Smashing Security podcast #369: Keeping the lights on after a ransomware attack

There's a very simple reason I suspect why they're not doing that anymore. Two words. Bird poop. Oh yeah. Is this true or are you just guessing? You're guessing, okay?

Smashing Security, episode 369. Keeping the lights on after a ransomware attack with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 369. My name's Graham Cluley. And I'm Carole Theriault. Carole, you are back from your secret mission overseas, underwater. I am. On a different planet. I don't know where it was. It's all secret.

Yeah, I'm going to be talking about that in the Pick of the Week. But can I tell you something absolutely gorgeous and spring-like that I can tell you? Oh, yeah. Because remember a few weeks ago, I was like, oh, I have a Pick of the Week. It's this app called Merlin Bird ID. Oh, yeah, yeah, yeah, yeah. Anyway, so I come home from my adventures and I have three baby robins in my garden. And they came into the house. They flew into the house. I was a total, what's the Disney girl that has all the... Oh. Cinderella? Snow White? Snow White, I don't know. One of them, most of them have little birds floating around. That was me. I had all these tiny little birds flying around in and out of my house and it was gorgeous. So happy spring, everyone from England. So let's thank this week's wonderful sponsors, Collide, Sonrai and Vanta. It's their support that helps give you this show for free. Now, coming up on today's show, Graham, what do you got?

I'm going to be asking, will the last company to be hit by ransomware please turn off the lights? And I'm heading to India because they've just kicked off their new elections. Now chums, let's travel to old blighty the UK and there is a city in the UK called Leicester and for our American friends it's spelled Leicester.

Yeah. And I'm imagining, no offence to Leicester's city council, but I'm imagining they are not as tight in security terms as, say, a bank, for example. Well, maybe not. But if you think about it, just as it's really important to secure your funds, it's really important to secure your citizens' details. Because if you live in that area, you don't have any choice. You have to give your information to the council. Because you want your bins picked up and you have to pay your council taxes and all the rest of it. Vote and stuff like that. So they had had some information stolen then. Yeah, that's right. Yeah. And they described that data leak as a very serious matter. Twenty-five documents, they said. It doesn't sound like a lot, 25. I have no idea how big the documents are. Oh, I see. What you're thinking is maybe they're RTF files with a great big bitmap embedded inside them. So they're actually 312 gigabytes or something. I mean, it's not that huge, is it really? I'm wondering, though, okay, so the Leicester City Council will have probably one, maybe a handful of people that look after IT. I imagine they've got a few more than one or a handful. I would think they'd have. Really? In this age of AI, Graham, I don't know if you could be sure about that. You're just too old to understand how things work these days. I'm telling you. Leicester's quite a big city, isn't it? I think it is. It's bigger than Magdeburg. Is it bigger than Magdeburg? Let's not start that again. Anyway, quite a big difference. 25 documents, 1.3 terabytes, maybe up to three terabytes. You can understand why some people might think that the attacker sent the council back to the dark ages and whether it can do enough to keep the lights on. Okay, I have no idea.

What's happened is the streetlights have been found to be permanently on 24 hours a day, and no one knows quite how to turn them off.

What, are you kidding me? Nope. This is your story. That's what I'm shocked at. Okay, so the lights on the Leicester streets are on continuously.

Continuously. And it's the consequence of a ransomware attack. There's a 65-year-old guy called Roger Ewans. He told the Leicester Mercury that the streetlights down his neck of the woods have been turned on constantly. So he complains to the council. I imagine Roger complains quite a lot about things to the council. He hasn't got much to do. And he said that they got back to him and said the ransomware attack had attacked and affected the central management system and that the streetlights were, quote, misbehaving.

Okay, I don't know how streetlights work in Leicester, but in my neck of the woods, they are on all night, right? I don't think I would notice them even being on during the day. I'm not Roger Ewins, but it's not giving light pollution is all I'm saying.

