Smashing Security podcast #415: Hacking hijinks at the hospital, and WASPI scams

Industry veterans, chatting about computer security and online privacy.

He’s not a pop star, but Jeffrey Bowie is alleged to have toured staff areas of a hospital in Oklahoma, hunting for computers he could install spyware on. We dive into the bizarre case of the man accused of hacking medical networks and then sharing how he did it on LinkedIn.

Plus! Move over Nigerian princes — the WASPI scams are here. Fraudsters are now targeting UK women born in the 1950s, exploiting pension injustice for phishing gain.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

Was he like, what's it called? Like a fake, like a decoy, like a decoy duck and they actually were doing something else?

Graham Cluley

I'm sorry, a decoy duck?

Carole Theriault

Isn't it called a decoy?

Unknown

Oh, the man who goes quack, quack. Smashing Security, episode 415, Hacking Hijinks at the Hospital and WASPI Scams, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 415. My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault. Before we kick off, let's first thank this week's wonderful sponsors, 1Password and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be taking a look at some hospital hijinks.

Carole Theriault

Ooh, and I'm going to find out what's going on with UK state pension payouts. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Okay, chums, picture the scene if you can. St. Anthony Hospital in the city of Oklahoma City. Nurses are running around, doctors are saving lives.

Carole Theriault

What is this? It's like an episode of ER.

Graham Cluley

Exactly, exactly. That's what's going on. Give him more insulin. There's one random man wandering around the halls. He's poking around in staff only areas. He's trying to get into multiple offices until finally he stumbles upon two unguarded computers.

Carole Theriault

Okay?

Graham Cluley

And he's using these computers and some staff go, whoa, whoa, whoa, whoa, whoa, whoa, whoa. You haven't got any business touching them. What are you doing? And our man's got a perfectly innocent explanation. He says, look, I've got a member of my family, they're undergoing surgery right now. I needed to use a computer urgently. I hope you don't mind that I was using this staff computer. Yeah, that's pretty good social engineering there. I'm assuming this is a scam. Well, what was he doing, you ask? What might he have been doing?

Carole Theriault

Well, don't ask me that. I'd be like, he could be doing anything.

Graham Cluley

Could just be playing Minesweeper, couldn't he? But no, what he's actually doing is he's installing a little something onto the computer, a tiny piece of software that secretly takes screenshots every 20 seconds and beams them off to an external server. You know, totally normal hospital visitor behaviour. That is the kind of thing you do, isn't it? You take a screenshot because there's so much information which is shown on the screen. You'll get emails, for instance. You may be able to grab credentials, people's contact details, people's private hospital information. Medical information.

Carole Theriault

I'm so old school though. I'm imagining it's an actual person looking at these thousands of screenshots that arrive, scanning to see if they can see any secret information and writing it down on a yellow pad.

Graham Cluley

The thing is, if you've only got access to a computer for a very short period of time, and you could be interrupted by someone wearing, you know, the hospital gown at any point.

Carole Theriault

Okay, good point.

Graham Cluley

You may just think, what I'll just do is I'll just try and grab whatever appears on this screen. Who knows what I'll find? Rather than plowing through, looking through the different databases and trying to gain access anyway. The installation of this malware could potentially have resulted in unauthorized access to patient data if he hadn't been stopped in time. But thankfully, vigilant staff were able to intercept him. Security footage showed him trying to access multiple offices, logging into different machines, and behaving so suspiciously, even the overstretched hospital IT team spotted something was up. They were able to put the resources in, get him.

Carole Theriault

Was he a fake? Like a decoy? Like a decoy duck? And they actually were doing something else?

Graham Cluley

I'm sorry, a decoy?

Carole Theriault

Was it called a decoy?

Graham Cluley

A decoy duck?

Carole Theriault

I'm just thinking that, you know, there is in hunting, I think they tend to put out a decoy duck to try and lure the ducks.

Graham Cluley

Oh, the mannequins.

Carole Theriault

Quack, quack. Yeah, yes. Or they have wooden ducks. Literally, they have wooden ducks that they put into the water to look like ducks so other ducks go, hey, she's hot. Let me check what's going on over here. And then hunters, yes.

Graham Cluley

Is this a little bit like when Bugs Bunny meets female Bugs Bunny with big eyelashes and he's like, "Ahoo-gah, ahoo-gah." Yes. Right.

Carole Theriault

Anyway, I'm just wondering if this person was a decoy and there was actually something else nefarious going on elsewhere.

