
From family tree to jail cell? A hacker is alleged to have exploited information on genealogy websites to steal millions from public companies. Meanwhile, Kaspersky’s US customers are wondering – what on earth is UltraAV?
All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
But one guy called support as irate as a swatted wasp. He said he installed it across his whole network. He'd used his admin username and password, bypassed all the warnings we'd built in. And the problem was he did not speak Klingon. Oh! Right? What was he supposed to do?
Oh dear. He was fuming like a Ferengi. Smashing Security, episode 387: Breaches in your jeans and Kaspersky switcheroo raises a red flag, with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, episode 387. My name's Graham Cluley. And I'm Carole Theriault. Carole, welcome back to the country. Good to have you back in old Blighty after your mission.
Yes, well, thank you. It's wonderful to be here, jet lag and all. But I'm excited to get this show kicked off. So let's first thank this week's wonderful sponsors, 1Password, Vanta and SentinelOne. Now coming up on today's show, Graham, what do you got?
I'm going to be asking the questions that really matter, like, who do you think you are?
Okay, and I'm talking Kaspersky and how it's handling a USA-sized snafu. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, and specifically you, Carole, as you're the only one here in the room. Have you ever wondered where you came from? Well. Have you ever wanted to delve into your family tree?
Delve into my family tree? Well, we do have some of that stuff, so I know a bit, but... There's a long line of Theriaults. Is there a deep and murky past? None of your business. None of your business.
Oh, interesting. Any murderers, explorers? None of your business. Maybe a millionaire. Maybe. I mean, wouldn't it be fascinating to discover that someone in your family's past had made a fortune on the stock market? What if they'd known when the best time was to buy, when the best time was to sell, and maybe, just maybe, some of that financial wizardry could have drifted down the generations, could have trickled down to you, ended up in your DNA. My DNA? Yeah. What do you mean? Like, I'm related to these people that had been, in the past, very, very rich through the stock market.
And maybe you'd have financial nous. Maybe it's a secret talent which has been passed down through the generations. It's possible.
Right. Okay. Like, you know, my whole family are hairdressers. My great-grandfather was a hairdresser. My grandfather was a hairdresser. Yeah, okay. It could be. It could be. It's in the DNA. So today I'm going to talk about a chap called Robert Westbrook. He's 39 years old. He claims to have attended Oxford University, just down the road from you. But frankly, haven't we all? You know, haven't we all claimed that? I mean, we've all made claims, haven't we? But, you know, going to Oxford University. No. I've been to Oxford University. Okay, right. Doesn't mean I went on a course. What are you? What? Doesn't mean I got a qualification. I'm so clever. This chap Robert Westbrook, as far as I know, he could have just binge-watched some episodes of Inspector Morse and gone around with a tweed jacket with patches on his elbows. Sure. Did he study at Oxford? I don't know. If he studied at Oxford, I don't know. I went to LinkedIn. I actually found him on LinkedIn and his profile says that he has a bachelor's degree in philosophy, politics and economics. PPE. PPE, yeah, because that's one of the politicians, isn't it? So well done to him. Doesn't give a year. So, you know, I'm a little bit sceptical. Even if he gave a year and gave all that information. Yep. Like, how easy is it to lie on LinkedIn?
Very easy. Very easy, I found. Extremely easy.
Right. I don't hang out in those waters, but from what I hear.
Anyway, I checked him out. I went to Companies House and I found him. It does seem that he set up his own little investment company. Okay. And it does seem that he decided to make his fortune on the stock market. Okay. Loads of people do that. No big deal. Loads of people do that, and there's lots of ways of doing it, aren't there? There's a number of ways. You can pore over financial reports, you can analyze market trends. His approach, though, was a little bit different, because why study the financials when there's a more direct way of finding out which way the markets may turn? Yes. What he did was he went to genealogy websites. Okay. You've totally lost me. Okay. Genealogy, I know what they are, but like ancestry.com, sites like that. Okay. And you're thinking, why? Why are you telling me this? What nonsense are you talking? Correct. Well, he went there not because he wanted to find out about his great aunt Mildred or how she was famed for a spotted dick recipe. Nothing like that. But because sometimes it's a case of move over, dark web, because perhaps the secrets you need to hack into people's email accounts are buried in the past. Now you're intrigued.
