
What happens when a healthcare giant’s legal threats ignite a Streisand Effect wildfire… while a ransomware gang appears to ditch the dark web for postage stamps?
Find out about this, and more, in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Originally, he was writing for a website. Are you familiar with urinal.net? Surprisingly, no. Smashing Security, episode 408: A gag order backfires and a snail mail ransom demand. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 408. My name's Graham Cluley.
And I'm Carole Theriault. How are you doing, Carole? I'm doing very well, but I have a house packed with people that are all in the other room, told to hold their breaths while we record. So I'd love to get the show on the road. Are you cool with that? That's fine with me. Okay, but first, let's thank this week's wonderful sponsors, 1Password, Tripwire, and Palo Alto Networks. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got? I'm going to be talking about the Cyber Streisand effect. Okay. And I have snail mail with a twist. All this and much more coming up on this episode of Smashing Security.
Now, chums, I'm a bit of a Barbra Streisand fan. I don't know if I've mentioned it on the podcast before. Yes. Well, I've loved her since I saw her munching on a breadstick in What's Up, Doc? Or flirting over a piano with Burt Bacharach. For many years, I had a picture of her on my wall until my girlfriend told me to take it down.
Oh, really? Yes. Actually, I wouldn't that. I don't know. It depends. Was it a saucy picture?
No, no. Of course not a saucy picture. No, it's the goddess Barbra. You don't defile her with sauciness. Anyway, I lost the picture from my wall. To be honest, I should have kept the picture and got rid of the girlfriend. But anyway, I am a fan of Barbra and I'm not the only one. Some people can be a little bit obsessed with Barbra Streisand. I don't know if you're aware of that. She's a funny girl. Well, she has had quite an effect on people over the years. I don't just mean people getting a little bit trembly of the knee, her and A Star Is Born or hearing her sing The Way We Were. I am talking about the Streisand effect. And I know many people listening to this will have heard about the Streisand effect. But if you have not, let me quickly remind you what it is. Back in 2003, Babs, understandably in my view, wasn't very keen on having her privacy invaded. And she was reported to have tried to suppress the publication of a photograph showing her clifftop mansion in Malibu.
Well, right. She was kind of saying, hey, this is my business, not yours. Why are you allowed to take a picture of my house? I'm going to put a stop to this.
That's right. And despite what some people think, it hadn't been taken by paparazzi, this photograph. It was actually a photographer working on a project measuring erosion along the Californian coast. So they were taking lots and lots of photos of the clifftops, which included her pad in Malibu. And her lawyers attempted to sue the photographer because they wanted the photograph taken down. And the lawyers attempted to sue the photographer for $50 million. Seems a little bit excessive to me, but anyway, that's...
Do you think she was just embarrassed at how lavish her lifestyle was? She was kind of saying, you know, I'm just you, you know, just got a voice and... There's nothing just about Barbra Streisand. She ended up losing the case. She had to pay costs to the photographer. And it was journalist Mike Masnick, who often writes for Techdirt, he ended up calling it the Streisand effect. Yeah, but come on, come on. If someone did that to me in some capacity, I might go get advice before I do what I'm told. I don't see there's a problem calling the cops and going, look, we're in this situation. What do you reckon? What you'd like the authorities to do is go, why not comply and fix the flaw in your software?
Clearly, there was some breakdown in communication somewhere, whether it was with the app developers themselves, how they told the police, or whether it was the police's response. It wasn't joined-up thinking, was it? And the company later acknowledged that the students had acted in good faith, but only after the story had gone public and there was lots of backlash. And he said, look, I would be prepared to work with you in the future going forward. Well, that was a problem from a couple of years ago. So, dear, oh dear, it's happened all over again, because there is a private health care giant here in the UK. They're called HCRG. They're formerly known as Virgin Care. Yeah, they're a company who look after people. And they have been threatening journalists who were reporting on the ransomware attack which they suffered a couple of weeks ago by the Medusa ransomware gang. And the Medusa gang managed to take from this company, HCRG, customers' names, dates of birth, addresses, phone numbers, medical information, copies of passports, driving licenses, identity cards, national insurance numbers, financial documents.