Graham Cluley

You're so suspicious of all my stories. Anyway, the cops arrested the man. Now you might be wondering, who is this mysterious malware installing visitor? Is he some sort of low-level crook? Is he a bored teenager? Is he a confused pensioner thinking he was using a vending machine. None of those things. It was a guy called Jeffrey Bowie.

Carole Theriault

Jeffrey Bowie.

Graham Cluley

Don't know if he's any relation. CEO of a company called Veritaco. And Veritaco is a cybersecurity firm that offers services such as digital forensics, incident response, penetration testing. So he's now been arrested by Oklahoma City Police. And let me tell you, was he—

Carole Theriault

I have so many questions now!

Graham Cluley

Right, go on, go on, let's hear them.

Carole Theriault

Was he hired by the hospital to do a pen test operation? Was he literally there just visiting his old relative?

Graham Cluley

No.

Carole Theriault

Okay.

Graham Cluley

So he wasn't there for that reason.

Carole Theriault

Okay.

Graham Cluley

And he's not happy about all the media reports. He says his case has been misreported by the TV news. He's been posting on LinkedIn about what happened.

Carole Theriault

What does he say happened?

Graham Cluley

He claims that despite what official court records say, that he wasn't arrested by Oklahoma City Police. He claims he's been defamed. He's basically saying, look, everyone calm down. I wasn't arrested. I just woke up and everyone thought I was in jail. He says his phone went crazy telling him that he'd been arrested at the hospital. He says, look, nothing like that happened. And he carries on in this LinkedIn post, which I'll link to in the show notes. He claims his reputation has been wrecked, and he's demanding that the News 9 TV station in Oklahoma City, which reported on this case, did incalculable damage to his business reputation. Well, he has actually calculated the amount, actually. He says he's lost a whopping $12,000. So that's what he's demanding from the TV station.

Carole Theriault

$12,000?

Graham Cluley

I know. It's what a typical cybersecurity CEO earns per hour, isn't it?

Carole Theriault

So he's saying all this, all this thing of being arrested, that's cost him 12 grand.

Graham Cluley

12,000 pounds, he says. Right. He goes on to explain in this LinkedIn post. He says, "Well, yeah, yes." He said, "I did access two hospital computers." So obviously that's like an open invitation. Once you've gone into a staff area, which, you know, a regular visitor, member of the public shouldn't be in, in a hospital. If you see a username and password on the side of a computer, then you're perfectly within your rights to enter that username and password to gain access to the computer. That's his opinion as a so-called cybersecurity professional.

Carole Theriault

Hey, hey, hey, come on. We know many, many cybersecurity professionals in our time that would have done exactly this.

Graham Cluley

Well, yes.

Carole Theriault

I'm not saying it's good, but there's this almost this weird "Oh, I'm gonna teach them a lesson" attitude about it.

Graham Cluley

Yes, that is true. He's not alone.

Carole Theriault

Okay, so he had that. So he went in and he's like, he sees the username and password taped to the screen or whatever and goes, "I'm just gonna try it out and see what happens," not realizing he's breaking the law.

Graham Cluley

Breaking the law. And he installs this piece of spyware, remember? Which sends the screen images to a remote IP address where you can collect them later. There's another computer as well, which he already accessed, according to him in his LinkedIn post. Remember, this is in his LinkedIn post where he's admitting he entered the username and password. He's admitting he went into offices, and he says on this other one where he said the computer was already logged in, all I had to do was jiggle the mouse.

Carole Theriault

Mm-hmm.

Graham Cluley

So he says he wrote this malware, an entirely innocent PowerShell script he whipped up on the fly, and he even includes in his LinkedIn post screenshots of the malware. So this isn't the greatest defense that's ever been.

Carole Theriault

No, he's arming the other side quite generously here. He is, he is. If indeed he is the one posting all this stuff on LinkedIn.

Graham Cluley

Maybe his account's been hacked.

Carole Theriault

I know, I can't help it.

