Smashing Security podcast #352: For research purposes only

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley


A hacker bursts the bubble of inflatable fetish fans, Hollywood celebrities unwittingly record videos in a Kremlin plot, and there’s a particularly devious WordPress-related malware campaign.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
You looked around the house of this guy who mouthed off because the hacker posted that.
GRAHAM CLULEY
Well, I was curious as to what the hacker was linking to, and I went and checked it out.
PAUL DUCKLIN
Oh, I've got big air quotes for research purposes only, is this?
GRAHAM CLULEY
Yes, exactly. I didn't break in through his front door and have a poke around or anything like that.
CAROLE THERIAULT
Oh, right. That's what all the hackers say too.
Unknown
Smashing Security, Episode 352. For research purposes only, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 352.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, this week we're joined by a special guest, someone who's been on the show lots and lots of times before. It is Paul Ducklin. Hello, Duck.
PAUL DUCKLIN
Hello, Graham and Carole.
CAROLE THERIAULT
Thank you for coming on the show, Duck.
PAUL DUCKLIN
Thank you for having me.
GRAHAM CLULEY
Now, Carole, we're running a tight ship today, aren't we? Because you've got a very important phone call to make to your mum.
CAROLE THERIAULT
I do have a very important phone call to make to my mom, which should have been made yesterday. So let's kick this show off.

But first, let's thank this week's wonderful sponsors, Kolide, Push Security, and Vanta. It's their support that helps us give you the show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about inflation.
CAROLE THERIAULT
Ooh, okay. What about you, Duck?
PAUL DUCKLIN
I am going to be talking about something that the cyber crooks did that when I saw it, I grudgingly had to think to myself, Ah, 10 out of 10 for style.
CAROLE THERIAULT
And I'll be talking about winning hearts and minds. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, it's the most wonderful time of the year, isn't it? Is it? I don't know. That's what they sing. Maybe it is. Maybe you got other preferred times of the year.

I'm not sure. But you know what it means this time of the year as the evenings draw in, at least in the northern hemisphere, it means it is party season.

It means it's mince pies and mulled wine, carol singing, ugly jumpers, maybe some fun and games.
CAROLE THERIAULT
Ugly jumpers? Just festive jumpers.
PAUL DUCKLIN
Graham, have you never stopped to think that in the southern hemisphere, as the days are getting to their longest, that it might even more be party season?
GRAHAM CLULEY
And maybe party season on a beach?
PAUL DUCKLIN
Yes, something like that. Yeah.
GRAHAM CLULEY
In the swimming pool, perhaps. Yeah. What kind of games do you like to play, Duck, when you are having a little party? What's your preference?
PAUL DUCKLIN
I'm not really a party animal, Graham. You could afford me. I do put Christmas lights on my bicycle at this time of year, and I have them on.

And that's one thing nice when the nights draw in, because when you go for a ride, all the kids look at the bike, and you can hear what they're saying.

Daddy, Daddy, I want those for my bicycle.
GRAHAM CLULEY
It sounds dangerous. You must have one hell of an extension lead. Anyway, so there are some fun games to play. I was wondering if you've ever played Fuzzy Duck.

Have you ever played the Fuzzy Duck game?
CAROLE THERIAULT
Yes, with you, I think.
GRAHAM CLULEY
It's a drinking game.
PAUL DUCKLIN
I don't drink, Graham, like you. So no, I haven't played it, but I know that something bad is coming. I can just feel it in my liver.
GRAHAM CLULEY
I can enjoy Fuzzy Duck even if I haven't been drinking. I think anyway, maybe some of our listeners will like to play Fuzzy Duck. I'll put a link in the show notes.
PAUL DUCKLIN
Is that because you like the discomfiture of others?
GRAHAM CLULEY
Well, what is a party— of course I do. What is a party without balloons? Not baboons, balloons.
CAROLE THERIAULT
What, those big plastic things that are polluting the Earth?
GRAHAM CLULEY
Latex rubber is what they're made out of. And that is, you know, you get balloons in different shapes. You get your tedious old round balloon.

You know, that's the sort of bog-standard sort of balloon. Or the ones that look like a sausage. They're quite fun. Some people like to have a lot of fun with balloons.

Friend of the show, Geoff White, author of The Lazarus Heist, used to be a professional body— No, not a professional bodybuilder.

Used to be a professional balloon modeller back in the day.
PAUL DUCKLIN
Is that where they twist them into dogs and fairies and—
GRAHAM CLULEY
Yes.
PAUL DUCKLIN
And go-karts? And worse. And worse.
GRAHAM CLULEY
Duck, you weren't at the Smashing Security podcast Christmas party a few years ago. Where Geoff was videoed doing his not-safe-for-work balloon trick.

But I have found it on the internet. So again, I will put a link in the show notes for anyone who wants to see someone having a lot of fun with balloons.

And there's lots of people who like to have fun with balloons. And what they do is they like to seek out other people who enjoy good, clean fun with balloons.

And there is an online community called InflateVids which describes itself as the website for looners.
CAROLE THERIAULT
What's a looner?
GRAHAM CLULEY
I think, I think a looner, L-O-O-N-E-R rather than L-U-N-A. I think a looner is someone who enjoys the company of balloons.
CAROLE THERIAULT
Oh, not loons the bird, right?
GRAHAM CLULEY
No, no, no, no, no, no. So, it's the website for looners and inflatable lovers to upload their videos.

And they say if you go there, you can every day watch new inflatable and balloon fetish videos.
CAROLE THERIAULT
Oh, fetish, there we go.
GRAHAM CLULEY
That's what you were waiting for.
PAUL DUCKLIN
That was a long and very cautious introduction to bring us to that dread word.
CAROLE THERIAULT
Yeah. That's why you got all precious when I said plastic. You're like, no, no, no, latex rubber.
PAUL DUCKLIN
Oh no.
GRAHAM CLULEY
Latex rubber. Latex rubber. These people are purists. They want the proper material.
PAUL DUCKLIN
So they run a website. What have they done, Graham? Tell us.
GRAHAM CLULEY
Well, well, they haven't done their security properly.
PAUL DUCKLIN
Who would have thought?
GRAHAM CLULEY
On the InflateVids website, because a hacker who calls himself Thrax.
CAROLE THERIAULT
Thrax. That's powerful.
GRAHAM CLULEY
Has broken into the website. He has defaced its homepage over the weekend, but that's not the worst of it. He has also, it appears, exfiltrated data.
PAUL DUCKLIN
That's a long word for stolen, right?
GRAHAM CLULEY
So he's taken data and he has posted about it on a breach online forum, along with an animated GIF, actually, of the data being wiped from the server, presumably after he's taken it.

