Mix TikTok with facial recognition, and you’ve got a doxxing nightmare, T-Mobile users report bizarre behaviour in their accounts, and a Windows flaw provides a new means of infecting users.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I think it was Twitter I logged out of, and I got a message along the lines of, thanks for logging out. You can log back in again later if you like.
And I'm just going, I would never have known if you hadn't told me. You made me create an account. It took quite a while. I got to think up a password and give you my phone number.
Not anymore. They don't do phone numbers, but, you know, for two-factor authentication.
I would never have occurred to me that because I had to log in in the first place to use the account, that I might ever want to log in again.
Smashing Security, Episode 341: Another T-Mobile Breach, Theme Bleed, and Farewell Naked Security, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 341. My name's Graham Cluley.
And I'm just going, I would never have known if you hadn't told me. You made me create an account. It took quite a while. I got to think up a password and give you my phone number.
Not anymore. They don't do phone numbers, but, you know, for two-factor authentication.
I would never have occurred to me that because I had to log in in the first place to use the account, that I might ever want to log in again.
Smashing Security, Episode 341: Another T-Mobile Breach, Theme Bleed, and Farewell Naked Security, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 341. My name's Graham Cluley.
And I'm Carole Theriault.
And Carole, this week we're joined by a blast from the past, someone who's been on the podcast since some of its very earliest episodes and someone we've both worked with for many, many years.
Mr. Paul Ducklin. Hi, Duck.
Hello, folks. Thanks for having me.
Of course.
Strange circumstances, I must admit.
But what are these strange circumstances you refer to? Enlighten our listeners.
What's going on, Duck?
Well, unfortunately, on the very day we're recording, visitors who know me with my Naked Security persona, who visit nakedsecurity.sophos.com, will notice that the site's being archived to the Sophos news site.
And I'm— I hope I don't tear up now. I think I'll be all right. And I'm leaving the company at the end of this very week.
And I'm— I hope I don't tear up now. I think I'll be all right. And I'm leaving the company at the end of this very week.
Crikey.
So it's sort of the end of one era. But as my wife said, actually, it's the beginning of the next great adventure.
And you've been there quite a long time at Sophos, haven't you?
Yes, I was hoping to make 30 years, but I didn't quite get there. 28.5.
Wow. 28 years. Graham, you and I did a long time. How long did you do there?
I think I did about 13 or 14 years, which is nothing compared to Duck, is it?
I did 15. So yeah, I'm half Duck. So you're twice as good. We sound like ex-cons.
Disgusting.
Well, well, pretty much.
Yeah, that's pretty much it.
Yeah, you'll understand. You're just still in shock. Just give it a bit of time. But before we kick off, let's thank this week's wonderful sponsors: Gigamon, Kolide, and Dorata.
It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
It's their support that helps us give you this show for free. Now, coming up in today's show, Graham, what do you got?
I'm going to be discussing how sometimes being hacked can actually look better than the alternative.
Okay, and what about you, Duck?
I am going to be talking about theme bleed, as it was perhaps slightly inaccurately called. And there are lots of lessons we can learn.
Mm-hmm.
And I have a warning for all those who brunch with besties. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums.
Last week, users of the T-Mobile mobile app— that's not me stuttering there— the T-Mobile mobile app for T-Mobile, they started complaining online about something they're experiencing.
So they're going into their mobile phone app to check their account details.
And when they did that, they found they weren't actually accessing their own bills and their own account information. They could see other people's details instead.
Last week, users of the T-Mobile mobile app— that's not me stuttering there— the T-Mobile mobile app for T-Mobile, they started complaining online about something they're experiencing.
So they're going into their mobile phone app to check their account details.
And when they did that, they found they weren't actually accessing their own bills and their own account information. They could see other people's details instead.
You're kidding.
Oh dear.
So what? So I could go in and I'd be looking for my stuff to make sure I have enough data for the train or something. And I can see Duck's, Duck's bill.
Potentially, it may have been Duck. Or whoever. Yeah.
So you could see other people's names, their home addresses, their credit balance, their contact numbers, their device IDs, their credit card information.
So you could see other people's names, their home addresses, their credit balance, their contact numbers, their device IDs, their credit card information.
Wow. Did that include expiry and stuff?
I'm not sure if it did. I'm not sure if it included all of that. And maybe some of it was redacted as well, I'm not sure.
But certainly, it wouldn't make you feel very comfortable about how well T-Mobile was looking after your own data, of course, because if they're showing you other people's, the next logical thing you should be thinking is, could it be that my data is also being shown to other people?
But certainly, it wouldn't make you feel very comfortable about how well T-Mobile was looking after your own data, of course, because if they're showing you other people's, the next logical thing you should be thinking is, could it be that my data is also being shown to other people?
Right.
I think, Graham, you'd be more likely to think, what's the chance that my data isn't being shown to people?
Right. Right.
In a way that I can't predict.
Yeah.
So people were posting up on this on Twitter, for instance, you know, with screenshots of people's account information saying, whoa, why am I seeing this? My name's not Claudia.
They were saying, well, yeah, they didn't have all of the sensitive information there, but enough to show that it wasn't them.
Or Android users were showing information suggesting that they had iPhones connected to their account.
They were saying, well, yeah, they didn't have all of the sensitive information there, but enough to show that it wasn't them.
Or Android users were showing information suggesting that they had iPhones connected to their account.
Oh, that would cause a ruction, wouldn't it? That's almost worse than people knowing your home address. If you're an Android fan and they think you've gone to the dark side, oh dear.
So T-Mobile, they were replying to some of these users on social media. They're saying, well, thank you. Thank you for reaching out with your question about your account security.
Could you send us a DM? We want to ensure your privacy and we'll look at your account and address all of your concerns, they were saying.
But yeah, so some users, some T-Mobile users, they believed when they saw this other information, they thought, whoa, whoa, whoa. Am I a victim of some kind of hack?
Has someone broken into my account, put their details in? Is someone else offering to pay my mobile phone bill each month? Exactly. This must be some kind of scam. Yeah.
T-Mobile support though, they responded and they said to the media that it was actually, it was all the fault. There wasn't a data breach, they said. It wasn't a data breach.
This was the fault apparently of what they called a technology update, not necessarily a technology update which you actually want.
So they said there's no cyberattack or breach at T-Mobile.
Could you send us a DM? We want to ensure your privacy and we'll look at your account and address all of your concerns, they were saying.
But yeah, so some users, some T-Mobile users, they believed when they saw this other information, they thought, whoa, whoa, whoa. Am I a victim of some kind of hack?
Has someone broken into my account, put their details in? Is someone else offering to pay my mobile phone bill each month? Exactly. This must be some kind of scam. Yeah.
T-Mobile support though, they responded and they said to the media that it was actually, it was all the fault. There wasn't a data breach, they said. It wasn't a data breach.
This was the fault apparently of what they called a technology update, not necessarily a technology update which you actually want.
So they said there's no cyberattack or breach at T-Mobile.
Now, we don't have to report this to anybody. Don't worry.
My view is, and I'd be interested in you two, your opinion as well. Is this a breach or not? Because I think it is a breach.
Well, if someone screws up basically in the coding.
If someone's data is leaked. It may not be the work of a hacker, but surely that is a breach, isn't it, Duck?
Well, it's certainly a data leak, and that's covered by things like GDPR and privacy regulations.
If I log into my account, I should see information that I expect to see and I shouldn't be allowed to see, or it shouldn't be possible for me to see other personally identifiable information for other people.
I suppose to try and see it from T-Mobile's side, maybe they're thinking when we say breach, it means that someone steamed in and uploaded gigabytes or petabytes of stuff.
So I think—
If I log into my account, I should see information that I expect to see and I shouldn't be allowed to see, or it shouldn't be possible for me to see other personally identifiable information for other people.
I suppose to try and see it from T-Mobile's side, maybe they're thinking when we say breach, it means that someone steamed in and uploaded gigabytes or petabytes of stuff.
So I think—
Or downloaded and held it for ransom.
Yeah, whatever it is. But I think the difference between a data breach and a data leak, I think that's a little bit of a semantic game.
It's definitely a privacy breach. Yes, I would say someone's privacy has been breached.
For the customer, it is, of course, 100%.
And the weird thing is that in a case like this, it's very difficult to discover what the scale is, isn't it?
