
A literal insider threat: we head to a Romanian prison where “self-service” web kiosks allowed inmates to run wild. Then we head to the checkout aisle to ask why JavaScript on payment pages went feral, and how new PCI DSS rules are finally muzzling Magecart-style skimmers.
Plus: Graham reveals his new-found superpower with Keyboard Maestro, and Scott describes a slick new way to whip up beautiful how-to videos with Screen Studio.
All this and more is discussed in episode 440 of “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Scott Helme.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They simply removed all the keyboards.
Touchscreen only for you.
Yes.
You can't Ctrl+Alt+Delete anymore.
Smashing Security, episode 440. How to hack a prison and the hidden threat of online checkouts with Graham Cluley. Hello, hello, and welcome to Smashing Security episode 440. My name's Graham Cluley.
And I am Scott Helme.
Scott, welcome back to the podcast. It's been a little while, hasn't it?
It has. And I think we've racked up a few of these now, and it must be, I was going to say over the years, just as a turn of phrase, but I actually think it must be over the years.
Well, the extraordinary thing is, Scott, last time you were on the podcast was 7 years ago. Can you believe that?
No way.
Come November, it will be 7 years. And I have to ask, what on earth have you been up to all this time?
Oh man, 7 years. I can't actually believe that.
What's been keeping you away from the podcast?
Oh, well, do you know, I have to say the number one thing is just work, actually. Such a boring thing to say, but kind of, because gosh, 7 years ago, it was right back at the start of Security Headers and Report URI.
Yeah.
So I've since sold Security Headers, built that up and grew it into quite a popular little thing, I guess, and that's now sold and moved on to pastures new. And I shifted my focus on to Report URI, and now we have staff members and a team and people that I have to kind of, you know, be responsible for. And we're currently in the progress of growing that into quite a respectable little organization.
Fantastic stuff. So the Scott Helme empire continues to roll.
I'm trying my best.
And for those people who haven't heard of it before, Report URI. What does it do?
We help websites look after their cybersecurity. So modern web browsers nowadays have some super cool features built into them by default, and we kind of guide organizations through how to configure them and turn them on so you can know exactly what's going on in your website. You can make sure that data is not being snaffled off by malicious JavaScript or ads or any other kind of trickery that shouldn't be happening. You can make sure that that's the case.
Great stuff. Well, before we kick off, let's thank this week's wonderful sponsors, Vanta, 1Password, and Anon. We'll be hearing more about them later on in the podcast. This week on Smashing Security. We're not going to talk about how a major outage hit Amazon Web Services, impacting many websites and online services, and even stopped Ring doorbells from working. You'll hear no discussion of how China says it has irrefutable proof that the United States was responsible for a cyberattack that has disrupted the country's communications, financial, and transportation networks. And we won't even mention how Nintendo has confirmed that hackers have accessed some of its infrastructure and stolen data. The high-profile hacking group Crimson Collective has claimed responsibility, meaning Bowser is in the clear this time. So, Scott, what are you going to be talking about this week?
Ransomware, compliance, but it's gonna be an interesting kind of topic. Very, very heavily cybersecurity related.
And I'm gonna be talking about the ultimate insider threat inside a prison. All this and much more coming up on this episode of Smashing Security. Alright then, quick shout out to one of our sponsors this week, 1Password, and more specifically, something that they've got called Trelica. Now, be honest, do you actually know how many SaaS apps your company's using right now? Probably dozens, maybe hundreds, half of them signed up for by some guy in marketing with the company credit card. That's what Trelica's for. It finds all of those apps, even the sneaky ones nobody admits to using, and gives you a proper overview of who's got access to what. So no more abandoned accounts sitting around waiting to be hacked. No more paying for licenses that no one's touched for years. It also makes it dead simple to bring new people on board, remove folks when they leave, keep track of who's got access to what, and stop your IT from turning into a tangled mess of old forgotten accounts. I've used 1Password for years. They've always been great at taking the hassle out of security. And now with Trelica, they're going after the whole SaaS sprawl problem. If you want to tidy up your company's app chaos, take a look at 1password.com/smashing. That's 1password.com/smashing. And thanks to 1Password for supporting the show. Now, Scott.
Yes?
I want to take you to the plains of Transylvania in Romania. Now, I don't know if you've ever been in a Romanian prison, Scott. I was beginning to wonder if that's where you've been for the last 7 years or so.
I've just finished my sentence.