He claims he's got usernames, IP addresses, email addresses, hashed passwords.

According to InflateVids, Rik at InflateVids, he has posted up on Patreon to his community because he can't use his website at the moment.

He's basically shut down the entire website. He said, rest assured, he said that ID verification wasn't taken. So I've done a little bit of research into InflateVids.
CAROLE THERIAULT
First time, right?
GRAHAM CLULEY
Yeah, yeah, yeah. Totally. Totally. Never been there before.
CAROLE THERIAULT
Right.
PAUL DUCKLIN
Too late to sign up, Graham. They've burst.
GRAHAM CLULEY
So when you try and create an account on InflateVids, it looks like you are asked to scan in some formal ID, like your driving licence, identity pass, something like that.

Something which has your date of birth on it before granting you access to their site. I think that's right.

Certainly you have to verify your age before you can upload any balloon videos involving nudity.
CAROLE THERIAULT
We talked about this just a few weeks ago, that the laws changed where people are going to have to provide things like maybe a passport. Remember what the Ofcom—
GRAHAM CLULEY
Oh, yes.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Oh, but that's with pornography sites, Carole. This is good, clean inflatable fun.
CAROLE THERIAULT
You say fetish though.
GRAHAM CLULEY
Well, you know, that's how they describe themselves. One man's fetish is just another man's trouser press, isn't it?
CAROLE THERIAULT
Well, if they're asking for people to be over 18, seems to me it might be a little dangereux.
GRAHAM CLULEY
Well, yeah, certainly they're saying if you want to upload some nudity, so if you're engaged in some activity with an inflatable or with a balloon and there's some nipple-age or something like that on show, then yeah, you have to prove that you're over 18.
PAUL DUCKLIN
I just want to say I've got my eyes closed talking into the microphone now, and it is not helping because you're painting quite a vivid picture.
GRAHAM CLULEY
So according to InflateVids, that doesn't matter anyway. They say because they always delete that ID verification data which gets uploaded.
CAROLE THERIAULT
Smart.
PAUL DUCKLIN
Is this a special kind of deletion where you can go in with a utility afterwards and undelete it?
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Who knows? So Rik at InflateVids, he said, the other problem is that sadly my website was using an outdated hashing technique, SHA-1.

So that is not the best way of hiding your passwords. It's not the best way to obfuscate them from someone else coming along and descrambling them.

So they say they're going to fix that and they're going to add some salt in the passwords. That's what you should do.

You should hash and salt or salt and hash actually is the correct order to do these things in the future.

But the problem is that people who were using a particular password for InflateVids may also be using the same password on other websites that they're members of.
PAUL DUCKLIN
Oh no.
GRAHAM CLULEY
And I'm guessing— I haven't done much searching, but I imagine there are other websites of a similar vein.

Or maybe just their banking password, or maybe their eBay password, or their email password could be the same.
PAUL DUCKLIN
I think you're right, Graham, because what I've heard a lot of people say is, well, I've gone out of my way to think up one really extra super complicated password.

I'm not taking shortcuts, no cats' names. And now I've got that memorised because it's so secure, why don't I just use it for everything? And I think you just explained why not.
GRAHAM CLULEY
Yeah. Hate to burst your bubble.
CAROLE THERIAULT
Yeah. If there's any websites that you really wanna keep private, you know, I think up with the phishing. All of them. Yeah, all of them.

But you may care less if someone broke into your New York Times subscription or something, because you're not putting any information in there.
GRAHAM CLULEY
But it's just a good habit, isn't it?

If you just have the habit of always using a unique password, one that's been randomly generated, maybe by your password manager or something like that, rather than by your brain, then you're never going to accidentally use a dumb password.

Or what may happen is you may create an account on an online site at some point, which seems fairly harmless, and then later use it for some more serious purpose, but you're still lumbered with that daft password you initially chose.
CAROLE THERIAULT
Absolutely. And actually my example was stupid because of course, if you have a subscription, they've got information on you and you have to pay for that some way.

And so if that information got taken, you would be screwed a bit.
PAUL DUCKLIN
There's also the issue that even if it's, you know, just some local news site where you don't have to pay, if someone's got your password, they can jump in and put inflammatory, racist, derogatory, abusive remarks in and just sit back and go, "Ha ha ha ha ha, I've got you," because the finger's pointing towards you when that happens.
CAROLE THERIAULT
Yeah, attack the reputation. Yeah. So did he publish these usernames, IP addresses, email addresses, trying to sell them? What's he want?
GRAHAM CLULEY
It looks like he's made them available to download for free.
CAROLE THERIAULT
That's a bit douchey, right?
GRAHAM CLULEY
So he's posted this up on this website. And from what I've seen, some of the members of InflateVids aren't terribly happy.

So I was looking at this thread where the breach has been sort of announced.
CAROLE THERIAULT
They're bubbling over. Yeah.
GRAHAM CLULEY
And one member of that community, a guy called Inflatamer... My eyes are closed again. Has told Thrax he's super stupid, childish.

He said we should fight, quote, Russian pigs, not inoffensive people who like inoffensive things, even if it's maybe a little bit strange.

And Thrax, the hacker, was obviously a bit riled by that.

He went and looked up in the database for Inflatamer, found him, then posted his address and even what looks like to be a link to his property in Florida.

I checked out the property listing.
CAROLE THERIAULT
Great.
GRAHAM CLULEY
I've had a look around the house. He does have a very nice swimming pool, although there aren't any inflatable avocados or flamingos in it.
CAROLE THERIAULT
You looked around the house of this guy who mouthed off because the hacker posted that?
GRAHAM CLULEY
Well, I was curious as to what the hacker was linking to, and I went and checked it out.
PAUL DUCKLIN
Oh, I've got big air quotes for research purposes only, is this?
GRAHAM CLULEY
Yeah, exactly. I didn't break in through his front door and have a poke around or anything like that.
CAROLE THERIAULT
Oh, right. That's what all the hackers say too.
GRAHAM CLULEY
So Rik, Rik at Infla... what are they called? Rik at InflateVids. Rik has said this all happened because he was running off-the-shelf software that used SHA-1 for hashing.