No, I'm just wondering why you're talking like this, but OK. Well, I'm trying to be dramatic. Yeah, yeah.
Because it is alleged that Robert Westbrook used information he gathered from genealogy websites to crack open the accounts of high-ranking executives, including CFOs, chief accounting officers, finance directors. How did this work? Well, according to U.S. authorities... Is this because their passwords were like, my grandmother's name was Martha? Oh, so close, so close. According to U.S. authorities, on at least five occasions between 2019 and 2020, Westbrook managed to reset passwords by correctly answering security questions. Things like, what's your mother's maiden name? Things like, what year were you married? Things like, who inherited Aunt Agatha's wooden leg, that kind of material, which you use as a security question for when you can't remember your password and you need to reset it. So I don't understand. I've not been on any of these ancestry sites, right? But can you access anybody's profile and get all the info, or is that hidden? No, I think you can research if you've bought the subscription. You can go and look up anyone's details as to who they married and when, and when they died, and all that kind of information. Their full name, their maiden name and so forth. God, he must have felt like a little god, eh? Just sitting there gathering all this stuff, just going, oh, thank you very much to see you, Mr. CEO. That's exactly what I needed for my next plan of attack.
You know how you can set up your email clients so maybe it can play a different noise when you get a new email? So you'd have Joe and Alumni saying, you've got mail in the old days of AOL. Well, you can imagine the kind of bing bong or the ka-ching every time one of these emails was forwarded to him with some juicy information. And this insider information, it's alleged, was then used by Westbrook to generate over three and a half million dollars by making profitable trades on the stock market. Before, of course, it became known to the general public, you know, the information. So he got a sort of first sight of it before it was published.
So I'm wondering how he got caught, because I'm guessing he did. Otherwise, you know, what is he telling you on the QT? If he was on the QT, he's going to be pretty disappointed to hear this podcast. So although he tried, it is alleged, to conceal his identity through the use of VPNs and anonymous email accounts and buying things on cryptocurrency and all the rest of it, there are experts at the SEC, the Securities Exchange Commission, who were curious about some of the transfers, some of the timings. But like, as we talked about in the show recently, if you crack into someone's email, like people have years and years and years of information in there. And I'm imagining now, especially with the AI tech that we have, you can actually parse that data much more easily. Like I was always kind of using that. Hey, it's a needle in the haystack if you come near me, because I've never organized anything. But actually, AI can do that now quite quickly, I hear. So that's interesting, right? Because, and there's so much information in email. Like it's-
Oh, huge amount, huge amount. And it may be being kept for regulatory reasons inside organizations as well. So they can't delete it.
Yeah, but what about you, though? Like, I bet you don't delete all your email. Like, I bet your email goes back 20 years. And why? I mean, when is the last time you looked at an email that was more than a year old? Oh, I do, I do. No, sometimes I do. But yeah, I hear you, yeah. And there's a lot of cruft, isn't there? A lot of stuff you should delete. Yeah. Or just delete it. Although that doesn't help with new emails, of course, coming in, which may be about, you know, if, for instance, my company were doing a merger and acquisition with yours, for instance, we wouldn't want that becoming public information, would we? But the other thing is that obviously very crafty, using these genealogy websites to find out this information. And it suggests that the executives at these hacked companies weren't adhering to best security practices, because you should never choose easy-to-guess or easy-to-find-out answers to secret "forgot your password" questions. So if you're like Paris Hilton and your passwords are basically the name of your pet chihuahua, that's a piece of personal information. If you're Sarah Palin, if you remember her, do you remember the good old days of Sarah Palin?