I think it's the worst when it's the healthcare sector. Because you are mandated to hand over all this very private, sensitive information in order to get care. And what do they do? They can just turn to their customers and go, oh, sorry, we goofed.
Right, well in this particular case HCRG, reportedly the Medusa gang have demanded a two million dollar ransom and they claim to have stolen over 50 terabytes. Not megabytes, not gigabytes, not just terabytes of data. Not just bits, not just nibbles, no, 50 terabytes of data. And the lawyers for HCRG have been unleashed. They have been unleashed on a website called databreaches.net which is a great resource run by a journalist who goes by the pseudonym of Dissent Doe. And the law firm says that if databreaches.net does not take down two articles that talk about this ransomware attack, the site will be found in contempt of court and may result in their imprisonment, a criminal fine or having their assets seized.
So lawyers being rather heavy handed with their request.
Yes, especially when you consider that when you read these articles on databreaches.net, it says no more than what I've already said so far. Oh, well, expect a letter in the post soon, Graham, or an email. It just says this is the type of information that's been taken. There aren't even any redacted screenshots up there of the data. So the law firm is claiming, and by the way, it went to an actual court, right? They went to the High Court, they've got an injunction, which they've then told databreaches.net about.
Oh, well, then they should just do what they're told, no?
Well, databreaches.net says, no, no, no, we're not going to do that. We're not prepared to do that, even though their web domain registrar, which has been contacted as well, has said, you know, if these articles aren't removed within 24 hours, the entire website is going to be suspended. But here's the thing. Databreaches.net had not only not published any of the leaked data, but it is a US-based website run by someone with a US address. And a UK court injunction means diddly squat to him if he's not operating under UK or High Court jurisdiction. So, of course, this kind of behaviour, though, is going to put off other journalists from reporting news, which I would argue is definitely in the public's interest. Because if you go to HCRG's website, you will find no mention whatsoever of them having had a data breach. So someone's got to tell the public that this has happened and what kind of information has been breached.
This is maybe where newspapers have alliances with other countries. And they're, I'll report this one because I'm out of the jurisdiction, you report that one.
Yes. We'll go to Greenland, we'll set up our website there. Works up for the moment anyway. So we've talked about organisations in the past taking action against innocent people, threatening them with legal action. It's obviously a very uncool thing. I think particularly when it's a health sector firm which has been security breached in this way. And we've talked about this on the podcast in the past. Back in episode 182 of Smashing Security, I told the story of how a British cybersecurity firm called Keepnet Labs threatened me with legal action because I blogged about its security breach, which meant anyone could access lots of their customer data. And, Carole, I don't know if I can take you back in time, take you back 18 years to 2007, when we used to work together at a certain cybersecurity firm called Sophos. And do the words EduGeek ring any bells to you?
Yes, yes, yes. I remember this.
Well, EduGeek is an online community for people who work in IT at schools and universities, colleges, that kind of thing. And as The Register reported at the time, Sophos had a spot of bother with them because a user of EduGeek was, how can I put it, rather disappointed with version five of Sophos' software. And he had a good old rant, including some fruity language, on EduGeek's message boards. And the next thing that EduGeek knew was they got a letter from Sophos' legal team threatening action and demanding that the guy's posts were pulled. And you and I knew nothing about this, because the first we knew about it was when journalists began to ring us up asking why we were trying to silence our customers from describing their experiences of our software. We ran up to the legal department and it turned out a member of staff had seen the messages and taken it into his own hands to ask his buddy in the legal team to send a threatening letter.
It was just a day and a week of the years we worked there. Just a day, just a day. But none of them considered the possible ramifications on our company's reputation. I didn't know it was all going that far. I think it sounds as though you're, hey, no one should ever get lawyers to do anything for them, because sometimes people are in a serious bind and, you know, some legal help will give them assistance, whether they're a corporation or an individual, right?
Sometimes, though, if you've goofed up, it's good to put your hands up and admit it, isn't it? Rather than try and silence the discussion entirely.