He didn't check, didn't change it. He assumed that everything was going to be fine because he just got something off the shelf.

Obviously, he says that's going to have to change in future.

It doesn't explain how the hackers got in in the first place, but it's how maybe people are now able to find out what their passwords are.

So I don't know if either of you are members of InflateVids or any of our listeners. Bad news is there's no ETA for the website to come back. Rik says it may take months.

I don't know what you're going to do for your inflatable content in the meantime.
CAROLE THERIAULT
I do. Change your bloody passwords.
GRAHAM CLULEY
Well, yes, maybe you're going to have to find another source. I found the Instagram account of a Spanish chap who appears to be a member of the site, but his account is private.

His avatar though, Duck, this is just for you, shows him splayed on top of an enormous inflatable football. So seems legit, either that or he's got some sort of other issue.

So there's a lot of this going on. Thrax, by the way, this isn't his first breach. He attacked Fast Company.

He hacked into Fast Company's content management system last year and he pushed out some obscene and racist notifications via Apple News to tens of thousands of subscribers.

So not very nice of him to do that either.
CAROLE THERIAULT
Another douche move. Yeah.
GRAHAM CLULEY
Yeah, absolutely. So what we're saying to regular users, use unique passwords, obviously.

But also, if you're running a website, even if it seems to be harmless fun like InflateVids, I haven't seen any of their videos. Honestly, I haven't.

So I don't really know what goes on, but I assume it's all fairly harmless.
CAROLE THERIAULT
Maybe we should have a campaign called Hug a Hacker or something. Maybe they just need some love and, you know, we're denying them and then they go and do evil stuff.
GRAHAM CLULEY
Hug a Hacker. Start with hugging IT people, IT security staff.
CAROLE THERIAULT
I do every day.
GRAHAM CLULEY
Do you?
CAROLE THERIAULT
Yeah, I hug my CIO.
GRAHAM CLULEY
Oh, your husband.
PAUL DUCKLIN
The Yeti.
GRAHAM CLULEY
Good luck getting your arms around him. Duck, what story have you got for us this week?
PAUL DUCKLIN
I have a story about a WordPress phish that I investigated.

I didn't have the original email, and fortunately you, Graham, rode to my rescue because you, as a fellow WordPress user— I use the hosted WordPress, you I think run your own, which is why you got chosen— you received an email, and fascinatingly, to your privacy@ account, which I presume was done to give it more vibration, that was, in my opinion, surprisingly believable for a phish and led to a web domain that was astonishingly close to the real WordPress one.
GRAHAM CLULEY
So, Duck, what was the content of this email? What was triggering people to click on the link and end up on this fake WordPress site?
PAUL DUCKLIN
Well, the thing that drew me in and made me think, hey, maybe they've actually hacked something inside WordPress because it all looks so good, was subject line: Attention: Remote code execution vulnerability detected in your WordPress site.

Dear user, that's perhaps the only giveaway. They probably wouldn't have written that, but might have.

The WordPress security team has detected a remote code execution vulnerability in your site that allows attackers to add malicious code and steal your data, user details, and more.

And then words to the effect of, because we're working on a full-blown official patch to the product still, what we have done, the official WordPress security team, is we've produced a plugin that you can install in the interim, which will work around the vulnerability.

And there's a download button, download plugin.
GRAHAM CLULEY
And it's a professional looking email, isn't it? I mean, it really does look visually like an email from WordPress. You know, there's no spelling mistakes. It's formatted nicely.

It's got their logo. I mean, it looks convincing.
PAUL DUCKLIN
And it's quite charming and it sounds community orientated. And of course it's spoofed. So the from address is wordpress.org. It claims to come from .

It's come to your privacy email account. So apart from the dear user with a lowercase u and one comma that I didn't like, but that may be a stylistic matter.

It was way, way better than usual. And this is not just some ChatGPT thing that's produced text that meets English grammar rules. It's nicely written.

All you need to do is download, install, and activate the plugin, ensuring a quick and trouble-free protection. That's not quite perfect English, but it's good enough.
CAROLE THERIAULT
I know people would just trust this, but I think my first thing, if I had one of those, was go to the WordPress website to see if there's any information, see if there's any press articles on it, because surely if it's affecting tons of people, they're going to be talking about it rather than just sending private emails, right?
PAUL DUCKLIN
Indeed. You're right. If you know your domain and that's what you should do, know where to go yourself in advance in using information you've prepared earlier.

You would probably just go to wordpress.org and start right there. However, I can see why people might go, well, let me click the button. I'm only going to the website.

Presumably my browser's patched. I'm not going to get pwned just by visiting the site. I mean, that can happen, but it's unlikely.

You click download plugin and you end up on a site that will seem targeted perhaps to your region of the world, because what these crooks registered is they got the domains en-au-wordpress.org.

That's English Australian flavor. en-ca, which was the link that was in the email that Graham got. en-gb, they got NZ for New Zealand, US, and ZA.

It's a clever, it's a clever move, except they didn't actually get en-ca.wordpress.org because that's the real site. What they got was en-ca-wordpress.org. It just looks right.

And I have to admit, when I went through to look at that site and I went through with the Tor browser, I took all my due care just to see what was going on.

When I looked at the page, when the page appeared to me, my immediate thought was, wow, this is WordPress's real site.

The crooks have actually tricked WordPress into accepting a plugin that is bogus, and I'm amazed they didn't spot the malware in it, and I'm amazed it's still up.

And then I looked back and thought, no, hang on, they're wordpress.org, and they're not— they won't have registered a separate domain for each region. They do them as subdomains.

And there it was, just that.
CAROLE THERIAULT
Smart. So don't you think it's a bit shitty that that's even possible?
PAUL DUCKLIN
Yes.
CAROLE THERIAULT
Right? So if you had duck.com as a URL or as a domain—
PAUL DUCKLIN
I wish I could have sold it to DuckDuckGo; somebody did and made a small fortune, but it didn't seem important back in the day when 4-letter domains were free and easy to get.

