Is there any truth behind the alleged data breach at Fortnite maker Epic Games? Who launched the ransomware attack that caused a fallout at pharmacies? And what’s the latest on the heart-breaking hack of Finnish therapy clinic Vastaamo?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Now, can we trust them? No!
No! You don't have to ask that question.
Everything that comes out of their mouth is just verbal blah blah.
Smashing Security, Episode 362: Ransomware Fraud, Pharmacy Chaos, and Suicide. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 362.
My name is Graham Cluley.
My name is Graham Cluley.
And I'm Carole Theriault.
And Carole, this week we're joined by a special guest, someone who's been on the show plenty of times before, but it is the newly anointed Dame Jessica Barker. Hello, Jess.
Hello. Hello.
Not quite a dame, actually. Not a pantomime dame either.
Not quite a dame. Stretching it a little bit there, but I'm not complaining.
So you've just been awarded an MBE for services to cybersecurity, is that right?
That's correct, yes. Feels very surreal. Popped to Windsor Castle, had a little visit. Oh right, a little visit with Prince William.
And he asked me some pretty good questions about cybersecurity when he pinned the medal on me. Yeah.
And he asked me some pretty good questions about cybersecurity when he pinned the medal on me. Yeah.
Yeah. Are we confident he's got a good password and he's turned on two-factor authentication? Did you have a chance to just check his password?
You know, I didn't ask what his password was, but he assured me he's not going to be giving any money away to princes who promise him, you know, their fortune if he just transfers a little bit of UK sovereign wealth.
So I think we're all right. I think we're doing all right.
So I think we're all right. I think we're doing all right.
I guess the difference is that he does occasionally get genuine emails from foreign princes, whereas the rest of us can't believe them.
But yeah. He's in a trickier position. You know, how can he tell? Right?
Before we kick off, let's thank this week's wonderful sponsors, Collide, KiteWorks, and Vanta. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
Now, coming up on today's show, Graham, what do you got?
I'm going to be asking the essential question, who's frauding who?
Ooh.
And what about you, Jess?
I'm talking more ransomware.
And I'm going to talk about when psychotherapy is not exactly what you expected. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, I think I'm speaking for all of us when I say that we all love video games, don't we? We can't resist, can we? There we are, we're noshing away on our popcorn.
I don't play video games, Tim. You don't play video games? Jess, do you play video games out there in Vegas?
I don't play video games, Tim. You don't play video games? Jess, do you play video games out there in Vegas?
I love Tetris. Just, you know, that's my speed as well, actually.
Yeah.
Yeah, 35 years ago, that was a big deal. Well done. Right, okay. So, so you're, you're up to— yeah.
It hasn't aged. It hasn't dated. I promise you.
I play Snake on my Nokia.
Right.
Bit of software.
Bit of Minecraft, you know.
All right.
Occasional Minecraft, I must admit.
All right. Okay. Well, at the end of February, headlines broke that Epic Games— do you remember Epic Games?
They used to be called Epic MegaGames in my day, but now they're just called Epic Games. They are the people behind Fortnite, that incredible phenomena.
They used to be called Epic MegaGames in my day, but now they're just called Epic Games. They are the people behind Fortnite, that incredible phenomena.
That I've never played or seen.
Yeah.
Well, it's quite some— I have actually played it with children.
They just— because I was so bad at it, as I am at all 3D games, they said, what we're going to do is we're going to turn on your auto-shoot thing so you don't have to press shoot.
You just have to point at someone to shoot, they said.
They just— because I was so bad at it, as I am at all 3D games, they said, what we're going to do is we're going to turn on your auto-shoot thing so you don't have to press shoot.
You just have to point at someone to shoot, they said.
Dad!
I was so lost. I was like, where are you? Where are you? Whenever I tried to turn towards them, of course, I then fired on my own team as well. So it just wasn't successful.
Anyway, Epic Games headlines broke. That it had fallen foul of hackers.
The hackers supposedly had stolen 189 gigabytes of data, including email addresses, names, payment information, source code, the works.
Anyway, Epic Games headlines broke. That it had fallen foul of hackers.
The hackers supposedly had stolen 189 gigabytes of data, including email addresses, names, payment information, source code, the works.
Oh, all the stuff you just don't want out there, right?
All the stuff. And Fortnite is a phenomenon. It's so big. It's where now movies are actually premiered on Fortnite.
You have rock stars performing at virtual events, within the Fortnite game.
You have rock stars performing at virtual events, within the Fortnite game.
Seriously?
There's this huge— Oh, it's extraordinary. It's an amazing amount of money that the Fortnite guys are making. So they have online stores.
Yeah, but oh, so what? So you'd go to an online store and then you'd see a pre-ad, which would be a music video pre—
No, no, no, Carole. I don't understand.
You are in the virtual Fortnite world and there's a concert going on in the world where you can be doing all your Fortnite dancing and everything in front of the stage.
And there up on the stage are the stars or the movie, or— and they also have these massive endorsements by brands.
So the Avengers movies will do a deal with Fortnite to incorporate their characters into the game, or Lego recently have done something with Fortnite as well.
So it's an amazing amount of money slushing around. And so obviously a hack could be extremely damaging.
You are in the virtual Fortnite world and there's a concert going on in the world where you can be doing all your Fortnite dancing and everything in front of the stage.
And there up on the stage are the stars or the movie, or— and they also have these massive endorsements by brands.
So the Avengers movies will do a deal with Fortnite to incorporate their characters into the game, or Lego recently have done something with Fortnite as well.
So it's an amazing amount of money slushing around. And so obviously a hack could be extremely damaging.
And lucrative, depending on what side you're on.
And potentially, yeah, potentially very lucrative for the bad guys.
In this particular case, the people who claimed to be behind the attack were a cybercrime group called Mogilevich. Have you heard of Mogilevich?
In this particular case, the people who claimed to be behind the attack were a cybercrime group called Mogilevich. Have you heard of Mogilevich?
No.
No.
Well, Mogilevich, it turns out, is a real person.
There is a chap, I think he's called Semyon Mogilevich or something, and he is on the FBI's— I think he's number 149 in their top most wanted list.
There is a chap, I think he's called Semyon Mogilevich or something, and he is on the FBI's— I think he's number 149 in their top most wanted list.
Do you want to be— you know, I wonder, if you get to that list, would you want to be in the top 100? Do you do a few bad things just to try and nudge it up? 'Cause you know—
Well, this sounds like, right? You don't want to be 104.
No, you want to be 99 or top 10, maybe.
Yeah.
Well, he used to be in the top 10, but he hasn't done anything that bad to America for about 15 years.
