Smashing Security podcast #422: The curious case of the code copier

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


A GCHQ intern forgets the golden rule of spy school — don’t take the secrets home with you — and finds himself swapping Cheltenham for a cell. Meanwhile, an Australian hacker flies too close to the sun, hacks his way into a US indictment, and somehow walks free… only to get booted back Down Under.

Plus: flow states, Bob Mortimer, and the joys of pretending to carry an owl around on a cushion.

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Do you know what it means, Carole?

Carole Theriault

Yes, I've had many interns in my time.

Graham Cluley

Oh, really?

Carole Theriault

Yes.

Graham Cluley

I can't stress this enough. If you were to end up as an intern at, oh, I don't know, the White House, for instance, serving the president's pleasure, that kind of thing gives interns a bad name.

Carole Theriault

Oh my God, was that a Monica Lewinsky reference?

Unknown

Yes. Smashing Security, Episode 422: The Curious Case of the Code Copier with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 422. My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

Carole, what's coming up on the show this week?

Carole Theriault

Well, first, let's thank this week's wonderful sponsors: Flare, Vanta, and 1Password. It's their support that helps us give you this show for free. So coming up on today's show, Graham, what do you got?

Graham Cluley

I'm gonna be talking about the curious case of the GCHQ intern.

Carole Theriault

Ooh, okay. And I will be talking about the hacker who maybe should have been called Icarus. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, today we are heading into the world of espionage, secrets, and someone who clearly didn't understand what being an intern involves.

Carole Theriault

Do you know what that means?

Graham Cluley

Hmm?

Carole Theriault

Do you know what it involves?

Graham Cluley

Yes, yes, yes, yes. It's about— it's the kind of job where you're told to race out and fetch the lattes and cappuccino and oat milk flat whites for the rest of the team. It's about tidying up after meetings. It's about cleaning out the office fridge. Do you know what it means, Carole?

Carole Theriault

Yes, I've had many interns in my time.

Graham Cluley

Oh, really? Really?

Carole Theriault

Yes, when we worked at the same company, I used to take them in. Don't you remember?

Graham Cluley

Oh, but you haven't been an intern.

Carole Theriault

No, I have not been an intern, but I also didn't get them to make my latte and fold my socks or whatever you were doing.

Graham Cluley

Well, being an intern, and I can't stress this enough, Carole, if you were to end up as an intern at, oh, I don't know, the White House, for instance, serving the president's pleasure, that kind of thing gives interns a bad name.

Carole Theriault

Oh my God, was that a Monica Lewinsky reference?

Graham Cluley

Yes. Basically, an intern can be treated as a bit of a dog's body. I'm not saying they should be, but they can be in certain organisations, can't they? They can be the people who get the jobs that no one else wants to do. But you do it because you want to get a leg up, or you may even be doing it for no money, which just seems like a terrible thing to me, or for a pretty paltry salary. But it can open doors, and there are organisations which exploit that, of course. And what if you were fresh out of college or university and you wanted a career in, I don't know, cybersecurity, just chosen at random, cybersecurity.

Carole Theriault

Okay. Everyone's dream.

Graham Cluley

Imagine you're in a position on that and you look at all the jobs which are being advertised and it's basically saying junior cybersecurity person. It says only requires 10 years' experience. So you're thinking, well, how am I meant to get a job like that? And you're thinking, well, you know, what can I do? And you think, well, maybe I should aim for the top. Why don't I head to somewhere like the Cheltenham Doughnut? Are you familiar with the Cheltenham Doughnut?

Carole Theriault

Yes, I am. That's quite a big doughnut. Very important doughnut.

Graham Cluley

It's a big doughnut, isn't it? It's the UK's GCHQ. It's a building in Cheltenham in the UK shaped like a giant doughnut. Really, it is. And it's packed with cryptographers and mathematicians and hackers turned defenders and cybersecurity experts. And they've all been put there to work for His Majesty's Government, protecting the realm from cyberattacks and maybe occasionally attacking other countries as well digitally. But that's where it's all going on in the UK. And they have an internship programme. You could be spending your summer holidays this year, Carole, at GCHQ, helping them out if you wanted.