Graham Cluley

Maybe he didn't lock his LinkedIn account. Maybe someone just came along, went into his office, jiggled his mouse, and was able to post on his LinkedIn account. Who knows? Now, it's an odd way to claim that he definitely didn't do anything wrong. He makes some other claims as well. He says that the FBI, he says the FBI were very underhand, he said. He says they bought me lunch. They said they wanted to chat to me about using AI to catch online paedophiles. And when he showed up for the lunch, they then turned the tables on him and hit him with this hospital hack instead. Anyway, he's very, very angry, but he says he's very, very happy to speak to the media about this, what he claims is a miscarriage of justice. He's requesting payment for interviews. So if you're a member of the media who wants to report on this, he says, you can get in touch with me, but be ready with Apple Cash in order to pay me. So he writes all this on LinkedIn. I've been to his LinkedIn page and checked it all out. And some people have been replying to him, pointing out that, you know, as a cybersecurity professional, was it really wise to access a PC to write a script that takes screenshots, sends them offsite without prior authorization? Because I think you'll actually find, I think you'll find, I think you'll find that is actually a crime. So aside from this particular case, where do we stand, Carole, on this kind of thing? Should people, if they see a computer with a username and password, where do they stop?

Carole Theriault

Where do we stand on this? With the law, Graham. Okay? With the law, which means you don't touch someone else's machine. You don't go in and type in their username and password, and you don't play around and send emails pretending to be them or do little jokes, 'cause it's against the law, at least in the UK. Check the laws in your own geography, I suppose.

Graham Cluley

I think it's probably the case in most places around the world. Anyway, good luck, Jeffrey Bowie, on your defence. We don't know if you have been arrested, as the police say, or not. But potentially, you could be facing a large fine and maybe even some prison time if found guilty. Carole, what's your story this week?

Carole Theriault

Well, I don't know if it's as crazy as yours.

Graham Cluley

Okay.

Carole Theriault

But you're a maturing man, right?

Graham Cluley

Thank you. Finally.

Carole Theriault

Do you ever think about retirement?

Graham Cluley

Oh my God. Yes. You do? I'd love to.

Carole Theriault

I bet you've been planning it since the age of 8 or 9.

Graham Cluley

I was planning to retire at 30, as I remember, and I've gone a little bit past that now.

Carole Theriault

The idea is a little bit scary because it basically means you don't make any more money and you have to live off your savings. Yeah, I met this US couple. They were tech high flyers, right, with lots of wonga. But their retirement aim was $9 million US.

Graham Cluley

What?

Carole Theriault

I'm not kidding.

Graham Cluley

That's ridiculous.

Carole Theriault

Yeah, $9 million. I coughed up my cornflakes like, what?

Graham Cluley

That's insane.

Carole Theriault

But the 0.01% aside, if you're based in a country that offers you a state pension it can be a lifesaver. You know, I don't know about you, but I live in a not-so-chi-chi neighborhood, and there are a number of older people who would literally not heat their homes or eat enough were it not for state pensions.

Graham Cluley

Yes, state pensions in the UK, they're not huge by any means, are they? They're not luxurious.

Carole Theriault

No.

Graham Cluley

But every little helps.

Carole Theriault

Every little helps. So because we have an international audience, I'm going to give a little mini history lesson on pensions to tee up this story.

Graham Cluley

This is why I listen to Smashing Security. I'm fascinated. I will learn something right now. Go on then.

Carole Theriault

You will. You will. So the modern state pension was introduced in 1948, and men who made enough National Insurance contributions received their state pension at 65, and women received it at 60. Now, in 1995, the then Conservative government introduced a timetable to make the age at which men and women start getting state pensions the same.

Graham Cluley

Yes.

Carole Theriault

And the idea was to slowly raise the state pension age for women to 65 between the years of 2010 and 2020. Fine. But in 2010, a coalition government decided to speed up these changes, all in the aim of reducing the overall cost of state pensions. Because if you can raise the number by 5 years more quickly, you can save a lot of wonga.

Graham Cluley

Yeah, people might die by the time they're due their pension. That's what they're thinking. Save some money that way.

Carole Theriault

If you're looking at a government for saving money, I can see why you'd want to do this. It's not great for the people. Anyway, the Pensions Act 2011 brought forward the qualifying age of 65 for women to 2018, two years earlier than expected.

Graham Cluley

Right.

Carole Theriault

And Which? magazine at the time wrote, the state pension age officially equalizes today, meaning that from now on, no man will qualify for a state pension at an older age than a woman. Now, obviously some people were unhappy with this decision, particularly women who were nearing retirement and suddenly having 5 years tacked on. So a group was founded called Women Against State Pension Inequality, WASPI. They're known as WASPI, which, you know, I don't know, I'm not super comfortable with that name. Maybe it's because I come from the other side of the pond. But yeah. Anyway, so it's called the WASPI Campaign. And they say this campaign is fighting for justice for all women born in the 1950s who were affected by the changes to the state pension age. So they say we're not against equalization, but maintain that changes were poorly communicated and have called on successive governments to provide redress to the millions of women impacted. Now, the thing is, most women affected now have reached their state pension age. And the WASPIs now say that a lump sum compensation for the lack of notice would be nice, right? Because that would be commensurate with the degree of loss suffered. It would be an equitable solution.