Okay, I see what's happening here.
Comeback. This is the comeback.
As I understand it, he runs some great big criminal operation, mafia style, which cost obviously a lot of people money, caused lots of crimes. He's now in Russia.
He's way out of reach of the American authorities, and he's dropped, he's sort of plopped down the list. He's no longer causing that.
Anyway, that appears to be who this cybercrime group have named themselves after. There's no reason to believe that it's actually connected with him.
But they posted a message on their website on the darknet claiming that they had hacked Epic Games, because of course that's what these gangs do these days, these ransomware gangs.
They advertise who their latest clients are. In other words, the companies they've hacked, how much data they've taken.
Quite often they talk about their market capital as well as to how much money these organizations have.
He's way out of reach of the American authorities, and he's dropped, he's sort of plopped down the list. He's no longer causing that.
Anyway, that appears to be who this cybercrime group have named themselves after. There's no reason to believe that it's actually connected with him.
But they posted a message on their website on the darknet claiming that they had hacked Epic Games, because of course that's what these gangs do these days, these ransomware gangs.
They advertise who their latest clients are. In other words, the companies they've hacked, how much data they've taken.
Quite often they talk about their market capital as well as to how much money these organizations have.
Mm-hmm.
And the newspapers all talked about Epic Games have been hacked.
This hacking group have said it, but some people actually went to the effort of asking Epic Games and said, so you've been hacked then? And Epic Games said, not as far as we know.
This hacking group have said it, but some people actually went to the effort of asking Epic Games and said, so you've been hacked then? And Epic Games said, not as far as we know.
What?
We're investigating.
I can understand this because it's not always easy to know if you have been hacked or not, because when it's something digital which has been taken, when it's something that's been copied as opposed to something that's been physically stolen, it's not like the Mona Lisa has left a gap on the wall, right?
Then it's hard to know if it's happened. And in particular case of Mogilevich, they weren't presenting any evidence that the hack had happened.
So Epic Games said, "There's currently zero evidence that these claims are legitimate. We haven't been contacted by this gang. They haven't provided any proof of this.
All we can see is a screenshot which has been posted up on Twitter of their webpage on the darkweb saying that they've hacked us." And—
I can understand this because it's not always easy to know if you have been hacked or not, because when it's something digital which has been taken, when it's something that's been copied as opposed to something that's been physically stolen, it's not like the Mona Lisa has left a gap on the wall, right?
Then it's hard to know if it's happened. And in particular case of Mogilevich, they weren't presenting any evidence that the hack had happened.
So Epic Games said, "There's currently zero evidence that these claims are legitimate. We haven't been contacted by this gang. They haven't provided any proof of this.
All we can see is a screenshot which has been posted up on Twitter of their webpage on the darkweb saying that they've hacked us." And—
I find it super weird. I'm not surprised that some people would go report this early, right, based on their name.
But are you saying that there was reputable press that were talking about this?
But are you saying that there was reputable press that were talking about this?
Yes, all kinds of press. I was contacted by some security vendors, PR agencies as well, saying, oh, here's our comment on the Epic Games hack.
Yeah.
In the aftermath of this. So you've got to be careful.
And what Mogilevich did was they said, well, look, if you want proof, you are going to have to hand over $15,000 because we don't want, they said, we don't want to hand over any evidence which could be used by other people to claim that they've hacked Epic Games.
And what Mogilevich did was they said, well, look, if you want proof, you are going to have to hand over $15,000 because we don't want, they said, we don't want to hand over any evidence which could be used by other people to claim that they've hacked Epic Games.
So they want a down payment. They want a deposit.
Right. Yeah. It's like, if you want the evidence, give us $15,000, then we'll give you the proof.
This is— I've not heard this before. Have you heard this before?
Not really, no. Normally they show you something.
Yeah, they kind of show off.
They would jack it a bit, or they would publish a bit.
There's been times where claims have been made and it's like, well, where's the evidence? And the evidence hasn't transpired.
But it's interesting, Epic are being very transparent in their statement, aren't they? Saying, you know, we're investigating. They're not just saying we're investigating, full stop.
They're saying we have no evidence and they've given a bit of detail there. But this whole thing of give us $15,000 for us to give any proof, that's, as far as I know, that's new.
But it's interesting, Epic are being very transparent in their statement, aren't they? Saying, you know, we're investigating. They're not just saying we're investigating, full stop.
They're saying we have no evidence and they've given a bit of detail there. But this whole thing of give us $15,000 for us to give any proof, that's, as far as I know, that's new.
So the gang are saying, "We're not going to produce any evidence of the hack because others might use this or claim to have conducted a similar hack." Epic Games are saying, "Well, we can see no evidence there's been a hack at all." And Epic Games isn't the first company which has allegedly been hacked by Mogilevich.
They also claimed last month to hack a subsidiary of Nissan. They also claimed to hack Ireland's Department of Foreign Affairs. And another outfit called Bazaar Voice.
But here's the thing. Here's the thing which has now emerged. A Mogilevich spokesperson.
Now, what— okay, if you're dealing with a ransomware gang, what's the kind of name you expect of a criminal operation? What would the name be of one of their spokespeople?
They also claimed last month to hack a subsidiary of Nissan. They also claimed to hack Ireland's Department of Foreign Affairs. And another outfit called Bazaar Voice.
But here's the thing. Here's the thing which has now emerged. A Mogilevich spokesperson.
Now, what— okay, if you're dealing with a ransomware gang, what's the kind of name you expect of a criminal operation? What would the name be of one of their spokespeople?
Nigel.
Nigel Fingers McVitty, you know, Feathers McGraw, something like that. Well, actually, it was Pongo. So Pongo.
Yeah, that face.
Pongo has come out and it appears that Mogilevich isn't what it was pretending to be. They've now said, we're not a real ransomware gang at all.
They're saying, we are a professional group of scammers who pretend to hack big companies in order to trick people.
They're saying, we are a professional group of scammers who pretend to hack big companies in order to trick people.
Yeah, try and pin that on me. Try and pin that in your legal system, huh? Ah, dancey dance dance dance.
Well, they're still saying that this is a way to make money. So they say this, they say their scam involves multiple layers.
They say it involves false claims where they pretend to hack major companies to gain attention.
They say it involves false claims where they pretend to hack major companies to gain attention.
Okay.
They claim that it's about fake ransomware access, so they offer to sell access to a nonexistent ransomware infrastructure. So they claim to be ransomware as a service.
So they're offering to take on board new affiliates.
So they're offering to take on board new affiliates.
Jesus Christ, the world's going crazy.