Carole Theriault

Yeah, I might not be in the right age bracket.

Graham Cluley

Well, who knows? But this is a 10-week long internship where GCHQ says that you will be working alongside their permanent staff with access to genuine case studies, showing off your passion for puzzles and Sudoku, whatever it is you're really good at, your interest in new technologies.

Carole Theriault

Yeah. Is this a paid role?

Graham Cluley

Well, this is the good news. Yes, it is paid. You'll be paid £300 every week and free accommodation. Not bad.

Carole Theriault

Yeah, because Cheltenham is not cheap, right? It's expensive to live there.

Graham Cluley

Oh yeah.

Carole Theriault

So yeah. I'm thinking coming out of university, that isn't bad.

Graham Cluley

Not bad at all, because you weren't earning £300 a week most likely when you were at university, and your accommodation wasn't for free.

Carole Theriault

Or maybe it was with mum and dad, but maybe you need to get out of there pronto. You know, we know how it works.

Graham Cluley

And after an internship at GCHQ, you will be eligible to apply for a permanent role. And in 2019, a chap called Hassan Arshad did just that. He completed a work placement at GCHQ. He was an intern there while studying at the University of Manchester, and then he went back for another placement a couple of years later. So I guess he'd enjoyed it and he thought, I'll go back for some more. And it was during this second year, which was a year-long placement now, that things began to go a little bit wrong. So it's coming up to the end of his year-long placement in August 2022. Things seemed to be going well. It was literally days until he left. He's leaving at the end of the week. There's a leaving card going around. Maybe they're all planning to go down to the pub or something, have some leaving drinks. Arshad's manager has written in his leaving card in glowing terms, he said, oh, Arshad, you've had excellent ideas and suggestions. Let us know if you ever need a job. And so he's going away from there thinking this is going to be terrific. Everyone seems happy with him.

Carole Theriault

Okay.

Graham Cluley

But two days before his placement was due to finally finish at the end of August 2022, Arshad copied some data from GCHQ's network to a mobile phone, an actual mobile phone that he'd been supplied with by GCHQ. He took it home and then copied that data onto some hard drives at his house.

Carole Theriault

Question.

Graham Cluley

Yes.

Carole Theriault

What was the data?

Graham Cluley

Yeah, a great question. Well, what it was — well, first of all, it was a tiny amount. It was hardly worth mentioning. 61.8 gigabytes.

Carole Theriault

Oh, wow. And he didn't think that would trigger any kind of suspicious activities going on here, Guv?

Graham Cluley

I mean, he probably had to delete a lot of photos and movies from his phone before copying it over, wouldn't he?

Carole Theriault

It wasn't his phone. It was the GCHQ phone. And yeah, that's a big phone.

Graham Cluley

Yeah, he's gonna have to have some storage space on it.

Carole Theriault

Exactly.

Graham Cluley

Now, for perhaps understandable reasons, we don't know the full details of what he took. But according to prosecutors, he took code for a top-secret software tool that was estimated to have been worth millions of pounds, and that had been developed using a large amount of money. Obviously money which, like everything with the GCHQ, has been paid for by the taxpayer. So this was an important tool.

Carole Theriault

I'm finding this a bit crazy. Is this really for real?

Graham Cluley

This is for real.

Carole Theriault

He's not being set up?

Graham Cluley

He's not being set up?

Carole Theriault

No, no, no, no, no.

Graham Cluley

Arshad was part of a tech development team working on this tool and various techniques to obtain information about threats to the UK. So he was working on a team which was protecting the UK from attacks by foreign states and maybe others. And the files which he took, apparently they— not only was it the software code for this tool, whatever that might have been, this top secret tool, but it also contained the full names of 17 individuals who were working on the project. I guess that was in the README file or the commits as to which program had written which bit.