If you know the crooks have been in and they've got absolutely everything, then you can basically fall on your sword and say, look, as far as we can tell, they stole 62 gigabytes and it affected 14.5% of our user base, and we will contact each and every one of those people to tell them what to do next.
But when you know that X could have seen Y's data, and quite a lot of Xs saw quite a lot of Ys, how do you know just how much leakage there was?
And how do you decide how controllable it was by the person who's viewing it? So, you know, Graham, you log in, you see Carole's data, and you think, wow, that's bad.
But if you're more of a sort of Axel type who thinks, wow, something's gone wrong, let me see if I keep logging in, will I get more and more and more? Can I automate this?
Can I scrape data?
If you know the crooks have been in and they've got absolutely everything, then you can basically fall on your sword and say, look, as far as we can tell, they stole 62 gigabytes and it affected 14.5% of our user base, and we will contact each and every one of those people to tell them what to do next.
But when you know that X could have seen Y's data, and quite a lot of Xs saw quite a lot of Ys, how do you know just how much leakage there was?
And how do you decide how controllable it was by the person who's viewing it? So, you know, Graham, you log in, you see Carole's data, and you think, wow, that's bad.
But if you're more of a sort of Axel type who thinks, wow, something's gone wrong, let me see if I keep logging in, will I get more and more and more? Can I automate this?
Can I scrape data?
Right.
Very hard to say. Who saw what?
So T-Mobile did try and clarify a little bit about the scale of this.
They said it was a temporary system glitch related to a planned overnight technology update involving limited account information. And they said for fewer than 100 customers.
And they said we quickly resolved it.
They said it was a temporary system glitch related to a planned overnight technology update involving limited account information. And they said for fewer than 100 customers.
And they said we quickly resolved it.
Oh, so they think they got the lid on it.
That's certainly their message. Yeah.
They think they got the lid on it. They think they did it fairly quickly. They say fewer than 100 customers.
Now, from what I've seen online, it's not fewer than 100 customers who saw other people's information.
It was, according to T-Mobile, fewer than 100 customers who had their information exposed to God knows how many people.
Now, from what I've seen online, it's not fewer than 100 customers who saw other people's information.
It was, according to T-Mobile, fewer than 100 customers who had their information exposed to God knows how many people.
Right.
And some people did say, I logged in every 15 minutes and I was getting different people's information each time when I was logging in.
So I don't know if they would have cycled through 100.
But, you know, again, I think it feels to me T-Mobile are trying to downplay this a little bit, saying, well, not, you know, okay, not a cyberattack. I get that.
It does feel to me it is a breach to my mind.
So I don't know if they would have cycled through 100.
But, you know, again, I think it feels to me T-Mobile are trying to downplay this a little bit, saying, well, not, you know, okay, not a cyberattack. I get that.
It does feel to me it is a breach to my mind.
But credit card details were involved.
Come on.
And people's addresses and their names and, you know, whether they've got an Android or an iPhone, which is, as Duck has explained, is a dangerous thing to know about somebody.
One person on Reddit, they said it wasn't a breach, it was a data exposure due to sheer incompetence. And I think in some ways, this is actually worse than a breach.
Okay, maybe less people have been affected. No, it's not.
And people's addresses and their names and, you know, whether they've got an Android or an iPhone, which is, as Duck has explained, is a dangerous thing to know about somebody.
One person on Reddit, they said it wasn't a breach, it was a data exposure due to sheer incompetence. And I think in some ways, this is actually worse than a breach.
Okay, maybe less people have been affected. No, it's not.
What?
No.
No.
But don't you think? Don't you think?
No, I think it's bad. It's better that they got a lid on it and it wasn't a third party that infiltrated and stole all the data and then is holding it for ransom.
As far as a customer perspective, it still sucks that somebody saw my data and that I don't know who and I don't know how many.
As far as a customer perspective, it still sucks that somebody saw my data and that I don't know who and I don't know how many.
But how could something this happen?
Well, you can imagine lots of different ways, can't you?
At least it doesn't sound what do they call it, an IDOR, or was it insecure direct object reference where there's /55 in the URL and when you put 56, you get the next customer and 57 and 58, 'cause then I bet you somebody would've scraped as much as they could.
But it does sound as though some kind of database index in the backend got corrupted so that Graham Cluley's account pointed at Carole Theriault's account or whatever.
At least it doesn't sound what do they call it, an IDOR, or was it insecure direct object reference where there's /55 in the URL and when you put 56, you get the next customer and 57 and 58, 'cause then I bet you somebody would've scraped as much as they could.
But it does sound as though some kind of database index in the backend got corrupted so that Graham Cluley's account pointed at Carole Theriault's account or whatever.
Yeah, the thing is though, you understand, Duck, is that Graham never screws up, right? So it's unfathomable to him that this could happen anywhere.
It's obviously just sheer incompetence.
It's obviously just sheer incompetence.
I also wonder how long this problem was present for because some people on Reddit were claiming, "Well, I've been seeing this for over two weeks."
And I've said nothing?
Oh, well, no, they say, "I told T-Mobile security team, but didn't get a response." And I was interested in that.
I thought, "Well, hang on, what's going on in T-Mobile security team?" So I did a little bit of searching.
In middle of August, T-Mobile announced it was laying off 5,000 members of staff, mostly working in corporate back office and technology roles.
So I wonder, is this why a bug like this managed to creep out there and was rolled out in this, quote, technology update?
I thought, "Well, hang on, what's going on in T-Mobile security team?" So I did a little bit of searching.
In middle of August, T-Mobile announced it was laying off 5,000 members of staff, mostly working in corporate back office and technology roles.
So I wonder, is this why a bug like this managed to creep out there and was rolled out in this, quote, technology update?
Hard to say.
Some people actually, when the layoffs were announced, if you look back on some of those reports in mid-August, there were cynical journalists who said, "Well, I wonder if there are going to be more data breaches which follow because T-Mobile does have something of a poor history when it comes to securing data."
Some people actually, when the layoffs were announced, if you look back on some of those reports in mid-August, there were cynical journalists who said, "Well, I wonder if there are going to be more data breaches which follow because T-Mobile does have something of a poor history when it comes to securing data."
Did you say cynical journalists?
Yes, because I know it's—
It's a sort of tautology.
It's like military intelligence. It's the same kind of thing.
Cynical or not, it is a good question. Like, will it have an effect? And I guess you'll never know, right?
You don't know for certain, but it certainly didn't help them in this occasion, did it? I've been writing since 2018 about T-Mobile data breaches.
Smashing Security, where hackers have stolen millions of customer details, names, phone numbers, billing addresses. It's happened in 2018, happened in 2019.
They stole employees' information and their emails and their customer account information in 2020, in 2021.
Smashing Security, where hackers have stolen millions of customer details, names, phone numbers, billing addresses. It's happened in 2018, happened in 2019.
They stole employees' information and their emails and their customer account information in 2020, in 2021.
Are you a preferred customer of theirs or?
No. There was, there've been a couple of instances this year as well, actually. They exploited a weakness in the API. They stole 37 million T-Mobile customer details in January.
In April, and now this, now T-Mobile wants to set the record straight on this one.
In April, and now this, now T-Mobile wants to set the record straight on this one.
In April, there were stories that T-Mobile had suffered another hack involving employee details and names and Social Security numbers.
And T-Mobile came out quite loudly and said, "Nothing to do with us.
It's actually a third party called Connectivity Source." And it was their customers and their employees who've had their names and socials and all that kind of detail stolen.
Now, I went to Connectivity Source's website to find out more about them.
And T-Mobile came out quite loudly and said, "Nothing to do with us.
It's actually a third party called Connectivity Source." And it was their customers and their employees who've had their names and socials and all that kind of detail stolen.
Now, I went to Connectivity Source's website to find out more about them.
And if you go to Connectivity Source, either on Twitter or on their website, try and tell me that they're not T-Mobile because all they've got are photographs of T-Mobile stores and staff wearing T-Mobile shirts.
If you did business with Connectivity Source, you would think you were dealing with T-Mobile.
So yes, maybe it technically wasn't T-Mobile who was breached in that case, but I think many of their customers may have imagined the company was actually T-Mobile.
If you did business with Connectivity Source, you would think you were dealing with T-Mobile.