If you sign up and give them money.
So they're scamming the ransomware affiliates amongst all of the other stuff they're doing.
Wow.
That's right. They're also— you remember they're asking for $15,000. So it's, you have to give us proof that you can pay $15,000.
They're saying, send us a screenshot of your cryptocurrency wallet so that we can see that you've got that much money in the cryptocurrency. What, $15,000? Yeah, yeah.
They're collecting screenshots of potential buyers, people who want to buy the data, their crypto wallets, and they're then using those screenshots, right, that they've been given to pretend— well, what they're doing is they're using them to use as evidence to sell stolen crypto accounts.
So there's other people who want to buy crypto accounts. They're saying, yeah, well, look at all these ones we've got access to. Here are the screenshots.
They're saying, send us a screenshot of your cryptocurrency wallet so that we can see that you've got that much money in the cryptocurrency. What, $15,000? Yeah, yeah.
They're collecting screenshots of potential buyers, people who want to buy the data, their crypto wallets, and they're then using those screenshots, right, that they've been given to pretend— well, what they're doing is they're using them to use as evidence to sell stolen crypto accounts.
So there's other people who want to buy crypto accounts. They're saying, yeah, well, look at all these ones we've got access to. Here are the screenshots.
Wow.
It's cheeky. It's very cheeky. They're even pretending— so there are access brokers. There are people who say, look, I've hacked into these companies.
I'm not the one deploying the ransomware, but I can sell you access to these companies.
So they've got people who are applying again to work with the Mogilevich ransomware gang, if we call it a ransomware gang for a moment.
They're saying, give us the proof that you can access these companies. And then they are turning around and selling the evidence of access for profit themselves as well.
I'm not the one deploying the ransomware, but I can sell you access to these companies.
So they've got people who are applying again to work with the Mogilevich ransomware gang, if we call it a ransomware gang for a moment.
They're saying, give us the proof that you can access these companies. And then they are turning around and selling the evidence of access for profit themselves as well.
Wow.
So they're using other people's hacks and other people's information to try and convince others that they are hackers. In order to make money.
Do you know what? Amazing.
Yeah. And you're never allowed anymore to say, "Oh wow, how is someone duped by that or by something?" Because the world's gone mad. Right. Look at the links, the effort.
Exactly. The layers of things. Yes.
And they have no shame.
Yes.
It goes to show just when we think we know what the criminals are doing, you know, pretty much, we know their operations, we know how they're working, then something like this comes along.
Like layers upon layers.
Like layers upon layers.
Someone called Pongo has outsmarted many other people.
By the way, they claim that the most money they've made, they claim that they fabricated a data breach at the drone company DJI.
I don't know if you know that, they're quite a popular drone manufacturer.
By the way, they claim that the most money they've made, they claim that they fabricated a data breach at the drone company DJI.
I don't know if you know that, they're quite a popular drone manufacturer.
Okay.
They claim they were able to scam someone for $85,000 after claiming that they'd hacked them. Now, can we trust them?
No!
No.
Do you even have to ask that question? Everything that comes out of their mouth is just verbal blah blah.
Yeah. They say, "We don't think of ourselves as hackers, but rather as criminal geniuses." Yeah. Well, I'm not sure about that.
Thanks, Pongo.
Thanks for that. Noted.
Noted.
I'm not sure anyone who ever calls themselves a genius is actually a genius. If you're calling yourself that.
Yeah.
But these companies who they say have been hacked are suffering. Obviously they have damage done to their reputation.
They're going to incur expenses investigating the false claims, having to get their PR companies or legal department involved.
And in some cases, we've even seen lawyers rush to file class actions, going for compensation for a data breach, which has never actually happened, purely because someone called Pongo has claimed that it has.
They're going to incur expenses investigating the false claims, having to get their PR companies or legal department involved.
And in some cases, we've even seen lawyers rush to file class actions, going for compensation for a data breach, which has never actually happened, purely because someone called Pongo has claimed that it has.
Wow.
And the stress of this, right?
When you're working for an organization and there is this apparent data breach, the stress that causes everybody directly and indirectly in that organization can be huge.
And then to turn it around and find it's actually just a scam within a scam.
When you're working for an organization and there is this apparent data breach, the stress that causes everybody directly and indirectly in that organization can be huge.
And then to turn it around and find it's actually just a scam within a scam.
This is—
I just think, though, there's a weird line, though, that's been grayed out because I can see people bandying this around on socials going, oh my God, did you hear about this? Right?
And if you're a good journalist, she'll be oh, that's interesting, let me do some fucking digging, right?
And if you're a good journalist, she'll be oh, that's interesting, let me do some fucking digging, right?
Yeah, but everyone now is racing to be the first out with the news.
I don't care if you're calling yourself a newspaper and you're saying trust us, not social media.
Yeah, but also there have been hacked companies who've kept quiet about hacks for a long time or said we haven't seen any evidence, and then later, you know, a month and a half later, have to admit, well, oh yes, there was something which happened.
It can be very hard, can't it, to make sense of it all, particularly in the early days. And that's what this group is relying on, right?
They're relying on how difficult it can be to see the wood from the trees.
They're relying on how difficult it can be to see the wood from the trees.
Maybe everyone should just slow the fuck down. Maybe that's what has to happen, right? Everyone just has to chill out, take their time, and think about things before they run around.
As far as we know, there's no actual proof that Pongo and the Mogilevich gang has actually ever scammed anyone for any money at all.
But they have done is they've got journalists to write about them, helping make them famous, and indeed podcasters talk about them.
But they have done is they've got journalists to write about them, helping make them famous, and indeed podcasters talk about them.
I'm just imagining a bunch of these guys, right, sitting around, you know, smoking a big doobie and going, you know what we could do? Do you know what we could do?
And then coming up with this insane plan. And then somehow they were able to pull it off in the real world. And what does that say?
And then coming up with this insane plan. And then somehow they were able to pull it off in the real world. And what does that say?
Yeah.
I think if the doobie were that big, they would never, they'd have to come up with the idea, but maybe not actually imagine it.
Not actually do it.
Jess, what have you got for us this week?
Well, I am continuing the theme of your last few episodes and unfortunately, because we've been talking about ransomware for a while, continuing the theme of lots of conversations in cybersecurity talking about, you've guessed it, ransomware.
Malware, a ransomware attack that has reportedly affected over 67,000 pharmacies and maybe around 130 million customers in the US.
It seems that the BlackCat group are back with an attack on Change Healthcare. I had not heard of Change Healthcare until last week, but hearing a lot about them now.
They connect US healthcare providers with the insurance companies who pay for their services and determine what patients owe.