Carole Theriault

Wow.

Graham Cluley

So the next question is, why did he take it?

Carole Theriault

Well, I'm guessing he took it because he wanted to sell it on or something, or wanted to continue development on the project, or I don't know, a future ransomware attack. I don't know.

Graham Cluley

All plausible suggestions. Yeah, I mean, I initially thought, well, he was probably going to try and sell it to someone or maybe leak it to a foreign power. Maybe try and use it to impress dates. You know, if you're out in Cheltenham at a wine bar.

Carole Theriault

That would work. Yeah, that would work.

Graham Cluley

Get your source code out. Look what I got in my pocket. How many USBs would you need now? Probably one. One, I think.

Carole Theriault

It wouldn't even have to be that big, would it?

Graham Cluley

So, although investigators found information related to how much money could be made through bug bounties after information leaks on Arshad's PC— so they went round to his house and they searched his PC— it doesn't appear that he had a financial motivation. Instead, he said, he took the code out of, and I quote, curiosity. He said, I removed the data simply out of curiosity to further develop some of the changes I was unable to complete during the course of my work placement.

Carole Theriault

I do not believe that that particular piece of code was 61 gigs. You don't? No. I just have a feeling there might be a lot more stuff in that little trick-or-treat bag that he tried to fill.

Graham Cluley

Well, you don't know. I mean, there may have been a lot of data driving the tool as well. It does sound like a lot anyway. But anyway, this is what the prosecutor said.

Carole Theriault

A lot of associated tools.

Graham Cluley

Yeah. But it seems that he took the code. This is his claim. He took the code and he was aiming to improve it during his time away because he hoped to come back to GCHQ to do the job again or get another placement in the future, and wouldn't they be impressed with how much work he'd done? Now, that's taking a passion for your job to the extreme, isn't it?

Carole Theriault

Yeah, I'm not buying it.

Graham Cluley

You're not? You're a bit sceptical?

Carole Theriault

No, I am a little sceptical. I think does he admit that, yeah, maybe that wasn't a very clever thing, or he just says, well, what could I do? I was curious. What am I going to do about that?

Graham Cluley

I think you're underselling here, because if that was the truth, it was obviously an idiotic thing to do.

Carole Theriault

Yeah, you wouldn't want him working for GCHQ.

Graham Cluley

So he said, I'm sorry for my actions. I understand the stupidity of what I've done. I understand the potential damage and risk. I've accepted that.

Carole Theriault

Sorry.

Graham Cluley

I've removed the data.

Carole Theriault

I screwed up big time, guys.

Graham Cluley

The other question I have is, why on earth was he able to take his phone in with him to the office? I can understand GCHQ giving him a phone. It's if we've got a problem on the project, we want to be able to call him when he's out on the razzle in Cheltenham. But why are they allowed to take their phones in?

Carole Theriault

I'm pretty sure that— maybe it depends on where you are in the building, but I am pretty sure, I have it on good authority, that you can't and don't.

Graham Cluley

That's what I would have thought.

Carole Theriault

I contact someone who's working there, they call me after job, right? Or during a break from outside, not during work hours.

Graham Cluley

I don't know, but I would expect that they have maybe lockers. So when you arrive, you can put it in your locker and then you go through some sort of security check.

Carole Theriault

Who knows? Yeah.

Graham Cluley

It's all a mystery inside the doughnut. Now, the good news, as I said, is that, of course, GCHQ, surprise, surprise, spotted that 61.8 gigabytes of its data had been exfiltrated. And within the month, police had raided this chap's house. He is now serving time at His Majesty's pleasure. A total of 7.5 years he is going to be in the clink, including 18 months for some frankly unpleasant sexual offences, which we won't dive into here. But the majority of his time served is to do with this cybercrime instead.

Carole Theriault

Wow. So he got 7 years.

Graham Cluley

7.5 years in total, yeah.

Carole Theriault

Interesting.