I'm not sure everyone's streetlights do stay on all night long. I would love if mine didn't, to be honest. Well, exactly, because it can bleed straight through into your bedroom window, can't it? It does. It can ruin your sleep. It's a very important thing. And some of these newer streetlights with the LED, you know, it's all designed to save energy and everything. And it's oh, my goodness, that's so bright. Can't cope with that. You end up having to buy really thick curtains, don't you, Carole?

I do have very thick curtains.

Say no more. So a city council spokesperson said, "We are aware of a number of streetlights that are staying on during the day. This is due to a technical issue related to the recent cyber attack. When we were forced to shut down our systems, it means we are currently not able to remotely identify faults in the street lighting system." What?

I wish they'd give us more information. Surely if they shared this with the world, some techno wizard would say this is how you can do it.

Well, you don't want any old Thom, Dick or Harry shimmying up Streetlight, Carole, trying to debug them.

No, I imagine they would have emailed them and said, maybe do this in the code, you know, check this out.

Oh, what, so they should just publish the Streetlight code on GitHub and say go for it in their remote access system? Because these things are about to, I bet Streetlights have got a default password. I bet they're street signs. I bet they're those roadwork signs.

Really? I've never thought about that.

So I'm surprised because I thought, why are there central systems managing streetlights anyway? I thought, surely, I remember as a kid, there was streetlights outside my bedroom window. It was a decent enough distance, didn't keep me awake. But I noticed it would come on when it got to about dusk and then turn off again in the morning. And it was a different time every day. It would slightly change over the weeks. You'd notice it slightly change.

There'd be some sensor that would go, oh, daylight. Exactly. Exactly.

You'd have a light sensitive sensor telling if it's dark or not and turning the light on and off accordingly. And well, there's a very simple reason, I suspect, why they're not doing that anymore. Two words.

OK.

Bird poop. Oh. Yeah.

Is this true or are you just guessing? You're guessing. OK. So you just think there's these massive seagulls running around, literally trying to aim their feces at the sensors. To fuck with people. In my experience, a seagull or a pigeon with an iffy tummy can be more precise than an Exocet missile. Yes. Do you think this is part of the attack or do you think this is maybe incompetence on the part of the council?

Oh, I don't think it's the ransomware gang. No, I think this is just a side effect of the IT systems being busted. In Leicester, they're longing to turn off the lights. They want to recover from the attack, but the councillors said, it's not going to pay any ransom. Frankly, they said, we're broke. Even if we wanted to, we can't afford it. Because like many councils in the UK, they've just got no money and there's no more money coming from central government.

And presumably, they're more concerned about the three fucking terabytes of data they lost as opposed to the lights being on. Yeah, that's not... I would

Be. That could be quite costly, couldn't it? I mean, what happens when the regulators start fining them over that or fines them to be incompetent or they didn't encrypt properly or blah, blah, blah, blah? About that data, which is now in the hands of the criminals.

Exactly. Who is that guy you quoted? Roger Ewens, right? 65-year-old Roger Ewens who complained. He maybe should be more worried about the data they stole from him and where it's ended up. Don't get him started. I'll close the lights being on. Well, we're going to India. And you might be aware that India is currently going through an election cycle that just kicked off in earnest last Friday. And for those of you out there who are unfamiliar with the country's political modus operandi, know that India's democracy is the largest in the world. The country has a parliamentary system defined by its constitution with power distributed between the central government and the states. Yeah. Now, India's elections are no small feat because they must cater to almost a billion voters, more than a tenth of the world population. It's amazing, isn't it? It's incredible. And there's another hurdle, the languages, right? So, whereas the UK has one. UK has Welsh. Oh,

You're absolutely right. Gaelic, Cornish, Cockney, Mancunian. OK, let me rephrase. So whereas the UK has a small number of official languages, and where Canada has two official languages, India has 23 official languages, including English, but there are apparently 780 languages spoken. Right? OK, so this two kilometers rule, that seems insane to me at first because it's well, two kilometers doesn't take you very long to walk two kilometers, does it?

No, it takes you long to walk 10 kilometers.

Right, but at two kilometers, it's going to take you, what, 10 minutes, 15 minutes, something like that? I guess there are problems if you're in a mountainous area. Yeah. Elephants, Graham. They're not very fast.