So in the US, when you're going to get your prescription, often it's a copay thing.
I'm still learning the system here, but copay thing where insurance will pay most of it and you as the patient might pay a small sum.
Malware, a ransomware attack that has reportedly affected over 67,000 pharmacies and maybe around 130 million customers in the US.
It seems that the BlackCat group are back with an attack on Change Healthcare. I had not heard of Change Healthcare until last week, but hearing a lot about them now.
They connect US healthcare providers with the insurance companies who pay for their services and determine what patients owe.
So in the US, when you're going to get your prescription, often it's a copay thing.
I'm still learning the system here, but copay thing where insurance will pay most of it and you as the patient might pay a small sum.
Yeah, so you go into Walgreens or CVS or somewhere like that, you don't have to pay the full charge because some of it's been paid by your insurance.
Exactly. And you've been already paying your insurance, and that's what it's there for, right? And Change Healthcare is huge.
It says that it manages 15 billion claims totaling more than $1.5 trillion every year. Huge.
And recently, late February, it seems that Change Healthcare was hacked and the attack has been claimed by BlackCat, also known as ALPHV.
The criminals stole data about patients, then they encrypted the company files. And, you know, we know how the story goes. Demanded payment to unlock the files, to decrypt them.
Change Healthcare then responded, as many organizations have to do when they're hit with ransomware, by shutting down most of its network to try and contain and recover from this horrible situation.
And it's especially horrible because it's having a huge impact on people. Many patients saying they can't get their medication at all because of this.
Lots of people saying they are going to a pharmacy thinking they're going to be getting their prescription, and then they're given a choice.
They either pay full price for medication or go without.
It says that it manages 15 billion claims totaling more than $1.5 trillion every year. Huge.
And recently, late February, it seems that Change Healthcare was hacked and the attack has been claimed by BlackCat, also known as ALPHV.
The criminals stole data about patients, then they encrypted the company files. And, you know, we know how the story goes. Demanded payment to unlock the files, to decrypt them.
Change Healthcare then responded, as many organizations have to do when they're hit with ransomware, by shutting down most of its network to try and contain and recover from this horrible situation.
And it's especially horrible because it's having a huge impact on people. Many patients saying they can't get their medication at all because of this.
Lots of people saying they are going to a pharmacy thinking they're going to be getting their prescription, and then they're given a choice.
They either pay full price for medication or go without.
So you're living out in the States now, Jess. Do you know anyone who's been affected by this?
I have heard from a few people. I don't know anyone directly, but heard from a few people and certainly been reading a lot about it.
I read just before we went to record this in the Washington Post, one patient saying of the difficulty she's been having getting medicine for her bipolar disorder.
I read just before we went to record this in the Washington Post, one patient saying of the difficulty she's been having getting medicine for her bipolar disorder.
Oh my God.
First, she was told she couldn't get it at all. Then she's told, oh, we can give you the medication that you need, but you're gonna have to pay $1,700 for one month's supply.
Oh my goodness.
And so she's obviously having to try and manage all of this. Incredibly stressful. I can't even imagine.
She's then told, oh no, you only have to pay us $450, but normally it should only cost her $15.
And so people are in this position where they are not able to afford to get the medicine that they need.
And to make it worse, the communications have been criticized, and it seems that patients are only finding out if their coverage has been affected when they turn up to try and get treated by a doctor or get their medication.
So people aren't—
She's then told, oh no, you only have to pay us $450, but normally it should only cost her $15.
And so people are in this position where they are not able to afford to get the medicine that they need.
And to make it worse, the communications have been criticized, and it seems that patients are only finding out if their coverage has been affected when they turn up to try and get treated by a doctor or get their medication.
So people aren't—
Which is when they've run out of the medicine.
That's when you need it the most, when you need it, and suddenly you're confronted with this.
You haven't been told in advance, no preparation, and you stood there in a pharmacy probably feeling pretty vulnerable.
You haven't been told in advance, no preparation, and you stood there in a pharmacy probably feeling pretty vulnerable.
So basically the insurance companies are refusing to pay out on good faith at the moment, is basically what's happening.
I think it's changed healthcare.
They're the bit which actually look it up on your insurance records and can tell the pharmacist, yes, this has been paid for by so-and-so, therefore they don't have to pay so much.
They're the bit which actually look it up on your insurance records and can tell the pharmacist, yes, this has been paid for by so-and-so, therefore they don't have to pay so much.
Yeah.
So that bit of the infrastructure isn't working.
Yeah, supply chain meltdown. Yeah, it is.
And the pharmacies are then stuck, like they just don't know, they don't have the information, and they don't have a ton of cash.
They're often independent places. I know there's some big ones, but I'm sure that maybe independent ones also got hit.
Yeah, yeah, it's affecting so many.
Said to be costing hospitals in the US millions, and the American Hospital Association has said this is the most significant attack on healthcare in US history.
Said to be costing hospitals in the US millions, and the American Hospital Association has said this is the most significant attack on healthcare in US history.
So it's been huge. A bigger attack than that done by the politicians over the years. That's really bad then, isn't it? I mean, healthcare system.
I mean, it does open up a whole debate, doesn't it, of people paying for healthcare and the kind of impact that it can have when you don't have insurance covering your payments for whatever reason that may be, if it's ransomware or something else.
And so it's had this huge impact. It's really hit the headlines. There's been lots of people talking on social media, of course, about the impact that it's having on them personally.
And just as we were going to record, I saw Wired reporting that Black Cat have apparently received a payment of 350 bitcoin, equivalent to about $22 million. Wow.
So of course, speculation that because of all of this disruption, they have been paid off.
As we know, it can be a case where ransomware gangs are paid and then there's still a whole heap of disruption, and it doesn't mean things necessarily just ping back to normal.
And the news just in, as we're seeing a return of the debate about whether to ban ransomware payments. So very interesting.
And so it's had this huge impact. It's really hit the headlines. There's been lots of people talking on social media, of course, about the impact that it's having on them personally.
And just as we were going to record, I saw Wired reporting that Black Cat have apparently received a payment of 350 bitcoin, equivalent to about $22 million. Wow.
So of course, speculation that because of all of this disruption, they have been paid off.
As we know, it can be a case where ransomware gangs are paid and then there's still a whole heap of disruption, and it doesn't mean things necessarily just ping back to normal.
And the news just in, as we're seeing a return of the debate about whether to ban ransomware payments. So very interesting.
Yeah, we had that debate a few weeks ago on the show with someone, and yeah, it's a really difficult one, isn't it? Yeah.