Oh, 100%. That has legal ramifications, though, right? Because they admitted blame, let's sue them.
Carole, what's your story for us this week? Okay, so throughout history, several notorious imposter scams have been recorded. So if we go back 100 years, back in 1925, Victor Lustig posed as a French government official and convinced scrap metal dealers that the Eiffel Tower was slated for demolition. I feel a little bit more sorry for the victims of that than I do people who are trying to buy the Eiffel Tower. You think that you're going to buy the Eiffel Tower for scrap?
It's a lot of scrap metal if they're going to tear it down and build a new one.
Well, it's a lot of money, isn't it? But I mean, really, if you've got that much money, haven't you got a little bit more sense? Haven't you got other people who would advise you and double check?
A hundred years ago, Graham.
Well, yes, it's still, yeah, but it's still not two francs, 50 cents, is it? You could go back in time, you could go tell them off. You could just go, idiots. Les idiots. Imbecile. But investigations, including those by journo, author and friend of the show, Jamie Bartlett, later revealed that OneCoin lacked a genuine blockchain and held no real value. BianLian, yes, I've heard of them. I say I've heard of them, I wasn't sure how to say their name.
I may not be doing it justice. Apologies if I am not. So this gang developed ransomware that was deployed against numerous companies for the last three years. And these guys are definitely serious about ransomware and have evolved. So, for instance, an updated security advisory from the U.S. cybersecurity agency, CISA, explained how the infamous BianLian had stopped deploying encryption services to their victims, instead choosing to exclusively exfiltrate the data, or hoover it up.
Okay, so they're not locking up any computers anymore. They're just saying, we've taken your data.
Yeah, they just take their big digital straws out, suck everything up, and they go, okay, give us money if you want it back or if you don't want us to put it out. TechRadar called them one of the nastiest ransomware groups around. Now, Graham, you're pretty au fait with security. In your opinion, in your expert opinion, let me say that, would it be weird for this group, BianLian, to do another weird U-turn in their ransomware strategy and start relying on snail mail as an infiltration method?
As an infiltration? What, a way of infecting companies?
Well, no, as a way of wiggling their way into the organisation and making their demands.
Oh, so they're saying, we've taken your data and they're going to send the ransom note via post. Yeah, yeah. You basically are opening your mail at your company, and this is the letter that you open. Let me have a look. Okay, so we've got an envelope saying, time sensitive, read immediately.
Yeah, and they're explaining how it happened, how they were able to infiltrate their network by saying it was insecure. They want Bitcoin payment, they even have a QR code inside.
Yeah, and there are links, you know, for people to follow to go and make the payment.
As proof that we are serious, below is our website with published data from prior victims who did not comply with our demands. If you do not pay us on time, all the data in our possession will be leaked to the public to abuse. And then they give a Tor project link.
Why are they sending this via post, which costs money, as opposed to email, which doesn't really cost money, does it?
Well, do you want to know what the security firm GuidePoint found out? Go ahead. Because they got a few reports about this. And they pointed out that communication of a ransom demand via the postal service is not something they'd previously observed from any legitimate ransomware group. The other weird thing they point out is that the wording and content of the message is inconsistent with the ransom notes that they have observed from BianLian in the past, because it contains nearly perfect use of English and features longer, more complex sentence structures. I'm thinking, okay, they used AI, big whoop. The letter does include links to sites on the dark web where the real BianLian has leaked data, but these links are kind of meaningless as the addresses are commonly known. So,
These companies haven't necessarily had any of their data taken at all.
Correct.
It's a scam.
Correct.
And they're putting this in the post because they didn't have any carrier pigeons available, presumably.
Yeah. Are they script kiddies? What is it? They've written a letter. There's no evidence of any computer jiggery-pokery going on. Are the FBI now analyzing the saliva on the back of the envelope where they've stuck it down? Have they written the address in crayon, or have they printed it?
Weirdly, the note does not contain any contact information, which is usually...
Oh, how disappointing.
No, but typically you would be able to contact the ransomware group to start the negotiations on the ransom. And there's nowhere for anyone to do that, which GuidePoint Security point out as an interesting thing to note.