Yes, of course I do when we thought that was as crazy as it would get.
She, for instance, had her email account because she'd used public information to secure it, like information which was contained in her biography about when she'd met her husband, the town that she was born in, that kind of information. So instead of that, tell a lie: when you're asked to give your city of birth, say it's uv6 dnw01xsb, or say your mother's maiden name is Xena Warrior Princess. Don't use those two examples. Okay, there is a cost to that, though, because you might be a very good liar and be able to keep all your lies in check. Some of us are really crap at lying and don't remember if we happen to have to lie. We don't remember, right? Because it's not true.
Are you lying about being a crap liar? Now, this chap, Robert Westbrook, he's been arrested in the UK. The intention is to extradite him to the US, he's going to face all kinds of charges. If convicted of everything, he could face up to 65 years in prison.
Yeah, see, the US is a weird country to choose. Like, you know, the penalties will be much higher there, I imagine, than anywhere in the EU.
Yeah, maybe. I think maybe you're right. Anyway, folks, insider trading, not a good idea. Oh, well, thank you. Well, it's just a piece of advice. That's what I do. I just share my wisdom. Share my wisdom. People are so lucky. Carole, what's your story for us this week?
Okay, well, first, Graham, I'm going to take you down memory lane. Oh, yes. A joyous memory, not one of those yucky ones, don't worry. Good. Cast your mind back to 2009. This is the year Barack Obama took office, the year Russia shut the oil line to Ukraine. Oh, yes. And Kate Moss kept promoting the smoky eye look. Oh, yes. That's what I mostly remember of 2009. Yes. Kate Moss's smoky eyes.
And you and I were working at an AV company in PR and communications and all that. And basically, we wanted to do something a bit off the wall to get some press attention. And we didn't know what. So I suggested we pull together a little tiger team of brainiacs. Do you remember? And we had a friend of the show, Mark Stockley, and Vanja Svajcer, and you and me. And I think there was someone else who I'm forgetting. Sorry, sorry, sorry. And we all got together to brainstorm, what can we do? Right. Yes. And we came up with the idea because it was going to tie in with a new Star Trek movie. This was the first reboot with the original TV actors. Oh, yes. And that was about to launch in theaters across the UK in 2009. So we decided we'd go all out and translate every text string that was displayed in our flagship Windows product. Into Klingon. Into Klingon. And we somehow found and paid a Klingon translator named Melanie. And we kept laughing because we're like, I don't know if she's going to get it right. You know, she could just be writing gibberish. I mean, it's not like I can read it. But we put it all together and we had some dudes put it into the product. Yeah. And then how to get press attention. Do you remember how we did that? Before we got press attention, surely the thing, how are we going to do quality control that the messages were displayed in the right places? I mean, how were they checking? You can't trust the translator. Surely we needed to find a second translator who could read Klingon.
And so you remember, this is how we launched it. We made it look as though it was half finished, although we had totally finished the whole product.
Not difficult with our software. Yeah.
And when we put it up on a web page and we had little comments displaying on the final page, kind of looking like code, like we were working on it.
Oh, there was stuff embedded in the HTML. So if you looked at the source code of the web page, it looked like it almost leaked out by accident. Wasn't that what we did?
Exactly. Yeah. It worked. We must have leaked it as anonymous tips to certain publications. We must have done that. I don't remember. But it worked. We got oodles of press. Yes. We even had a YMCA song to promote it. Sung in Klingon. Sung in Klingon, I should add. Sung in Klingon, sung in Klingon. Now, for the record, we did not push this product out to all paying customers, right? We made it available as a clear single install, as a joke. But one guy, one guy called support as irate as a swatted wasp, I tell you. And he said he installed it across his whole network. He'd used his admin, you know, username and password, bypassed all the warnings we'd built in. And the problem was he did not speak Klingon. What was he supposed to do? How could he get it off his systems?