I guess Change Healthcare probably has insurance for this kind of thing.
Yeah.
So it's good that they were able to look up, or their insurers were able to look up, whether they were actually insured in order to pay the ransomware gang.
At least that bit of the infrastructure was working.
At least that bit of the infrastructure was working.
And we know, you know, many ransomware gangs have said that they specifically target insurance companies to find out who's got insurance and then go after the people who've got insurance, 'cause they know, I think one of them described such targets as the tastiest morsel.
I read that while writing my forthcoming book, "Hacked: The Secrets Behind Cyberattacks," where I talk about ransomware.
I read that while writing my forthcoming book, "Hacked: The Secrets Behind Cyberattacks," where I talk about ransomware.
Oh, you've got an upcoming book, Jessica, there.
What?
What? This is hot news.
Oh, did I mention that?
You kept that quiet.
Yep, book coming out in April.
And one of the chapters, of course, is on ransomware, as well as lots of other issues that we're dealing with in cybersecurity and some of these stories that emerge, some of these issues that come out and the impact they have.
And one of the chapters, of course, is on ransomware, as well as lots of other issues that we're dealing with in cybersecurity and some of these stories that emerge, some of these issues that come out and the impact they have.
I look forward to hearing more about your book in the Pick of the Week section later on.
Carole, what have you got for us this week?
Okay, I'll kick off with a question. Have either of you been to some sort of therapy in your lives? Don't worry, I'm not going to ask for any details.
I thought you were volunteering to be my new therapist. I have.
I have therapy after every podcast.
Oh, do you? Oh. But one of the big challenges, well, at least for me, at the start is how do you trust an absolute stranger with your deepest, darkest stuff?
Yep. Yep.
Now, if the fit's right between you and your therapist, I guess the trust grows and then you start sharing the hardest stuff all in the name of improved mental health.
So to that we say yay. But what happens if the trust between patient and therapist is broken? And you've already shared some stuff, it could be absolutely catastrophic.
So to that we say yay. But what happens if the trust between patient and therapist is broken? And you've already shared some stuff, it could be absolutely catastrophic.
Well, if you find out your therapist has got a bit of a big mouth and they're gobbing off to other people about your private—
Yeah, or they're recording you secretly so that they can then share it.
Oof, that would be horrendous.
Okay, so this story starts way back in 2008, and there's this brand-new psychotherapy clinic that was opened in Helsinki, Finland. Called Vastaamo.
And Vastaamo provided mental or private mental health services to its patients through 25 therapy centers dotted across Finland.
And they even subcontracted their services to the Finnish health system.
And you would think, right, or maybe I'm crazy, but you would think, especially if you worked with the national health system, that you'd have pretty robust security in place.
I mean, therapists, literally the protectors of secrets.
And Vastaamo provided mental or private mental health services to its patients through 25 therapy centers dotted across Finland.
And they even subcontracted their services to the Finnish health system.
And you would think, right, or maybe I'm crazy, but you would think, especially if you worked with the national health system, that you'd have pretty robust security in place.
I mean, therapists, literally the protectors of secrets.
You'd hope so.
Well, we're wrong. So in October 2020, okay, so this is what, 12 years after they opened, Vastaamo announced to the world that they had been hacked.
And worse than that, they said that the attackers had stolen patient records, approximately 36,000 confidential psychotherapy patient records and 400 employee records were now in the wrong hands.
And surprise, surprise, we have a trifecta of ransomware discussion today. A ransom was demanded of approximately €450,000 in bitcoin.
And the threat was pay up or these records will find themselves in the public arena.
And worse than that, they said that the attackers had stolen patient records, approximately 36,000 confidential psychotherapy patient records and 400 employee records were now in the wrong hands.
And surprise, surprise, we have a trifecta of ransomware discussion today. A ransom was demanded of approximately €450,000 in bitcoin.
And the threat was pay up or these records will find themselves in the public arena.
And this wasn't Pongo who had got in touch with Vastaamo, was it?
No, I don't think so.
No, I don't think it was.
No, no, no, no. But this is a tricky one, similar to yours, I think, Jess, which was pretty tricky. That question, to pay or not to pay, because you're affecting here mental health.
Yeah.
And I would like to think that patient records are at least pseudonymized. The GDPR word, isn't it?
So if I were a patient, maybe I would be recorded in my notes only via reference number, just in case the information maybe got in the wrong hands, so they might know personal information, but they wouldn't be able to directly tie it to me specifically.
So if I were a patient, maybe I would be recorded in my notes only via reference number, just in case the information maybe got in the wrong hands, so they might know personal information, but they wouldn't be able to directly tie it to me specifically.
It does. And why not have a system like that? What's the harm of a system like that?
Sounds sensible.
Exactly. And since GDPR regulations have been passed, you know, this is 2020 we're talking about, this is not a crazy assumption on my part. But it turns out I am bonkers, guys.
I'm totally bonkers. Graham, you're always right.
The hacked patient database contained clients' personal information such as their full names, home address, email address, social security numbers, name of the clinics where they receive treatments, therapists, and doctor's notes from each session.
So things like, I hate my boss, dad, mother, sibling, spouse. I have addictions to food, drugs, gambling, alcohol. I was mistreated, unloved, unseen. All that stuff.
I'm totally bonkers. Graham, you're always right.
The hacked patient database contained clients' personal information such as their full names, home address, email address, social security numbers, name of the clinics where they receive treatments, therapists, and doctor's notes from each session.
So things like, I hate my boss, dad, mother, sibling, spouse. I have addictions to food, drugs, gambling, alcohol. I was mistreated, unloved, unseen. All that stuff.
Yep.
And all this found its way into the hands of the baddies threatening to release the fully identifiable patient records to a zealous online crowd of nosy parkers.
Oh, absolute nightmare scenario for everyone.
So the company resists the ransom. They say, no, we're not going to pay, we're not going to pay. So the hacker, AKA ransomware, okay, clever, clever, I see what he did.
He published the therapist notes of at least 300 patients, including politicians and police officers, and this was all on Tor. But the hacker didn't stop there.
He also thought it might be fun to approach victims directly because, God, he had all their information, full name, email address, social insurance number, and why not email them directly with extortion demands, you know, saying, hey, pay me €200 in bitcoin within 24 hours.
Or actually, the ransom will go up after that to €500.
He published the therapist notes of at least 300 patients, including politicians and police officers, and this was all on Tor. But the hacker didn't stop there.
He also thought it might be fun to approach victims directly because, God, he had all their information, full name, email address, social insurance number, and why not email them directly with extortion demands, you know, saying, hey, pay me €200 in bitcoin within 24 hours.