Yeah, but they can go through debris that humans can't go through easily.

And they only go for so far until you've got to fill them up again at a diesel station.

I'm getting back to my story. Go ahead. But this election cycle is different from previous elections thanks to the rising power of AI. And it turns out that AI plus elections equals crazy times a go-go. So, of course, we have the troublemakers, right? An example would be fake videos featuring two prominent Bollywood actors, Amir Khan and Ranveer Singh, where they purportedly criticized Prime Minister Narendra Modi and advocated support towards the opposition Congress Party. The two videos have been viewed on the socials more than a million times, reported Reuters. Now, both actors have said the videos are fake. Facebook X, aka Twitter, and at least eight fact-checking websites have said they are altered or manipulated, which the Reuters Digital Verification Unit also confirmed. There was also a viral video of Rahul Gandhi's resignation from Congress that took over social media, but it was fake. They used an AI-generated cloned voice and used an altered video of him filing his nomination papers for the 2024 polls. So they basically took an existing video, tweaked it, added new voices to it, and tried to say, I'm resigning from Congress. But AI is also being used legitimately by candidates. So imagine Graham, right? So let's say we're having an election here in the UK, right? And you pick up the phone, the phone rings, right? You pick it up and it's a cold call campaign thingy saying vote for Richie Rich Sunak. So what do you do, right? You would probably, what would you do? Would you hang up? Would you say, I'm very sorry, I'm not interested? I'm a very busy man. Say you're eating or pooping or something. Yeah. My other half calls, you know, bathroom breaks, business meetings. So you have a big business meeting to attend.

I'm just on a conference call at the moment. I would be pretty annoyed. So it's just a robot, is it? It's not actual human ringing up on Rishi Sunak's behalf.

The way normally, typically these campaign calls would work is you would either get someone calling up and going, who are you voting for? You know, what are you doing? And it's

just a huge invasion of my privacy. It's none of their business. I don't want to speak to anyone from any political party on the phone. How dare they ring my bloody phone and interrupt my life? What if they show up at your door? Well, you know, I can obviously...

Slam the door in their face as opposed to hang up the phone?

I don't mind when people come round to the door as much. It's because you're lonely, probably. I think that could be the reason. Come in for coffee.

Please, please be my friend, please. But what if, you know, the phone's ringing, you pick up and the caller says, hi, Graham, I hear there are issues in your town, such as Amazon deliveries going awry. Yes, that's very true. Right. So they use your name and contextualize the pitch for you to make you stay on the phone longer and hear what they have to say.

Yeah, yeah. OK.

Right. And this is what's happening right now in India, making the job of candidates much easier, all thanks to AI, because they can use AI to contact their voters in their native tongue, be it one of the 780 languages that are spoken. Wow. And talk about the issues that are close to the communities and the specific geographies.

But are they actually having conversations with people or are they just reading out a speech?

Honestly, I have no idea. But I can appreciate if you're a candidate in India going for the prime ministership and you have 780 languages and you speak, what, two of them as the current prime minister apparently does, how do you get your message across to everybody else? So AI-generated stuff could be the answer, right? Because it can translate it into all the dialects, at least the 23 official ones. So political parties are crafting AI-generated news anchors, right? So you even have fake news anchors to convey political messages, election promises and manifestos. Now when I say AI-generated, I don't mean fake. These are advocated by the actual party. And the point is to connect with a wider voter base over live streaming on social media platforms across diverse linguistic demographics.

Well, hang on, hang on. Just roll back a second. What do you mean here? So you're saying these are AI generated, but they're not fake. Do you mean they're not malicious? They're not deliberately deceptive?

Yes, they're not deep. See, that's the problem. So I think many of us associate the word deepfake with bad. Okay. Right? But if I am a party and I want to do this, I'm, let's just create an avatar. Let's get the messages out. Let's target, you know, specific messages based on specific regions. And then let's slap it in and, you know, way to go.