Graham Cluley

So what can organisations take away from this? Well, obviously, be careful when granting access. Anyone with access could be a threat, so you've got to monitor it diligently. And obviously GCHQ did in this case. And I'm afraid it's not a defence to say, "I was just being curious," as this chap did. Carole, what's your story for us this week?

Carole Theriault

I want you to meet David Kee Crees. Yes, that seems to be his name.

Graham Cluley

David Kee Crees.

Carole Theriault

Yeah, David K-E-E and then C-R-E-E-S. So this guy, 26, has built quite the hacking portfolio, and I thought I could share his story with you. So you might be thinking at the age of 26 that perhaps he might be still a bit of a noob or no. Would you think that by then you're old hat?

Graham Cluley

26? Oh, in this— I think the hackers start young these days. They start at 12 or 13, don't they? And then of course they get their internships at GCHQ along the way.

Carole Theriault

Yeah, well, Australian-born Kee Crees first came to the attention of the authorities when he was— he still had baby-smooth skin. And he did this because he claimed responsibility for the hack of Aussie Travel Cover, known as ATC, under his hacker name at the time, which was Abdilo. And this is way back in 2014, so 10 years ago, when Crees was just 16. Now, ATC is one of Australia's largest travel insurance companies. A shed ton of personal information of travel insurance clients, including names, phone numbers, email addresses, travel dates, how much policies cost, all that was pilfered. Plus, at the time, there was no legislation in Australia compelling companies to disclose data breaches to customers. So they didn't. Friend of the show Troy Hunt said at the time that the data showed about 3/4 of a million records of personal information that had been stolen. And ZDNet wrote that the hacker exploited an SQL injection vulnerability to exfiltrate the records. And according to the hacker's own claims posted on Pastebin, he had used the same technique to compromise dozens of sites.

Graham Cluley

Well, SQL injection attacks, sadly, they still are quite common, aren't they? But they were particularly prevalent back then. And so it's a great way to get websites to spill out a huge amount of data.

Carole Theriault

So following that December 2014 attack, a string of exploits, including attacking Australian government sites, started to happen. He had 8 targets in mind, including Australian Communications and Media Authority, ACMA, the Victoria Police, the Australian Nuclear Science and Technology Organization, and the Australian Public Service Commission. So these are all in this guy's sights and key sites.

Graham Cluley

And why is he doing this? Just for laughs? Is he just being curious?

Carole Theriault

Yes, probably just being curious.

Graham Cluley

He's just doing it for a laugh.

Carole Theriault

You'll let me know at the end. I'll tell you the little story and you tell me why you think he did this, 'cause it's a mystery to me. He even stepped up his brazenness and streamed his exploits live online. At the time, Crees published some of it online and admitted to ABC— this is Australian news, ABC— by internet chat that while he knew it was reckless, he wasn't worried about police. Perhaps, you know, maybe a bit foolhardy, but let's see, let's see.

Graham Cluley

Bold.

Carole Theriault

A bold statement.

Graham Cluley

A confident person.

Carole Theriault

Yes, a statement that someone between the ages of 16 and 20 might make, right?

Graham Cluley

Yeah. Perhaps.

Carole Theriault

Anyway, according to ABC, computer system after system fell to his simple SQL injection attack. Right? Databases spat out people's private information, and anyone watching the video stream could see it. He then posted the database structure of a US university based in Illinois. One of the databases was called email_list and appeared to contain message data and email attachments. Intelligence reports from Intel Crawler, a private IT company in the US, said Abdilo is a teenager living in Queensland.

Graham Cluley

Right.

Carole Theriault

So it didn't take long for the Australian government to raid his Queensland home with a 3LA order that demanded that Crees hand over his encryption passwords.

Graham Cluley

Did the police livestream their arrest?

Carole Theriault

No, I don't think they did.

Graham Cluley

They missed a trick there. They could have got lots of views of that one.