Oh, I see. Yes. So it's just a case of you can see past victims here, which presumably goes to the, shall we call them the legitimate ransomware gang, but they just want you to drop a whole load of Bitcoin into their wallet. Yes. The FBI does, of course, have recommendations, right? Even though they assess the letter as an attempt to scam organizations into paying a ransom, the letter contains a US-based return address of BianLian Group, originating from Boston, Mass. Well done, you. Welcome, FBI.
Done my job. I've told our world.
I just hope this fake BianLian gang don't set their lawyers on us for publicizing their attack method, which is ruining their business.
Well, I hope so too. I hope so too. Links in the show notes if you want to see where I got my information. If you've been in the cybersecurity industry for a while, chances are you've already heard of Fortra's Tripwire because they've been setting the standard for integrity monitoring tools for more than 25 years. What you might not know is just how much of your environment Tripwire can monitor. That's right.
Tripwire Enterprise gives you context for suspicious changes across your servers, network devices, applications, databases, file systems, desktops, and more to give you the real-time awareness needed to stop breaches before damage is done. It also automates compliance enforcement with the industry's largest policy library. So visit tripwire.com slash demo to set up a personalized demo session with a cybersecurity expert and learn how Tripwire can be your integrity management ally. And thank you to Tripwire for sponsoring the show. Scary stuff. Yeah, it's clear that staying ahead of the threat landscape is more important than ever.
That's why we are excited to tell you about the 2025 Unit 42 Global Incident Response Report from Palo Alto Networks.
Now, this report is packed with information about the latest trends and attacker techniques, as well as real-world case studies from top threat intelligence experts.
So whether you're a seasoned pro or just starting in cybersecurity, this report is your ultimate advantage in combating rising threats. And let's face it, we could all use a bit of future-proofing in our security strategies.
So what are you waiting for? Head over to smashingsecurity.com slash unit 42 to download the report. That's smashingsecurity.com slash unit 42. And thanks to Palo Alto Networks for supporting the show. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps and identities under your control. It ensures that every user credential is strong and protected. Every device is known and healthy. And every app is visible.
So secure every app, device and identity, even the unmanaged ones. Go to 1Password.com slash smashing. That is 1Password.com slash smashing. And welcome back. And you join us at our favourite part of the show. The part of the show that we like to call Pick of the Week. Pick of the week. Pick of the week. Pick of the week is the part of the show where everyone chooses to spend their time. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app. Whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, my pick of the week this week is not security related. In fact, my pick of the week this week is not a pick of the week. My pick of the week this week is a nitpick of the week. Oh, dear. And my nitpick of the week this week is the phrase public school. Now, in most parts of the world, a public school is exactly what it sounds like. A school funded by the public, for the public, which anyone can attend. Seems simple, doesn't it? Very, very simple. But no, not here in the UK, because here in the UK, public school means something entirely different. Here in the UK, a public school is actually a private school. So it's both public and it's private at the same time. It's like calling a luxury yacht a public ferry, which anyone can ride on as long as they bring along a great big pile of gold and have caviar on their toast. So it's not really a public ferry, is it? Similarly, public school is not actually a public school. So I wondered why they called public schools when they're not public schools. And it turns out the schools were open to the public as long as you were part of the elite public who could actually pay. So it's a bit like a private members club. You have to be a member of... Oh, hang on, though. A private members club has actually got the word private in its title. So that isn't a very good example. 
So maybe you, Carole, can explain to me why public schools are called public schools. No, not in this country. No, it's bonkers, isn't it? So everyone understands that private schools means a school that isn't funded by the state. But here in the UK, where public schools are private, private schools are also private. And then there's also this delightful term, independent school.
You know, I would say, though, I've been living here a number of decades. And I would say a lot of things that seem to have come from perhaps higher classes throughout the decades have a natural way of trying to obfuscate themselves to be so complex and nonsensical that the average punter wouldn't be able to figure out the rules. So there's twists and bends and complete complexities, because it shows if you don't know all those, you're not part of the elite crowd. So it's a way of keeping out the riffraff.