So yes, maybe it technically wasn't T-Mobile who was breached in that case, but I think many of their customers may have imagined the company was actually T-Mobile.
So maybe if you're a T-Mobile user, you want to look at your Ts and Cs, you know?
Well, maybe, maybe do a bit more than that.
Maybe.
And you certainly want to keep a closer eye than ever on your bank statements, just in case.
You should always review them so you can complain whether you get money going out or coming in that you didn't expect.
But if you think you're at potentially higher risk than usual, just make sure that if you see something, you say something, because the sooner you point it out, the more quickly it will be sorted.
You should always review them so you can complain whether you get money going out or coming in that you didn't expect.
But if you think you're at potentially higher risk than usual, just make sure that if you see something, you say something, because the sooner you point it out, the more quickly it will be sorted.
Well, I think they've got a bad track record when it comes to data breaches.
And that wasn't clear at all in your commentary.
Well, but you know, also how many incidents don't we know about?
How many times has this sort of thing happened and it hasn't been made public, or maybe even T-Mobile itself doesn't know about it?
If it's happening with this regularity, you have to say to yourself, well, you know, am I sensible being a T-Mobile customer? Would I be wiser to go elsewhere?
How many times has this sort of thing happened and it hasn't been made public, or maybe even T-Mobile itself doesn't know about it?
If it's happening with this regularity, you have to say to yourself, well, you know, am I sensible being a T-Mobile customer? Would I be wiser to go elsewhere?
Will T-Mobile be sponsoring the next podcast?
Yes, most likely not. Duck, what have you got for us this week?
Well, as I said at the top of the show, ThemeBleed, which is the latest Wayne bug with an impressive name, you know, where someone decides instead of just calling it CVE-long string of digits that no one ever remembers, let's give it a fancy name.
Now, I'll start by saying it probably wasn't a great choice of name because when you say something, something, something bleed, everyone thinks of Heartbleed, which is that infamous bug from what, 2014, I think it was, where OpenSSL leaked data.
And so I like to reserve that word bleed for bugs where you can't really control it.
It's just that data comes out in the wash, and if you milk that leaking data systematically enough, eventually you end up with a giant bucket full of stuff that you can milk for potential secrets.
Now, this is a little bit different because it relates to a specific vulnerability that fortunately Microsoft patched this Patch Tuesday, and it goes around Windows theme files.
Now, I'll start by saying it probably wasn't a great choice of name because when you say something, something, something bleed, everyone thinks of Heartbleed, which is that infamous bug from what, 2014, I think it was, where OpenSSL leaked data.
And so I like to reserve that word bleed for bugs where you can't really control it.
It's just that data comes out in the wash, and if you milk that leaking data systematically enough, eventually you end up with a giant bucket full of stuff that you can milk for potential secrets.
Now, this is a little bit different because it relates to a specific vulnerability that fortunately Microsoft patched this Patch Tuesday, and it goes around Windows theme files.
What is a Windows theme? Does that affect how Windows looks on your computer?
Yes. So it says, I want this particular backdrop, I want this sort of color contrast, I want buttons to look like that.
So, you know, it's the kind of thing that if you're a Linux user where these things are more flexible and more competitive, if you like, there's a whole world of themes out there, ones where the contrast is so terrible that only hardcore hackers can read, you know, brown text on a black background because why make life easy?
All of that sort of stuff.
And I guess Microsoft puts a lot of effort into making its own themes look quite neat, but even on a default Windows 11, you can go in and you can say, well, I want to re-theme my computer.
So instead of everything looking bright and high contrast, I want it a slightly darker theme, or I want lower contrast or whatever.
And these themes are controlled by files that imaginatively have the extension .theme. Theme, right? Right.
And if you go to the right place on Windows, you can just search for a file called Aero, Aero.theme.
And if you open it up, not by double-clicking on it, but say open it in Notepad, you'll be amazed to find, and you'll love this, Graham, from your early days as a Windows programmer, it's a good old .ini file.
So, you know, it's the kind of thing that if you're a Linux user where these things are more flexible and more competitive, if you like, there's a whole world of themes out there, ones where the contrast is so terrible that only hardcore hackers can read, you know, brown text on a black background because why make life easy?
All of that sort of stuff.
And I guess Microsoft puts a lot of effort into making its own themes look quite neat, but even on a default Windows 11, you can go in and you can say, well, I want to re-theme my computer.
So instead of everything looking bright and high contrast, I want it a slightly darker theme, or I want lower contrast or whatever.
And these themes are controlled by files that imaginatively have the extension .theme. Theme, right? Right.
And if you go to the right place on Windows, you can just search for a file called Aero, Aero.theme.
And if you open it up, not by double-clicking on it, but say open it in Notepad, you'll be amazed to find, and you'll love this, Graham, from your early days as a Windows programmer, it's a good old .ini file.
Oh, lovely.
Yeah. You know, square bracket, section name, load of settings like color equals 3, background equals 2. Path equals whatever.
And so you think it's just a text file, it should be mostly harmless.
And the idea is that that theme file, which is just text, so it can't execute, it's not a script, can contain a line that says path equals, and then it gives a file reference to, if you like, the secondary part of the theme.
And so you think it's just a text file, it should be mostly harmless.
And the idea is that that theme file, which is just text, so it can't execute, it's not a script, can contain a line that says path equals, and then it gives a file reference to, if you like, the secondary part of the theme.
Right.
Which is a file format called amazingly.exe. MSStyles. I think it's Harry's brother, or maybe it's his cousin, I'm not sure. Arf, arf. Sorry.
And so MSStyles files, weirdly, well, not weird, it's not weird what they contain.
They contain things like Windows resources, text strings for localization, little buttons and, you know, all the widgets and gadgets and smidgets that you need to theme the appearance of the computer.
And you think, well, maybe they'll put it in a zip file or maybe they'll put it in an MSI file or some kind of well-known archive.
Amazingly, these MSSTYLES files are stored as Windows executables, so-called PE or portable executable files, but files that have no executable code in them, which is really weird, but obviously, it is weird.
And so MSStyles files, weirdly, well, not weird, it's not weird what they contain.
They contain things like Windows resources, text strings for localization, little buttons and, you know, all the widgets and gadgets and smidgets that you need to theme the appearance of the computer.
And you think, well, maybe they'll put it in a zip file or maybe they'll put it in an MSI file or some kind of well-known archive.
Amazingly, these MSSTYLES files are stored as Windows executables, so-called PE or portable executable files, but files that have no executable code in them, which is really weird, but obviously, it is weird.
So that means you could inject code into it and it wouldn't— it's in the right place. Is that right?
That's what I thought. That obviously that's a dumb idea. It's going to be because it's— they've chosen the executable format. That's obviously the bug.
Now, Graham, I thought weird when I heard that, but when you think about it, it's not such a crazy idea because as you remember from your Windows coding days, the nice thing about Windows executables compared to the old DOS-style ones is that you didn't just have to have executable code.
You could pack in your icons and your resources and your text strings and all that stuff.
Now, Graham, I thought weird when I heard that, but when you think about it, it's not such a crazy idea because as you remember from your Windows coding days, the nice thing about Windows executables compared to the old DOS-style ones is that you didn't just have to have executable code.
You could pack in your icons and your resources and your text strings and all that stuff.
Yes, that's true. Yes.
In separate sections. And there's no rule that says you have to have executable code in there. You just don't have an executable section.
And it's fairly easy to validate that a program doesn't have an executable section.
And so it means that that file can then be processed with normal Windows processing functions to get out things like resources, string names, buttons, bits of bitmaps, all of that sort of stuff.
And of course, because it's a Windows executable file, it can be digitally signed using the same technology and checked with the same API calls that a program would.
So actually, amazingly, the bug wasn't caused by the fact that this style file is a thinly disguised executable.
It's caused by a secret feature that a researcher called Gabe_K discovered when he was decompiling the theme processing part of the Windows operating system.
He discovered that when it's reading this file, one of the things it asks the file for is, what's your version number?
And, you know, themes haven't evolved much, it seems, in Windows, even on Windows 11. The version number you'd expect today is 4.
So I presume it started at 1 and it's gone up exactly 3 times. Great.
But in the code, there was this weird bit that said, if the version number is 999, which coincidentally is the UK emergency telephone call number for our overseas listeners, then hey, do this special thing.