But if you go to a prison in Romania, there are some things you can be pretty sure you are likely to see. So there'll be bars on the cells, there'll be high walls, beefy guards patrolling up and down, and you may think to yourself, "Where's the security risk here?"
What could go wrong in a prison? Well, you definitely hope that there wasn't anything to go wrong. And if there was, they'd kind of foreseen that and put the necessary protections in place, wouldn't you?
You'd like to think so. You would hope everything's secure, that there are no backdoors, right? That there's proper security in place. Well, the danger, it turned out, in this particular set of prisons was web kiosks, because dotted around the prison are funny little computer stations where you can do a little bit of this, do a little bit of that if you're a prisoner. It's not like in the days of the Great Train Robbery, right? The prisons have gone online. Now, I'm not entirely sure what you do with a web kiosk inside a prison, to be honest.
Or why we even need one, Graham.
Maybe you can order some snacks from the tuck shop. Maybe you can book a night out at the local pizzeria. Who knows? My guess is that it's probably to reduce paperwork. Because if prisoners can serve themselves, it's a bit like how you and I, right? We both live in the UK. And if we want to deal with any sort of government organisation like HMRC or anything like that, you're always logging into a website these days, aren't you? You're not queuing up somewhere, you're not filling in paper forms, you're doing it online. I imagine it's similar for prisoners. Where rather than getting them to queue up and go to a little window, they're actually saying, well, serve yourself. Enter the information you need. So you're probably logging in on one of these computers and you're submitting a visitor request or dropping a note about your medical needs, or maybe tracking if you've got a sentence reduction because you've been good or something, or whatever it may be. And also you could use it to check out your financial balance while at the prison, because when you go into a prison, my understanding, Scott, and maybe you know much more about this than me. My understanding is that you have a different bank account, which you can use inside the prison. You've got a little float of cash, which you can use to go and buy yourself a bit of grub or—
Don't you already get fed though? Did I miss?
Well, yeah, I would think you may be able to get a little bit of extra chocolate or something, you know?
Okay, okay.
So you'd have some sort of tokens or something like that. This is just my imagination. I'm sure prisoners who are listening to us right now on their smuggled-in smartphones can email in and tell us if I'm not right about this. But that's what it is. Rather than having cash in your pocket, there'll be a little bit of digital cash inside the prison where maybe it's been deposited by your family, it's earned through working in the kitchens or in the gardens, and you can use that for little purchases.
Okay.
And maybe you're just using a computer system for working out if your library book is overdue. You know, whatever it is, the point is—
We need computer systems. Well, frankly, we would shrivel up and die, wouldn't we, if we didn't have computer systems? You and I. Yeah.
It's like trying to remove the smartphone from my child's palm. You know, he's gripping on. He's holding on to it for dear life. The thing is, these guys had access to a computer. And what one chap managed to do was find a way to bend the system a little bit. Now, there are many reports of this from the Romanian press. And I'll be honest with you, they've been through the Google Translate mincer for me this morning, trying to make head nor tail of exactly what happened. There's a confusing story. But it seems fundamentally that one way or another, he managed to find out the password of a member of staff.
Whoa.
Yeah. It's not a good start, is it?
Was it a terrible password? Should we hedge our bets?
My suspicion is that it probably contained one number and one capital letter. So it would have been capital P for password followed by the number 1. It's probably going to be something like that. But I don't know exactly how they got it. Maybe the staff member left their password on a sticky Post-it, or maybe they were watched as they were typing it in.
Bit of shoulder surfing in prison.
Yeah, or maybe they just let the prisoner have it for some reason. Who knows? It's not entirely clear. But the prisoner now has the login password for this prison worker. And it turned out that this password worked on this web-based portal, which they could access through these web kiosks for managing their time inside the prison.
Oh dear.
And these kiosks are normally fairly locked down in terms of what you can access and what you can do. Obviously, as you would expect, a bit like being in a school, I imagine. Hopefully even more locked down than that. And via some jiggery-pokery, this guy found that they had unlimited access to the prison database.
Oh no. So I'm guessing, no two-factor authentication, and now we're gonna go straight to super admin, are we?
Exactly. They became the admin. And once they had this newfound godlike power, what's the first thing he does? Does he delete his sentence?
I was gonna say, just set my release date to tomorrow, isn't it?
