send you a T-shirt. You know, there's all kinds. It's like handing someone the key and say, now you go to the castle and open the door. Okay.
Don't worry about the dragon lying behind. Yep, he's snoozing. So security analysts were curious about it. So they saw this message and they checked out the GitHub repository for this encryption tool. And they saw that it contained a security vulnerability. And the thought was that the Ronin hacker was trying to do a dirty, trying to phish the Euler hacker to get their private key and presumably… Then steal the funds. Steal the funds from them. So it's hacker versus hacker. Meanwhile, Euler Finance is, hello, guys. Well, Euler Finance, who still want their money back. Of course. Or 90% of it. Do you know what they did? They told their hacker that he should be very careful about using that encryption tool. They didn't want their hacker hacked.
But why do you groan, Iain? I mean, I probably wouldn't want two hackers having access to my data if I could try and avoid it. No, but
it's so convoluted and so, I mean. It's ridiculous. We talk about the rewards of sin, but I mean, these people are literally making millions out of this. I find it incredibly frustrating that they couldn't sort their security out in the first place. But still, that's just me. Crypto firms born out of nowhere, you know, within a few weeks, they're up and running and their security is not well founded. It kind of made me think about the Poly Network case. Do you remember that from a couple of years ago? What happened there? Well, basically, it's a very similar scenario. Poly Network got their currency hacked to the tune of 610 million, and then they were passing this stuff backwards and forwards. This guy took all the money, and then they sent him a message via the chain, as in this case, saying, look, return X amount of the funds, and we will pay a bug bounty to you. A significant bug bounty. And declare that this is a white hat action, so the police won't be so interested. That really annoyed an awful lot of people, not only just at the FBI, but also in the security community. It's just, you can't retroactively say this is a white hat situation. No. Yeah, yeah, yeah. So, yeah, in the end, all the funds got returned. And the hacker basically decided this was more trouble than it was worth. Eventually, over the course of 15 days, returned all of the funds. And Poly Network, coming back to my original point, started a bug bounty program and is offering a hundred thousand for new hits. So yeah, sort your security out people, you know, get a bug bounty program in place. So I thought at this point it would be the end of the story. I thought there'd be no more to this. But no, because in another twist in the tale some of the hackers who claim to be involved in the Euler Finance exploit have recently been vowing to give detailed information about the other Euler hackers to Euler.
Oh, okay. So it's an inside and inside leak. Exactly, exactly. And there's another person as well claiming to be Euler exploiter number three. And he's posted up an email address and asked Euler to contact them if they want the beans.
Because no one will transfer more than 20 mil at a time. Is that the problem? Well, I don't know if you've ever transferred. Sometimes. Oh, yeah, regularly I shift that kind of thing.
Maybe there are some security checks in place, you know, making it more difficult to move large amounts of funds. Maybe this is as much of a nuisance for the criminals as it is for the rest of us when we try and move money around. I don't know. But for now, that is the end of the story.
Elon Musk is going, use my account. Use my account. Yes.
Although apparently Twitter's now worth half of what it was worth when he bought it.
Yes. Slightly less than half. But he does say that he believes that it'll be worth $250 billion at some point in the future. But we know what Musk is like with deadlines and promises. So, cryptocurrency, have I convinced our review to invest in crypto? I'm going to do it right now. Well, as I say, news from across the pond. President Biden issued an executive order on Monday, which goes by the snappy title of Executive Order on Prohibition on Use by the United States Government of Commercial Spyware that Poses Risks to National Security. Snappy? Yeah, snappy, but also slightly misleading. I mean, basically, the executive order is saying that the US government can't use commercial spyware if it's determined that the spyware is either insecure or it's being run by a company that's hosted in a government which the US considers slightly dodgy, or if it's being used to spy or if the company's products are being used to spy on US citizens. Basically, also, government departments are going to have to drop a list of where they've used this spyware, who they've used it against, and the rest of it. But it's the nationality and the sort of, you know, is it being used against US people ones, which I think this one falls down on. Because that's pretty much every commercial spyware vendor, I would have thought. I mean, NSO Group might be able to get away with it. Israel is considered a friendly country over here at the moment. But, you know, NSO stuff has also been used to spy on US citizens, so that would presumably take it off the list. It's got so many holes running through it. It seems weird. You'd think. It's utterly bonkers.
And did you say they also have to create a list of who they've used the spyware against?