And this special thing is run off, find a DLL with a weird name. It's _vrf.dll. I've no idea what it stands for.
Maybe it's version revision function or version revitalization feature. Who knows?
So by poking this weird undocumented secret version 999 into this executable file that isn't an executable file, you trick the system into going and fetching a DLL and running it, presumably so that you can, as an emergency way of handling new file types before they're built into the operating system, fully or something.
Now—
And it's fairly easy to validate that a program doesn't have an executable section.
And so it means that that file can then be processed with normal Windows processing functions to get out things like resources, string names, buttons, bits of bitmaps, all of that sort of stuff.
And of course, because it's a Windows executable file, it can be digitally signed using the same technology and checked with the same API calls that a program would.
So actually, amazingly, the bug wasn't caused by the fact that this style file is a thinly disguised executable.
It's caused by a secret feature that a researcher called Gabe_K discovered when he was decompiling the theme processing part of the Windows operating system.
He discovered that when it's reading this file, one of the things it asks the file for is, what's your version number?
And, you know, themes haven't evolved much, it seems, in Windows, even on Windows 11. The version number you'd expect today is 4.
So I presume it started at 1 and it's gone up exactly 3 times. Great.
But in the code, there was this weird bit that said, if the version number is 999, which coincidentally is the UK emergency telephone call number for our overseas listeners, then hey, do this special thing.
And this special thing is run off, find a DLL with a weird name. It's _vrf.dll. I've no idea what it stands for.
Maybe it's version revision function or version revitalization feature. Who knows?
So by poking this weird undocumented secret version 999 into this executable file that isn't an executable file, you trick the system into going and fetching a DLL and running it, presumably so that you can, as an emergency way of handling new file types before they're built into the operating system, fully or something.
Now—
It sounds like something a programmer built in for their own purposes, maybe.
It does, oh golly, we might need this, so let's just keep 999 up our sleeve for when the emergency call comes in.
Now, the good news is, of course, the programmers didn't go, okay, we require that the style file gets digitally signed, but we'll let you feed it any DLL.
So the DLL, when it comes back, is checked for a valid Microsoft digital signature. But it has what is known in the jargon, it's one of my favorite names for a bug.
It sounds like a character out of Tintin comic or something. It's called ToCToU, which is time of check to time of use. Basically, the code goes like this.
Open the file, read in the DLL, verify its digital signature, close the file, then load the file. And there's many a slip 'twixt the cup and the lip.
Because it turns out you can actually put the path name to be somewhere remote so that when Windows calls home to get the file, if the attacker controls the server that's serving up the file, they can determine, ah, it's the first time they're asking for the magic DLL.
Let's feed them a Microsoft-signed file. You can actually, it seems, just feed back a style file, even though it doesn't have executable code in, it's got a valid signature.
And then immediately afterwards, you see a second call coming in saying, hey, send me the file again. And guess what? You just feed it whatever you want.
You feed it a rogue DLL and poof, pwned.
Now, the good news is, of course, the programmers didn't go, okay, we require that the style file gets digitally signed, but we'll let you feed it any DLL.
So the DLL, when it comes back, is checked for a valid Microsoft digital signature. But it has what is known in the jargon, it's one of my favorite names for a bug.
It sounds like a character out of Tintin comic or something. It's called ToCToU, which is time of check to time of use. Basically, the code goes like this.
Open the file, read in the DLL, verify its digital signature, close the file, then load the file. And there's many a slip 'twixt the cup and the lip.
Because it turns out you can actually put the path name to be somewhere remote so that when Windows calls home to get the file, if the attacker controls the server that's serving up the file, they can determine, ah, it's the first time they're asking for the magic DLL.
Let's feed them a Microsoft-signed file. You can actually, it seems, just feed back a style file, even though it doesn't have executable code in, it's got a valid signature.
And then immediately afterwards, you see a second call coming in saying, hey, send me the file again. And guess what? You just feed it whatever you want.
You feed it a rogue DLL and poof, pwned.
That's very sneaky.
So it's a tremendous warning not to embed hidden features in your code, because while I understand the need for it sometimes, it's the kind of thing that, oh, if variable name equals 999, then weird extra thing.
It's the kind of thing that code reviewers go, oh, it's too hard, I don't want to ask.
It's the kind of thing that code reviewers go, oh, it's too hard, I don't want to ask.
Yeah. And I don't think it's company necessarily approved. I know many a developer that would do this just as a CYA move. Right?
You know, I'll be able to get in and jiggery-pokery about it if I have a secret route in.
You know, I'll be able to get in and jiggery-pokery about it if I have a secret route in.
Well, it wasn't supposed to be a secret route in 'cause it still checks for the digital signature.
It just didn't check in the way that if you were doing it in mainstream code, you'd probably do it because it—
It just didn't check in the way that if you were doing it in mainstream code, you'd probably do it because it—
Yeah.
So they tried to do the right thing, but maybe you're right.
It's just a coder thinking, you know what, I've got the specifications, I'm gonna do it like this, but I know what's going to happen.
It reminds me, you know, the very early days of development of the Apple Macintosh.
Apparently Steve Jobs had this religious zeal that said, you must not allow more than 100 and what was it, 128 kilobytes of RAM. I don't want this thing overheating.
I don't want too many RAM chips in there. It will never need more than 128K. And the developers just knew because the operating system was gonna be quite big, it wasn't enough.
And they secretly enabled it to be able to take up to half a megabyte, and nobody noticed except them. They kept it a secret.
And when it came out and people were complaining, oh no, there's not enough RAM, guess what? They had some headroom and it saved the day. So yeah, I guess code 999, folks.
If there's something that people want in themes or something that doesn't work, we can feed in this VRF, version revision feature.
And my advice is, even with the best will in the world, if you're a coder, don't do that. Your intentions may be entirely honorable, but is it the play Julius Caesar?
The evil that men do lives after them, the good is oft interred with their bones. And you know, that's sort of what happens, right?
It's just a coder thinking, you know what, I've got the specifications, I'm gonna do it like this, but I know what's going to happen.
It reminds me, you know, the very early days of development of the Apple Macintosh.
Apparently Steve Jobs had this religious zeal that said, you must not allow more than 100 and what was it, 128 kilobytes of RAM. I don't want this thing overheating.
I don't want too many RAM chips in there. It will never need more than 128K. And the developers just knew because the operating system was gonna be quite big, it wasn't enough.
And they secretly enabled it to be able to take up to half a megabyte, and nobody noticed except them. They kept it a secret.
And when it came out and people were complaining, oh no, there's not enough RAM, guess what? They had some headroom and it saved the day. So yeah, I guess code 999, folks.
If there's something that people want in themes or something that doesn't work, we can feed in this VRF, version revision feature.
And my advice is, even with the best will in the world, if you're a coder, don't do that. Your intentions may be entirely honorable, but is it the play Julius Caesar?
The evil that men do lives after them, the good is oft interred with their bones. And you know, that's sort of what happens, right?
There's a lot of Shakespeare. There's a lot of Shakespeare today.
Is there?
Maybe you should head to drama. Maybe that could be your new foray.
We're doing a lot of Shakespeare. What was the other Shakespeare we had?
Wasn't there many's a slip between the— I can't remember what it was. There was a bit. There was something dramatic.
Yeah, it's not a Shakespeare quote if you don't actually say, "as Shakespeare said," then it's just talking.
Krow, what's your story for us this week?
Okay, so imagine that the three of us are at a little eatery, maybe in Oxford town.
It's a city, don't call it a town, people get annoyed and then you have to listen to them for hours about it.
And we're having a little chat about the good old days working together. And casually, as I stir my flat white, I mention—
I presume you're gonna bleep out that name, are you?
Of course I'm gonna do all the bleeping.
Okay, all right, okay, yes.
And I say, "God, do you remember that guy?" Do you guys remember that?
Yeah, I remember.
Well, you don't have to say his name very often.
Okay. You don't wanna bleep out?
No, no.
Okay.
Do you remember that guy? Do you remember that guy? And you guys might go—
Oh, is that a prompt? Oh, is this, are we role-playing here?
If we could, it'd be nice.
The pathological liar. That guy.
Okay, maybe that could be a word, but just, and perhaps we'd natter about this for a few minutes, right? And Duck would make us double over with laughter with the kind of improv.