Or actually, the ransom will go up after that to €500.
Oh, this is awful.
He's just a shit, isn't he?
He's such a shit. He's such a shit, whoever this guy is, but we're gonna find out, hopefully, by the end of this story.
Now, Graham, you talked about this on an earlier Smashing Security episode.
Now, Graham, you talked about this on an earlier Smashing Security episode.
Yeah.
But suddenly, there was a huge leak, a 10-gigabyte data file containing the private notes of at least 2,000 patients and their therapists, right? All this appears on the dark web.
Web.
But along with that, the attacker also managed to upload the contents of his very own computer at the same time.
Oh, basically advertising his involvement in the crime to anyone who might have been looking for him. And trust me, the Finnish authorities were.
Oh, basically advertising his involvement in the crime to anyone who might have been looking for him. And trust me, the Finnish authorities were.
I bet.
Yeah, we've all done it. We've all done the click, drag, drop oops, haven't we? Where we just copy far too much. Attach the wrong file.
Yeah, I once replied all— this is when I was working in a company— and I replied all a message that I should not have replied all to.
And, boy, did I— I still had an Ethernet cable. I thank God I ripped that cable out so fast.
And, boy, did I— I still had an Ethernet cable. I thank God I ripped that cable out so fast.
Oh my Lord.
It's nice to know the criminals do this too, you know, these criminal geniuses. Nice to know they make the same mistakes.
Well, unfortunately, with his mistake, he leaked basically his entire data dump of all these people who had all their secret notes with their therapist, all their information.
Now, this accident of his led to the arrest, his arrest by French authorities, who soon extradited him to Helsinki.
And as I speak, Ransom Man is now on trial, and the prosecutors are asking for the maximum penalty of 8 years.
And he stands accused of aggravated computer break-in on nearly 10,000 counts of dissemination of information violating personal privacy and more than 20,000 counts of attempted aggravated extortion and 20 counts of aggravated extortion.
So they've got him. He's got a lot of counts.
Now, this accident of his led to the arrest, his arrest by French authorities, who soon extradited him to Helsinki.
And as I speak, Ransom Man is now on trial, and the prosecutors are asking for the maximum penalty of 8 years.
And he stands accused of aggravated computer break-in on nearly 10,000 counts of dissemination of information violating personal privacy and more than 20,000 counts of attempted aggravated extortion and 20 counts of aggravated extortion.
So they've got him. He's got a lot of counts.
Because this was a huge crime in Finland, wasn't it? It was one of the biggest cases ever, I think, in terms of the number of people who were impacted.
And in terms of well-being and the psychological impact of this, it just— you dread to think to be an individual and receive an email like that trying to extort money from you.
Otherwise, your deepest, darkest fears and secrets are going to go out there in public. It's just a horrible scenario to think about putting someone through that.
Otherwise, your deepest, darkest fears and secrets are going to go out there in public. It's just a horrible scenario to think about putting someone through that.
Okay, this is my big question for you two here. Okay, the moral quandary I got myself into when I was writing this.
So this for me is invasion of privacy as serious as it gets, right? I think we all can agree on that. It's even led to suicides.
And then I started wondering whether this hack is worse than the hack on adult hookup site Ashley Madison, which happened what, 8 years ago? I have no idea.
Where victims were effectively ousted online as cheaters.
So this for me is invasion of privacy as serious as it gets, right? I think we all can agree on that. It's even led to suicides.
And then I started wondering whether this hack is worse than the hack on adult hookup site Ashley Madison, which happened what, 8 years ago? I have no idea.
Where victims were effectively ousted online as cheaters.
I think it's worse.
Why?
Because people who are going to therapy are people who are already struggling with their mental health, whereas people who are having affairs with a virtual bot on Ashley Madison—
I would argue they probably are doing the same. They're probably—
But I think they're probably less able to cope with the stress and anxiety. It's they're going through a tough time anyway, which is why they're getting therapy.
The last you want is the threat that your information is going to be made public.
The last you want is the threat that your information is going to be made public.
Public. And actually, people can actually mandate you to go to therapy, right? That can be a court mandate, or it can be a job mandate.
So you may not even have chosen to go there on your own.
So you may not even have chosen to go there on your own.
Yeah. And then you've opened everything up, and any positive benefit that has come from that therapy could be in jeopardy from going through this, right?
And then what, you're gonna— how are you gonna recover from something this? It has such an impact on trust, doesn't it? It's, I think it's worse.
I mean, it certainly reminded me of Ashley Madison as you were talking through it in terms of the impact. It just doesn't bear to think about doing this to people.
And then what, you're gonna— how are you gonna recover from something this? It has such an impact on trust, doesn't it? It's, I think it's worse.
I mean, it certainly reminded me of Ashley Madison as you were talking through it in terms of the impact. It just doesn't bear to think about doing this to people.
Yeah, I don't normally say I hope he gets the whole maximum penalty because I'm not big on that, but in this case, it's pretty, it's pretty shitty.
Yeah.
And there's also some, the fact that he went after individual patients, proving that he knew everything and tried to extort. It's just— it's too gross for words.
That's a whole other level, isn't it? To do that and know that you are going directly to a person.
And presumably, he dipped into the files and he read, you know, what was in those notes, and then to go to that person just is really hard to get your head around someone doing that.
And presumably, he dipped into the files and he read, you know, what was in those notes, and then to go to that person just is really hard to get your head around someone doing that.
The guy who's in court at the moment, Aleksi Kivimäki, I think his name is.
Kivimäki, yeah.
Yeah, he's also been associated with Lizard Squad, if you remember them. They brought down PlayStation Network.
Oh, yes.
There's all kinds of other hacks and generally shitty behavior, which has been coming from that corner of cyberspace.
So, yeah, Graham, should we award him the Smashing Security Dipshit Award?
Yes. Dipshit of the year? I don't know, decade? I just think it's really, really scummy.
Well, I'll start with the week. We can maybe do it every week.
Oh, we could have a little jingle, maybe. Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands.
Companies that continue relying on outdated technology put their sensitive data at risk.
Well, this podcast is sponsored by KiteWorks, who enable organizations to effectively manage risk in every send, share, receive, and save wave of sensitive content.
To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications.
KiteWorks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure platforms, managed file transfer, and governed SFTP servers.
Visit KiteWorks.com to get started today. That's KiteWorks.com, and thanks to them for supporting the show.
Companies that continue relying on outdated technology put their sensitive data at risk.
Well, this podcast is sponsored by KiteWorks, who enable organizations to effectively manage risk in every send, share, receive, and save wave of sensitive content.