No, they've got to create a list of which commercial spyware they've used. So they're not going to have to identify targets. But it is going to have to be assessed as to which departments are using this on a commercial spyware basis.
And are they going to keep that list in a secure fashion so it doesn't fall into the wrong...
Well, I've got to say, when I read through this yesterday, my first thought was FOIA request. Get it done there. Yeah, right.
I don't understand how anyone would know where their spyware actually comes from. Well, I mean, it was commercial then. NSO is based in Israel.
Would it be helpful if there was a law which insisted that commercial spyware, upon boot-up, upon starting your computer, played the national anthem of the spyware that was operating on your computer? It wouldn't be very good spying, though. I was going to say it's a bit of a giveaway, that one.
It's like, why is my computer playing the Saudi Arabian national anthem? Oh, no, I don't know if you're Formula One fans, but it was the Saudi Grand Prix last weekend, and they played the national anthem, and it was amateur hour. I mean, I don't know who they got to do this, but it looked like the local misfits who didn't know how to play instruments.
Just in case any members of the Saudi royal family are listening to the podcast today, we'd like to explain that those were the views of Iain Thomson, not of the hosts of the podcast. I've spent a week there and I'm never going back. They'll come to you, Iain.
And do you think people, these companies, just getting back to your story, do you think people know what spyware they have used in the past? Like they have their own list?
Yeah. I mean, presumably they've got invoices. This is the US government. They've got paperwork for everything.
And couldn't US government start using non-commercial spyware to do certain things just to bypass the law?
If they are, they're not going to tell us about it. I think it's one of these things where, you know, if you have to admit that it's there, then that's half the battle lost already. I mean, I have absolutely no doubt that they've got their own stuff.
Well, I suppose if they can't buy commercial spyware to use, they can always ask their nephew, Kevin, or something. Maybe you could. You're good at computers. Could you write us some spyware because we need to spy on so-and-so? That would work. I don't know. I think it would have worked a while back, the heuristics. So your view is that this legislation is...
It's a lovely piece of PR. It may help. And frankly, I don't think the US government should be using commercial spyware because there's a dual risk there. You know, you're trusting the spyware by saying, no, no, no, our code only spies on the people that you choose and doesn't have any backdoors to these highly sensitive government servers, which we're running off. But that's just me. I'm sneaky.
Why would a government want to use it, do you think, other than FBI and that kind of ring? Do you use it for bossware? You know, does that fall into this?
Oh, I wouldn't have thought so. I mean, I think this is basically for targeting intelligence targets, maybe domestic. It gets tricky if they're actually looking at US citizens, but you'd need a warrant for that. But you know, the courts are usually perfectly happy to pass those warrants out, even if they have to be got after the spying went on. There is a certain amount of delay that you can build into the process so that intelligence agencies can do the spying and then retroactively ask for permission. And it's usually granted.
So for the regular person in the street who might be worried that they're being spied on, whether it be by their government, another government or, you know, Freddy next door, whoever it might be, it's the usual rules that apply. Keep your computer up to date with security patches, patch against vulnerabilities. Be careful what you run on your computer. Run security software. Don't run attachments.
Turn your machine off and unplug it from the internet. Put it in the fridge.
Oh no, microwave, always the microwave. It really cleans out those chips. Ladies and gentlemen, that was a joke, Carole.
What have you got for us this week?
Well, interesting that you talked about legislation because you know I'm regularly advocating for more legislation around social media. You know, I'm always thinking these giants need to be forced to be more accountable for their actions, right? That's my view.
I would like to see some controls on it. I just don't see how they're going to be implemented. Honestly, social media is largely a bad thing, but it has its uses. I do find the growth of TikTok to be particularly worrying, but still, that's another story.
No, but it's part of the social media family, isn't it? I'll introduce you to Spencer Cox. He's the current governor of Utah. And he describes himself as a centrist, moderate, liberal Republican. Okay, this is from Wikipedia. And this is a stance that has apparently earned him some critics, probably based more on the righty side. But his recent actions have afforded him a much different spotlight. And for this story to have context, you kind of need to know a few things about Utah. One, it's kind of known as the home of Mormons.
Church of the Latter-day Saints, as they prefer to be called.
Oh, sorry. Okay. Home of the Church of Latter-day Saints. And they make up a large proportion of people who live in Utah and drinking is frowned upon in this church. And maybe that's why the state has some of the most stringent alcohol laws in the land. Like you can't drink until you're 21. No alcohol can be sold later than 1am under any circumstances. And beer sold at convenience stores, grocery stores, is capped at 4%.