You know, I think these politicians, I think they've got the wrong end of the stick of how to deal with this, because I think most people do not want a call from a political candidate. Right. They do not want to have that phone call. What I would do if I were a political party. So if it were the Cluley Party, what I might think I would do is I would run a campaign which rang up people pretending to be my opposition, right, and annoy the voters with my constant phone calls pretending to be the opposition in order that I get the votes instead.

Do you think that's not happening right now? Do you think that there are not other parties that are trying to take down the current

Political leader? It's like a joe job, isn't it? Yeah. Oh, I'm sure there are, but I just think use the deep fake and the AI technology to pose as... No, no, don't do that. Don't do that. Do not listen to Graham.

No, no, no, no. No, no, I'm not saying do it. I'm just saying the if. I think what I'm saying is both things are happening. So a legitimate party is using AI tech to be able to get their messages out in a more engaging way to a broader audience. But also you've got the baddies that are trying to discredit certain parties or cause some strife using deep fakes to try and mess the whole thing up. Misinformation and all that stuff. Yes. All I'm saying is the bad guys don't have to be lying in the message. OK, OK, OK. Well, they've heard it here. You've heard it here, folks. There's elections coming up across Europe and the States, and maybe they'll use that, Graham. So you've given that away for free.

There he is, sat cross-legged. Yeah. That's quite impressive for a man of his years. Well, who knows if it was really him, right? Right. Oh, sorry. Yes, you're right. Don't go onto Instagram.

I agree. Follow my lead. Get the fuck off the socials. So as the lines between real and fake blur, what the actual fuck are voters supposed to do? Like, what are their options? Don't vote because you don't know what you don't know. You don't know what's real. You don't know what's fake. Or you cast a vote and hope that you weren't misled. Like, it's a bit of a nightmare for democracies the world over. And it's leaders of countries that aren't democratic that might actually win out here. Yeah. That's a bit ominous, but there you go. So there's my cheery pick of the week. But I would just say pay attention to see what happens there because elections are coming in lots of our countries. A lot of our listeners living countries that I've mentioned. And it might be good to have an idea of what actually happens there. Because trust me, the bad guys are paying attention to it. You just

Said pick of the week, I think by accident. You said, and there's my cheery pick of the week.

So I can't wait to get to my pick of the week. That's why.

I've noticed. So there are some elections coming up here in the UK. Yes. Both local elections. And then later in the year, there's some point to be determined there's going to be a general election as well. And it's quite interesting, this whole are we going to begin to see fake news? Of course we will. Well, I'll tell you what I've been noticing. I've been getting campaign leaflets through my door. Now, there's a particular political party which isn't doing terribly well in the polls at the moment compared to their current allocation of members of parliament. I'm not going to name any names, but what's interesting is the things which come through the door. They've really disguised which political party they're from. So if it's the incumbent who isn't doing terribly well, you have to look really hard to actually work out, well, which political party is this person actually representing? Oh, it's that one. Because they don't want to mention it because they know that that's not taken the right way. So I wonder if we will see fake deep fake and AI technology somehow getting around that problem as well.

Yeah, and still, I would say today, I think, I don't know, I'm just guessing here, the ballparking, but I feel that when I read AI generated content, I can kind of spot it after a few paragraphs, if not earlier. But I suspect that's going to get much, much harder to spot with the naked eye in years to come.

Good luck in your election.

Actually, I think it's more good luck to all of us who are going to be facing elections in the near future. So take heed, my friends.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Now you can assess risk, secure the trust of your customers, and automate compliance for ISO 27001, SOC 2, and more with a single platform. That platform is Vanta. Vanta's market-leading trust management platform helps you continuously monitor compliance alongside reporting and tracking risk. Plus, you can save hours by completing security questionnaires with Vanta AI. Join thousands of global companies like Atlassian, Flow Health and Quora that use Vanta to automate evidence collection, unify risk management and streamline security reviews. Smashing Security listeners get 20% off Vanta. All you have to do is go to vanta.com slash smashing to claim your discount. That's V-A-N-T-A dot com slash smashing. And thanks to Vanta for supporting the show.