So you live, for instance, in Oxford, right? I do. And what river runs through Oxford? The Thames. But if you're in Oxford, you don't call it the Thames. Isis. You call it the Isis, which leads to all kinds of other confusion as well. Only for those people that have very poor geography. Well, I remember that there was an Isis cricket team. And I think there was some concern as to who its members may have been made up of. Anyway, there's also this delightful term, independent school, which, as you've just pointed out, seems to be a fancy way of saying private school without the baggage of sounding exclusive. I think you're absolutely right. Just as there's Magdalen College, which is actually spelt Magdalen. Maudlin, Maudlin, Graham. Maudlin. Maudlin College, exactly. That's Maudlin. What am I saying? Maudlin. Have I got it wrong? Anyway, my nitpick of the week is the term public school. Let's start right here, only calling public schools public rather than private schools public. Thank you very much. I don't know if I'm going to sign up to that. What? I'm kidding. Carole, what's your pick of the week? I don't have Apple TV, but I've had so many people in the last couple of weeks recommend to me that I should watch Severance.
I agree. So basically the premise is, you know, it balances the real and the surreal. And the show follows four employees who effectively sort numbers floating on their computer screens. And they're in this huge room and there's these four desks and these four people working, and you have no idea what they're doing. It makes not much sense to you as a viewer. And early in season one, you learn that they all have chosen to have a chip put in their brains that cuts their memories in half. So they kind of divide it as innie and outie. So the working part, the part working inside the office, is called the innie. And it has no knowledge of who they are beyond the walls of that company. And the outer part, the outie, has no memory of the working day. And what their innies are working on, on these numbers going in, seems to be very, very important to this big company, Lumon. But no one really knows why or how or who's going to benefit or what's going on. So problems ensue, of course. The show's creator, Dan Erickson, was inspired by wishing that his tedious office temp job could zoom by so that he could get back to screenwriting. Anyway, so series two has just come out. Some series shake up things pretty radically between seasons. You know, you just have no reference point. But this is a seamless continuation. So we basically pick up five months after the cliffhanger event from season one. I'm not going to give any highlights because, Graham, you haven't watched season one yet. But you will love it. The acting is stellar, characters become weird family members, and you don't really know who to root for. It's delicious. So my pick of the week is Severance Season 2. Don't miss Season 1, though. And find it on Apple TV+. Wonderful.
Well, that just about wraps up the show for this week. You can find Smashing Security on Blue Sky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you know there's another episode. Follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Pocket Casts. And huge, huge thank you to our episode sponsors, Tripwire, 1Password and Palo Alto Networks. And, of course, to our wonderful Patreon community.
It's actually more than 407. Oh, there you go. Until next time, cheerio. Bye-bye. Bye. Thank you.
Hosts: Graham Cluley and Carole Theriault.
Episode links:
- ‘We wanted to help’: Students arrested after exposing FreeHour security flaw – Times of Malta.
- Medusa ransomware gang demands $2M from UK private health services provider – DataBreaches.net.
- Medusa Unveils Another 50TB of Stolen Data from HCRG Care Group, Giving Greater Insight Into the Scope of the Breach – DataBreaches.net.
- HCRG Care’s lawyers claimed an injunction issued in a “private” hearing required us to remove two posts. We didn’t comply – DataBreaches.net.
- Security firm leaves more than five billion records exposed on unsecured database – Graham Cluley.
- After threatening me with legal action, Keepnet Labs finally issues statement over data breach – Graham Cluley.
- Sophos apologises for going legal on school techies – The Register.
- Mail Scam Targeting Corporate Executives Claims Ties to Ransomware – IC3.
- One of the nastiest ransomware groups around may have a whole new way of doing things – TechRadar.
- Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear – GuidePoint Security.
- Severance – Apple TV+.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Palo Alto Networks – Get the 2025 Unit 42 Global Incident Response report to discover emerging threat trends, attacker tactics and expert recommendations to safeguard your business.
- Tripwire Enterprise – Set up a demo of Tripwire Enterprise to see how you can simultaneously harden your systems and automate compliance.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.