Not in this case. Does he transfer millions of pounds? No. Priority number one is to grant his buddies inside the prison access to porn. Yes, ladies and gentlemen, this man hacked into a government system, a law enforcement system, risked additional years on his sentence all so his cellmates could watch some adult content. But then he started doing other things. He started to meddle with the other prisoners' financial accounts. He started off by just adding zeros to the end of numbers. So, imagine Grandma has sent you $100. Let's make it $1,000. At one point, he got a little bit carried away with himself, and he added the equivalent of £850,000, that's over $1 million, to his prison account. I mean, seriously.
Let's make sure we fly under the radar whilst doing this, shall we? Just go straight to multimillionaires in prison.
It's bonkers, isn't it? It's upgrading your cell. It's, well, I'm not very happy with this bucket they've given me. So what I'm going to have, I'm going to have a gold-plated toilet.
Gold toilet.
Yeah, and hope that nobody notices. Frankly, there are some people who should be in prison who do have gold-plated toilets. Anyway, this guy obviously thinks twice, because he switches it back from £850,000 to £853 instead. Still a lot of money for someone to have access to in prison.
You must be able to get a lot of goodies with that.
A lot of goodies. A lot of things from the tuck shop, I would expect. And this guy is spending something like four times the minimum wage in Romania every month. I mean, what are you buying in prison that costs that much? It's not you've got to pay for your lodging, is it? What is it? Is it sort of soft quilted loo paper? Is it artisan sourdough bread?
Ribeye steaks at dinner.
Right, yeah.
Everyone else is just on a sandwich.
Bread and water and gruel. And there you are, with some gorgeous T-bone steak. It's bonkers. Now, the Prison Union, they have chipped in about this because this has all now become public. Of course, they are far from impressed about all of this. And they say that this guy spent over 300 hours logged in as an admin. 300 hours. That's two weeks of full-time hacking and nobody noticed. You have to wonder what the IT guys were doing. And there are even reports, and again, it's confusing due to Google Translate, and some people in Romania say it's true and other people say, no, that definitely didn't happen. So it's a garbled message. But there are reports that he was even able to change the length of fellow prisoners' sentences. And apparently around 15 prisoners benefited from the hack. The way in which they did that was apparently you could earn, I think through good behaviour and things, you could earn sort of gratis days. So it's, well, we'll take one day off your sentence because you've been so good, 'cause you've worked so hard. And so as a result, you are going to be awarded that. And so he was giving these credits to other people.
How do they— 'Cause you could kind of understand, you know, the access to porn thing or the number of hours as an admin. I'm surprised that the accountants, bean counters, don't they? I'm surprised that the money thing wasn't the telltale thing here.
Well, this eventually was the way in which apparently they were caught out.
Oh, it was the bean counters.
Apparently it was the bean counters. A prison accountant apparently noticed that inmates were making purchases but their account balances weren't changing, because that is normally what would happen: they would buy something and then their account would be topped up again automatically as though no money had left their account. So someone was sitting there and they'd say, hang on a minute, Fred's just bought 40 packets of Lambert & Butler king size, but he still has the same amount of money. How has this occurred? So they knew something was going on. And the prisoners were so keen on this system though, while it was working, that they apparently were even planning to clone the entire system and sell it on the black market because apparently there is demand for prison management software, slightly used. You can imagine that people outside the prison might think, well, if we could access that portal, if we could hack into it and change things, then we could potentially make ourselves money or help our buddies who are in the prison through that system. So they were looking to actually—
It must have been used somewhere else, right? Unless it was, you know, super kind of specific.
Anyway, a fellow inmate apparently eventually grassed up the hacker to the prison authorities, but the authorities didn't do anything for a few weeks. They say now that they've implemented over 20 security measures. 20? You know what the first one should have been? Change the bloody password. That would have been the—
Right.
Yeah, well, one thing they did do is that it's a really simple and effective immediate solution. They simply removed all the keyboards at the web kiosks. It's okay.
Touchscreen only for you.
Yes.
You can't Ctrl+Alt+Delete anymore.
No keyboard. Now you might think that this hacker was a bit of a genius. You might think, well, you know, that's very creative of him. But I'm not so sure, because it turns out this guy was serving a sentence of 9 years and 10 months for laundering money for the Italian Mafia. And he only had 5 months left of his sentence before he was gonna be released. 5 months. He'd survived nearly a decade in prison. Probably had a countdown calendar. Yeah, exactly. Why? Why did he do that? He's thinking, I'm gonna risk everything just to give my buddies access to OnlyFans. This is crazy. Anyway, astonishing story. So, next time you hear about insider threats, I think maybe also think about the people who are already inside prison.