Yeah, he's enjoying the conversation so far about—
Yeah, he's enjoying the conversation so far about—
I don't know how this works. So I'm just listening to you guys. It's fascinating because it's going to burst into a sort of cybersecurity bubble in a minute.
To be honest, I'm actually imagining that Carole's sitting there and has got the flat white, which means I've probably got, if we're at the right coffee shop, my favorite place in Oxford to get an Americano, and I'm just enjoying it.
To be honest, I'm actually imagining that Carole's sitting there and has got the flat white, which means I've probably got, if we're at the right coffee shop, my favorite place in Oxford to get an Americano, and I'm just enjoying it.
I've got a sparkling water.
Not a cranberry juice anymore, Graham? Have you grown up now?
No, no, no. Too many calories. Yeah.
Really?
You know, we move on to new topics, you know, having our little separate drinks, right?
Having satiated our appetites for remembering the not so good old days, as well as the fab ones. And, you know, that should be that.
However, unbeknownst to us, imagine that we have been gossip TikTok'd. What is that, you say? I know you're dying to know.
Having satiated our appetites for remembering the not so good old days, as well as the fab ones. And, you know, that should be that.
However, unbeknownst to us, imagine that we have been gossip TikTok'd. What is that, you say? I know you're dying to know.
What's gossip TikTok'd?
Well, in our old person parlance, right, it means someone overhears another separate group blathering away about something, figures out that they're shit slinging, and decides to film it.
What? Exposing them for gossiping about— in our situation, it would be exposing us for gossiping about a guy called—
What? Exposing them for gossiping about— in our situation, it would be exposing us for gossiping about a guy called—
Okay, so we could be sat there having a little fun chat about a former colleague or maybe a rival security podcast.
Sure.
Slagging them off left, right, and center, and someone else is recording us. And what are they going to do with this recording? They're going to put it on TikTok?
Yeah, livestream it perhaps, or just post it to TikTok.
And the idea is to alert the person they're shit talking about to let them know that they shouldn't be friends with these people.
And the idea is to alert the person they're shit talking about to let them know that they shouldn't be friends with these people.
Right. So, well, he wasn't friends with us, was he? So that's fairly easy.
Yeah, we wouldn't care probably a jot in our situation.
But this whole viral — I hate the word — but popular TikTok meme started gaining popularity according to Know Your Meme, right?
Because this TikToker posted a video in September showing a group of women at brunch badmouthing someone named Sarah.
And the TikToker reportedly explained on the video, addressing Sarah, they said that your coochie was out, you dressed sleazy.
And then the TikToker points her camera at the table where the gossiping is going on and says to the viewers, hold on, I'm about to show you exactly who's talking about you, Sarah.
And cue the amateur TikTok sleuths who digitally take flight to try and identify Sarah and warn her.
But this whole viral — I hate the word — but popular TikTok meme started gaining popularity according to Know Your Meme, right?
Because this TikToker posted a video in September showing a group of women at brunch badmouthing someone named Sarah.
And the TikToker reportedly explained on the video, addressing Sarah, they said that your coochie was out, you dressed sleazy.
And then the TikToker points her camera at the table where the gossiping is going on and says to the viewers, hold on, I'm about to show you exactly who's talking about you, Sarah.
And cue the amateur TikTok sleuths who digitally take flight to try and identify Sarah and warn her.
Right. How do they do that then?
Well, they share the message. So this video is reported to have gathered more than 15 million views in 3 days. So that's probably how they're trying to reach her.
Okay. So everyone's resharing it saying, do you know these assholes?
Kind of an exciting kind of feeding frenzy online.
Right.
And it's now known as the help me find Sarah, you know, brunch gossip TikTok. You know, hence a trend is born by people who think, well, hey, I can do that too.
Because these gossip TikToks take few skills and potentially is limitless.
Because according to Rolling Stone, these types of posts tap into every requirement TikTok's algorithm rewards. It gets shares, it gets comments, it gets bookmarks.
Because these gossip TikToks take few skills and potentially is limitless.
Because according to Rolling Stone, these types of posts tap into every requirement TikTok's algorithm rewards. It gets shares, it gets comments, it gets bookmarks.
No, but if it's livestreamed, it's got that, you know, hey, this wasn't a professional trying to game the system. This really happened.
Another example from Rolling Stone, there's a 3-minute video.
A TikToker tells her 160,000 TikTok followers that she's overheard a table of 3 bridesmaids gossiping about their wedding that they were recently in.
And the TikToker says in the video that the gossip went from tame to sinister, describing the women complaining about the bridesmaids' dresses, the wedding flowers, and how they were asked to style their hair.
And she says in the video, you know, so she kind of goads it because she goes in the video and she goes, when I tell you, if I were that friend and I knew that these girls were talking about me like this, I would throw myself into traffic, right?
This is a girl who has 160,000 followers and this was viewed more than 1.2 million times. And what seems to be concerning is the call to action afterwards, right?
So here's the story, find the person.
A TikToker tells her 160,000 TikTok followers that she's overheard a table of 3 bridesmaids gossiping about their wedding that they were recently in.
And the TikToker says in the video that the gossip went from tame to sinister, describing the women complaining about the bridesmaids' dresses, the wedding flowers, and how they were asked to style their hair.
And she says in the video, you know, so she kind of goads it because she goes in the video and she goes, when I tell you, if I were that friend and I knew that these girls were talking about me like this, I would throw myself into traffic, right?
This is a girl who has 160,000 followers and this was viewed more than 1.2 million times. And what seems to be concerning is the call to action afterwards, right?
So here's the story, find the person.
Right.
And it takes it from gossiping to almost policing.
So it's sort of in the end, what do you do? Dox the person, basically make them look bad.
And presumably if you're the kind of person who gets off on making these videos, then you kind of don't even need them to be real, do you?
You can just film people talking about something and then just claim that what they were talking about was X or Y or Z or person A, B, or C, and sort of whip up a frenzy even though the conversation may have been either mostly or wholly innocent and not necessarily even referring to the individual concerned.
And presumably if you're the kind of person who gets off on making these videos, then you kind of don't even need them to be real, do you?
You can just film people talking about something and then just claim that what they were talking about was X or Y or Z or person A, B, or C, and sort of whip up a frenzy even though the conversation may have been either mostly or wholly innocent and not necessarily even referring to the individual concerned.
Because you also hear just a snippet of it and make a whole judgment, right? You're not there for the entire call.
Yeah, there's probably quite a lot of people in, at least in the English-speaking world, called Sarah. Just got this inkling, you know what I mean?
So something like that can go an awful long way.
And with the right sort of hints in the follow-up video, you could trick people into — air quotes, giant inserted here — finding the wrong person if you wanted.
So something like that can go an awful long way.
And with the right sort of hints in the follow-up video, you could trick people into — air quotes, giant inserted here — finding the wrong person if you wanted.
Look, I know you can't assume privacy in a public place.
Yeah.
But thinking if I'm a restaurateur and I allow people to come to my restaurant, I don't see my restaurant as a public place and I wouldn't take kindly to someone eavesdropping on a fellow diner.
You know, to shame my patron. And I wonder if the actual establishment has any recourse.
And of course, what the fuck, like TikTok, do they not have any recourse for this either, to allow this to happen?
You know, to shame my patron. And I wonder if the actual establishment has any recourse.
And of course, what the fuck, like TikTok, do they not have any recourse for this either, to allow this to happen?
So Carole, you're talking about people distributing this video and they're resharing it in the hope that someone will recognize these people.
Right.
And so you're kind of relying on your followers and their followers.
And, you know, it begins to escalate into potentially thousands of people resharing it, say, does anyone recognize these guys or whatever?
But surely there's a potential here, though, as well to use technology because I was reading a story about this this week goes one step further as to what's going on on TikTok.
So there's an article by Joseph Cox.
Joseph Cox was working for Vice and he and some of his mates have left Vice and they've now set up their own organization, 404 Media, where they're doing some great reporting.
And, you know, it begins to escalate into potentially thousands of people resharing it, say, does anyone recognize these guys or whatever?
But surely there's a potential here, though, as well to use technology because I was reading a story about this this week goes one step further as to what's going on on TikTok.
So there's an article by Joseph Cox.
