Smashing Security podcast #442: The hack that messed with time, and rogue ransomware negotiators

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Time itself comes under attack as a state-backed hacking gang spends two years tunnelling toward a nation’s master clock — with chaos potentially only a tick away.

Plus when ransomware negotiators turn to the dark side, what could possibly go wrong?

All this and more is discussed in episode 442 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Dave Bittner.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
So Bitdefender ransomware, as we're going to call it.
DAVE BITTNER
That's right.
GRAHAM CLULEY
By the way, I'd suggest a different brand name if you don't want to.
DAVE BITTNER
Well, we've already got Bitdefender coin, so.
GRAHAM CLULEY
Oh yeah, that's true.
DAVE BITTNER
That's how you pay for your Bitdefender ransomware. You pay for it in bitcoin.
Unknown
Smashing Security, episode 442, The Hack That Messed with Time and Rogue Ransomware Negotiators with Graham Cluley and special guest Dave Bittner.

Hello, hello, and welcome to Smashing Security episode 442. My name's Graham Cluley.
DAVE BITTNER
And I'm Dave Bittner.
GRAHAM CLULEY
Dave, welcome back to the show. Always fun to have you on Smashing Security.
DAVE BITTNER
Well, I appreciate it. I'm happy to be back.
GRAHAM CLULEY
Well, I'm really grateful this week in particular because I'm actually on the road right now. I am at the NISC conference in Glasgow, Scotland. Oh.

I'm doing some speaking here and, well, I'm sort of the MC of the event.
DAVE BITTNER
Wow.
GRAHAM CLULEY
I've got my work cut out this week. I'm going to be running here, doing this, doing that.

I love doing events and things, but doing that and getting a podcast out the door, it's always a bit hairy.
DAVE BITTNER
Yeah. Who wasn't available so that they had to call you?
GRAHAM CLULEY
Well, there's at least one friend of the show who is showing up. Geoff White is going to be here of The Lazarus Heist fame.
DAVE BITTNER
Oh, good. Delightful.
GRAHAM CLULEY
He's doing a talk. Yeah. So he hasn't got here yet, but he will be.

But oh, the other thing which is accompanying me is they're actually doing some roadworks just outside my hotel window. So I do apologize.

There is a man with a pneumatic drill who's been at it for hours and is showing no signs of stopping.
DAVE BITTNER
Jackhammers, chainsaws, and leaf blowers are the natural enemies of podcasters.
GRAHAM CLULEY
It's true. It's true. Well, before we kick off, let's thank this week's wonderful sponsors, Vanta, Drata, and Material. We'll be hearing more about them later on in the show.

This week on Smashing Security. We won't be talking about how three alleged members of the Meduza Stealer malware gang have been arrested by the authorities. What's unusual about that?

It's a Russian malware gang and they've been arrested by Russian authorities.

You'll hear no discussion of how a new wave of mobile malware in Eastern Europe is exploiting Android's NFC payment features to relay and clone contactless transactions.

And we won't even mention how a technical goof revealed the personal information of players of the UK's People's Postcode Lottery to complete strangers.

Now Dave, what are you going to be talking about this week?
DAVE BITTNER
I've got a couple of ransomware negotiators who have turned to the dark side.
GRAHAM CLULEY
Ooh. And I'm going to be telling you about some state-sponsored hackers who tried to hijack time itself. All this and much more coming up on this episode of Smashing Security.

Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days?

Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. That is Vanta.

It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously. Vanta automates all of that.

It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.

It also plugs into the tools you're already using and flags up issues before they become a right old mess.

So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. And if you use that link, you'll get $1,000 off.

So don't forget, vanta.com/smashing. And thanks to Vanta for sponsoring this week's episode. On with the show. Now, Dave, I've got to ask you a personal question.

Do you ever feel like time is kind of out to get you?
DAVE BITTNER
Oh, every day, more and more.
GRAHAM CLULEY
Because I've been worrying about you. I think many of the listeners to CyberWire and Hacking Humans have been worrying about you as well.

You seem to have this sort of ongoing battle with time.
DAVE BITTNER
What are you saying, Graham?
GRAHAM CLULEY
Well, you know, birthdays are coming around quicker. Your hairline is retreating. Maybe you're a little bit confused as to which podcast you're recording from day to day.