It used to be the case that if you wanted to go to a pub, you had to pay a $5 membership fee because it was only allowed in members clubs, which, yeah, it's a very strange sight. Great skiing, then.
I've never been there. Is it good, Iain? Are you a fan of Utah?
Oh, yeah. I mean, I've got friends out there, up in Park City, and it's literally Olympic-class skiing. They did have the Winter Olympics there, I think. And it's an odd sort of a place because it's very clean, there are very few homeless, but then you do go to things like the Mormon shopping mall which is just for Mormon shops. So I had to go in there and look around and the bookshop is — I mean the science fiction section was just basically Orson Scott Card because he's the only really well-known Mormon writer or something and it was just like what the hell.
Okay. Now, Gov Cox has a bee in his bonnet about social media. He tweeted recently, more than once, actually, that protecting young Utahns from harms of social media is one of our top priorities, exclamation point, he says. And he writes Utahns. So U-T-A-H-N-S.
Yep. It is a strange state.
Yeah. We all know that protect the kids messaging is nothing new in political campaigns, right? And often resonates well with exasperated parents and guardians. So see what you make of this, because back in January, Gov Cox held a press conference. And at this conference, he made many statements disparaging social media, things like, we know that social media causes harm, we know that social media can lead to cyberbullying. He said mental health was taking a beating and that social media platforms know this but are doing nothing. And I think, you know, I would agree with that. And certainly in my echo chamber, that's what I see, right? Oh, yeah. And I'm not on it. So I can't really, you know, say from a user point of view, but I stay off it because of those concerns. Gov Cox reportedly said that the situation requires action. And late last week, action was taken in the form of a sweeping social media bill. And he says, these are the first of their kind bills in the United States. That's huge, he says. So these two laws are collectively known as the Social Media Regulation Act, and they are to take effect on March 1st, 2024, so in less than a year. The first bill, SB 152, requires social media companies to verify the age of any Utah resident with an account on their services. Okay. How are they going to do that? Actually, that's still very nebulous. Listen to this. One of the stipulations is that under 18s will have to get permission to sign up for an account. It's the first state law in the nation that will prohibit a social media service from allowing users under 18 to have accounts, you know, without explicit consent of their parent or guardian. But how do you do that without asking everyone their age? Now, at the moment, under COPA law, which is the child protection or privacy laws, you have to basically ask the user, "How old are you?" And if they say, "I'm 56," then you have to believe them. That's, you know, that's fine.
So this is going to demand people probably handing in proof of age, probably driver's licenses, passports, credit cards.
And all this creates an enormous vault of information, which is just what hackers are looking for.
Right. And it also creates a lot of legit information, which may be useful to social media companies, because a lot of people spoof information there, don't they? Oh, yes. Yes, that's true. Yeah. As you can imagine, there's a lot of privacy advocates that are very much against this, because they're saying, well, you're basically taking away the right to be anonymous online. Yep. Right? Also part of this law is parents can see everything you post. So say they agree, they say, okay, you can have an account. Parents can see every post and message. What do you think about that? Because these are kids. These are people that are not considered adults.
Yes. I mean, I do think there are some things parents shouldn't know about what their children get up to online, but I can see parents loving it, certainly.
No, but I'm kind of thinking so say, you know, five kids have diaries. I'm sure one or two parents are going to snoop and read it. And I'm sure the other three would never dream of doing that unless there was a mega problem. Yeah.
But as you said, snoop. This is the essential side of it. Yeah.
I just think the kids aren't going to be happy with this. Surely what the kids will do is they'll have an older brother or sister in their early 20s and they'll say, can I borrow your ID? Because I want to create an Instagram account or whatever it may be.
Yeah, but maybe they'll do only one account per ID.
Yeah, could be. Maybe. I think there'd just be a flourishing black market for fake ID. I mean, it's not as though kids haven't got fake ID before to pretend to be older than they really are. Yeah.
Very common over here, yes. It's one of these things where it's kind of mice holding a vote to say, yes, make sure the cat has a bell around its neck. Now, how do we do it? We haven't worked that one out yet. It just seems like one of those, it looks like a PR stunt. And there's also, I don't know if you're going to go onto this, Carole, but the curfew aspect.
Oh, yeah, yeah. So that's the other one as part of SB 152 is that basically parents have to allow a kid if they want to do any social media between 10:30 p.m. and 6:30 a.m., when Governor Cox thinks you probably should be in bed.