Carole Theriault

Okay, so now he's, you know, he's in a bit of trouble now, right? He's in a bit of hot water. So we're going to fast forward now to 2021 because an arrest warrant was issued in Colorado because remember he was attacking U.S. sites.

Graham Cluley

Oh yes.

Carole Theriault

And it was reported that Crees was caught after he sold data to and discussed the hacks with agents working undercover for the FBI. Crees was ruled eligible for extradition the following year by Australia, and subsequently flew to the US to face the poop storm of his own making, right? Basically standing trial on a 22-count indictment filed by a US grand jury. This is not small potatoes.

Graham Cluley

No, you don't really want to find yourself in that position, do you?

Carole Theriault

No. He's now facing a 22-count indictment. And in May earlier this year, he changed his plea. He said, look, I'm guilty of 14 of these 22 fraud charges.

Graham Cluley

Right.

Carole Theriault

And weirdly, he was then sentenced to time served. And this was pretty shocking. This is all according to Data Breaches. I mean, Crees had been detained in Australia for 2 years pending his extradition to the US.

Graham Cluley

Wow.

Carole Theriault

And then he had been in a federal detention center from February 2024 until this past May.

Graham Cluley

Right.

Carole Theriault

But just time served for a case that started with 22 counts. And so Data Breaches are scratching their heads — what could be going on?

Graham Cluley

Well, I guess that's part of the plea deal, isn't it? It's like, look, we want this to go away. I'm terribly sorry.

Carole Theriault

They brought the guy over. They bothered to extradite him from Australia.

Graham Cluley

It would obviously have been better if this had all been sorted out earlier. Now, what could be going on?

Carole Theriault

The problem is most of the court filings in this case are sealed, so it's not publicly known why the government took this approach. But another surprising aspect is there's no restitution to victims. None of that was ordered. So whatever the case, he must have thanked his lucky stars, right? Wondering at his amazing ability to slip through the net, because that is not the outcome I would be imagining had I been extradited to the States facing 22 counts in a federal court. Well, he should have waited before he counted his stars, because just last week, over a week ago, the US Immigration and Customs Enforcement said on its social channels that David Crees had been arrested. So, quote, ICE Denver agents arrested Australian alien David Crees because he had multiple computer fraud convictions, they posted online.

Graham Cluley

They're not deporting him to El Salvador, are they?

Carole Theriault

They are deporting him to Australia. It looks like the Australian national, now convicted hacker, will get a plane ticket back to Australia courtesy of Homeland Security in order to face the authorities and legal system down under.

Graham Cluley

Because of his earlier crimes.

Carole Theriault

His earlier shenanigans.

Graham Cluley

Oh my goodness.

Carole Theriault

All I can say, it's going to be very interesting how they welcome him back home. But I have to imagine if you had to do — I mean, if I ask you, if you had to do penal time somewhere and I said, okay, do you choose the US or Australia, where would you choose?

Graham Cluley

I'd probably choose Australia.

Carole Theriault

I definitely, without even questioning or waiting for the answer, Australia. But that's just me. So interesting. It's kind of like the story of Icarus, right? He went for it and got seriously burned, and the burning is not finished yet.

Graham Cluley

Icarus didn't go on a jumbo jet to America. I think your Greek myth knowledge is—

Carole Theriault

Maybe I'm mixing up my—

Graham Cluley

Yes, yes.

Carole Theriault

If you're a security or IT professional, you've got a mountain of assets to protect: devices, identities, and applications. It's a lot, and it can create a mountain of security risks. Fortunately, you can conquer that mound with 1Password Extended Access Management.

Graham Cluley

Over half of IT pros say securing SaaS apps is their biggest challenge. With the growing problem of SaaS sprawl and shadow IT, it's not hard to see why. Thankfully, Trelica by 1Password can discover and secure access to all of your apps.

Carole Theriault

Trelica by 1Password inventories every app in use at your company. Then pre-populated app profiles assess SaaS risks, letting you manage access, optimize spend, and enforce security best practice across every app in your employees' use.