Graham Cluley

Yeah, it would be nice. Yeah.

Carole Theriault

So in March last year, the parliamentary ombudsman recommended that affected women receive compensation in the range of £1,000 to £3,000 each. The WASPIs wanted, I think, around £10K. They thought that was commensurate. But hey, £3,000, you know, I don't know, better than nothing.

Graham Cluley

Hang on a moment. Just speaking from the man's point of view, couldn't all of us men ask for some compensation? Because if they wanted equality, they could have reduced the age at which men could get their state pension to what women had. So all those years when we'd had to work—

Carole Theriault

Why don't you start a campaign called the Wankies? And then I'm trying to work out how that acronym might work.

Graham Cluley

Wow.

Carole Theriault

Listen, so, so the Ombudsman recommended that affected women receive compensation. Okay, this is in March last year. But by the end of last year, in December, the Labour government announced that the affected women would not receive any financial compensation. And currently, a High Court challenge by WASPI campaigners is in progress.

Graham Cluley

Okay.

Carole Theriault

This whole pension thing has been in the press for, what, 10 years? And I agree, it doesn't impact you directly, but it does impact a lot of people. More than 3.6 million women were affected by this Department for Work and Pensions failure to properly inform them of the increase to the state pension age.

Graham Cluley

Yeah.

Carole Theriault

Okay, so history lesson over. Why am I talking about this? Well, last week, Angela Madden, she's the chair of the WASPI campaign, spoke about an alarming spike in spam attempts aimed at affected women in recent days. So they warn of bogus websites promising compensation payouts worth thousands of pounds to women who had their state pension age delayed by the government. So searching for terms like WASPI or WASPI compensation can land you on a site that looks legit but is very much not, they say. And some media reports blame Google for spreading this effectively fake news, right? So they say, quote, headlines circulate false claims, which are then pushed by Google News, such as DWP, which is the Department for Work and Pensions, announces £3,000 compensations for 3.8 million WASPI women, or provide a Martin Lewis WASPI calculator that lures women into giving away personal data.

Graham Cluley

He's the money-saving expert, isn't he?

Carole Theriault

He is. So what do people do, right? If you're a woman of that age and you're going, I don't know what's going on right now, do I have compensation? Do I not? I've seen it in the press. I've seen a few headlines. I'll Google it, right? So Martin Lewis, he's gotten involved. He's a financial expert and TV personality. He's sounding the alarm and urging caution and vigilance against these fraudulent schemes.

Graham Cluley

Right.

Carole Theriault

And what they're doing, he says, is they're purporting you can put money in and apply for compensation. That does not exist. So what do you think scammers are at fault, but you can also see how affected women would Google for this stuff and look for information on this.

Graham Cluley

Yeah, absolutely. There are a lot of scams out there in your Google search results, unfortunately, aren't there? There's a lot of dubious web pages. Sometimes you also get those sponsored ads as well, where the criminals have actually managed to boost their listings higher up in the search results in order to—

Carole Theriault

Exactly.

Graham Cluley

Get more people travelling to their dodgy sites and entering their personal information.

Carole Theriault

And it makes me kind of annoyed because if people are looking hard at their state pensions, I'm going to say they're not rolling in cash, you know?

Graham Cluley

No, no.

Carole Theriault

And targeting these people as potential victims, that's kind of, you know, trolling them is pretty low.

Graham Cluley

Yeah.

Carole Theriault

So what does this scam look like? So you'll see a website suggesting you can get compensation for being one of the WASPI women or women born in the 1950s. They typically tout you can claim for a payout worth several thousand pounds. They often mention £2,950, and that was the highest payout recommended last year by the Parliamentary and Health Service Ombudsman, as we talked about earlier. They have the site calculators claiming to show how much you could be owed in compensation. These figures are often inflated to get the potential victim excited at the return. And then of course, if you get on there, some women have been asked for their birth certificates and banking details.

Graham Cluley

Yep.

Carole Theriault

Some sites also appear to be trying to push people to sign up for other compensation schemes, including those for car finance. So the upshot here is UK women who were born in the 1950s ignore anything claiming a compensation scheme because it does not exist. The government has rejected calls for payouts. That's the latest that's happened to date. And even though the case has been in the news again this year with the WASPI group threatening legal action, the position has not changed. But if it does, the compensation would be administered by the government, and you probably wouldn't have to do much because they know you exist.