Oh, so you'll have to get your parents' permission to be on social media in the hours of darkness when all the satanic stuff happens on social media because, of course, nothing bad happens during the day. It's only up to 10 o'clock at night. Although I suppose it's more being done for them to get some sleep, is that the thought?
Yeah, but the bills are signed now. Of course, lots can happen between a bill signing and the actualization of the law, which is, you know, again March 1st next year. And there's no surprise that privacy advocates are pointing out the identity verification rules take away rights to use the services anonymously because you have to verify every user agent. I don't know. Do you think we should have a right to be legally anonymous on social media?
It's a difficult one. I think it'd be terrible to lose anonymity on the internet. There's lots of good stuff and resources people can use, people who have a very legitimate reason to remain private.
On social media sites as well, eh? I think so. This is one of the things I liked about Twitter's verified accounts because they were at least somewhat verified. But I'm with Graham on this one, there is a need for anonymity, even just a desire for anonymity. This is what interests me about this is why is this guy actually doing this? It doesn't feel to me like he's actually going to come up with the answers as to how this will be implemented. It feels to me like he's saying, look, I'm going to do this first of all because it's good for my image. Because the parents who are going to vote for me, hopefully, will be supportive of what I'm saying here is that social media is corrupting our kids, etc, etc. I'm being tough on it. He says he's going to work with them. But I think he's going to be asking them to come up with a solution.
And if they can't, what's going to happen? They're going to get fined or there's going to be some form of action against them, isn't there?
Tell me about the second bill. I want to know if you think it's a sweetener for kids. OK. Second bill, HB 311 requires social media companies to ensure that they are not designed to cause minors to become addicted to them. And it gives Utah minors the right to sue social media companies if they believe they've become addicted or otherwise somehow harmed by a social media platform they have an account on.
Well, this one I'm right behind. I love the idea of all these teenagers now suing the social media companies. Oh, well, I've become addicted to this TikTok nonsense. Yeah. It's going to cripple the social media companies if that's allowed, isn't it?
Well, I mean, the guy from us, Thom Claburn, who covered this for The Reg, he had a lovely line here. When it comes to suing, it's whether letting parents sue social media platforms for ostensibly addicting their kids will improve adolescent mental health or maybe these serve as a college funding option remains to be seen. Keep tapping, Alice. We need 40 more instances of harm to cover your next four years at school. Fantastic. But I mean, also, it's going to be easy enough to prove because the whole point of social media design is to pull you in and make you use more and more and more. That's built into the fundamental essence of the platforms.
Well, understandably, then, maybe they're saying, hey, you better take this seriously. Otherwise, we're going to prohibit kids from using it without parents saying, OK. And they're not alone, right? This is not the only state. Utah is the first one to pass it. But Arkansas legislation is looking to introduce a similar bill that would require social media networks to verify users' ages and obtain explicit parental consent for people under 18. There's one in Texas that's even more stringent. It would ban social media accounts for minors, period.
I've got a question. So they're doing this, right? So parents have to give the kids permission. When are we going to start implementing a system whereby the grown-up parents, the grandparents, have to ask permission, maybe from the kids, maybe from their own children, in order to go on social media? Shouldn't we have some more policing regarding the rest of us? Why aren't we all being protected? You just want some of that sweet Facebook cash, don't you? There's a lot of people who shouldn't be on social media who are reading all that nonsense all the time and could do with taking a break.
I agree Graham, I agree.
Why did you say Graham there Graham? Was that pointed? No but yes but no.
This episode is sponsored by hCaptcha. Are cyber threats negatively impacting your business? Unleash powerful fraud protection for your online properties with hCAPTCHA Enterprise, the leading security ML platform. hCAPTCHA adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Whether your bad actors are human or automated, hCAPTCHA Private Learning is the solution. Easily combine your pre-blinded data with hCAPTCHA's thousands of signals to rapidly find fraud and abuse in real time. hCAPTCHA's privacy-focused design works in every country, giving you worry-free compliance. Visit smashingsecurity.com slash hCAPTCHA, that's H-C-A-P-T-C-H-A, to get started with a free trial today. And thanks to hCAPTCHA for sponsoring the show. Our friends at Bitwarden have been busy this month adding some fab new features to their open source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password? smashing. Our sponsor Kolide has some big news.