If a security software company said they could help you reduce the permissions attack surface in your cloud by 92% with a click of a single button, what would you say? Sonrai Security just made achieving least privilege easy with the Cloud Permissions Firewall, a scalable solution that easily restricts excessive permissions from human and machine identities, quarantines unused identities, and disables unused regions and services without any disruptions. Even better, the solution maintains this level of risk reduction by automatically enforcing least privileged policies as new identities are added to the environment. What's better? The fact that you can test drive Sonrai's cloud permissions firewall for free for 14 days. Just visit smashingsecurity.com slash Sonrai. That's smashingsecurity.com slash Sonrai. That's S-O-N-R-A-I.

You've probably heard us talk about Collide before, but did you know Collide was just acquired by 1Password? Well, that's pretty big news since these two companies are leading the industry in creating security solutions that put users first. For over a year, Collide Device Trust has helped companies with Okta ensure that only known and secure devices can access their data. And that's what they're still doing, but now as part of 1Password. So, if you've got Okta and you've been meaning to check out Collide, now's a great time. Collide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of. Plus, you can use Collide on devices without MDM, your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Collide is part of 1Password, it's only going to get better. Check it out at collide.com slash smashing to learn more and watch the demo today that's K-O-L-I-D-E dot com slash smashing and thanks to them for supporting the show and welcome back can you join us at our favorite part of the show the part of the show that we like to call Pick of the Week Pick of the Week Pick of the Week is the part of the show where everyone chooses to say, it could be a funny story, a book, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related, necessarily. Better not be. Well, Carole, you know me. I like to keep my picks of the week topical.

Oh, wait. Is this from the 50s or something?

1957 it was. Oh, my God. When a movie came out, which I have never seen a classic movie. Maybe you can guess what it is. Directed by Sidney Lumet. No. Starring Henry Fonda.

Oh, I like Henry Fonda, but I haven't seen all his films. Also

has Jack Klugman, who later found fame as Quincy in it. It's basically... Our listeners are

going crazy. They're going, Carole, don't you understand? It's easy. It's an all

male cast and largely on one set. It is 12 Angry Men. I had the flu this weekend, so I was cuddled up on the sofa and I thought, what can I do to make myself feel better? And so I watched 12 Angry Men. Have you ever seen 12 Angry Men?

I think I have because my husband's a movie buff, so I get to be educated regularly with wonderful films from the past.

It's a great old black and white movie with fantastic cast. It is a seemingly open and shut case of murder where a jury has to decide if a young man is guilty or not. If he is found guilty, he's been sentenced to death. And I'm sure many people already know this. Many of you may already have watched it. But for you youngsters who listen to the podcast who haven't got around to watching it yet, or people like me who are quite mentally young and culturally young, you may not know. But anyway, the premise is this. At the beginning of the movie, only one of the jury believes that there is reasonable doubt about the murder charge. Everyone else thinks that the suspect is guilty. And they also think they should be allowed to nip home early from the jury service to go and watch the ballgame. And so it's up to Henry Fonda as the one man on the jury to convince all the others. It shouldn't be a guilty verdict.

I'm going to watch this. I'm sure I've seen it. I'm going to watch it again. It's

Great characters, sharp script, explores prejudices in this single claustrophobic jury room. I'm sure it's been done as a play many times as well.

Christ, do you think we're going to get AI-generated movies where the plots are going to be so fucking boring we're going to want to just gouge our ears?

I saw a trailer for one just the other day. A completely AI-generated movie.

It's going to make so much money just because people want to see and it's going to be so poo-poo.

After watching the trailer, you won't want to see it, probably. It's not on my list, I'll tell you what. Anyway, 12 Angry Men.

Well, as listeners know, I was traveling last week. I was in Canada and I ended up taking the train to catch my plane back to Heathrow. And the trains in Canada are operated by Via Rail. And I have to admit, I've always been a big fan, especially after coming to England, because they are staffed by lovely people. There's a lot of staff, you know, there's people to help you on the train, people to help you put your bags away, people to direct you where you need to go. You're never lost. You're always feeling like I know where I'm going and I know what I'm doing and I know where my seat is.

Did you say there are lovely people manning the train? Is that what you said?