I'd have bought Apple shares at the same time, by the way, and mined a few bitcoins, so I don't regret it. Just one of those things I never got around to doing.
CAROLE THERIAULT
But if you did have duck.com, it's kind of shitty if you have to register duck1, duck2, duck, you know, en, duck, you know, all the different types just to make sure no one pretends to be you.
GRAHAM CLULEY
Get all your ducks in order.
CAROLE THERIAULT
Yeah, yeah, good one.
PAUL DUCKLIN
Yeah. You sometimes do wonder why after a domain like this is registered, because of course it's not a subdomain of WordPress.org, it is a separate domain.

I suppose the idea is it's meant to be, you know, a free market.

It's meant to be a place where somebody who's big and rich can't just register duck.com and then say to me, oh, you want paulduck.com? Oh no, no, no, no, you can't.

So you can see why it's kind of liberal.

And I guess the idea is that the powers that be would just rely on WordPress saying, hey, this is clearly domain squatting or clearly the intention of fraud.

But that kind of takedown doesn't happen in minutes or hours or even days, perhaps not even in weeks.

So yeah, you kind of wish that it was easier to control because when you look at it, what were they thinking? Why did the .org registrar allow that domain? It's so obviously bogus.
GRAHAM CLULEY
Yeah, it feels to me that there's an irony here with this particular attack, which is that they are actually targeting people who are security conscious, people who actually respond to a notification about what appears to be a critical patch in their WordPress, which they want to apply because otherwise—
CAROLE THERIAULT
You didn't worry about me, did you, Graham?
GRAHAM CLULEY
No, I knew you wouldn't read the email. But you wouldn't take notice of it. But if I was running—
CAROLE THERIAULT
I'm so safe.
GRAHAM CLULEY
An inflatable fetish website, for instance, on WordPress, and I got a notification on that, I'd think, oh crumbs, I need to apply this patch because otherwise my users' data might be exposed.

So there's—
PAUL DUCKLIN
Absolutely.
GRAHAM CLULEY
There's this strange thing going on, isn't there? Where actually, if you're security conscious, you may be at a little bit more risk than if you're not.
PAUL DUCKLIN
And I think if you do click the button just to see and you go to the site and you don't notice the dash for dot, because it just looks almost right.
GRAHAM CLULEY
It really does. Yeah, it really does look legit.
PAUL DUCKLIN
If you have ever installed a WordPress plugin before, for example, because you're security conscious, you would glance at that and you would go, that's essentially perfect.

Now, the only obvious screw-up that existed by the time I looked at this, it was a few days after I'd first heard about it, but I didn't have any samples of anything yet, is it seems that the crooks had decided that part of the information they were using was now well known.

So they changed it. And this is another part of the trick that I think you're right, Graham, that if you're privacy conscious, security conscious, would draw you in.

They've included a bogus CVE number, right? It says CVE-2023-45124. And if you go to the MITRE website, or at least when I went there and did, I thought, is that a real CVE?

And I had a look and it's one of those CVEs that this really annoys me about the way MITRE do this CVE allocation is that sometimes their website is almost like your own worst enemy because it says this CVE is real, it's been allocated, but it hasn't been written up yet.

In other words, it exactly matches the story that the crooks pitched you in the email. We're working on a patch for the product WordPress.

In the interim, the CVE has been allocated and here's a workaround, a plugin. And obviously that first CVE, maybe news had got around and people going, oh, that's a bogus one.

Now it wasn't a fake. They hadn't just made up the number. They presumably chose the number that was in some kind of digital limbo where it did exist.

So it was real, but it wouldn't come up and say, oh, that's a bug in some security appliance, or that's a bug in some kind of word processing software where you realize they've just stolen the number.

But they did change the patch number in the actual plugin details that I saw.

So there is a discrepancy between the slug in the URL, which mentions the CVE ending 45124, and the one in the body of where you download the plugin that says 46182, if you happen to notice.
GRAHAM CLULEY
I've just spotted a mistake they've made, actually, looking at this.
PAUL DUCKLIN
So do you want to tell them? Because it's still going, this scam, or do you want to leave it there just in case?
GRAHAM CLULEY
I'm reading your article on your blog and I'm looking at these images you've got up and they have made a mistake, which is a really obvious one, which is in the word WordPress.
PAUL DUCKLIN
Oh, yes. Yeah, you're right.
GRAHAM CLULEY
The official WordPress is a camel case word.

It's a capital P halfway through, and they've put it in most places, not absolutely everywhere, but in most places they've put it with a lowercase p.

So the nerd in me might have spotted that because I write WordPress so often.
CAROLE THERIAULT
The nerd did spot it.
PAUL DUCKLIN
But I didn't know. I'm looking at it now and I can't not see it. Yeah, but I just glossed over that.

The other thing they didn't do, presumably they wanted one fake plugin page to deal with en-gb, en-ca, us, I think all the countries they had targeted.

I've put a picture of a real one from the real Canadian English-Canadian community site, and it actually has the name of the country at the top next to the WordPress logo.

And they haven't got that. That's a customization. But all their domains, I think, end up at the same page. So they presumably didn't get it together.

There is something we can all learn from this. If we're programmers or coders and not WordPress users.

And that is that although it says it prevents you getting malware and protects you against attacks, actually what the plugin does, as you've probably guessed, even if you haven't read my article about it, is it actually goes out and installs malware for you so that they can get back in.

And it just goes and downloads a free and open source PHP backdoor available. You can probably guess where it is. It's on GitHub.

Even though it's— you can't imagine why anyone would want to use it for legitimate purposes.

It's advertised on GitHub with, and I'm using big air quotes here, for educational and testing purposes only.

So the crooks can come back in with a password that they set into the code.
GRAHAM CLULEY
You know, the other cheeky thing that they do with this is that if you install the patch, they then display a little dialogue saying, thank you for patching your system.

Lovely, lovely. You're all up to date. You can help the WordPress community by sharing the word.

We encourage you to share this patch with people you think might be affected by this vulnerability.

So you could actually be doing the bad guys' dirty work for them by getting your friends to install it as well.
PAUL DUCKLIN
Yes, this is a Trojan horse, not an old school computer virus capable of self-spreading.

But they've added the computer virus part into it by getting you to help spread it to your buddies. And that popup, it just looks fine, doesn't it?

The patch has been installed successfully, your WordPress is up to date, blah, blah, blah.

And in the ratings, they didn't just do what you'd expect and have everyone give it 5 stars. They put in a few people who didn't like it.