Quite literally an insider threat.
Yeah. For us weedy computer programmers out there, maybe we'll actually be able to survive if we do ever end up on the inside.
I don't think we'd do very well, Graham. I'd have to say.
We know a little bit about programming.
Please don't beat me up. I can write some JavaScript for you.
Quick word about one of our sponsors today, Vanta. Now I know what you're thinking, oh good, another bit of software promising to make my security easier. But honestly, Vanta's actually pretty handy. Here's the deal. If you're spending half your week chasing down evidence for audits or updating endless spreadsheets or trying to prove that yes, you do take security seriously, Vanta automates all of that. It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time. No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload 6 months ago. It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess. So if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they'll know that you heard about them on this show. And if you use that link, you'll get $1,000 off, which is nice as well, isn't it? So thanks to Vanta for sponsoring this week's episode. And let's crack on with the show. Scott, what are you going to talk to us about today?
Well, it doesn't stack up as fun as literally insider threats inside prisons, but it is a compliance-related topic. And I spent all week last week actually in Amsterdam at an event specifically on the payment card industry.
Oh yes.
So we have this huge body, you know, Visa, Mastercard, Amex, JCB, all the card issuers and the payment card industry come together in the Security Standards Council.
Hang on, JCB are a card issuer? Yes. Aren't they the people with the steamrollers and forklift trucks and whatever they're called?
It's not the same, it's not a big yellow card that can crush all of the other cards.
Okay, so you're not gonna tell me that Tonka Toys are also a big payment service?
No, sadly not, sadly not.
Sorry, carry on, carry on.
Yeah, so the Security Standards Council is this gathering of all the card issuers, and they produce something called the DSS, which is the Data Security Standard. Yeah. And these big card issuers are like, hey look, it really sucks when somebody steals loads of credit card data because then we have to do an investigation and reissue the cards, and that's surprisingly expensive. And then they have to cover things like fraudulent transactions as well. So if the attacker's gone on a bit of a spending spree with 1,000 credit cards, American Express are generally not happy about that.
No, no, that won't do nicely.
Yes. And it gets to be quite expensive quite quickly. So over the years, the DSS has had several major updates. And obviously, like anything, it's always responsive to threats happening. You know, like a new threat emerges and it becomes popular. And then the industry kind of responds and brings out a new standard. And this one was all about taking control of JavaScript on web pages.
Right.
So I'm sure you and many of the listeners will have heard about things like cross-site scripting in the past, where you end up with this malicious JavaScript in your web page somehow. And it doesn't really matter how. What matters is that it got there. And then once an attacker can get that JavaScript on the page, the big thing for us then is really, how good are they at writing JavaScript, which is even easier nowadays with all the LLMs to help you? And then how good is your imagination? Because if you want to write code to do something, yeah, your imagination is actually kind of the first step. It's what do I want to do?
Yes, there have been some pretty nasty things which have happened in the past, haven't there? For instance, there have been a number of breaches where when you reached a website's checkout page, that page where you enter your credit card information, if there's some malicious JavaScript there, it could actually scoop up your payment card details as you enter them onto the website and hand them to the hackers.
So this is the number one thing that the council were most concerned with. Because if you cast your mind back, it's quite a few years now, and what you'll notice is those kinds of attacks don't really appear in the news anymore. But if we roll back a few years in our minds, the British Airways one, for us living in the UK, was probably the most notable one. British Airways, huge airline. Ended up with malicious JavaScript on their page. And as you said, customers are sat there punching in their credit card details. And you have to remember, when you're doing that, you're typing in the full card number, the security code, the expiration date, your name, your address, your postcode. And the JavaScript is just sat there watching you press those keys on the keyboard and sending a copy of the keys off to the attacker. So the transaction still goes through and you buy your tickets to France, and the attackers now also have a full copy of your card data. So they would sit there quietly for several months, just scooping up all this data, and then once they think, "Right, we've got enough card numbers now," that's when the big spending spree starts. And that's, weirdly, the first time that anybody sees the attack has happened. Because thousands and thousands, tens of thousands of Visa customers will all start reporting fraudulent transactions. And then tens of thousands of Amex customers will all start reporting fraudulent transactions.
Because it's not as though the hackers have broken into the British Airways IT infrastructure. They haven't necessarily broken into their network. They've somehow managed to sneak onto a British Airways webpage a little bit of script, which could have been planted inside some innocent piece of script, which BA uses for, I don't know, cookie consent forms or who knows what.