You know, it happens to us all, Dave. Don't worry about it.
DAVE BITTNER
No, no, it's true.
GRAHAM CLULEY
Do you wish you could turn back time a little bit like Cher? You know, when she strode aboard that warship and belted out those immortal words. Would you fancy doing that?
DAVE BITTNER
Well, look, there's the old joke about how youth is wasted on the young.
GRAHAM CLULEY
Yes.
DAVE BITTNER
And I would love to have the wisdom that I have today that has been hard-earned through the years with the lack of an achy body that I had in my 20s.

I'd love to be able to sit down without having to announce it with a, you know, all those kinds of things. I noticed that I have knees.

When I was a young man, I never noticed that I had knees. You know, they just kept to themselves and did what they were supposed to do.

Now they draw attention to themselves, especially when I'm at a conference or something.
GRAHAM CLULEY
Those are very philosophical words, I think. I think that's a lot of wisdom which you've shared with us there.

And if I had one piece of wisdom that I would share with you, it's that no good comes from turning back the clock.

Things can go badly wrong if you do accidentally return to your youth. I can imagine you there, you were in the 1950s, inventing rock and roll, bumping into your teenage mother.

I've seen the movie.
DAVE BITTNER
Yes.
GRAHAM CLULEY
But it hasn't stopped some people from messing around with time from time to time.

For instance, there was a highly organized, state-backed hacking group who for two years was creeping into part of a nation's most critical pieces of infrastructure.

Not a nuclear reactor, not a missile base, not even Amazon customer service trying to get a callback as to why haven't you delivered me this?

You claim you've delivered it, but you haven't in reality. Nothing like that. Something far more sneaky and some would argue even more essential. They went after time itself.
DAVE BITTNER
Hmm.
GRAHAM CLULEY
So let me tell you what these guys did. So there are agencies around the world, and this particular hacked agency, their job was to keep their country's clocks in sync.

So they were generating the official national time. Theirs was the clock which everyone else was judged by.

And it's used for everything from telecoms and stock markets to the electricity grid, defence systems. It's really essential.

You all want to know exactly what the right time is, otherwise you've got a problem, haven't you?
DAVE BITTNER
Yeah, I mean, think about how GPS doesn't work without precise time.
GRAHAM CLULEY
Yeah. So if the time signal goes wrong, if it's messed with, everything from bank transfers to power stations, everything could potentially go kaput, could misfire.

And it's basically the pulse that can help keep a whole country alive. And somebody tried to hijack it.

Investigators say that the attackers spent months in preparation, exploiting a vulnerability in a phone messaging system to compromise employees' smartphones.

And of course, once they did that, they got hold of the workers' login credentials, their passwords, and they quietly slipped into this agency's network.

And over the next two years, starting in March 2022, the hackers allegedly deployed an entire arsenal of something like 42 customized specialist hacking tools.

Each tool had a specific job: probing, escalating privileges, exfiltrating data, burrowing deeper into the internal systems with one goal in sight.

Their goal was to reach the heart of the system, the ultra-precise piece of infrastructure that generated their country's official time.

And if the hackers had succeeded, as I said, the results could have been catastrophic.

Could be network outages, stock exchange mess-ups, power failures, traffic chaos, self-driving cars turning up before their passengers, Netflix thinking it's 2016, your Fitbit thinking you're 137 years old.

Everything could go bonkers.
DAVE BITTNER
Sure.
GRAHAM CLULEY
It's bad enough when we change the clocks, which we've just done here in the UK.
DAVE BITTNER
Yes, us too. Over the weekend. I'm bent out of shape about it.
GRAHAM CLULEY
Because you feel like, hang on, it hasn't gone back an hour or forward an hour. It went back, didn't it? Yes. We're in the fall back. Okay. So we fell backwards.

You know, you feel like, oh, I've somehow lost 14 years or something. I feel like I've woken up in a coma. I'm totally and utterly confused.

Now, officials say the hackers operated mainly between midnight and dawn, bouncing their attacks through servers in the United States and Europe and Asia to hide their origins.

They faked digital certificates to bypass security defenses and antivirus programs, and they used strong encryption because they didn't want to leave any breadcrumbs.

I've left breadcrumbs late at night in the past. It's got me into all sorts of trouble, so I don't think you want to do that.

Eventually, the authorities claimed that they spotted the attack, cut the command and control links, upgraded their defenses, neutralized the threat.

And the good news is they say that they've sorted it out. And they say they have ironclad evidence linking the hack to a foreign intelligence agency.
DAVE BITTNER
Aha.
GRAHAM CLULEY
Yes. I always love a bit of attribution, don't you? Well, I love a bit of finger-pointing in cybersecurity. It's not always reliable though, is it?
DAVE BITTNER
No.
GRAHAM CLULEY
There's been a long history of people pointing the finger in the wrong direction and making mistakes.