Joseph Cox was working for Vice and he and some of his mates have left Vice and they've now set up their own organization, 404 Media, where they're doing some great reporting.
Nice name, isn't it?
It's a great name.
Yeah.
You sent me to one of their articles recently and you get 404 and you think, oh no, and there's the article.
Yes. So they've got the logo and everything.
Yeah, so, but anyway, they've been looking at this because there are now TikTok accounts where you can actually ask them, identify the person in this video.
And what they will do is they are taking screenshots.
They're grabbing people's faces who could be in the background of videos or could be in the foreground, they're then putting those faces into sites like PimEyes, which we've spoken about before.
So PimEyes is a facial recognition database which spurts back at you people's employment, where they live.
Yeah, so, but anyway, they've been looking at this because there are now TikTok accounts where you can actually ask them, identify the person in this video.
And what they will do is they are taking screenshots.
They're grabbing people's faces who could be in the background of videos or could be in the foreground, they're then putting those faces into sites like PimEyes, which we've spoken about before.
So PimEyes is a facial recognition database which spurts back at you people's employment, where they live.
Social media accounts.
But yeah, it does all of that. And so there have been people who've been finding, you know, they just see someone they fancy in a video.
And so you could take this video you're talking about of these bridesmaids or whatever.
And rather than just, does anyone recognize them, pass them over to these TikTok accounts who are offering to do this for you using facial recognition technology.
And so you could take this video you're talking about of these bridesmaids or whatever.
And rather than just, does anyone recognize them, pass them over to these TikTok accounts who are offering to do this for you using facial recognition technology.
Sort of like crowdsourced Clearview AI.
Yeah. And TikTok isn't doing anything about this.
So these accounts that you appeal to, those are people who set themselves up as TikTokers whose hobby is finding, identifying, doxxing people.
So they don't need to be using facial recognition. They could just have a bevy of followers hoping that one of them knows them.
It doesn't matter what the technology is that finds the person. They're there acting as unpaid, let's take our revenge on society.
So they don't need to be using facial recognition. They could just have a bevy of followers hoping that one of them knows them.
It doesn't matter what the technology is that finds the person. They're there acting as unpaid, let's take our revenge on society.
It could be that. I think they're gaining most of their followers, however, by simply putting people's pictures through things like PimEyes in order to get all that information.
They then create their own video, which contains at first the original video and then has, it sort of pops up or something, the request from one of their followers.
Can you tell me who this guy is because I fancy him or something? And then up comes their social media profile and everything else and their name. And so.
They then create their own video, which contains at first the original video and then has, it sort of pops up or something, the request from one of their followers.
Can you tell me who this guy is because I fancy him or something? And then up comes their social media profile and everything else and their name. And so.
But that could happen with any picture. Right, from anybody on the street, right? You could walk around with your phone just on video and do that.
Absolutely. Absolutely.
And people are feeling violated because they think they just had an innocent conversation with someone in a, you know, there's one guy who was, who said he was on holiday in South Africa and he, you know, someone just quickly filmed a little interview with him.
Other people saw it and were intrigued as to who he was. And before he knew it, he was getting emails at his work.
And thousands of friend requests and all sorts of things, which he did not want. And he didn't want his name out there.
And people are feeling violated because they think they just had an innocent conversation with someone in a, you know, there's one guy who was, who said he was on holiday in South Africa and he, you know, someone just quickly filmed a little interview with him.
Other people saw it and were intrigued as to who he was. And before he knew it, he was getting emails at his work.
And thousands of friend requests and all sorts of things, which he did not want. And he didn't want his name out there.
Well, there was a cartoon in a recent Private Eye of the two blokes watching the Test cricket against when England were playing Australia.
And the guy sitting with a hat with, you know, proverbial, the big wide-brimmed hat with corks on strings, which is supposed to mark him as an Australian.
And he's leaning over and saying to the guy next to him, "Oh no, I'm not Australian, I'm English.
I just don't want to get recognized by my boss because I called in sick this morning." You're just figuring that in the old days, you might get on television for a moment when the camera panned around the crowd.
And the guy sitting with a hat with, you know, proverbial, the big wide-brimmed hat with corks on strings, which is supposed to mark him as an Australian.
And he's leaning over and saying to the guy next to him, "Oh no, I'm not Australian, I'm English.
I just don't want to get recognized by my boss because I called in sick this morning." You're just figuring that in the old days, you might get on television for a moment when the camera panned around the crowd.
Yeah.
Today, when you're at a sporting event and people are waving their cameras around, how often are you just getting publicized to the world? Probably several times every day.
So yeah, I don't know how you police that though.
So yeah, I don't know how you police that though.
No, and the world is kind of, in my view, quite bonkers. Can I just show you something that I found during my research just to get your take on it before we close? Right.
So it's called the egg crack challenge. Okay. And I've just put a link inside the show notes for you.
So it's called the egg crack challenge. Okay. And I've just put a link inside the show notes for you.
Yeah.
So if you could just take a look at this.
Oh, are you going to Rickroll me back, Carole?
No, I will not.
I'm, I'm, I'm watching a video of someone who's cracking an egg on her young child's forehead.
Right, it's fucking disgusting.
And she's laughing. She's laughing. The baby looks shocked and then bursts into tears.
And the kid's crying.
But it's all right because it's been videoed to put up on TikTok.
And it's humiliation thrums through all scenes. And it started off with people doing it with other adults.
And then someone somewhere thought, hey, why not just do it on toddlers and children and babies? Fun. So, you know.
And then someone somewhere thought, hey, why not just do it on toddlers and children and babies? Fun. So, you know.
You know what?
I've got a solution to both this, both Duck's problem at the cricket match and to the egg crack challenge, which is we should all follow the guidance set by Lord Buckethead.
And I don't know if you remember Lord Buckethead. He is a political candidate who stood in various British general elections with a great big bucket on his head.
I've got a solution to both this, both Duck's problem at the cricket match and to the egg crack challenge, which is we should all follow the guidance set by Lord Buckethead.
And I don't know if you remember Lord Buckethead. He is a political candidate who stood in various British general elections with a great big bucket on his head.
Oh, did he take up the reins of Screaming Lord Sutch?
Yeah, yes. Yeah, he's in that vein. He's in the vein.
So, when Boris Johnson or whoever, when a major political politician is up for election, you'll often get these sort of joke candidates as well.
But if we all wore buckets over our head, that would stop our bosses recognizing us and stop the egg crack challenge.
So, when Boris Johnson or whoever, when a major political politician is up for election, you'll often get these sort of joke candidates as well.
But if we all wore buckets over our head, that would stop our bosses recognizing us and stop the egg crack challenge.
Yeah, good one. Okay.
Well, there's a famous American guitarist. He's a very, very good guitarist indeed, who goes by the name Buckethead. And every time he plays, he plays with a KFC bucket on his head.
God, stink bug. Do you think he asked for clean ones, or do you think he's "Last night's will be fine"?
It's fine." Compliance isn't fun, but neither is a data breach or losing a customer. That's why Drata automated it.
With Drata, you don't have to spend hours collecting evidence, manually testing controls, managing spreadsheets and screenshots. And pestering other teams with requests.
With automated evidence collection, over 85 integrations, and 24-hour monitoring, Drata automates the compliance process and keeps you audit-ready all year round.
Drata supports over 16 frameworks, including SOC 2, ISO 27001, GDPR, and HIPAA. And with an open API and plenty of customization, you can build your compliance program your way.
With over 475 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
And thanks to Drata for supporting the show.
With Drata, you don't have to spend hours collecting evidence, manually testing controls, managing spreadsheets and screenshots. And pestering other teams with requests.
With automated evidence collection, over 85 integrations, and 24-hour monitoring, Drata automates the compliance process and keeps you audit-ready all year round.
Drata supports over 16 frameworks, including SOC 2, ISO 27001, GDPR, and HIPAA. And with an open API and plenty of customization, you can build your compliance program your way.
With over 475 5-star reviews, Drata is the highest-rated cloud compliance platform on G2.
Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner.
Listeners of Smashing Security can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
And thanks to Drata for supporting the show.
If you work in security or IT and your company has Okta, this message is for you.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.
Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.
Here, credentials are useless to hackers, and you can manage every OS—even Linux—from a single dashboard.
Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.