The irony of something being put there to protect you and then potentially being the thing that harms you.
Yes.
But yeah, you're exactly correct. This is ultimately how, and for people that follow the news as well, Ticketmaster was another very notable one around about the same time. And the problem with these is they sit there quietly, silently. They scoop and gather all this data and monitor for as long as they can, basically. And either when they think, oh, we might get caught, or somebody's rummaging around, or maybe they just look and think, gee whiz, we have enough credit cards to go on a huge spending spree. So all of these cards start getting hit with the fraudulent transactions, and then they do a forensic investigation. I've been involved with some of these historically, and they run something called a CPP report, which is a common point of purchase report. So if you have thousands of customers suddenly reporting fraudulent transactions, you look at those thousands of credit cards and say, where is the one place they've all shopped in the last 6 months? And then there's always one thing that pops onto that list, and it's, this is the only place that they've been all shopping together in the last 6 months. And usually you can be pretty confident at that point that you have identified the source of the breach. Now, you know, BA, Ticketmaster, Newegg, all of these huge big companies have been fined huge amounts from, first of all, the data regulator. So the ICO here in the UK, because you've lost my name and my address and my personal data. So you get a fine for the data breach. And then you get fined by the card issuers because Visa have to now reprint and physically reissue tens of thousands of cards and then refund all of these fraudulent transactions. And they had to do the forensic investigation, which costs huge amounts of money. So then they get fined by Visa and MasterCard and American Express. 
And then the American data regulator steps in and they're, hang on, you've lost tens of thousands of American citizens' data, so here is your fine for the data protection breach. Now, British Airways got really lucky, actually, because if you remember the timeline, it was just before COVID when this happened. The ICO actually fined them £180 million.
Wow.
But then British Airways went back when COVID had hit and was, this is basically going to end us. Is there anything we can do about the size of the fine? And if memory serves me correctly, I think they paid $18 million in the end as the fine. So, you know, this is huge amounts of money. Now, when was the last time you heard a story just that where somebody had managed to install a JavaScript skimmer and scoop, you know, thousands or tens of thousands of sets of credit card data?
I think you're right. I don't think I remember. Magecart was the one we kept on hearing about, wasn't it?
Correct. That is the name of the collective.
Yeah, that was the one which seemed to be causing all the trouble. But yeah, I haven't heard one of those type of data breach stories for quite a while.
They probably started making huge headlines in 2015. And by 2018, 2019, I think the term Magecart was mainstream. Everybody knows who these people, group, whoever, however you refer to them are, because they were just decimating enormous companies, resulting in enormous fines. And I think the card industry was, enough is enough. This is getting super ridiculous, super expensive. These rules around controlling what JavaScript you have on your site started to come into play. So it was two years ago when the requirements were first introduced as kind of optional. Since March this year, they were mandatory. You must comply with them since March this year. So they gave everybody kind of a two-year runway to say, look, they're coming, you probably should get ahead of this, you know, ahead of time. But by March 2025, everybody must comply.
So without getting too nerdy, what are the rules? Is it a rule about what types of JavaScript you can put on page, or is it a simple, you can't have any external JavaScript, or how does it work?
The essence was, number one, you have to be able to inventory all of the JavaScript you're using.
Okay.
And this sounds like a crazy thing to say, but then when you think about it, most organizations don't really know exactly what JavaScript they have running on their websites because there's multiple people that can add it. And then we have tools like Google Tag Manager, so the marketing or the advertising team can inject different script tags maybe for monitoring or tracking or loading adverts. And it's a very dynamic, fluid environment on the website.
Yes.
If you wanted a developer to make a code change, that person would have to submit a change request. The pull request would be reviewed, it would go through a test suite, it would be checked over before it even thought about touching the website. But actually on the front end, it's just like, YOLO, here's some JavaScript into production. There's almost no equivalent kind of standard of checking. So the first one is that you have to be able to inventory it when you get audited, because if you're a merchant, you get audited once per year, they will say, okay, what JavaScript do you have there? And the other thing is you have to provide a written technical or business justification as to why it is there. Okay. So basically you have to say what it is and why do you have it? And the idea was then you can remove stuff that you don't need anymore because you would look at that and say, oh, the chatbot. Oh, well, we don't use the chatbot anymore, so maybe we'll just delete this. And this was one of the first things, was just keep the inventory, just know what is there and why it is there. The second one then comes on to, obviously now we have the inventory, we understand what's there. You have to introduce a method to make sure that only the stuff is there that you think is there. So again, if you do your inventory and you're like, hang on a minute, we've got all these extra bits of JavaScript and nobody can tell me what they do or where they came from. You have to have a method in place to make sure that that can't happen, that you can't have unauthorized JavaScript, as they call it. Right. Now, with compliance standards like this, they'll never say, this is the technical way that I want you to do it. What they'll say is, here is the objective. This is what I would like the outcome to be. The technical implementation is free. So you can go about this any way that you like. You can build it yourself or buy a product or use one of the many different technical approaches.