But you know, a hack like this, I think there are certain countries who you'd naturally point a finger at. So China, Russia, Iran, North Korea, those sort of people, right?
DAVE BITTNER
The usual suspects.
GRAHAM CLULEY
The usual, they are the usual suspects. And perhaps you're thinking this attack was on the UK's National Physical Laboratory, or maybe the US Naval Observatory's Master Clock.

Or in Germany, they have these PTB atomic clocks. But here's the thing. The country claiming to have been attacked is actually China.

And the alleged attacker, Dave Bittner of Maryland—
DAVE BITTNER
Oh boy, here it comes—
GRAHAM CLULEY
Is apparently the United States of America. The NSA, the National Security Agency, has been fingered by the Chinese as being the culprits. So I put it to you, Dave Bittner.
DAVE BITTNER
Those rascals.
GRAHAM CLULEY
Here I am in old Blighty. I'm not responsible for this. You've been trying to mess around with China's time.
DAVE BITTNER
Sure.
GRAHAM CLULEY
So according to China's Ministry of State Security, the NSA spent two years trying to hack China's National Time Service Center, the institution responsible for generating Beijing time.

And China says that it caught the operation as it was happening and it's gone public. It posted about it, 'cause this is how they make announcements in China.

They posted it on WeChat. So if you're a cyber criminal, you post up on Telegram. If you're China, you post up on WeChat.
DAVE BITTNER
Right.
GRAHAM CLULEY
If you're America, you post up on Truth Social.
DAVE BITTNER
Truth Social, yeah. Yeah.
GRAHAM CLULEY
Everyone's got their place for making these official pronouncements.
DAVE BITTNER
Sure.
GRAHAM CLULEY
It's a bit like the UK announcing one of its nuclear power plants has been hacked by releasing a TikTok video. This is what the world's come to today.
DAVE BITTNER
Yeah.
GRAHAM CLULEY
So the USA predictably hasn't confirmed or denied anything, which initially you think, well, why, if you didn't do it, why didn't you, why don't you say that you didn't do it?

But of course, that's not the way it works, is it? It's always a policy.

Well, we're never going to confirm or deny anything because if we deny some things, then one time when we don't deny it, you're going to know that we're confirming it.
DAVE BITTNER
Yeah. Although I will note that it is routine for China to deny everything.
GRAHAM CLULEY
Yes, they definitely have never, ever hacked anybody.
DAVE BITTNER
No.
GRAHAM CLULEY
And they're quite— they don't say, well, we can't confirm or deny. They just say, nope, not us, not us. It's all propaganda.
DAVE BITTNER
Right. And so I'd shed some question on the reliability of this report in general. But let's proceed as if perhaps it is true.
GRAHAM CLULEY
This is the thing. This sounds like a huge story. And what I think is actually interesting about it is the reaction outside China has been pretty quiet.

It hasn't been written about that much. It didn't really make the headlines.

And there has been a lot of skepticism, just like you've expressed there, a little bit of caution, because I think the media are nervous about just simply reporting China's allegation.

Yeah, there's a long history of Western nations calling out cyberattacks from Russia and China and North Korea and Iran, and it's become almost routine to point fingers in those directions and for sanctions to be imposed.

But now we are seeing China flip this script, using the same playbook against the United States.

And it's almost like, well, you know, can we believe you? Have you actually given us the evidence to be convinced?

By the way, I saw that this story actually broke just before, I think, Donald Trump visited Asia and was over there doing some sort of agreement with China.

So again, you have to wonder, is this some jockeying around which was happening in the run-up to that event?
DAVE BITTNER
Right. Did it come up in their meetings?
GRAHAM CLULEY
Yeah.
DAVE BITTNER
In our own editorial meeting when this story hit, someone said China says that we're messing with their clocks. And someone's response was, well, China says a lot of things.
GRAHAM CLULEY
Are you saying that it's a case of calling wolf too often? What's the phrase? Crying wolf?
DAVE BITTNER
No, I mean, look, it's all of this is plausible and it's certainly within the, I would say, both the capabilities and the interests of the NSA to do such a thing.

And if we were caught in there with our hands in the cookie jar, then I suspect China would call it out.