Oh, dear. He was fuming like a Ferengi.
So this brings me to this week's story. Well, less of a story, more of a situation that I thought we could noodle about because I think I can argue that this company is in a pretty tight spot. And it all revolves around Russian antivirus company Kaspersky. The US Commerce Department announced in June earlier this year its plans to ban the sale of antivirus software made by Russian firm Kaspersky. Why? Because the U.S. government placed the blame on its alleged links to the Kremlin. Back in June, a spokesperson for the Commerce Department said that Moscow's influence over the company was found to pose a significant risk to U.S. infrastructure and services, that the US was compelled to take action due to Russia's capacity and intent to collect and weaponize the personal information of Americans.
Yes, that's one argument they could use. I mean, there is a counter argument that, of course, they also posed a significant risk to American antivirus companies who were trying to compete with them.
So, no surprise, Kaspersky was not best pleased with this, right? The US is an absolutely huge market for any antivirus firm. And at the time, Kaspersky said it intended to pursue all legally available options to fight the ban and denied it engaged in any activity that threatened U.S. security. And I should note that according to The Register's Iain Thomson, another friend of Smashing Security, his article suggests that U.S. authorities have not provided details to back these assertions and that Kaspersky offered to hand over its source code for checking by U.S. officials, but he writes that the offer was ignored. So there's that. The U.S. plan was simple in premise. Barred loads of Kaspersky software, barred updates, barred sales and licensing of the product from the 29th of September. And sellers and resellers who violated this restriction would, of course, face fines from the Commerce Department. So I'm going to pause here. So, Graham, you and I hail from this AV world. I can't think of a single antivirus outfit who would not panic at this situation.
Oh, gosh, yes.
Yeah. Because not only can you not sell products, but you can't even send updates. So effectively, you're leaving everybody in a lurch.
I mean, they were given a little bit of time. There was some warning before it happened. But yeah, this deadline, which is now gone, hasn't it, was looming, of course. And you must be thinking, not only is this cutting off a revenue stream, but also what's going to happen to those companies because they won't be protected with up-to-date antivirus software.
Right. Efforts to reverse the decision failed. And the Russian AV company ended up complying with the ban. But how they approached it caused a bit of a ruckus. So the plan Kaspersky came up with was to automatically transition US-based users of its consumer-grade products to Ultra AV, which was provided by an American vendor. Ultra AV. Haven't heard of that one.
Me neither. Haven't heard of that one before. Me neither. No. And we know quite a lot of antivirus companies. We do know quite a lot. And your Yeti knows even more really, really obscure antivirus companies.
Yes. Well, I even asked him about this. He said, I've been asking around. No one's heard of it. I haven't heard of it. Right. Wow. So I saw that Kaspersky started talking about this publicly at the beginning of September. It may have been earlier than that, but that was the first I saw. And this past week, the switch started, right? Kaspersky software being automatically replaced by Ultra AV on some Windows systems. Presumably using the permissions already granted to what Kaspersky was allowed to do, I'm guessing. But some people are not very happy, right? I found this Kaspersky forum where people are letting off a little bit of angry steam. Different versions of why do you use a bottom-level antivirus when we paid for Kaspersky-level antivirus, right? And the official-looking answer from Kaspersky says, Hello. As you may know, the U.S. authorities have restricted the sales and distribution of Kaspersky products in the U.S., but we remain committed to providing you with the utmost cybersecurity. And as we're forced to limit our cybersecurity products in functionality, we give you an opportunity to let a replacement security solution by our trusted partner, Ultra AV.
People would be an awful lot more comfortable if it was an antivirus maybe they'd heard of. I mean, Kaspersky had a very good reputation for looking after computers. I mean, it was very good at finding malware. But Ultra AV is a bit of a mystery, isn't it? What its quality is like. I saw some reports saying that, you know, hey, we're the hush-hush company. You know, if people don't know us, they don't attack us. Oh, yeah. Well, just ask CrowdStrike. Yeah. And you need to trust your provider. I imagine these companies have bought site licenses, have paid Kaspersky for, I don't know, the next three years or something, haven't they?