You can just start using Kolide.
Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.
Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
Gigamon's deep observability pipeline amplifies the power of traditional security and observability tools with actionable network-derived intelligence and insight to eliminate blind spots in hybrid cloud environments, including the threats that may be hiding in encrypted traffic.
Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid Ransomware and Ransomware Threat Cloud Security and the dangers that free-flowing encrypted traffic poses to organizations.
Find out more. DownloadTheReport.com/Smashing. That's G-I-G-A-M-O-N.com/Smashing. And thanks to Gigamon for supporting the show. And welcome back.
Can you join us at our favorite podcast part of the show, the part of the show that we like to call Pick of the Week.
Gigamon's latest survey of over 1,000 global leaders reveals the state of hybrid Ransomware and Ransomware Threat Cloud Security and the dangers that free-flowing encrypted traffic poses to organizations.
Find out more. DownloadTheReport.com/Smashing. That's G-I-G-A-M-O-N.com/Smashing. And thanks to Gigamon for supporting the show. And welcome back.
Can you join us at our favorite podcast part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
It doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like.
It doesn't have to be security related necessarily.
Hmm, might be. What? You've got—
Well, it can be. That's all right. It can be, Carole. That's fine.
It's my rules. Exactly.
I changed my rules for this week. Yeah, doesn't have to be, doesn't mean it can't be. My pick of the week this week, however, is not security related.
My pick of the week this week is a documentary which I watched last night on the old Netflix. It is all about freediving. Have either of you had any experience of freediving?
I mean, have you ever gone to the bottom of a swimming pool and picked up a brick or something else unpleasant on the back of the bottom of a swimming pool?
My pick of the week this week is a documentary which I watched last night on the old Netflix. It is all about freediving. Have either of you had any experience of freediving?
I mean, have you ever gone to the bottom of a swimming pool and picked up a brick or something else unpleasant on the back of the bottom of a swimming pool?
I don't think that really counts as freediving, does it? Isn't freediving if you don't go 100 meters down, you haven't even started?
It's unbelievable. So this documentary is about an Italian freediver called Alessia Zecchini, and she keeps on breaking world records at freediving.
And it tells the story of her and Stephen Keenan, who's an expert safety diver. So they have— because this was the thing, right.
So Alessia and her fellow freedivers, they go down 100 metres or whatever and come back.
But of course, they run out of air, right, because they're going very, very low down on one breath. They may be down for 4 minutes or whatever. Extraordinarily long time.
I was actually reading while preparing for this that the world record, there's some chap who goes freediving and he holds his breath for 24 minutes. It's insane, isn't it?
Absolutely. But anyway, so in this documentary, which is a beautifully filmed documentary, they show some of these people.
And of course, as they're coming back up, which is quite difficult in itself, they're almost out of the water. And quite often at that point they black out.
This is quite a common occurrence. And so there are safety divers there ready in case they black out because they have to revive them.
Because if you black out and your brain isn't getting any oxygen, obviously you could be brain damaged within a couple of minutes or dead.
So it's quite horrific, quite an extreme sport. Anyway, Alessia, this expert safety diver Stephen Keenan, she ends up in a relationship with.
They are training and they are attempting to cross an infamous underwater arch in Egypt, which has claimed over 100 lives. It's very far down. They're going to go under this arch.
And it tells the story of her and Stephen Keenan, who's an expert safety diver. So they have— because this was the thing, right.
So Alessia and her fellow freedivers, they go down 100 metres or whatever and come back.
But of course, they run out of air, right, because they're going very, very low down on one breath. They may be down for 4 minutes or whatever. Extraordinarily long time.
I was actually reading while preparing for this that the world record, there's some chap who goes freediving and he holds his breath for 24 minutes. It's insane, isn't it?
Absolutely. But anyway, so in this documentary, which is a beautifully filmed documentary, they show some of these people.
And of course, as they're coming back up, which is quite difficult in itself, they're almost out of the water. And quite often at that point they black out.
This is quite a common occurrence. And so there are safety divers there ready in case they black out because they have to revive them.
Because if you black out and your brain isn't getting any oxygen, obviously you could be brain damaged within a couple of minutes or dead.
So it's quite horrific, quite an extreme sport. Anyway, Alessia, this expert safety diver Stephen Keenan, she ends up in a relationship with.
They are training and they are attempting to cross an infamous underwater arch in Egypt, which has claimed over 100 lives. It's very far down. They're going to go under this arch.
And come back up at the start. With no air supply?
No air supply, just the breath which you take at the beginning.
Oh, so that means they have to, whatever line they're on, they're going down, they have to unclip to go around the arch and clip back on?
Yes, I think they unclip or they hold it. I don't know what it is. But yes, they have to free swim under the arch and then back up again.
Right at the very beginning, you see this woman descend into deep, deep water. And you just follow her the whole way. It's over 3 minutes.
And in your head, you're thinking, how can she still not have breathed? It's just going on and on and on and on. It's a love story. It's also very emotional. Did you cry?
Carole, you know me. No spoilers, but it's a bit of a—
Right at the very beginning, you see this woman descend into deep, deep water. And you just follow her the whole way. It's over 3 minutes.
And in your head, you're thinking, how can she still not have breathed? It's just going on and on and on and on. It's a love story. It's also very emotional. Did you cry?
Carole, you know me. No spoilers, but it's a bit of a—
You blubbed. Graham blubbed.
Graham, that didn't answer the question, but—
Oh, he fell asleep. No, no, I know he didn't blub. He fell asleep is what happened.
I didn't fall asleep.
So, what's it called?
It's called The Deepest Breath, and it is on Netflix. And that is my pick of the week. Duck, what's your pick of the week?
Well, I'll be very quick. What with leaving Sophos and all that, I've got to tidy up my old email account to make sure that I haven't got personal bills going there.
I'm desperately trying to do the right thing by my soon-to-be former boss who'll get my emails after I've left in case there are any bills left.
Because I've just got so used to, particularly to all the PR spam that you can imagine has built up after however many decades of dealing with journalists.
I've just got used to ignoring it and just mostly hitting delete. But I think some of it, lots of it just gets left behind.
I suddenly actually started looking at a few of them today to see if it was worth unsubscribing.
I realized that maybe this is a newish thing, but I've just missed how truly understandable so many of the communications from people who claim to be communications experts are.
The people who go, "I'm looping this back to the top of your inbox because obviously you didn't have time to look at it" by replying to their own mail, as though you're just thinking whoever fell for that?
I'm desperately trying to do the right thing by my soon-to-be former boss who'll get my emails after I've left in case there are any bills left.
Because I've just got so used to, particularly to all the PR spam that you can imagine has built up after however many decades of dealing with journalists.
I've just got used to ignoring it and just mostly hitting delete. But I think some of it, lots of it just gets left behind.
I suddenly actually started looking at a few of them today to see if it was worth unsubscribing.
I realized that maybe this is a newish thing, but I've just missed how truly understandable so many of the communications from people who claim to be communications experts are.
The people who go, "I'm looping this back to the top of your inbox because obviously you didn't have time to look at it" by replying to their own mail, as though you're just thinking whoever fell for that?
This sounds like a nitpick of the week, doesn't it?
I didn't read it last time because it was horrible. And now you're saying, obviously you missed this because you were just too busy. You're going, I missed? I didn't miss it.
I drove around it really carefully. But then this morning I got one that said, and it was a PR release about, I need to talk to this person.
And I kid you not, I've had to remove some of the words to make it into even into a sentence. But it says our CEO is available to discuss GDPR in NHS, DSPT and DTAC compliance.
And I thought, you know what, when it comes to health services, I'm really just looking for you to recommend some kind of lotion for a little insect bite I got.
I drove around it really carefully. But then this morning I got one that said, and it was a PR release about, I need to talk to this person.
And I kid you not, I've had to remove some of the words to make it into even into a sentence. But it says our CEO is available to discuss GDPR in NHS, DSPT and DTAC compliance.
And I thought, you know what, when it comes to health services, I'm really just looking for you to recommend some kind of lotion for a little insect bite I got.
What does that mean? But Duck, would it be fair? I would say that perhaps maybe during your story, I got lost in all the acronyms that you take for granted.
I didn't put them in the headline. It wasn't the entire thing. That's true. Call us now. At least it's some understandable name. But it's just all letters.