But as you point out, they've released no evidence other than the accusation. So all we have is an accusation.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
And not a whole lot you can do with that.
GRAHAM CLULEY
And increasingly, I think cyber attribution, you know, when we are deciding who was behind a particular attack, it has become a game of sort of narratives and credibility.

It is not just about technical evidence.

And it is so difficult with cybersecurity to properly identify who was responsible beyond all doubt, because it could have been Belgium, quite frankly, who are bouncing it off some laptop in Florida before going into China and trying to break into Beijing time.

Quite why Belgium would want to do that or not, I'm not sure, but it's always possible.
DAVE BITTNER
And you also wonder when whoever did this, and let's for argument's sake say it was the NSA, whoever did this got caught, was getting caught part of the plan?

Is it saying to them, yeah, we've been in your system for two years and hey, if we're in your clock system, if we're in your time system, who knows where else we are?

Maybe you need to be looking over your shoulder. We did this at a time of our choosing, at our leisure, and yeah, you caught us.

We find China all over our systems pretty regularly, so I guess this is just a regular part of espionage these days.
GRAHAM CLULEY
So in some ways, what you're saying is it could almost be psychological warfare of destabilizing them.

Yeah, letting themselves be caught, say, we were here, we could be anywhere else as well, which means that of course they then begin to distrust all manner of systems which could have been compromised by other nations.
DAVE BITTNER
Right, right.

There's this old joke about the thief who breaks into someone's house and doesn't steal anything, but just rearranges all the furniture and how, how disconcerting that would be for someone to come home and find, right?
GRAHAM CLULEY
My Auntie Liz once, just before Christmas, a burglar broke into her house and he opened all the presents under the Christmas tree and left them all.

He obviously thought they were all rubbish.
DAVE BITTNER
That's despicable.
GRAHAM CLULEY
It probably did more harm to the family than if they'd stolen something.
DAVE BITTNER
Yeah. Wow.
GRAHAM CLULEY
Maybe my cousin opened them and just blamed it on a burglar. Oh, now see, I'm beginning to wonder.
DAVE BITTNER
Ah, right. See, must have been a burglar. Must have been someone from the US.
GRAHAM CLULEY
Must have been the NSA.
DAVE BITTNER
Right.
GRAHAM CLULEY
Okay, time to hear now from another one of our sponsors, which is Material Security.

Now, your company's Google Workspace is full of valuable data, and cybercriminals, they know that.

One successful attack can expose sensitive files, hijack accounts, and spread across your entire environment before you even spot it. And that's where Material Security steps in.

It's the first detection and response platform built specifically for Google Workspace.

Material Security automatically catches sophisticated email attacks that slip past native controls, cleans up risky file sharing, and locks down accounts showing suspicious behavior, all without agents, rule sets, or extra noise.

It runs quietly in the background using automation and AI to detect, investigate, and remediate threats across Gmail, Google Drive, all your accounts before they spiral into something worse.

One platform, total visibility, less chaos. See how it works for yourself at smashingsecurity.com/material. That is smashingsecurity.com/material.

And thanks to Material Security for supporting the show. Right, let's get on with the rest of the show. Dave, what's your story for us this week?
DAVE BITTNER
Well, my story comes from the folks at the Chicago Sun-Times, and this is about a couple of cybersecurity folks who allegedly decided to switch teams, according to some prosecutors in Chicago.

This story centers on some folks who work professionally as ransomware negotiators.

And according to the FBI, this pair of men, one Kevin Martin, who was a ransomware negotiator at a company called DigitalMint, and Ryan Goldberg, who was an incident response manager for Sygnia, allegedly joined forces with a third accomplice to extort businesses for millions.

So the investigators say that they used ransomware to lock down corporate servers, and they hit a Florida medical company and demanded $10 million in ransom.
GRAHAM CLULEY
Crumbs.
DAVE BITTNER
Yeah. Allegedly only one target paid, so they got a paltry $1.2 million in cryptocurrency. I don't know about you, Graham, but that would be a lifestyle upgrade for me.
GRAHAM CLULEY
Yes. I wouldn't have called it paltry. I'd have been quite happy with that.
DAVE BITTNER
Right. And then allegedly they laundered it through some of these mixing services and using multiple wallets.
GRAHAM CLULEY
Yes.
DAVE BITTNER
So the story is calling out the irony, of course, that these gents had built their careers advising companies of how to avoid paying ransoms.