We would just like this to be the end result. Because of course they don't want to lock you into one approach or one vendor or one technology. So compliance standards like this are generally quite open in their description. They do give some examples just to help guide you if you're struggling to follow on a little bit. But yeah, generally they specify the preferred outcome, not how you do it. So content security policy is, of course, one of the examples that they give, but you can also get a little JavaScript agent that you install in the page that guards and protects you against all of the other JavaScript. Or you can have an external crawler that will crawl your website and look at all of your JavaScript and say, okay, well, you know, yesterday we went to your website, you had these 4 things, and today you have these 5. What's going on? What changed?
Yeah.
Really, for me, it's about introducing some of the standards that we would have if a developer wanted to write code and commit that to a production application. Just introducing some of those ideas and concepts into the JavaScript on the front end, because that is a little bit wild, wild west. And honestly, working in this industry for as many years as I have now, and I think it's fair to say, as you kind of pointed out, looking at the news headlines, how frequently do these kinds of attacks happen? I do feel we are seeing a decline over time in these types of attack and not just specifically stealing credit card data, but in other kind of similarly related areas as well.
Yeah, it sounds this is actually a good news story. What you're reporting to us is for once the industry got together, it's imposed some standards, people have actually put them into place and we are seeing the results because, okay, our headlines are full of ransomware and other ghastliness which is going on, but at least it isn't this particular thing and the impact, of course, of these kind of attacks wasn't just on the businesses, it was on consumers as well, because it was their payment card details which were being stolen. So obviously there was damage done to brands, which frankly, with ransomware these days, it's normally the enterprise which is getting hit rather than the end users. But back in those days, it was both sides of the fence, wasn't it?
And I feel it's important to point out the consumer impact for me. And I'm sure if I think back to the few interviews I've done before here as well, my focus is on the consumer side of things. It's great to protect these organizations. And yes, these standards are compelling the organizations to do it, but it is the consumer that's the true victim, at a minimum, of all the inconvenience. And many people will say to you, oh, well, if you're using a credit card, you're insured, you get the money back. I'm yes, you do, but you've clearly never been through that process because you just made it sound really easy. It's honestly a nightmare.
It's so much hassle, isn't it? It's so inconvenient.
It's terrible and it's stressful. And then you have to go update your credit card in a million different places because you've got a whole new set of credit card details and it's just an unpleasant experience. And also on top of everything else, it's just the feeling of having been the victim of something. Because this has happened to me as well, you know, really, I don't know, it gave me this weird feeling of anger or annoyance. Then stupidity for myself. I was, should I, you know, could I have done something about this? So I think there is a large impact on the consumer there who is ultimately the kind of end victim of this. And I feel that's also worth addressing. Yes, you know, the companies are interested in protecting their brand and the loss of revenue from the fines and all of this kind of stuff, right? But unfortunately, that's how you motivate companies is to hit them in their wallet. But yeah, for me, the end goal is protecting the consumer at the keyboard.
Sounds good. This episode of Smashing Security is supported by Anon. You know that feeling when you Google yourself and find, well, more than you'd like? Old forum posts, data broker listings, photos you forgot about, maybe even some dodgy things you now regret. Well, that's your life on the internet, and that's where today's sponsor, Anon, comes in. Think of it as your personal privacy clean-up crew powered by AI that actually does something useful for once. Here's how it works. Anon scans the web, yes, including the dark corners you don't want to think about, and it finds all the data tied to you. But here's the clever bit. It doesn't just show you a complete horror show of your digital past and wish you luck. It actually identifies which links might contain sensitive information and with one button press fires off removal requests to get them delisted from search results. Plus, it keeps monitoring for new data breaches and alerts you if your information turns up somewhere it shouldn't. It's like having a security researcher working for you 24/7, and you don't need to keep it fed with pizza and coffee. Want to take back some control? Head to becomeanon.com and use promo code SMASHING for 25% off. That's becomeanon.com. Find, monitor, and remove your data online with ease because your privacy matters. And thanks to Anon for supporting the show. And welcome back. And you join us to our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Well, my pick of the week this week is not security related. My pick of the week is my new favorite program. It is not a TV program. This is a computer program.