They got a couple of people who only gave it 4 and 2, and they even had one person, no, 1 star, rubbish. It just—
CAROLE THERIAULT
You know what the worst irony of all this is though, Duck, is they're gonna listen to this show.
GRAHAM CLULEY
Of course they are.
CAROLE THERIAULT
I take notes and you've just improved them marginally.
GRAHAM CLULEY
Yeah. Nice work, Duck.
CAROLE THERIAULT
Yes.
PAUL DUCKLIN
Well, you pointed out the typo. Yeah.
CAROLE THERIAULT
Yeah, Graham. I did nothing. I was hardly listening.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
You guys know the expression winning hearts and minds?
PAUL DUCKLIN
Yes.
CAROLE THERIAULT
You know where it comes from?
GRAHAM CLULEY
Shakespeare.
PAUL DUCKLIN
Second World War?
CAROLE THERIAULT
Yes, war.

According to Military History Wiki that I found, it's a concept occasionally expressed during war, insurgency, and other conflicts, and it's where one side seeks to prevail by not using superior force, but by making emotional or intellectual appeals to sway supporters of the other side.

Kind of rhetoric, basically, type of rhetoric.
PAUL DUCKLIN
Rhetoric. Have you ever used that word on the podcast before? Because I like it. I like hearing the word rhetoric. I don't think it's used enough these days.
CAROLE THERIAULT
That's what I studied when I was studying a long time ago.
PAUL DUCKLIN
Exactly. Yeah, yeah, great.
CAROLE THERIAULT
Now, hearts and minds, when you think of people, I think President Zelensky comes to mind. He's still leading the fight to save Ukraine as an autonomous region.
PAUL DUCKLIN
Careful, not autonomous region, sovereign independent state.
CAROLE THERIAULT
Okay, sovereign independent state. Thank you very much, Duck.

But I would argue that he's won the hearts and minds of many people in the world, including that of celebrities, because actually, some of us know that he used to be an actor before he was the leader.
GRAHAM CLULEY
Yeah, wasn't he a comic actor or something?
CAROLE THERIAULT
Yeah, comedian and actor. Reagan was too, right? Reagan was an actor.
GRAHAM CLULEY
He was in a TV show about a comedian who somehow becomes president, and then he became president. In real life, it's so crazy.

As if any country would hire someone just on the basis of appearing on a TV show.
CAROLE THERIAULT
Imagine that.
GRAHAM CLULEY
Yeah, crazy.
CAROLE THERIAULT
Last January, The Guardian published this article on how Zelensky became Hollywood's man of the hour.

And the strapline is, from Ben Stiller to Jessica Chastain, celebrities have embraced Ukraine's president and offer support to the country's war effort.

So that's kind of proof that he's the winner of hearts and minds of the moment, do you not think?
GRAHAM CLULEY
Yes. Yes.
CAROLE THERIAULT
Okay, just making sure everyone's still with me.
GRAHAM CLULEY
I was nodding feverishly, but very quietly.
PAUL DUCKLIN
Yeah, I was just thinking, is this a trick question? Think carefully, because after not spotting that WordPress mistake, I'm feeling I need to be more cautious in my digital life.

But yes, yes, Carole.
CAROLE THERIAULT
Okay, so no surprise this must frustrate and anger those on the pro-Russian side of things. Perhaps they wonder, why isn't our esteemed leader Putin, Mr. Putin, the smallish man who wrestles big cats and hunts bare-chested, why is he not loved and admired in the same way?
GRAHAM CLULEY
Yeah, funny that.
CAROLE THERIAULT
So one way is to discredit the opposite side, right? Start chipping away at the reputation. And you could use the digital world as your vehicle.

So a group has been working on this, revealed Microsoft just last week, in a rather novel way. And I'm so interested to hear what you guys think of this approach.

So here are the ins and outs of a new cyber campaign.

They have this unknown pro-Russian influence group, and they say they recruited legit bona fide Hollywood actors and other celebs.

So we have names like Priscilla Presley, Elijah Wood, Dean Norris, Kate Flannery, just to name a few, right?

And you're like, well, how did they get them to take part in a smear campaign?

Well, Microsoft thinks that these celebs were directly contacted via a video messaging platform such as Cameo.

And Cameo is a website where you pay all manner of people, bona fide people, including a gaggle of celebs and comedians and whatnot, to get personalized mini videos from your favorite stars.
GRAHAM CLULEY
So the likes of Elijah Wood have got a Cameo account, haven't they?
CAROLE THERIAULT
Yes, it seems they do.
GRAHAM CLULEY
Times must be tough.
CAROLE THERIAULT
I went looking to see who I could find on it, and I found Don Johnson, right? Star of '80s cop show Miami Vice.
GRAHAM CLULEY
Well, that's the whole point, Carole, because he was a star of a 1980s TV show. He hasn't done anything since. And so the only way he can make money—
CAROLE THERIAULT
Well, no, but he's charging $400 a pop for a 1-minute or so video.
GRAHAM CLULEY
And how many is he making of those?
CAROLE THERIAULT
I have no idea, but he had a few examples which I watched. I'll put a link in the show notes for everybody.

Okay, and what you do is you kind of would say to him, hey, hey, hey, okay, here's your $400, can you address it to this person and make this message?

Like maybe I'd say, hey, you know, Graham. Yeah, I would say do it to Graham and say happy birthday for next birthday party or something like that, right?
PAUL DUCKLIN
You'd be like, oh, that's so Carole, can I just say at this point, I'm feeling slightly poorly because I'm remembering that there was a chap in the United Kingdom who got on Cameo, and I seem to remember he was charging 70 quid a go.
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
Who was that person?
PAUL DUCKLIN
Well, I don't want to say it.
CAROLE THERIAULT
Does it rhyme with fine?
PAUL DUCKLIN
No, but his first name rhymes with trigeminal.
GRAHAM CLULEY
Tri. Jewel Barrage.
CAROLE THERIAULT
70. 70 quid? Really?
GRAHAM CLULEY
Wow.
PAUL DUCKLIN
Apparently.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
So, I don't know. I think, guys, you could probably do this as a sideline if you wanted. You're pretty, you know, you're celebs in the area of cyber.