Indeed, you might say that they were experts about this subject. They had spoken at cybersecurity conferences.
GRAHAM CLULEY
Oh, really?
DAVE BITTNER
Yeah. And they're under investigation for launching them themselves. The companies they work for, of course, say they have no knowledge of the scheme and nothing to do with it.

DigitalMint fired the gentleman who worked with them, and Sygnia says that they have nothing to do with this and they're working with law enforcement, which is good.
GRAHAM CLULEY
But now they've heard about the idea, they might be tempted, you know, to set up a new business. No, no, no, no, no, of course not. Of course not.
DAVE BITTNER
Well, I want to get to that in a second here. Let me just wrap up the story here. So they've both been indicted on conspiracy, extortion, and computer damage charges.

Mr. Goldberg is in custody. Mr. Martin was released on bond. And the prosecutors say that these attacks spanned about two years before the FBI caught up with them.

And one of them tried to flee to Paris on a one-way flight but got stopped at the airport.

But I have often wondered, Graham, and I'm curious for your insights on this, your take on this, how many cybersecurity professionals out there in the back corner of their mind have as a backup plan, right?

Just in case the retirement savings doesn't work out, right? In case the Social Security just— they can't make ends meet, right?

How many of them just have in the back of their minds what I would call nuisance ransomware, right? A few hundred bucks a month, just enough to make ends meet.

Not enough that you would draw law enforcement to your front door.
GRAHAM CLULEY
Oh, I see. Because they'll be dealing with all the people who are asking for millions of dollars. Right. Whereas your plan, Dave, so Bittner ransomware, as we're going to call it.
DAVE BITTNER
That's right.
GRAHAM CLULEY
By the way, I'd suggest a different brand name if you don't want to.
DAVE BITTNER
Well, we've already got Bitdefender coin, so, you know.
GRAHAM CLULEY
Oh yeah, that's true.
DAVE BITTNER
Yeah. That's how you pay for your Bittner ransomware is you pay for it in Bittner coin.
GRAHAM CLULEY
Right. Okay. So you're just going to ask for just a few hundred dollars a month.
DAVE BITTNER
Well, think about— so if I were going to do this, I would say you target, let's say, senior citizens for $50.
GRAHAM CLULEY
Right.
DAVE BITTNER
And it's not going to ruin their lives, not really going to change their lives very much. But let's say you hit up a few people for $50 per day. Well, it adds up.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
And now you can make ends meet. Chances are you're not gonna be tracked down by law enforcement because you're just a low-level nuisance operator.
GRAHAM CLULEY
Right.
DAVE BITTNER
So I just wonder, because obviously the thought has crossed my mind clearly, and now you're telling everybody it's crossed your mind.
GRAHAM CLULEY
It's very interesting.
DAVE BITTNER
Right, exactly. I put a big target on my back.

I doubt that I have the technical capabilities to pull off such a thing, although I'm a fairly quick learner, but I think someone like you, Graham, who has—
GRAHAM CLULEY
Hey, don't bring me into it.
DAVE BITTNER
You have more technical capabilities than I do. And certainly a history of knowing all about cyber threats, perhaps you've done reverse engineering and so on.

I'm just putting it out there as a possibility.
GRAHAM CLULEY
Yes, you are, aren't you? You are putting it out there.

So listen, so when you started telling me this story about these guys who were involved in ransomware negotiations and then they turned a bit rogue, I didn't imagine that they were actually planting ransomware on victims' computers to steal the money.

I thought they were somehow trying to exploit the ransomware attacks which were being brought to their attention.

So people are coming to them saying, we've been hit, can you negotiate for us?

I thought you were going to say that the negotiators were going to speak to the ransomware gang and say, look, I'm negotiating for these guys, right?

How about we do a little bit of a deal? They're going to pay me X, but I'll give you Y. 'But I'll tell them this is a really good deal for them, and you still get some money.' Right.

You know, clearly these negotiators are getting paid somehow, but I wondered if maybe—
DAVE BITTNER
That's a really good— yeah, because the negotiator could say, "Listen, I worked out a great deal for you. Instead of a million dollars, I've got it down to half a million.

Here is the bitcoin account that you need to make the deposit in." Right. And then they make the deposit, and the negotiators come back and say, "Bad news."
GRAHAM CLULEY
Yes.
DAVE BITTNER
"Bad news. We can't trust these ransomware operators. They just ran off with the money. Shall we try to keep negotiating?"
GRAHAM CLULEY
Well, the negotiators aren't being regulated as far as I know, are they? I mean, it does feel a bit of a Wild West out there.