And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses to say, could be a funny story, a book, that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related, necessarily. Better not be. Well, two weeks ago, I took you on a trip to Bollywood, and I told you how wonderful a movie from 50 years ago, nearly 50 years ago, Sholay is. Now, I'm not going back as far in time this time. I'm going back to last year. One of the most expensive Indian films ever made. According to The Guardian, one of the best films from any country, which was produced last year. So it's in their top 10 films of the year. And it's called? It is called. Well, I'm not sure what it's called. Oh. I can tell you because I don't know how to say it. It's three letters. It's R-R-R. So is that R? Is it R-R-R? Or is it triple R? I don't know.
I can't help you. Sorry.
But it's the letters RRR, and it is a fantastic action movie. It is set, it's an epic saga set in pre-independent India.
The plot seems pretty straightforward though, no? Even sometimes the simplest plots are the best.
That's true, that's true. These two guys start off as enemies, then become the very best of friends. And then become mortal enemies again. There's a lot of twists along the way. I don't want to give it away because this movie lasts three hours.
Did you stay awake for the whole thing? It's another long movie. I stayed awake and there was even CGI. I even stayed awake during the enormous amount of CGI because there's tigers and animals and crazy action scenes. Best thing is theregister.com for our general stuff. And for at least the next week, I'll be on Twitter. That's Iain Thomson. Well, they're taking away my blue verified tag on April 1st. So I'm just kind of like, should I really still be supporting this site? I don't know, it's all going a bit Pete Tong, to be honest.
I'm pleased they're taking away my verified tag. I don't want them mixing me up with the people who are paying for the verified badge. The mouth breathers. And you can follow us on Twitter at Smash Insecurity. No G, nor any verified tick. Twitter wouldn't ask to have a G. Smash Insecurity also has a Mastodon account. Find it at smashinsecurity.com slash Mastodon. And don't forget to ensure you never miss another episode. Follow Smash Insecurity in your favourite podcast apps, such as Spotify, Apple Podcasts, and Overcast.
And big, massive shout out to this episode's sponsors, Bitwarden, Kolide, and hCaptcha. And of course, to our wonderful Patreon community. It's thanks to you all that this show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 314 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye-bye. Goodbye.
You know, Iain, you know you said that going Pete Tong? Yeah. Yeah, so Pete Tong, he's a DJ in the UK for those days, right? What, in the 80s?
He was 90s, still going. I saw him when he was over here last.
My, I don't know what I call it, aunt-in-law? I don't know. She dated him. Really? Yes. Oh, wow. She was his hottie for a bit when she was younger.
That's a celebrity shag you can boast about.
That's pretty close, I've got to say.
I had a girlfriend who the previous person she shagged before me was – I know, I've forgotten his name.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Iain Thomson – @iainthomson
Episode links:
- Tweet by Euler Finance confirming security breach – Twitter.
- Euler Finance to Offer $1M Reward as It Reels From Nearly $200M Exploit – Coindesk.
- Hackers stole over $500m in cryptocurrency in record-making heist, Ronin says – The Guardian.
- Hacker Behind $200M Euler Attack Apologizes, Returns Millions in Ether, Dai to Protocol – Coindesk.
- President Biden kind of mostly bans commercial spyware from US govt – The Register.
- Utah Law Could Curb Use of TikTok and Instagram by Children and Teens – New York Times.
- Utah’s social media for kids law could be coming to a state near you – Vox.
- Utah Governor Spencer Cox signs a landmark social media bill – YouTube.
- RRR – Netflix.
- RRR trailer – YouTube.
- RRR Naatu Naatu dance scene – YouTube.
- Best films of 2022 in the UK, No 7: RRR – The Guardian.
- He Died with a Felafel in His Hand – Wikipedia.
- Swarm – Amazon Prime.
- Night of the Lepus – Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- hCaptcha – hCaptcha Enterprise is the leading Security ML platform. hCaptcha adapts to detect and block even the most sophisticated attacks, keeping you ahead of evolving threats. Start your free trial today.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Thank you! Thank you! Thank you!!
My mom went to the hospital today and has her 1st treatment of radiation therapy for her liver cancer tomorrow and I have been beside myself worrying! I just finished listening to your podcast, episodes 315 and 314 and laughed and laughed and laughed all the while, learning new things!! I have had this respite from languishing inside my head on things beyond my control because of you and your wonderful wacky humours on your amazing podcasts!! You have a Canadian listener for as long as you will produce content!! <3
I'm really sorry to hear your mum has been poorly, but I'm pleased to hear that the podcast has been able to put a smile on your face.
All the best to your mum from everyone at Smashing Security.