You could send people little, you know, jokes or something.
GRAHAM CLULEY
But no, no, no, no, no, no, no. Absolutely not. I have thought about it, obviously.
CAROLE THERIAULT
Oh, right.
GRAHAM CLULEY
But no, because there is nothing sadder than seeing somebody up on Cameo whose career has fallen to such depths that they now will read out messages to people saying happy birthday.
CAROLE THERIAULT
Why is it sad? It makes people happy. Who?
GRAHAM CLULEY
Who are these people?
CAROLE THERIAULT
Oh, if I got one of my mom's favourite people to say, hey, mom.
GRAHAM CLULEY
No, I've looked up Cameos before of people, you know, like actors from Doctor Who and things. And I think, oh my God, this is so embarrassing that they're having to do this.

And so if your mum, who currently thinks the world of, I don't know, Tom Selleck or something like that, if she saw Tom Selleck wishing her a happy birthday, she'd think, oh, this is what he's doing now.

This is as good as it's got.
PAUL DUCKLIN
I don't think everyone's quite that cynical about it, Graham. I agree. I think some people just think it's like good, clean fun.

And if somebody wants to make, let's face it, $400 for a minute's work.
CAROLE THERIAULT
See, Duck's thinking about it.
PAUL DUCKLIN
That's a good rate by any account.
GRAHAM CLULEY
I'd love to do that, but I don't think many people are probably buying greetings at $400 from Don Johnson from Miami Vice.
CAROLE THERIAULT
I'm going to crack on with my story, okay?
PAUL DUCKLIN
Okay. I think you're going to be a winner, Carole, because obviously this story wouldn't exist if Cameo wasn't popular.
CAROLE THERIAULT
I suppose. And they don't know if it is Cameo. It's a site like Cameo. They've mentioned that. They're not sure exactly how they managed to do this.

So anyway, the pro-Russian influence group, says Microsoft, requested that these celebs create a personalized video.

They wanted a message to help encourage someone to seek help for their substance abuse, and this person was to be called Vladimir.
GRAHAM CLULEY
Oh no.
CAROLE THERIAULT
So you have a video of someone like Elijah Wood saying, hey Vladimir, look, it'd be really good if you laid off the sauce, or, you know, stop heroin or whatever, and we're behind you, we've got you, you know, shout out.
GRAHAM CLULEY
So they, so they edit it so they just have the bit where—
CAROLE THERIAULT
Well, they have the name, they have the whole video.

It's a one minute long, maybe whatever they grab, but then they put an overlay over it so it looks like it comes directly from the actor's Instagram page.

So they've overlaid things like emojis and links and the sort of stuff that give it a real feel, says the Register.
PAUL DUCKLIN
Oh, so the theory is that instead of thinking, "Oh, somebody paid 70 quid for that," they think, "Hey, that person feels strongly enough that they actually put it on their own social media page by themselves."
CAROLE THERIAULT
Exactly. Yeah.
GRAHAM CLULEY
Priscilla Presley.
CAROLE THERIAULT
Yeah, everyone, when you see it, you're thinking, "Wow, Priscilla Presley really cares about Vladimir." Couldn't they just get Steven Seagal to do that?
GRAHAM CLULEY
Isn't he a friend of Vladimir Putin? Couldn't they just get Steven Seagal to do all of these videos and put them on his real Instagram?
PAUL DUCKLIN
Yeah, but that wouldn't work. That wouldn't work as well, would it?

Because if you're known to have that particular viewpoint, it's when someone that you wouldn't expect suddenly seems to be Frodo Baggins.
CAROLE THERIAULT
And these videos are then shared on Russian social media networks, all in the name of promoting Russia's long-running claim that Ukraine's leader suffers from addiction, which, as is widely reported, is completely false.

But how weird is it? Why wouldn't you use a deepfake? Is it because the celebrity can't deny that he said it?
PAUL DUCKLIN
Maybe, or maybe it's just cheaper and easier. And the thing with deepfakes is no matter that everyone goes, "Ooh, look how good they are," they are fake.

It's that WordPress page that I was just talking about and Graham said, "Oh look, they spelled WordPress wrong," which none of us had noticed till halfway through the podcast.

The thing is that nothing is quite as real as something that is actually real.
CAROLE THERIAULT
Yeah, I should underline the celebs who took part in this had no idea that Vladimir, the name, was referring to Vladimir Zelensky or President Zelensky.

And there's nothing new with warring sides trying to bash in the reputation of the opposition. But why use Priscilla Presley, for Christ's sake? It's so weird.
GRAHAM CLULEY
For anything.
CAROLE THERIAULT
Come on.
GRAHAM CLULEY
Yes. What would be the point?
CAROLE THERIAULT
The South Threat Analysis Center has observed seven Star videos since July 2023, and it says that they're expecting to see much more in the coming year.

So, it's gonna intensify as the war rages on.
PAUL DUCKLIN
I suppose the deal is that it's not so much the name of the person as that that name is known to be someone who is American.
CAROLE THERIAULT
What, Vladimir?
PAUL DUCKLIN
Priscilla.
GRAHAM CLULEY
No, the celebrity crew. Try and keep up with your own story.
CAROLE THERIAULT
I told you I was out very late last night.
PAUL DUCKLIN
I'm suffering.
GRAHAM CLULEY
Now, you've probably noticed the uptick in identity-based attacks recently hitting the headlines.

If you're working crazy to get everything behind SSO and make sure everyone's using strong passwords and MFA, then Push Security is for you.

Push Security helps you to monitor and secure your entire identity attack surface, including non-SSO identities.

Get notified in real time to vulnerabilities across all your internet-facing identities.

What's more, Push Security then guides your employees to fix simple issues so your team can carry on fixing everything else. Want to check it out?

Well, head over to pushsecurity.com/smashing. That's pushsecurity.com/smashing, and thanks to them for supporting the show.
CAROLE THERIAULT
Thank you to Smashing Security sponsors Vanta, where you can shortcut compliance without shortchanging security.

Expand the scope of your security program with Vanta's market-leading compliance automation.

Vanta's 5,000+ global customers report saving over 300 hours in manual work and up to 85% of cost for SOC 2, ISO 27001, HIPAA, GDPR, custom frameworks, and more.

And with Vanta's 200+ integrations, you can easily monitor and secure the tools your business relies on.

From the most in-demand frameworks to third-party risk management and security questionnaires, Vanta gives SaaS businesses of all sizes one place to manage risk and improve security in real time.

As a special bonus, Smashing Security listeners get a whopping 20% off Vanta. Just go to vanta.com/smashing. That's vanta.com/smashing.

If you work in security or IT and your company has Okta, this message is for you.