I remember one case, there was a company near Oxford which got hit by a ransomware attack, a genuine ransomware attack.

They brought in their IT team to deal with it, as you would expect. And one of the IT guys went into the email of the chief executive who had received the ransom note.

He changed the email which they had received from the ransomware gang to change the bitcoin address to be one which he controlled rather than the ransomware gang.

And then he was turning up at these meetings inside the company. Should we pay the ransomware guys or not? And he was going, "Well, you know, it's difficult, isn't it?

But maybe you should."
DAVE BITTNER
Right, right, right.
GRAHAM CLULEY
I mean, okay.
DAVE BITTNER
I have no horse in this race, but it's a murky world.
GRAHAM CLULEY
But I've never heard of them actually installing the ransomware as well. I don't know how I feel about these professional negotiators.

It does seem a little bit, a bit like Dog the Bounty Hunter or something. It just feels a little bit unorthodox.
DAVE BITTNER
Well, who watches the watchmen, right? You know, as you say, it's unregulated.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
And with anything in a black market, you roll the dice and you take your chances.
GRAHAM CLULEY
Just like you've taken your chances by announcing your future career plans here on the podcast.
DAVE BITTNER
That's right. That's right. Well, if I need to flee the country suddenly, perhaps you have a spare bedroom I could crash in. What do you say, Graham?
GRAHAM CLULEY
Okay. No worries. Always available for you, Dave. So this episode of the show is sponsored by Drata, and I'm going to tell you why you should check them out.

Look, if you're in security or compliance, you know the drill. You're constantly wearing 10 different hats. Risk management, compliance, budgets. It's quite the handful.

Here's the thing, though. Drata actually helps with all of that.

Basically, they've made a platform that handles all the tedious compliance stuff that normally eats up your entire week.

What Drata does is automate the evidence collection, the compliance tracking, the security questionnaires. It just handles it.

They've got real-time monitoring, so you're always audit ready, which is nice because no one enjoys scrambling before an audit.

And they've even got AI assistance for questionnaires now, which honestly, thank the Lord.

The point is, instead of spending all your time proving that you are secure and compliant, you can actually focus on being more secure and compliant. Crazy, I know.

Anyway, if that sounds useful to you, check them out at drata.com/smashing. That's drata.com/smashing. And if you use that link, they will know that you heard about them on the show.

And thanks to Drata for supporting Smashing Security.
DAVE BITTNER
And welcome back.
GRAHAM CLULEY
Can you join us for our favorite part of the show? The part of the show that we like to call Pick of the Week.
DAVE BITTNER
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
DAVE BITTNER
Better not be.
GRAHAM CLULEY
Ah, the old days. Well, this week, my pick of the week is not security related. I don't just love chess, you know, Dave. The Beatles. I love all kinds.

I've got wide interests, wide interests. And one of them is a board game called MicroMacro: Crime City. So it's a physical board game and it looks really simple.

What you get is this huge printed map full of tiny cartoon people. Now, both you and I, Dave, are going to find this difficult because you do need your reading glasses for this.
DAVE BITTNER
I'll need a magnifying glass.
GRAHAM CLULEY
You really do need a magnifying glass and bright light to use this properly.

But what you have is this giant city in cartoon form, and you can see all these people going about their lives, walking the dog, shopping, robbing banks, that kind of thing.

And hidden within the illustration are dozens of crimes to solve. And you're given a short case file and a clue, and you scan the map.

It's a bit like scanning a great big Where's Wally sort of thing. Piecing together what happened and this character is here. Where was he earlier on?

You can look around and say, ah, he was walking down here and he had a baguette in his pocket or whatever it was. And he— oh, there he is hitting someone over the head with it.

Or you see different things which are going on, or people who are having affairs, or someone who's spying on someone else. It's wonderful.

And you follow these characters through the streets, the parks, the dark alleyways of the city in this charming art form. And what really hooks you is how cleverly it's designed.

You just observe, you reason, you argue with whoever you're playing with about whether that man was carrying a baguette or not, or whether it was a bit of steel drainpipe.

And you think, oh, well, he was there at the murders. Was he at the murder scene 10 minutes later? It's hard to tell.

But it's the kind of game where you suddenly realize you've been hunched over a table for an hour looking at these tiny little pixel-sized clues and wishing you did have a magnifying glass.
DAVE BITTNER
What's the gameplay like? What's— how do multiple players engage with this?
GRAHAM CLULEY
Well, it's sort of collaborative.