And there weren't too many acronyms, if you think— So what's your pick of the week?
Oh, this is supposed to be something that I pick because it's really great and you should do it too.
And there weren't too many acronyms, if you think— So what's your pick of the week?
Oh, this is supposed to be something that I pick because it's really great and you should do it too.
No, no, it can now be a nitpick of the week. We've established this. If you want to have a nitpick.
Oh, I just picked it because I was so amazed that anyone would bother. I think just before coming, before setting up my mic to come on the show.
Also, another example of this, I think it was Twitter I logged out of in my browser rather than on my phone.
And I got a message along the lines of, I think it goes something like, thanks for logging out. You can log back in again later if you like.
And I'm just going, I would never have known if you hadn't told me. You made me create an account. It took quite a while. I got to think up a password and give you my phone number.
Not anymore. They don't do phone numbers.
But you know, for two-factor authentication, I would never have occurred to me that because I had to log in in the first place to use the account, that I might ever want to log in again.
So that's my pick of the week is, come on, people. Communication isn't that hard, is it? Not that I feel strongly about it.
Also, another example of this, I think it was Twitter I logged out of in my browser rather than on my phone.
And I got a message along the lines of, I think it goes something like, thanks for logging out. You can log back in again later if you like.
And I'm just going, I would never have known if you hadn't told me. You made me create an account. It took quite a while. I got to think up a password and give you my phone number.
Not anymore. They don't do phone numbers.
But you know, for two-factor authentication, I would never have occurred to me that because I had to log in in the first place to use the account, that I might ever want to log in again.
So that's my pick of the week is, come on, people. Communication isn't that hard, is it? Not that I feel strongly about it.
He's very easy to work with, people. Super easy.
Oh, golly. Oh, thank you, Carole. I forgot about that.
That was satire. Satire. That was satire.
And remember, if we're on the same team, I'm on your side. Right?
Yes, I can guarantee that. Yes, you are. Yes.
Better to have him pissing out. Carole, what's your pick of the week?
Well, you know, my pick of the week's slightly security related. And it's close to our hearts, Duck, Graham, and Mark Stockley's and Anna Bradings'.
And that is Naked Security, which we've talked about already.
And that is Naked Security, which we've talked about already.
Oh God, I'm going to tear up in a minute. Don't go too hard.
It was our cybersecurity news site that we created way back from scratch. When was it, 2011? Is that right?
I don't know. No, it must have been 2010, October 2010. There you go.
And it was really difficult to pull off because we had an extraordinary power play going on in the office.
We had a meager budget, we had little time, but somehow we pulled it off, and it was fun, right? We had some good times, and we took—
We had a meager budget, we had little time, but somehow we pulled it off, and it was fun, right? We had some good times, and we took—
And best of all, it was fun with a really serious side.
Yes, we had it. I remember the dislike campaign we had when Facebook made one of its bullshit moves.
We reported on breaches, arrests, campaigns, widespread malware, proof of concepts, everything.
We reported on breaches, arrests, campaigns, widespread malware, proof of concepts, everything.
That Facebook campaign, remember, our key thing was HTTPS everywhere. Yeah, they delivered it very quickly afterwards.
And I like to think they did it more quickly because we made a keen point about it. And it wasn't drum banging. It was just saying, you guys can do this. You really can.
You know, you're big enough to be able to get everyone across the line. And bless their hearts, love or hate Facebook, they were the first big org to do that, weren't they?
And everyone else followed suit afterwards.
And I like to think they did it more quickly because we made a keen point about it. And it wasn't drum banging. It was just saying, you guys can do this. You really can.
You know, you're big enough to be able to get everyone across the line. And bless their hearts, love or hate Facebook, they were the first big org to do that, weren't they?
And everyone else followed suit afterwards.
I have to say, I've just gone to the Welcome to Naked Security blog post from the 28th of October 2010, which is of course on an HTTPS link.
And my browser says connection not secure. Parts of this page, such as images, are not being transmitted securely. So I don't know, mate.
Duck, I don't know if you've still got any contacts you can speak to. There may be some HTTP maybe on that page these days.
And my browser says connection not secure. Parts of this page, such as images, are not being transmitted securely. So I don't know, mate.
Duck, I don't know if you've still got any contacts you can speak to. There may be some HTTP maybe on that page these days.
I'm sure there is. Yeah, maybe the links to the place where the images live.
Or you could say, not my problem. My point is to say though, right, we did do some great stuff. We even managed to get our flagship software translated into Klingon. Do you remember?
To celebrate the return of Star Trek movies.
To celebrate the return of Star Trek movies.
I want to hear Graham singing YMCA in Klingon right now. We had YMCA in Klingon.
I suspect the video we published of Klingon singing YMCA has been removed, however, by Sophos from its official YouTube channels.
Thing is, guys, we may forget that we were award-winning. We had hits like a million hits a month, 1.5 million a month. And that was way back when.
I think over 2 million some months.
Yeah. So, you know, and at the day of recording, it has been deactivated. The announcement has gone live, terminated, killed off after, what, 13 years? But I'm proud of it, actually.
And I thank both of you for helping us make it. We created it together. We kept it alive. There are other people as well, like Mark and Anna and everyone else who's involved.
And it was cool.
And I thank both of you for helping us make it. We created it together. We kept it alive. There are other people as well, like Mark and Anna and everyone else who's involved.
And it was cool.
And Alice and Charlotte, don't forget those.
And Yogi. Duck's been doing it single-handed the last few years though. He's been doing sterling work.
Yeah, since 2020, it's been article by Paul Ducklin, article by Paul Ducklin, article by Paul Ducklin, article by Paul Ducklin.
My pick of the week, Naked Security, RIP, you'll always be in our hearts.
Onwards and upwards.
Absolutely. Well, that just about wraps Duck Up for this week. I'm sure lots of our listeners would love to follow you online, Duck, and maybe offer you a job.
Anyway, I'm sure lots of our listeners would love to follow you online, Duck. What's the best way for folks to do that?
Anyway, I'm sure lots of our listeners would love to follow you online, Duck. What's the best way for folks to do that?
X/Twitter, I'm @duckblog. You can find me on Facebook, Duck Blog, Instagram, and LinkedIn. I'm P. Ducklin. Look for the little icon of a duck. It's a mallard, my favorite sort of duck.
And yes, if you think that you could do with a fantastic writer, speaker, evangelist, company proselytizer, and person with a cybersecurity social conscience, I am looking for work.
And yes, if you think that you could do with a fantastic writer, speaker, evangelist, company proselytizer, and person with a cybersecurity social conscience, I am looking for work.
And you can follow us on Twitter @SmashingSecurity, no G, Twitter and LastPass have G. We're also on Mastodon. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
And shout out to this episode's sponsors, Drata, Gigamon, and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 340 episodes, check out smashingsecurity.com.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 340 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye-bye. Bye. Wow. Wow, I think that's our longest episode ever, Graham.
How long was that?
1 hour 40. Jesus. No, we haven't.
No, it says 1 hour. I've got about 1 hour 10 here. We didn't start—
We didn't stop talking until half past the hour because Graham was moaning about it.
Yeah, I think it's because I've had my headphones on for an hour and a half and my ears feel like they're gonna fall off.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Paul Ducklin – @duckblog
Episode links:
- T-Mobile customer reports privacy breach – Twitter.
- T-Mobile US exposes some customer data – but don’t call it a breach – The Register.
- T-Mobile denies new data breach rumors, points to authorized retailer – Bleeping Computer.
- Connectivity Source – Despite appearances, don’t confuse it with T-Mobile.
- ThemeBleed exploit is another reason to patch Windows quickly – MalwareBytes.
- If I Embarrass My Baby on TikTok, Will He Stay My Baby Forever? – New York Times.
- They Gossiped At Brunch. Now There’s a Mob After Them – Rolling Stone.
- The End of Privacy is a Taylor Swift Fan TikTok Account Armed with Facial Recognition Tech – 404 Media.
- Egg crack challenge,the last baby is so cute – YouTube.
- Trailer for “The Deepest Breath” – YouTube.
- “The Deepest Breath” – Netflix.
- Naked Security.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Gigamon – Download the Gigamon Hybrid Cloud Security Survey to learn about the hidden dangers of encrypted traffic.
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