For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees.

Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps.

Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard.

Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world.

You can just start using Kolide.

Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log into your cloud apps.

Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.
GRAHAM CLULEY
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
PAUL DUCKLIN
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security-related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week this week is security-related.
CAROLE THERIAULT
Uh-oh. We're this close to Christmas, and you seriously are pulling this rando one out. Okay.
PAUL DUCKLIN
That's— it's usually when I'm on the show, it's usually me going, "Oh, I don't really do anything except cybersecurity." And I'm the one who lets you down this time.

I have something that is not security-related. Thank you, Duck. It does involve coding though.
GRAHAM CLULEY
Carole, I've got a question for you. Duck, you're not allowed to answer this. Carole, have you got a Pi-hole? Do you know what a Pi-hole is?
CAROLE THERIAULT
No, I don't. Is it a Raspberry Pi?
GRAHAM CLULEY
It's not your mouth either. No, it's not. A Pi-hole is a bit of software which you might run on a Raspberry Pi. Yeah, I said Raspberry Pi. Oh, well, yeah.

No, not a raspberry pie you eat.
CAROLE THERIAULT
No, I know, you dingbat.
GRAHAM CLULEY
Oh, okay. Okay. I'm with you, Carole.
PAUL DUCKLIN
I think he's winding you up.
GRAHAM CLULEY
Okay, Crow. You explain then, Crow. You explain then if you've got one of these.
CAROLE THERIAULT
No, I haven't used it. It's still in its box. Someone gave one to me.
GRAHAM CLULEY
Oh, okay. All right. Well, Pi-hole is a bit of software you can run on a Raspberry Pi.

It's quite well known and you can send anything which looks like an ad coming over your internet connection to a black hole inside the Raspberry Pi so it doesn't get displayed on your computer, on your phone or any of your other devices.

Devices which are on your Wi-Fi. Now, my pick of the week this week is not a Pi-hole. It is something which is just like a Pi-hole called AdGuard Home.

It's a free and open-source piece of software from the folks who make the AdGuard plugin you might have used or the AdGuard DNS service.
CAROLE THERIAULT
Yeah, you alluded to this last week, did you not, in your story or one story, one of our stories?
GRAHAM CLULEY
I did mention it because I had reason to put some internet filtering at home. Let's not go into the details. Maybe have a bit more parental control, blocking ads.
CAROLE THERIAULT
Because the inflatables were getting too much. There's too much inflatables in the house.
GRAHAM CLULEY
Oh, I wonder if I'm blocked from reaching the inflatables site. Anyway, so what you do with AdGuard Home, as I say, it's free. You can download it from GitHub.

It's not just put up there for research purposes only. It is put up there for legitimate purposes. You can run it on your Raspberry Pi.

You connect your Raspberry Pi to your router and it means that you can block ads and tracking and porn and all kinds of other things. You can customize it for different devices.

You can have customizable block lists. You can use some of the many other block lists which are already out there. And it works a treat and it works really well. I have a question.

Ask me a question. What would stop—
CAROLE THERIAULT
What would stop said person in household from just disconnecting the chain and putting the chain back together the old way. Would you get notified of that?
GRAHAM CLULEY
Well, it depends how well he would cover his tracks, because obviously my router is now using the AdGuard Home.

It's sending all the traffic through it in order that it gets filtered. So if they were able to also reconfigure my router, then potentially they could do that.

But that's protected with a password. Password. AdGuard Home is protected with a password as well. And I haven't used an easy-to-guess password.

It's one that's just sort of long and randomly generated.

What he can do, of course, is simply turn off Wi-Fi on his device and use his cell phone connection instead to access stuff.

And that, that's a whole other story of how you lock down your smartphone from being able to do things.
CAROLE THERIAULT
Ah, okay.
GRAHAM CLULEY
A little bit complicated. Yeah. Yeah. Well, I've already actually taken steps about that as well. But anyway, my pick of the week right now is AdGuard Home. It's free. It's open source.

Go and check it out. I'm quite impressed with it. I've been running it for a couple of months now.
CAROLE THERIAULT
Well, future pick of the week.
GRAHAM CLULEY
Yeah. Duck, what's your pick of the week?
PAUL DUCKLIN
My pick of the week, it's something that I've used before and I've come back to recently because I dropped my beloved Garmin down the stairs outside my flat, which it did not survive, and I had to go and get a new one.

And I decided I'd buy the tiny little, the little entry-level one because it's really tiny and it fits in your pocket. I think it's called the Garmin Edge.

And it wouldn't be popular with people who like to track everything and have real-time online maps and do all the turn-by-turn navigation that many cyclists do.

I don't really like that because I like to just enjoy the ride, and I usually know where I'm going. I just sometimes get lost along the way. So I used a thing called Connect IQ.

If you're a programmer and you're a cyclist and you've got a Garmin, it is actually user programmable, and you can go and download their development kit, their Connect IQ development kit.

And you have to learn a language called Monkey C, which is— wow, if you already know C, it's pretty easy to pick up.

It's sort of like a scripting language, and you can write your own apps that display what you want while you're riding along.

And I used it to build, even my tiny little Garmin, the screen just fills up with a compass like an orienteering compass.

So it doesn't just give the bearing in like 203 degrees or whatever. It's good looking. You could just glance at it and see which direction you're going.

And I found that this, what you might call approximate navigation, where I know where I'm going, let's say I need to get from Oxford to Bicester, or I need to get from Oxford to the big Tesco, and I want to take a different route, and I know that I roughly need to keep going in a southeasterly direction.

Then when I get off track, I can just glance down at my compass and figure, yeah, I'm going a little bit off course. I need to take a right somewhere here and work my way across.
CAROLE THERIAULT
And like a compass, like, yeah, just like a compass.
PAUL DUCKLIN
So the problem with having a normal compass on a bicycle is, even if you have an aluminum bicycle, there's lots of steel everywhere.

And so when you put the compass near it, it's like having a compass inside a car.

It's a very complicated thing to have one that's tiny, inexpensive, and that you can, that isn't set up specially, that you can remove so that it doesn't get stolen.
CAROLE THERIAULT
I didn't know that. So this is with the Garmin.
PAUL DUCKLIN
Obviously you have to be moving for it to work 'cause it uses GPS.

But it's great just having this big thing that just says, you know, well, north's behind you, north's ahead of you, or, you know, you need to turn left.