To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications.
KiteWorks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure platforms, managed file transfer, and governed SFTP servers.
Visit KiteWorks.com to get started today. That's KiteWorks.com, and thanks to them for supporting the show.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta.
Vanta gives you one place to centralize and scale your security program. Quickly access risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more.
You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.
Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.
All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.
Vanta gives you one place to centralize and scale your security program. Quickly access risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more.
You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers.
Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta.
All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.
Smashingsecurity.com/smashing.
And thanks to Vanta for sponsoring the show.
You've probably heard us talk about Kolide before, but did you know Kolide was just acquired by 1Password?
Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.
For over a year, Kolide Device Trust has helped companies with ensure that only known and secure devices can access their data.
And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.
That's k-o-l-i-d-e.com/smashing, and thanks to them for supporting the show. And welcome back. Can you join us for our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first.
For over a year, Kolide Device Trust has helped companies with ensure that only known and secure devices can access their data.
And that's what they're still doing, but now as part of 1Password. So if you've got Okta and you've been meaning to check out Kolide, now's a great time.
Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM like your Linux fleet, contractor devices, and every BYOD phone and laptop in your company.
Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.
That's k-o-l-i-d-e.com/smashing, and thanks to them for supporting the show. And welcome back. Can you join us for our favorite part of the show?
The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is possibly slightly security-related. Because we've just had this wonderful thing. What a fantastic thing that we have.
Okay, we've had decimalisation, so we no longer use pounds, shillings, and pence. You know, we went metric, right? We went decimal. Fantastic. That's happened.
Many countries now, they've dropped the mile. They're using kilometres instead. Tremendous.
But we still have this oddity which is known as time, where we're splitting days up into 60-minute hours, and there's 24 hours of those in a day, and there's 365 days in a— eh, not this year though, because this year was a leap year.
So every 4 years, as we know, we inject an extra day into the calendar. And what do you know? Things go wrong.
Because yes, ladies and gentlemen, even in 2024, 24 years after the Millennium Time Bomb—
Okay, we've had decimalisation, so we no longer use pounds, shillings, and pence. You know, we went metric, right? We went decimal. Fantastic. That's happened.
Many countries now, they've dropped the mile. They're using kilometres instead. Tremendous.
But we still have this oddity which is known as time, where we're splitting days up into 60-minute hours, and there's 24 hours of those in a day, and there's 365 days in a— eh, not this year though, because this year was a leap year.
So every 4 years, as we know, we inject an extra day into the calendar. And what do you know? Things go wrong.
Because yes, ladies and gentlemen, even in 2024, 24 years after the Millennium Time Bomb—
No!
Software developers are still falling over themselves and have bugs in their code.
In New Zealand, as we hit February 29th, and of course New Zealand gets hit first because that's the first sort of major populated place where the new year comes in, where a leap year comes in, some of their gas stations across the country stopped people to pay for their gas, for their petrol, on Thursday because it couldn't cope with the date of February 29th.
And so they weren't able to process payments, which I think is rather quaint in 2024 that that kind of thing is still happening almost a quarter of a century after Y2K.
And I also noticed that some security vendors and software vendors also failed as a consequence of the leap year bug. Oh! Including, yes, including a company known as Sophos.
I don't know if you've ever heard of them, Carole. No! A number of their pieces of software failed on February the 29th, as did Citrix as well. Some of its software.
In New Zealand, as we hit February 29th, and of course New Zealand gets hit first because that's the first sort of major populated place where the new year comes in, where a leap year comes in, some of their gas stations across the country stopped people to pay for their gas, for their petrol, on Thursday because it couldn't cope with the date of February 29th.
And so they weren't able to process payments, which I think is rather quaint in 2024 that that kind of thing is still happening almost a quarter of a century after Y2K.
And I also noticed that some security vendors and software vendors also failed as a consequence of the leap year bug. Oh! Including, yes, including a company known as Sophos.
I don't know if you've ever heard of them, Carole. No! A number of their pieces of software failed on February the 29th, as did Citrix as well. Some of its software.
Quel dommage!
Indeed, indeed. And okay, so here's my question. Is this a pick of the week or is this a nitpick of the week?
Is my nitpick that leap years actually exist and we haven't yet decimalized time, or is my pick of the week that I'm actually tickled by the fact that we're still having these problems?
And let's not even talk about the Linux time bomb, which is, is it 2038? Okay, let's not. I'm giving you warning now. I mentioned it here first.
That's when we're going to have trouble as well with Linux, but yeah.
Is my nitpick that leap years actually exist and we haven't yet decimalized time, or is my pick of the week that I'm actually tickled by the fact that we're still having these problems?
And let's not even talk about the Linux time bomb, which is, is it 2038? Okay, let's not. I'm giving you warning now. I mentioned it here first.
That's when we're going to have trouble as well with Linux, but yeah.
Well, I your nitpick pick of the week, Graham. And you know, if we can do away with time, that means we can do away with time zones and that would make me very happy.
And aging.
Right, yeah, yeah, I'm on board.
Fantastic. Jess, what's your pick of the week?
Well, mine is not security related at all. I recently discovered the delightful Resident Alien. When it landed, pun intended, fully on Netflix. Have either of you seen Resident Alien?
No, I haven't heard of it. What's it about?
Well, it's been out there for a while, but it's only recently come to Netflix. We really enjoyed it. It is surprisingly wholesome and at times very much laugh out loud.
It's kind of a light sci-fi comedy about an alien who crashes on Earth during a mission to wipe us humans out of existence.
So, you know, kind of premise we've heard before and doesn't necessarily sound necessarily hilarious, but I would highly recommend it.
It's sort of easy to watch, it's escapism, and it's a kind of adult, but not that kind of adult, Mork and Mindy.
It's kind of a light sci-fi comedy about an alien who crashes on Earth during a mission to wipe us humans out of existence.
So, you know, kind of premise we've heard before and doesn't necessarily sound necessarily hilarious, but I would highly recommend it.
It's sort of easy to watch, it's escapism, and it's a kind of adult, but not that kind of adult, Mork and Mindy.
Not porn aliens, thank God.
No, certainly we're not up to season 2 anyway. I can't speak beyond that. It might all take a turn.
But I loved Mork and Mindy when I was growing up, and it's slightly— it's got a slight Mork and Mindy but for 2024 vibe, slight undertone, you know, of darkness, but very funny and kind of wholesome.
So if you're looking for some escapism that might also surprise you so check out Resident Alien. Let me know what you think.