Damn it. Working on the train. Thank you. Let's just keep doing this. This is good for us.

Also, you seem to have offended everyone who works on the train system in the UK by suggesting they're not lovely. I mean, there may be fewer of them. Okay, you tell me at the end of this story if this would happen in the UK. All right. Now, the only drawback of these trains, and I'll admit this now, is they're not nearly as frequent as trains in Europe. So you have to plan your journey a little more carefully so you don't end up waiting somewhere for hours. Oh, no, Carole.

I didn't pay for the food, so I didn't notice at the restaurant. But I pack and unpack my carry-on luggage, tiny, but nowhere to be found. And now I'm out of contact with the world for seven hours. And in the wallet, I had a number of important cards, banking stuff and all that. I had my driver's license, and I had a wad of cash because I'd sold a few paintings while I was out in Canada. So nightmare, just annoying. So when I get home, I'm jet lagged as anything because it was a full flight. They basically put two flights onto one, so we were sitting like little sardines on an overnight flight. But I started calling banks, right, to cancel cards. And they were all, aside from one, Barclays, relatively easy to do with new cards being dispatched instantly. So I get some shut eye, right, because I'm jet lagged. I get sleep for a few hours. I wake up and I have a lovely email from the people at Via Rail. I get this email from Via train agent Raphael. Emails me to say they have found my wallet on the train at the end of the line and request that I get in touch with them on how they can get it back to me. I tell them, I'm out of the country. Could a family member in a completely different city pick it up? Yes, no problem. The wallet was on the train the next day to be delivered to the station of my request.

Oh my goodness.

Now, my question in my head is, will the cash be in there, right? Because who knows how the wallet got into the hands of the lost and found of Via Rail, right? It could have been somebody.

I would never even have thought of that. Really? I wouldn't worry about the cash. It's the cards that matter, isn't it?

Well, you don't know how much cash was in it. It was an annoying amount of cash. I'm a very good artist.

I know, but whenever I'm with you, you never seem to have any cash on you at all.

Exactly. So my wallet was picked up by a family member. And guess what? All the money is still there.

I thought you were going to say the family member pinched it.

They probably have. So my pick of the week is that I love Via Rail. I love Mr. Raphael. And if you find yourself in Canada, I do think you should check out the trains just to see how to do them right. Because it is a really lovely experience. I might even do a cross Canada, you know, east to west on the train sometime because it's so comfortable.

It is a lovely story and a true reflection of how Canadians are the loveliest people in the universe. But did they charge you anything for delivering your wallet to this?

Yeah, 400 pounds. Reasonable, right? Not a cent.

Okay, not a cent.

Not a cent. All I got was lovely emails because obviously I was very effusive at this service. I think I sent at the end, I was like, digital hugs.

It occurs to me that this could be something which could be exploited because maybe if you want to deliver a package or a parcel across Canada, maybe you do is just leave it on any old train and wait for Via Rail to get in touch with you and say, oh, could you deliver it to a family member in Vancouver? And they say, sure, we'll organise that. And then it gets over there and you don't have to pay anything.

I cannot believe you would put a tinge of shit on this otherwise beautiful rainbow of a story, Graham. Actually, I'm not surprised at all. I'm not surprised at all that you've done that. Anyway, Via Rail is my pick of the week. Thank you very much, Raphael. Thank you to everyone who helped find it and return it to me. And I'm thrilled.

That is a brilliant story. Oh, Canada. Yes. Yay, Canada. Well, that just about wraps up the show for this week. You can follow us on Twitter at Smashing Security. No G. Twitter announced to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app such as Apple Podcasts, Spotify and Pocket Casts.

And huge, huge thank you to our episode sponsors, Sonrai, Vanta and Collide. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 368 episodes, check out smashingsecurity.com.

Until next time, when we have a great special guest. Cheerio. Bye-bye.

Bye who's our guest next week?

I'll tell you secret I don't get to know I can tell you it is in the calendar.

The listeners the listeners oh okay I'll just open my email.

We can beep it out we can beep it out if you like it's only... Do

I just block out the fuck? You just block out whatever you want.