It's sort of collaborative where you're playing with your friends, or I suppose you could see on a timer who manages to solve the different cases in a quicker time.

But they have just brought out a mobile version of this as well. Now that's anathema to me, obviously. I haven't downloaded it.

But it is available apparently for the iPhone and Android as well now. Haven't tried that out.

But the original board game version is really family friendly, and it's a different kind of thing to do.

And you can have some great fun trying to work out what has happened and to exercise your detective capabilities. I know how you like to exercise your little grey cells.
DAVE BITTNER
I do.
GRAHAM CLULEY
Well, this is the kind of thing for you.
DAVE BITTNER
This appeals to me. And I have to say, it also reminds me of a scandal that occurred when I was a young lad.

We used to get the Baltimore Sun newspaper delivered to our doorstep every day. In fact, I was a paperboy for the Baltimore Sun.
GRAHAM CLULEY
Oh. Yep.
DAVE BITTNER
Bought my first computer with the money I saved up from being a paperboy.

Anyway, the city of Baltimore was going to have their annual city fair where people would come together and there were rides and food.

And much like this drawing, there was a drawing like this game has with all the fun things to do at the fair.

And it was one of these drawings where you could spend a lot of time taking it in and looking and seeing what was all there. And the artist put lots of details.
GRAHAM CLULEY
I love it. Yeah.
DAVE BITTNER
Yeah. Until someone discovered that on the merry-go-round, there was a gentleman.
GRAHAM CLULEY
Oh no.
DAVE BITTNER
And it was not a horse he was riding. Let's just say that.
GRAHAM CLULEY
Oh dear. Were you scarred, Dave, by this experience?
DAVE BITTNER
Yes, yes. The hours that I spent looking at that drawing really stayed with me.
GRAHAM CLULEY
Oh my goodness. Anyway, my pick of the week is Micro Macro Crime City. Go and check it out if it sounded interesting to you. Dave, what's your pick of the week?
DAVE BITTNER
Well, Graham, as you know, I have a great love for all things Star Wars.
GRAHAM CLULEY
Ah, yes.
DAVE BITTNER
And so I was very excited to find out that our local mega hardware store, The Home Depot— do you have Home Depots where you are?
GRAHAM CLULEY
Not really, no, no, I don't have those.
DAVE BITTNER
Well, Home Depot here in the U.S. is a giant warehouse of a hardware store.
GRAHAM CLULEY
Are these the stores where you can buy basically anything?
DAVE BITTNER
Almost.
GRAHAM CLULEY
Right.
DAVE BITTNER
The center of their bullseye is being a hardware store.
GRAHAM CLULEY
Okay.
DAVE BITTNER
But you can also buy holiday decorations. So they have Halloween and Christmas and all that sort of stuff.

Well, I was very excited to find that they were introducing for this Christmas season a nearly full-size Star Wars R2-D2, animated R2-D2 model.
GRAHAM CLULEY
Oh, it moves. It's an R2-D2 that moves.
DAVE BITTNER
Yeah. Yeah. He moves. He makes sound effects. His little head turns.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
Does, I mean, it's almost everything you could want an R2-D2 to be, right? He doesn't go roaming around the house by himself, but for the money, it's a really good R2-D2.
GRAHAM CLULEY
How much money, Dave?
DAVE BITTNER
Well, only $300.
GRAHAM CLULEY
Okay.
DAVE BITTNER
Here's the thing. If you want to go to, let's say, Walt Disney World and buy a full-size R2-D2, fully functional R2-D2, the Disney Corporation will sell one to you for $25,000.
GRAHAM CLULEY
What?
DAVE BITTNER
Right?
GRAHAM CLULEY
So I'm off down to Home Depot.
DAVE BITTNER
Yeah, $300 doesn't seem so bad for your little R2-D2. So, of course now I have my sights set on getting one of these things, but they are in high demand and short supply, right?

So I joined a Facebook group dedicated to trying to find these Home Depot R2-D2s as they become available. And they turned me on to an online resource called trackalacker.com.
GRAHAM CLULEY
Right.
DAVE BITTNER
And what this does is it allows you to put in the web page for something that you want to purchase that is out of stock.

And the moment that it comes back in stock on the website, Trackalacker sends you a text message. It says spring into action and buy your thing.