But I loved Mork and Mindy when I was growing up, and it's slightly— it's got a slight Mork and Mindy but for 2024 vibe, slight undertone, you know, of darkness, but very funny and kind of wholesome.
So if you're looking for some escapism that might also surprise you so check out Resident Alien. Let me know what you think.
Fantastic.
Thank you very much, Jess. Krow, what's your pick of the week?
Well, mine is a bit adult.
Surprise, surprise.
'Cause I really enjoy house porn.
Pardon? Excuse me?
You know, if I have a few hours to myself, I might choose to dim the lights, put on my joggers, get a cuppa, cup of tea and open up Rightmove.
Oh, I see. Oh, right.
We really wondered where that was going.
And then I might put in a random location. My most recent one was Cardiff. And then I put in some random price bracket and then I just gawk at people's houses.
Ooh, look at the extension on that one. That kind of thing.
Yeah. Or you know, the current owner's a hoarder, right? And once I saw open bills with addresses on the desk and I gave the story to a BBC journalist Zoe Klein, right?
To warn people not to do that, to be more careful. So, this Reddit community, this is all on Reddit.
This is actually a Pick of the Week that comes from fan of the show, CEO of Traced, Ben Jones. It's a Reddit sub called Spotted on Rightmove.
And it's a community that collates wacky properties found on the UK house flipping site, Rightmove.
I don't know if you have I don't know if we have it outside the UK, but you'll see hugely inflated house prices or incredibly nasty bathroom suites, or there's one where it's, is that blood on the mirror?
Right? Or just unusually beautiful or nasty places to live. So one that I saw had this bath, you know, and people talk about the avocado suite being pretty hideous.
This one is basically raspberry ripple ice cream. So it kind of looks like there's blood everywhere across the backs. There's another living room covered with swords of all sorts.
And my favorite, and the title in the subreddit, the title of the thread is, this property is perfect if you want to warm up your lunch while taking a poop.
Oh, because the toilet is literally a foot away from the counter in the kitchen. Yes.
To warn people not to do that, to be more careful. So, this Reddit community, this is all on Reddit.
This is actually a Pick of the Week that comes from fan of the show, CEO of Traced, Ben Jones. It's a Reddit sub called Spotted on Rightmove.
And it's a community that collates wacky properties found on the UK house flipping site, Rightmove.
I don't know if you have I don't know if we have it outside the UK, but you'll see hugely inflated house prices or incredibly nasty bathroom suites, or there's one where it's, is that blood on the mirror?
Right? Or just unusually beautiful or nasty places to live. So one that I saw had this bath, you know, and people talk about the avocado suite being pretty hideous.
This one is basically raspberry ripple ice cream. So it kind of looks like there's blood everywhere across the backs. There's another living room covered with swords of all sorts.
And my favorite, and the title in the subreddit, the title of the thread is, this property is perfect if you want to warm up your lunch while taking a poop.
Oh, because the toilet is literally a foot away from the counter in the kitchen. Yes.
That's not allowed.
Surely. Is that in London and does it cost a fortune? That would be my assumption.
Yeah, most of them seem to be in London and costing an absolute fortune. So there you go. The Reddit sub that is my pick of the week is called Spotted on Rightmove.
Have fun if this sounds like your thing, and thank you, Ben, for this pick of the week.
Have fun if this sounds like your thing, and thank you, Ben, for this pick of the week.
Crikey. Oh, it looks quite addictive, this. I mean, there are a lot of people who love to look around other people's houses, but this is a curated list.
I just wish I'd known about it before and was more active user of Reddit because I have seen some absolute howlers. And I think I could have just got a lot of social juice there.
Well, that just about wraps up the show for this week. Jess, I'm sure lots of our listeners would love to follow you online and find out what you are up to.
What's the best way for folks to do that?
What's the best way for folks to do that?
You can find me on pretty much all of the socials, including my recent foray into YouTube and TikTok, @drJessicaBarker.
And shameless plug, of course, I have a new book coming soon, which you can pre-order now, Hacked: The Secrets Behind Cyberattacks.
And shameless plug, of course, I have a new book coming soon, which you can pre-order now, Hacked: The Secrets Behind Cyberattacks.
Brilliant.
Super duper. And you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to do that. We've also got a Mastodon account.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast.
And huge, huge thank yous to our episode sponsors, Kolide, KiteWorks, and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 361 episodes, check out smashingsecurity.com/podcast.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 361 episodes, check out smashingsecurity.com/podcast.
Smashingsecurity.com.
Until next time, cheerio, bye-bye, bye-bye, bye-bye.
Bro, these houses.
Who would make a sandwich and have a shit? Who does that?
That picture.
Here, I'll try and get you this bathtub because it is just unbelievable.
Oh, that bath.
Oh my giddy aunt.
What would possess someone to ever—
Oh boy.
Just honestly, the raspberry ripple is banging on.
It looks like someone died in there.
I think I saw something like this on Breaking Bad.
Boy, oh boy.
Boy, yeah, that's a whole other level. The loo seat matches, doesn't it? The loo seat and the sink match.
Oh yeah, and the sink—
Someone has committed to their vision. It's not turned out the way most of us might like, but someone's really gone all in on that.
Brilliant.
Jess, thank you so, so much.
Yes, thanks, Jess.
Thank you, it's really nice, really good fun.
And thank you so much for talking to us. We're very honored, milady.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Jessica Barker – @drjessicabarker
Episode links:
- Mogilevich claims it has breached Epic Games – Twitter.
- Fraudster’s fake data breach claims should remind media to be carefu what we report – DataBreaches.net.
- Prescription orders delayed as US pharmacies grapple with “nation-state” cyber attack – Bitdefender.
- US pharmacy outage triggered by ‘Blackcat’ ransomware at UnitedHealth unit, sources say – Reuters.
- Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment – Wired.
- Vastaamo data breach – Wikipedia.
- The CEO who also ran IT, Strava strife, and TikTok tall tales – Smashing Security podcast.
- Ex-CEO of hacked therapy clinic sentenced for failing to protect patients’ session notes – Bitdefender.
- Ex-CEO of breached pyschotherapy clinic gets prison sentence for bad data security – Sophos.
- Vastaamo victims’ lawyer: Some took their own lives after patient record leak – Yle.
- Prosecutors call for maximum penalty over Vastaamo hacking – Helsinki Times.
- Self-pay gas station pumps break across NZ as software can’t handle Leap Day – Ars Technica.
- Citrix, Sophos software impacted by 2024 leap year bugs – Bleeping Computer.
- Resident Alien trailer – YouTube.
- Resident Alien – Netflix.
- r/SpottedonRightmove – Reddit.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