Graham Cluley

So take the first step to better security for your team by securing credentials and protecting every application, even unmanaged shadow IT. Learn more at 1password.com/smashing. That's 1password.com/smashing.

Carole Theriault

There are lots of threats out there affecting businesses, but what if you could see them all and exactly how they impact your organization all in one place?

Graham Cluley

Well, with Flare, you can. Flare gives security teams real-time visibility into cybercrime forums, Telegram channels, Stealer Logs, and darkweb marketplaces, so you're not blindsided by the threats.

Carole Theriault

Flare helps you prioritize real risks and kick off remediation fast so your team can move from awareness to action before any damage is done. Think of Flare as your exposure management platform built to help you detect, prioritize, and respond with lightning speed.

Graham Cluley

Sign up now for free at smashingsecurity.com/flare. That's smashingsecurity.com/flare.

Carole Theriault

And thanks to Flare for sponsoring the show.

Graham Cluley

Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Carole Theriault

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

Graham Cluley

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant but stay compliant.

Carole Theriault

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A, dot com, slash, smashing. And thanks to Vanta for sponsoring Smashing Security.

Graham Cluley

And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my Pick of the Week this week is not security-related. Good. A few years ago, I was watching a BBC TV program. I'm sure you're aware of it, Carole, called Would I Lie to You?

Carole Theriault

Yeah.

Graham Cluley

Where Bob Mortimer was a guest, and he was describing how he did his own dentistry and how he set his parents' house on fire. And the aim of the game, for anyone who hasn't seen it—

Carole Theriault

It's a great show.

Graham Cluley

I enjoy it a great deal, especially when Bob Mortimer is on it. So the idea of the game is, you tell a tall story and the other team have to work out if your story is true or not, whether it's a lie or whether it's the truth. It's a very funny show. And the reason why it's so good when Bob Mortimer is on it is because however preposterous the story is, in Bob's case, it could be true.

Carole Theriault

Isn't it that they have to find lies in a story? Like, they have to go, "I think that bit of the story is a lie." I think you're mixing it up with a Radio 4 show. Yes, maybe, yeah.

Graham Cluley

An Inconvenient Truth or something like that, which is along those lines. Now, in this case, it's either—

Carole Theriault

The whole story.

Graham Cluley

You've got to believe the whole story. Perhaps my favourite story of Bob Mortimer's on Would I Lie to You is when he showed off a cushion and he said he claims that he carried his pet owl around on it. And you have to watch it, really. I'll put a link in the show notes. See what you think of his storytelling then. But anyway, I find it very amusing. And so I was thinking, you know, what should I read? Because I'd finished a book and I thought I need to read something else. And I came across Bob Mortimer's autobiography. And I thought, he's a funny chap. Maybe I'll enjoy that.

Carole Theriault

I heard it's quite good, actually.

Graham Cluley

Yeah, it's called And Away... it's called. And he wrote it following having had open heart surgery, which, you know, turns out that's quite serious, Carole.

Carole Theriault

Yeah, I've heard it's not something that you want to do for fun.

Graham Cluley

No, no. So, I mean, he describes what the process is and you go, blimey. Yeah, okay, that's quite serious. And it seemed to him as good a reason as any to look back on his life and a great way to frame his autobiography. Anyway, I have been reading the autobiography. It's funny, it's heartwarming, it's sad, it's poignant. It's a great read and it's very funny and it encapsulates Bob Mortimer. So if you like him on the TV show or the other things which he's done, then maybe you would like to check out And Away, his autobiography as well. And that is my pick of the week. I have just got it from my library. It's on hold. Excellent. Carole, what's your pick of the week?

Carole Theriault

Okay, so I've chosen a pick of the week and it's a book and I have a lot of difficulty pronouncing the name of the author.

Graham Cluley

Has written this book.

Carole Theriault

I know. So forgive me before I start, but this is a 1990 book called Flow: The Psychology of Optimal Experience. It sounds a bit wanky, the title. I know, I know. But give it a second.