Well, that is something because some people have been asking for their money back, saying, look, I like Kaspersky. I'm not into this whole Ultra AV thing. Can I have my money back, please? And they wrote on their forum, dear customer, greetings. Appreciate you getting in touch. Unfortunately, we are unable to process your refund request at this time. We have a 30-day no-questions-asked return policy for all purchases made through our official online store, as outlined on our website. So basically, people that bought three-year site licenses or single licenses.
Yeah, this is happening both at businesses and home users, I imagine, is it?
I'm seeing it at consumer-level AV. But I mean, I am sure there are many small companies that have that level of AV across their company.
Because those businesses are going to be needing to run a different antivirus as well. I imagine there's a lot of rival antivirus companies who are rubbing their hands together saying, we will take on your license. We will protect you. Come to us. You know, if you've got six months of your license still with Kaspersky, we'll give you that for free. Just sign up with us for the next three years.
And you'd think a reputable company may have come up with a deal for this to be able to take over those customers in a way that would feel more. I mean, there's always going to be gripes, right? There's no way you could do this and not have gripes. I get that.
Maybe, though, the regular antivirus companies, let's call them the American antivirus companies, were petrified about getting into a business relationship with Kaspersky in case some of this shade which has been thrown at Kaspersky lands on them as well. It's, well, you know what? We don't mind if these customers choose to come to us, but maybe we shouldn't be the chosen one, as it were. Maybe that's why they've ended up with Ultra AV, whatever that is.
Well, yeah. I'm just surprised that Kaspersky is allowed to put Ultra AV in place and not have to give the option of getting money back. It must be in the fine print. You know, comes back to my big adage: always read the fine print.

Support for today's podcast comes from SentinelOne, which secures and protects every aspect of your cloud in real time. Discover all your assets and deploy AI-powered protection to shield your cloud from build time to run time. On top of that, SentinelOne offers threat hunting, visibility and remote administration tools to manage and protect any IoT devices connected to your network. Looking for a cloud-native application protection platform? SentinelOne is your ultimate CNAPP solution. Go to smashingsecurity.com slash sentinelone for more information and a free demo. See what a flexible, cost-effective and resilient cloud security platform can do for your organization with SentinelOne. That's smashingsecurity.com slash sentinelone.

Quick question. Do your end users always, and I mean always, without exception, work on company-owned devices and approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called extended access management. 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at onepassword.com slash smashing. That's onepassword.com slash smashing, and thanks to the folks at 1Password for supporting the show.

Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust. Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust centre, all powered by Vanta AI. Over 7,000 global companies like Atlassian, FlowHealth and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com slash smashing. That's vanta.com slash smashing for $1,000 off.

And welcome back. Can you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Now, Carole, do you remember the old days? No. Well, if you did, you would remember that in the days before Spotify and iTunes and things like that, you used to rip CDs and you'd have hundreds, if not thousands, of MP3 files. And you would curate them. You would put them into folders. You'd organize them. Maybe you'd... I didn't. You didn't do any of that? I still have 20,000 songs. Someone gave me a huge dump of their MP3s and just slapped it into my music, which I've been continuing to add to. And it's full of crap I don't like at all. It's a complete disaster nightmare.
Well, wouldn't it be great to organize those things so you could see what they were without having to listen to them? Wouldn't it be great if you had all the cover art added? Wouldn't it be great if you had all the tags and the genres and all of that stuff which you'd normally have to do by hand if it was magically occurring? Well, I've had this situation recently where I had some MP3 files and I thought, oh, I don't want to have to tag everything. I found a free and open source piece of software called Picard and it links up with a database which knows all about millions and millions of pieces of music called MusicBrainz. Now, I almost didn't suggest this because MusicBrainz is spelt with a Z at the end, which upsets me. But MusicBrainz Picard identifies tags, organizes your digital audio recordings, helps you organize your music collections, renames your files, sorts them into folders. It is free. It's available for Windows, Mac and Linux. And I can report it works a treat. I'm really, really impressed by it.