Graham Cluley

Yeah, exactly. Even if it did come through, it's not going to be the situation that you have to visit a website and register and give your information, because clearly the government already knows about you and how old you are and whether this is something that you should be given.

Carole Theriault

I couldn't have said it better myself, Graham.

Graham Cluley

I don't know how many listeners of ours fit this demographic of being female and born in the 1950s. I think I looked at some stats, and maybe it's not a huge percentage, but maybe our lovely listenership can do their bit to make sure that their elderly relatives don't fall for scams and maybe get them listening to Smashing Security as well.

Carole Theriault

I was wondering when the plug was going to come.

Graham Cluley

Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Carole Theriault

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

Graham Cluley

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.

Carole Theriault

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's vanta, V-A-N-T-A, dot com slash smashing. And thanks to Vanta for sponsoring Smashing Security. Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?

Graham Cluley

Well, 1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.

Carole Theriault

1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.

Graham Cluley

So secure every app, device, and identity, even the unmanaged ones. Go to 1Password.com/Smashing. That is 1Password.com/Smashing. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my Pick of the Week this week is not security related.

Carole Theriault

Excellent.

Graham Cluley

Carole, as you've already intimated earlier on in the podcast, I've reached a certain age.

Carole Theriault

A ripe old age.

Graham Cluley

And that means that, you know, I'm looking for certain pursuits. And one of the things that my lovely lady and I like—

Carole Theriault

Shuffleboard?

Graham Cluley

No, one of the things— Shove-ha'penny. One of the things that my lovely lady and I like to do is go and visit a National Trust property.

Carole Theriault

Ah, yes, you are a man of a certain age. That's lovely.

Graham Cluley

Yes, I am. Exactly. We go for a little perambulation. So, for those who don't know, there's over 500 National Trust locations in the UK. There's amazing historic houses to explore and landmarks. And if you get a National Trust annual subscription, you gain free access to these. But there is a problem.

Carole Theriault

Oh?

Graham Cluley

And the problem is that the card comes on a little piece of card. Because they don't have a digital version of the National Trust card. So you can't—

Carole Theriault

You're offering your services to them as a volunteer? To help them sort this out?

Graham Cluley

Nope.

Carole Theriault

Oh.

Graham Cluley

What I'm going to do is I'm going to offer my services to any listeners who have a problem not only with the National Trust card, but maybe other things and membership cards. Who carries their wallet around with them anymore?

Carole Theriault

Just take a picture of it.

Graham Cluley

It's not always as simple as that, Carole.

Carole Theriault

Oh, okay.

Graham Cluley

Not always as simple.

Carole Theriault

Okay.

Graham Cluley

Maybe it is.

Carole Theriault

Maybe it is. Okay.

Graham Cluley

Maybe it is that simple.

Carole Theriault

It might be.

Graham Cluley

Anyway, here's what happened. My wife was off to the National Trust and she's flapping around in the bedroom saying, "Where's my National Trust card? Where's my National Trust card? I can't find it, blah, blah, blah." She's saying all this. And I'm saying, "I don't know." And she says, "Look, don't even bother looking. You'll never find it." But she says it's around somewhere. And eventually she finds it, right? And I said to her, "Don't they have a digital version you can have on your phone?" She says, "No, they don't. They've only got this card." And I said, "Give the card to me," right? I didn't take a photo of it.

Carole Theriault

And she's like, "Oh, I love this man so much. He's so supportive and lovely." That is how she responded. That's how she responded.

Graham Cluley

LastPass time. But what I did find was I found an app for my iPhone. There is a wallet facility on the iPhone, which is how you pay for things and how you put your gym membership card and all sorts of things like that, your Nectar points and all those sort of things. But you're limited as to what you can put in it. I have found an app called Wallet Creator, which is free and does not have any adverts. That's very exciting to me, which allows you to create your own custom cards you can put in your Apple Wallet where it will scan the barcode on the real-life card that you have and then add it as a card in digital form on your Apple Wallet. I think it's very exciting.

Carole Theriault

Kind of like a picture.

Graham Cluley

It is kind of like a picture. Yes, it is kind of, but you'd then have to store all those pictures somewhere. Where would you store those?

Carole Theriault

That's a fair point.

Graham Cluley

I suppose you could put them in an album.

Carole Theriault

Yeah, you'd have to put them in an album.

Graham Cluley

Yeah.