I thought that's where you were going with that.
No, no, no, no. This is my favorite program on my Macs, which I have. So I'm using a program called Keyboard Maestro.
Maestro.
I love it. Yes, Maestro. And it is for automating virtually anything. Keyboard Maestro is a really powerful utility that lets you automate repetitive tasks. You can build custom workflows and if-then-else's, and you don't have to get into the weeds of writing code, but it's very, very flexible. So I can set up a macro to trigger when I press a specific key combination. And then get it to do things.
Okay.
It may trigger when I launch a particular app or connect to a certain Wi-Fi network or even at a scheduled time. So for instance, I was using a particular app and I didn't like the way that it was set up. I'd go into a particular part of the app and it always had a default kind of view and I couldn't change the default view and I'd have to go into the menus and say, well, I want that there and I want this here and I want that there. So I had to go into the menus. Oh, it's such a pain. And so I was able to write a macro that didn't just, I mean, I could have written one which just worked on a key press when I went into the app, but in fact what I did was I ended up writing one which detected when I went into that particular dialogue on that particular app and automatically hit that sequence of menu commands for me. And it happens in an instant, so it appears just as I want it. Or sometimes, I don't know about you, Scott, sometimes I leave my VPN on. When I don't want it on, right?
Ah, I do do that.
Yeah, and then I think, oh, why can't I access this or whatever? Oh, my bloody VPN's on. And so what I've done now is I've written a macro that turns the wallpaper on my computer red when I'm connected to the VPN and green when I'm not connected to the VPN. So it polls this automatically all the time. It's saying, is the VPN on? Is the VPN on? Is the VPN on? And if it is on, it changes the wallpaper. It's a very simple visual reminder of what's going on, but doesn't disrupt my work. Or I'll give you another example. You can tell I'm enthusiastic about this program. Sometimes when my Mac wakes up from sleep, it forgets that I like to use a particular external speaker for sound rather than the lousy internal speaker that my little Mac mini has. And so I wrote a macro that automatically detects when my Mac has woken up from sleep and it sets this sound thing automatically for me. Just happens all automatically. So I don't have to remember. There are dozens of other boring examples I can give you. This is an incredibly powerful program. Great utility. It's called Keyboard Maestro for the Mac. I know they don't have a Windows equivalent. I don't know if anyone else has produced a Windows equivalent, but for the Mac, Keyboard Maestro, brilliant little tool. And that is why it is my pick of the week.
Could you hook that? Because you just said about changing your desktop there. That's a really cool idea. Could you hook it into your smart lights? So when you go into VPN mode, you could dim the lights or turn them red or something, you know, kind of Matrix green or something.
Have you got an app on your computer which allows you to? Then you definitely could. You definitely could.
That would actually be really cool.
It's a scripting language on steroids. It's so much power. I mean, I've just scraped the surface of this thing.
It sounds like the power may have gone to your head, Graham.
It has gone a little bit to my head. It is a rabbit warren, which I descend into and I thought, oh, I'm so— because I'm reading the forum thing. Oh, oh, the things I could do. The power, the power at my fingertips now. It's a great distraction from doing proper work, I have to tell you.
So I have this a lot on the command line. I create shortcuts for repetitive commands or long commands, but then—
You can run shell scripts and things. You can do all of that. It can run terminal commands.
See, this would be great. And I'm definitely gonna check it out actually, 'cause you've already twigged a couple of ideas for me there. I will check that out.
I think you'd enjoy playing with it.
I will definitely check that out.
Scott, what's your pick of the week?
I found out about this a couple of weeks ago and I really started using it very recently. It's a little application. It's also only on Mac. And it's called Screen Studio. Now, I wanted to start making some little educational videos of using our website and our product. And I've got all the video editing software and I've got Camtasia and Audacity. You can really spend a lot of time on the production of this stuff. And I was like, no, I want quick, I want easy, I want effective. And I can't even remember how I came across it. I was— it's probably midnight when I was crying into my keyboard, video editing. Someone has to have made just a really simple way of not super duper extensive video editing, but just a quick and easy way to make a really good looking video on how to use a website. And Screen Studio is exactly that. It sounds that simple, but it's screen recording of using a browser, but it does all of the— follows the mouse around, or when you click it does little zooms and it shows you and it makes the cursor bigger. And it's just so slick. You can literally just go click around a website, do a voiceover with the microphone, and it will produce an amazing demo video.