Really? Yeah. OK, that sounds good. Do you think I could do it on my own or do you think I'd need help?
I think most people could do it on their own, Carole. Let's just leave it at that. I think the vast majority of people would have no trouble at all doing this. I'm not making any promises regarding yourself. Anyway, MusicBrainz Picard is my pick of the week. Very good. And funny that, you know, you say Picard and I talked about Star Trek. Oh, my God. Oh, yes.
Very good. Very good. Carole, what's your pick of the week?
OK, so sometimes you need downtime, right? We all need downtime, real downtime. You want to do something where you don't have to think, or you don't have to follow a twisty, twisty plot, or, you know, you can't even contemplate listening to music because it might get complex. You just need reality TV. You know what I'm talking about? Married at First Sight. That's right. What was it? Season six. Now, this is a rare pleasure for me because outside these down moments, or these downtime moments, reality TV is not my thing at all. But if a new show crops up and I'm feeling it, as I was this weekend, it can be a lovely experience. So my reality TV recommendation as my pick of the week is Culinary Class Wars. It's a sizzling competition, it's Korean, it's on Netflix, a sizzling competition that will see a hundred top chefs going apron to apron in a dramatic battle for culinary excellence. How could you not watch that, right? So in these hundred competitors you've got hidden masters, so people that aren't yet really recognized.
A hundred competitors, did you say? So this is Squid Game, but with saucepans. Kind of, kind of. And you've got two colored teams and they go face to face, and they're given some foodstuff and they have to go head to head, and one gets kicked out and one doesn't. Sounds fascinating. It sounds great. Can I ask a question? Why Class Wars? Is it because some of them are posher than others? Is it Penelope Keith versus Felicity Kendal? I mean, what's going on?
They've taken star chefs, so I guess TV chefs or people with Michelin stars, that sort of thing, and they've pitted them against lesser-known chefs, and they're put into two different teams, one called the White Spoons and the Black Spoons, very cleverly. So, yeah, it's great fun. It's great fun.
Terrific. Well, thanks for that recommendation. Well, that just about wraps up the show for this week. You can follow us on Twitter at Smashing Security. No G, Twitter doesn't allow us to have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts and Pocket Casts.
And huge, huge thank you to our episode sponsors, SentinelOne, Vanta and 1Password. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists and the entire back catalogue of more than 386 episodes, check out smashingsecurity.com.
Until next time, cheerio.
Bye-bye. Bye. Thank you.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- U.K. National Charged with Multimillion-Dollar Hack-to-Trade Fraud Scheme – US Department of Justice.
- Sophos punts anti-virus for Klingons – The Register.
- Designating Kaspersky Lab Leadership in Response to Continued Cybersecurity Risks – US Department of Treasury.
- Kaspersky says Uncle Sam snubbed its verification proposal – The Register.
- Use Kaspersky Antivirus Software? You’ll Be Migrated to Pango’s UltraAV – PC Mag.
- Kaspersky software replaced by ‘UltraAV’ on some US PCs – The Register.
- Need Instructions on Refunds for those who bought multi-year subscriptions – Kaspersky.
- US bans Kaspersky antivirus software for alleged Russian links – BBC News.
- Who gave you permission to put UltraAV on my computer? – Kaspersky Total Security.
- MusicBrainz Picard – Cross-platform music tagger powered by the MusicBrainz database.
- 100 Chefs Will Slice Through the Competition in Culinary Class Wars – Netflix.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- SentinelOne – secure and protect every aspect of your cloud in real-time.
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