And I got to write the code myself and do a little bit of graphics.
CAROLE THERIAULT
You should put your code up and share it with other people.
GRAHAM CLULEY
Put it on GitHub for research purposes only.
PAUL DUCKLIN
There is a Connect IQ community site where you can download stuff. So I might just do that.

And the other thing I did with it is I have a particular predilection for the typeface for terminal windows.

I like the typeface that was originally used on the IBM 3270 terminals from the 1970s. And there is a fantastic font called IBM 3270, free open source font.

And I actually adapted that and I used that for the little speedo part. So it actually looks like I'm riding along looking at an IBM 3270.
CAROLE THERIAULT
I love, I played, what was it called, that game? Tetris. No, no, no, no, it was like a word game. Zork, Zork. Oh, the Infocom games, the old text adventures.

Yes, and I played that on a green screen, IBM green screen, like with the, yeah. I didn't— yeah, very cool.
PAUL DUCKLIN
You can get the emulators for all of those games. Hitchhiker's Guide, the lot.
CAROLE THERIAULT
Super. I didn't know that. That's really cool.
GRAHAM CLULEY
If you like green text on a black background, I can recommend Paul Ducklin's blog as well, which is all monospaced and very old school.
CAROLE THERIAULT
I didn't know you were writing a blog. I want to go check it out, Duck. I didn't even know.
PAUL DUCKLIN
pducklin.com.
CAROLE THERIAULT
Oh, perfect. Easy peasy.
GRAHAM CLULEY
Carole, what's your Pick of the Week?
CAROLE THERIAULT
Well, we haven't mentioned it, but the holidays are upon us. So my pick of the week is top 5 things to get for the cook in your life.

Now, I've not chosen dumb things, I've not chosen obvious things, and I haven't chosen expensive things. So I've got 5 things under $50 for you guys to consider. So no saffron.

Yeah, no saffron. Weirdly, none of it you can eat. These are all tools or, you know. So one is an instant-read thermometer. I use the Thermapen.

This is a digital pen that instantly reads out the temperature of whatever you stick it into. So for example, all baked goods need to be at 200 Fahrenheit or 93 Celsius.

You just know that, and you never overcook or undercook a cake again, right? You never overcook your fish.
PAUL DUCKLIN
But when you get it out, it's full of holes. It looks as though someone's been stabbing it.
CAROLE THERIAULT
We only do it once or twice.
GRAHAM CLULEY
You don't have to destroy— I seem to remember the Thermapen has been a Pick of the Week in the past.
CAROLE THERIAULT
It has, but that's why I've got 4 more. Thank you very much.
GRAHAM CLULEY
Let's see how you do with those ones.
CAROLE THERIAULT
Okay. A second one is a small flat whisk. This is also known as a French whisk or a stainless steel egg beater.

It's got— it's flat and has a coiled ring all around this kind of spoon-like shape.

It is so quick to do egg sauces, dressing, and even whisking whipping up cream for a hot chocolate. It's just a tiny great tool. Single mold mini and large silicone spatulas.

So you can get them with wooden handles, you can get them with different stuff.
PAUL DUCKLIN
Say that again.
CAROLE THERIAULT
Single mold silicone spatulas in a variety of sizes.
PAUL DUCKLIN
I think there's a fetish website for those, isn't there?
CAROLE THERIAULT
Why do you have to make everything dirty? Everything. See, now I'm going to say it will clean out any bowl of goop. Now it feels rude to say that. And they wash up in seconds.
PAUL DUCKLIN
Oh, is that because it works itself into any corner, any shape, any roundness? And that's what I hate about stuff. You want to get something out the bottle, the last bit of mustard.

I keep— it's there, there's quite a lot left, I need one bit, one spoon more, but you put your stainless steel spoon in and you come out with nothing.
CAROLE THERIAULT
Yep, Duck. I'm going to keep my eyes peeled. If I— I'm always on the hunt for them. If I see them, I will buy you one. Oh, number 4 is a marble rolling pin.

Okay, not a wood one or ones with all kinds of, you know, handles and all that. Just a marble stick. It's about 1.5 inches in diameter.

Pastry likes cold, and marble is chilled, and it's way better than silicone or wood in my opinion. Just don't drop it, as I have done, so I have a second one now because they crack.
PAUL DUCKLIN
Also, if they land on your foot, I mean, it's granite, right? This is going to take your toe off. They are heavy.
CAROLE THERIAULT
And the last one is for people with wrist sensitivities. I have that, and a lot of older people have it too.

And so instead of, you know, they have things to open jars and they're these big clunky things. Hate those things. There's an answer. There's these things called rubber gripper pads.

It's basically a tiny thin— we're back to latex and rubber, children. It's a little round rubber and you, thin, and you just put it on top of the lid and bish bash bosh, you open.
GRAHAM CLULEY
Oh, that's so clever.
CAROLE THERIAULT
These are all quite economical and they're all good and used and recommended. So all the links are in the show notes.

These are not necessarily exact ones I have because some I've had for a long time. I had no idea where I got them, but you'll see what I'm talking about. So check out the show notes.

These are my pick of the weeks. Thank you very much.
GRAHAM CLULEY
Fantastic stuff. And that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online and find out what you are up to.

What is the best way for folks to do that?
PAUL DUCKLIN
The best way is to go to pducklin.com, or if it's easier for you, paulducklin.com out in full, or you can follow me on X.

I can't believe I didn't say Twitter, but I'll say Twitter as well. I am @duckblog, and you can find me as P. Ducklin on Facebook and LinkedIn as well.
GRAHAM CLULEY
And that's Ducklin without a G, of course.
CAROLE THERIAULT
I was just saying, did you register that one? Because I'm just looking for it. It is indeed.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G. And we also have a Mastodon account.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Spotify, Overcast, and Apple Podcasts.
CAROLE THERIAULT
And a massive thank you to our episode sponsors, Push Security, Vanta, and Kolide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 351 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, adieu.
PAUL DUCKLIN
Farewell. That's not funny. Toodaloo. Pip pip.

Hosts: Graham Cluley, Carole Theriault

Guest: Paul Ducklin – @duckblog

Episode links:

Sponsored by:

  • Push Security – Monitor and secure your entire identity attack surface, including non-SSO identities. Get notified in real-time to vulnerabilities across all your internet-facing identities, and have your staff guided to fix simple issues.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