Oh, I'm watching a little video of it in action right now. It does look very slick. I mean, this is how you would want one of those videos teaching you how to use an app or a web-based app. Really, this looks—
And you can do it on anything. It will grab any application window.
I think it's—
Last I checked, it's still only on Mac, but it will grab any application window. And if you want, you can pop your camera in the corner. So you can have your talking head there. But for me, I was just like, we just want super easy. How do we register, log in and set up our account for the first time? And I can do all the screen records and take them into Camtasia and do all the editing. And I was like, this is—
It's doing it all for you, isn't it?
Oh yeah. This thing was just honestly making the video takes about as long as recording the video. That's about it. And then you can control the zoom amount or the zoom delay and it's all just simple sliders and you just whip up these beautiful, really cool looking videos with absolutely no effort. And whilst Camtasia and my Audacity and everything else still has its place for these quick instructional videos that are 1, 2 or 3 minutes, this thing rocks and you can punch them out so quickly.
I think this looks great. In fact, it's the kind of thing I'd play with, even though I'm not sure I've got a use for it.
Yes, those are always the most expensive ones, aren't they?
Yes.
This just looks cool.
So it's called Screen Studio.
Yes, screen.studio is their website.
Oh, they actually have a .studio domain.
Yeah.
Very cool. Well, that just about wraps up the show for this week. Scott, thank you so much for joining us. I'm sure lots of our listeners would love to find out what you're up to, find out more about your business and follow you online. What's the best way for people to do that?
Oh, my blog is probably the best one, scotthelme.co.uk. From there, I link through to all my socials. So if you do have a preference on platform, you can click through to the one that you. And that also links through to my company's websites as well. So that's probably the one central source of truth.
Terrific. And of course, we're on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on Bluesky. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of around about 440 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye.
Bye everyone.
You've been listening to Smashing Security with me, Graham Cluley. Thanks so much to Scott Helme for coming along this week, and also to this episode's sponsors, Vanta, 1Password, and Anon. And of course, to all those chums who've signed up for Smashing Security Plus over on Patreon. They include William Reddick, Sammy Doza, Alexander Ugehuiz, SMY, just three initials, John Morris, Rich, Travis West, Dimitri, Robert Odegaard, Skidone, Lars, Ashley Woodall, Darren Kenny, Adina Bogut-O'Brien, Ask Leo, and Panda Bear. All of those lovely people and many more have signed up to support Smashing Security on Patreon, and one of the things that they get is that they get the chance to have their names read out at the end of the show every now and then. And as well as that, they also get early access to episodes with none of those pesky adverts. If you would like to join them, just go to smashingsecurity.com/plus. Of course, not everyone can support the podcast in that way. I completely understand. Times can be hard. So if you do want to support the show but can't splash the cash for very understandable reasons, you can still give us a 5-star review, say something nice about us, maybe tell somebody that you listen to Smashing Security. Spreading the word helps spread these podcasts far and wide around the world, and there is nothing lovelier than when I do get to travel around giving talks to have some complete stranger come up to me and say, "Hello, I listen to Smashing Security each week," and I say, "Oh, bless you, what a lovely person you are." Well, that's just about it for this week, and catch you again next week. Toodaloo, bye-bye.
Host: Graham Cluley
Guest: Scott Helme
Episode links:
- What caused the AWS outage – and why did it make the internet fall apart? – BBC News.
- China blames US for cyber break-in, claims America is world’s biggest bit burglar – The Register.
- Nintendo allegedly hacked by Crimson Collective hacking group – screenshot shows leaked folders, production assets, developer files, and backups – Tom’s Hardware.
- Romanian inmate hacks into prison IT system, modifies sentences for others – Romania Insider.
- New Version of PCI DSS Designed to Tackle Emerging Payment Threats – Infosecurity Magazine.
- What is Magecart? How this hacker group steals payment card data – CSO.
- Keyboard Maestro.
- Screen Studio.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- ANON – Find, monitor and remove data about yourself online. Manage your digital footprint with ease. Use code SMASHING for a 25% discount.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Trelica by 1Password – Access Governance for every SaaS app. Discover, manage, and optimize access for any of your SaaS apps – whether managed or unmanaged.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.