Now I will say I still don't have my R2-D2.
GRAHAM CLULEY
So you're really going to buy one of these things?
DAVE BITTNER
Oh yeah. Oh yeah. I'm really going to buy one of these things.
GRAHAM CLULEY
Well, I've seen a photograph of it. It sort of has Christmas lights all over it.
DAVE BITTNER
Right. You don't have to put those on.
GRAHAM CLULEY
Right. No.
DAVE BITTNER
They know their audience and they know they've made that easy to not include if you don't want. That's optional.
GRAHAM CLULEY
Yes. Okay. Yes, of course. You wouldn't want those on all the time.
DAVE BITTNER
My only question, Graham, is whether or not I'm going to buy two. Two, one for my home and one for my office.
GRAHAM CLULEY
They might breed. Yes, you've got to keep them apart.
DAVE BITTNER
Yes, right. Don't feed them after midnight. Oh wait, that's a different movie.
GRAHAM CLULEY
No one liked C-3PO, did they? Everyone loved R2-D2.
DAVE BITTNER
Yeah, R2-D2 is the robot equivalent of a lovable dog, and C-3PO is kind of a whiny twit. So I did get an alert the other day on my phone, a text message that said they're in stock.

Unfortunately, I was in the car, so I was unable to— I mean, as much as I wanted to slam on the brakes, pull over on the side of the road and buy my R2-D2, cooler heads prevailed and I did not do that.

So the system does work, right? But I was not able to respond quick enough and they were sold out by the time I was able to get somewhere safe.
GRAHAM CLULEY
So it's not just the $300 of buying the R2-D2. You've also got to cover the expense of getting an Uber to work every day as well.
DAVE BITTNER
That's right.
GRAHAM CLULEY
Just in case you get the text message. Yes.
DAVE BITTNER
I'm ready to spring into action at any moment.

So technically my pick of the week is Track-a-Lacker, but my sub-pick of the week is the Home Depot R2-D2, which if anybody happens upon one in stock, please let me know.
GRAHAM CLULEY
I think you've been very foolish, Dave.

You shouldn't really be publicizing these Home Depot R2-D2s when you can't get ahold of one due to lack of stock because Smashing Security listeners, they are going to be racing to buy these and the Micro Macro Crime City game now.

You should have announced this after you've managed to get one.
DAVE BITTNER
True, true. Yeah, cat's out of the bag. But anyway, R2-D2 and Track-a-Lacker are my pick of the week.
GRAHAM CLULEY
Brilliant stuff. Well, that just about wraps up the show for this week. Thank you so much, Dave, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What is the best way for folks to do that?
DAVE BITTNER
You can go to thecyberwire.com and you'll find all of the podcasts that I am part of.
GRAHAM CLULEY
Brilliant. And please tune into those. They're all terrific. And of course, Smashing Security is on social media.

You can find us on Bluesky and you can find me, Graham Cluley, on LinkedIn. And don't forget to ensure you never miss another episode.

Please follow Smashing Security in your favorite podcast app such as Apple Podcasts, Spotify, and Pocket Casts.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of over 440 episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.
DAVE BITTNER
Bye-bye.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley. Thanks a million to Dave Bittner for joining us today.

And also thank you to this episode's sponsors, Vanta, Material Security, and Drata. And of course, to the chums who've signed up for Smashing Security Plus over on Patreon.

They include Matt Weir, Michael Crumb, Greg Bailey, Jonathan Haddock, Maya McDonald, Sean, Robert Odegaard, Skidone, Henry Walshaw, Stephen Castle, Dan H., Alexander Hugh Huys, Roy Tate, Jessica Orth, Dr. Herbalist, Andrew Davison, Frankie Gozikowski, Bobby Hendrix, Ted Wilkinson, John W., Travis West, and Hades.

Now, would you like to hear your name read out at the end of the show from time to time? If so, consider joining Smashing Security Plus.

For as little as $5 a month, you'll become part of our merry band and get early access to episodes without those annoying ads.

Just head over to smashingsecurity.com/plus for all the details to check it all out. Now, of course, I know not everyone can stretch to that, and that's perfectly fine.

There's absolutely no pressure to become a patron. The truth is you can support the show in plenty of ways that don't cost a penny.

You can like, you can subscribe, you can leave a 5-star review— please leave a 5-star review wherever you listen— tell your friends about the show, simply spread the word.

Every little bit helps, and it really does make all the effort worthwhile.

Okey-dokey then, about time for me to turn off the microphone for this week, but I will speak again next week, and I hope you'll be there to listen. Toodaloo, bye-bye.

Host: Graham Cluley

Guest: Dave Bittner

Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Material – Email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.
  • Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