Carole Theriault

Yeah.

Graham Cluley

And you can customise it. You can customise it with a logo and the colour. Anyway, so my wife actually ended up, even though she managed to find her card, she used this to check into the National Trust and apparently they were very impressed. They said, "Oh, I didn't know you could do that." The app is called Wallet Creator. I will put a link in the show notes. There are other apps which do this, which charge you a fortune. Don't use them. Use this one instead. It worked for me. And that is my pick of the week. Carole, what's your pick of the week?

Carole Theriault

I don't know how much time you spend on TikTok, Graham.

Graham Cluley

Zero.

Carole Theriault

Yeah, okay, me too, right? I don't spend a second there, but I do occasionally get tidbits of info on what's hot or not from friend TikTokers, right. And recently, last year, there was a huge big hoo-ha about the Dubai chocolate bar. Has this made it into your echo chamber at all?

Graham Cluley

The Dubai chocolate bar?

Carole Theriault

Yeah.

Graham Cluley

Is it sort of encrusted with jewels and nonsense like that?

Carole Theriault

No, no, it's made with pistachio cream and tahini, which is basically sesame seed butter, enrobed in chocolate.

Graham Cluley

Enrobed. Yeah, enrobed.

Carole Theriault

It has a kataifi crispy filling inside the cream.

Graham Cluley

And this is on TikTok. A chocolate bar is on TikTok.

Carole Theriault

So it launched in 2021, right? From this high-class Dubai chocolatier called Fix.

Graham Cluley

Right.

Carole Theriault

And then in 2023, a food influencer samples it. Apparently, you know, she did something because it's landed more than 120 million views.

Graham Cluley

Oh, for goodness' sake.

Carole Theriault

And spawned thousands of copycat videos of people sampling the same chocolate bar. I want you to Google this while I'm talking. Google Dubai chocolate bar just to see. Say you wanted to buy one just so you can see how much they cost because these are not cheap.

Graham Cluley

Dubai chocolate bar.

Carole Theriault

Okay. So brands like Lindt are making their own knockoffs. Even Marks & Spencer's has jumped on the bandwagon. Yep.

Graham Cluley

Mind you, Marks & Spencer's been hit by ransomware, haven't they? They've probably got it in stock. Oh, oh, here it is. Okay, so it's come up on a— I'm on a store. £31.

Carole Theriault

There's people selling them on TikTok for thousands. So my pick of the week this week was going to be to make it, don't buy it, right?

Graham Cluley

Oh.

Carole Theriault

So during Easter, an arty friend of mine who's also a mean baker comes over having made this very chocolate bar using a recipe from The Guardian, which I included in the show notes.

Graham Cluley

Right.

Carole Theriault

And it was indeed very yummy. Not $20 yummy, but better than a Ferrero Rocher, right?

Graham Cluley

Okay. Is it unbelievably fattening or something? Why is it so yummy?

Carole Theriault

No, I don't know. I think it's just, you know, how do things go viral? Why? You don't know.

Graham Cluley

I do. I do like pistachio. I have to say.

Carole Theriault

Well, well, I said it was going to be my pick of the week, but apparently because of this stupid Dubai chocolate bar, there's a worldwide shortage of pistachios.

Graham Cluley

No.

Carole Theriault

And there's a resulting price hike. Google it.

Graham Cluley

Oh, I've just seen a little video of someone snapping one in half. It's all gooey inside.

Carole Theriault

Well, not gooey, kind of just softer. Yeah.

Graham Cluley

Okay. It doesn't look very nice. It is.

Carole Theriault

It is very nice. It is a nice chocolate bar. I would give it a 9 out of 10 for a chocolate bar. But I personally adore pistachios as well in all things, and they shouldn't just be for the uber-rich. So my pick of the week is don't buy pistachios or make this Dubai bar so that I could see them in my food markets once again. I thank you.

Graham Cluley

What's your favorite ice cream flavor, Carole?

Carole Theriault

I like pecan. Oh, I like rum raisin too. That's very good. And I love pistachio.

Graham Cluley

So if I have the choice, it's going to be pistachio or vanilla.

Carole Theriault

Pistachio and raspberry together. Sorbet, raspberry sorbet, pistachio ice cream is pretty spectacular.

Graham Cluley

Okay, everyone's now getting hungry. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And big shout out to our episode sponsors Vanta and 1Password, and of course to our wonderful Patreon community. It's their support that helps give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 414 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye, bye!

Hosts: Graham Cluley and Carole Theriault.

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