Graham Cluley

The Science of Optimal Experience.

Carole Theriault

Yes. And it'll make more sense when I finish.

Graham Cluley

Okay. All right.

Carole Theriault

So this is by Mihaly—

Graham Cluley

Mihaly Private Eye? How do I say his name? Hold on. It's a lovely name.

Carole Theriault

It's a great name. And he's a legendary psychologist, so I should be able to pronounce his name.

Graham Cluley

Right.

Carole Theriault

And this is his famous Investigations of Optimal Experience. And by that, it's what makes an experience genuinely satisfying?

Graham Cluley

Oh. So, you know, you might go to McDonald's and order a meal deal and think, oh, it's so good when you're eating it. And at the end, you're like, ugh, feel a bit gross. I might not.

Carole Theriault

No, no, no.

Graham Cluley

So according to this author, it's a state of consciousness called flow, right? So when people are in flow, they typically experience deep enjoyment, creativity, and a total involvement with what they're doing. And the argument is that basically the best moments in life usually occur when someone's body and/or mind are in this state. So they're stretched to their limits in a voluntary effort. To accomplish something difficult, worthwhile, that sort of thing. And how do you get into this mental state? Does it require a little bit of the old Mary Jane, a little bit of the jazz cigarette, or what does it involve?

Carole Theriault

Do you have things in your life where maybe when you were writing your computer game all those decades ago that maybe you were like, whoa, I just lost 5 hours because you were just totally into it?

Graham Cluley

Oh, absolutely.

Carole Theriault

And if someone had said to you, are you happy, are you sad right now, you'd be like, I don't know, I don't even want to think about that, I'm just in zone. I'm in the zone. I'm doing my thing.

Graham Cluley

Yeah. And I would forget to eat all day.

Carole Theriault

Exactly.

Graham Cluley

I was, you know, time just went zoom.

Carole Theriault

That's flow. Okay. That's flow. And the idea is that a lot can come from that experience because you're just in this Zen mode. Apparently it happens when your skills match the difficulty of the task. So if the task is too hard, you'll feel anxious and won't be able to experience flow.

Graham Cluley

Right.

Carole Theriault

And if the skills are higher than the challenge, you're going to feel bored.

Graham Cluley

Okay.

Carole Theriault

So this book is, what, 35 years old? And it still has many key elements that gelled with me. And it has a depth that I thought was quite impressive. So I could see that he really cared and was really trying to define something quite complicated.

Graham Cluley

I would imagine, Carole, you get into the zone when you are painting because you love painting and you're very good at it.

Carole Theriault

Well, amateur, you said last week, but yeah.

Graham Cluley

You have sold paintings for money.

Carole Theriault

Yes, I have, Graham. Thank you very much.

Graham Cluley

That's professional. Wow.

Carole Theriault

So the idea, the main question of this book is how can you make sure that your life is worth living? You need more flow because that equals long-lasting fulfillment. So that's kind of it in a nutshell. So that is Flow. What's the wanky second bit of the title? The Psychology of Optimal Experience.

Graham Cluley

So I've got a question for you, Carole. The title did put me off a little bit. Is it an easy read for someone like myself, or is it very sort of—

Carole Theriault

Well, you're not a dodo.

Graham Cluley

Thank you.

Carole Theriault

And you have quite a good vocabulary, so I suspect you'll be able to manage it.

Graham Cluley

Okay.

Carole Theriault

It's not complicated. I think, no, I think it's written for a reader. It's definitely someone who's a reader, but—

Graham Cluley

Right. There's not lots of drawings then, you're saying. Okay.

Carole Theriault

You can manage it, dude.

Graham Cluley

Thanks very much. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. What have you got to do? Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And thank you to our episode sponsors, Flare, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 421 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye.

Carole Theriault

Bye.

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Flare – Uncover the latest threats across the dark web and Telegram. Start your free trial today.
  • Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
