Surprise! WikiLeaks won’t just hand over details of zero-day vulnerabilities to tech firms

Sigh… there are strings attached.

Graham Cluley


Remember those brief days of sunlight when we held out hope WikiLeaks might have stopped acting like arses, and might have decided to act in the interests of everyone who relies upon technology for their security and privacy?

Well, as predicted, there are clouds on the horizon.

As Motherboard reports, WikiLeaks’ Julian Assange may be making unreasonable demands about how he will share details of the alleged zero-day vulnerabilities that have been leaked from the CIA:

This week, Assange sent an email to Apple, Google, Microsoft and all the companies mentioned in the documents. But instead of reporting the bugs or exploits found in the leaked CIA documents it has in its possession, WikiLeaks made demands, according to multiple sources familiar with the matter who spoke on condition of anonymity.

WikiLeaks included a document in the email, requesting the companies to sign off on a series of conditions before being able to receive the actual technical details to deploy patches, according to sources. It’s unclear what the conditions are, but a source mentioned a 90-day disclosure deadline, which would compel companies to commit to issuing a patch within three months.

Is 90 days a reasonable time to fix a vulnerability?

I think that’s very hard for someone outside of a technology vendor’s programming and quality assurance team to say with any confidence.


It makes me very uncomfortable when outsiders make determinations of how long a problem should take to fix (and, of course, how long it will take to test that the fix works reliably in all scenarios and setups), when they have no knowledge of what else teams might be working on – including other vulnerabilities they might already be working hard at fixing – some of which may be of even higher importance.

Of course, I don’t think we should allow technology firms with unpatched vulnerabilities in their software and hardware to rest on their laurels, or treat it as anything less than serious.

But I also want to feel confident that bugs are patched properly and that fixes do not themselves introduce more problems than the problem they are trying to address.

What qualifies Julian Assange to say that 90 days is enough? There are ways of putting pressure on technology firms to fix bugs, and of highlighting it if you think they are taking too long, without dangling a sword of Damocles over their heads if flaws are not fixed on your own determined schedule.

You can hear some of my personal concerns about whether WikiLeaks will share details of the alleged zero-day vulnerabilities with technology firms in this week’s “Smashing Security” podcast, where I was joined by Carole Theriault and special guest Nick FitzGerald.

The discussion about WikiLeaks starts at about 10 minutes in, but you might enjoy the rest of the podcast too!

Smashing Security #012

012: Eau de Eugene Kaspersky

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown
Smashing Security, Episode 12: Eau de Eugene Kaspersky, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to episode 12 of Smashing Security.

As usual, I'm joined by my buddy Carole Theriault. Hello, Carole, how are you doing?
CAROLE THERIAULT
I'm very well, thank you. How are you?
GRAHAM CLULEY
I'm gorgeous.
CAROLE THERIAULT
And where are you?
GRAHAM CLULEY
Oh, well, I'm somewhere a little bit unusual. Maybe it sounds a little bit different as well. I am in a country I've never been to before, the country of Kuwait.

Oh, can you believe where I'm talking? I've just given a talk about attacks on industrial control systems.
CAROLE THERIAULT
Yeah, well, I know that you're very much an expert on that.
GRAHAM CLULEY
Oi, careful, they won't hire me again. I'll tell you what's interesting though is I've arrived in Kuwait during a sandstorm.

It's my very first sandstorm and it's such a bizarre experience looking up in the sky and it's yellow rather than blue.
CAROLE THERIAULT
And we're having an Assange storm as well.
GRAHAM CLULEY
Oh, is that a pun you've just tried?
CAROLE THERIAULT
It's a good one, right? It's morning here, so I'm, you know, I'm full of pep.
GRAHAM CLULEY
Oh, it's morning where you are, but it's late night where our special guest is.

We are joined all the way from Christchurch, New Zealand by Nick Fitzgerald, computer security expert. Hello, Nick.
NICK FITZGERALD
Hi, guys.
GRAHAM CLULEY
Hi.
CAROLE THERIAULT
Oh, Nick, how are you?
NICK FITZGERALD
Carole, I'm good. It's a great pleasure to hear your voice again. And Graham's too, I guess.
CAROLE THERIAULT
I'm going to like this podcast.
GRAHAM CLULEY
Now, Nick is a veteran of the computer security industry and has held jobs at computer security firms and used to be editor of Virus Bulletin magazine back in the day.

I think that's where I probably first met you, Nick.
CAROLE THERIAULT
Yeah, that's where I met you.
NICK FITZGERALD
Oh, actually, actually, the very first interaction you had with me, you sent me a pair of socks.
CAROLE THERIAULT
Wow, Graham.
GRAHAM CLULEY
Well, you see, rolling out the red carpet. Was that in my Dr. Solomon's days?
NICK FITZGERALD
Yeah. And that was when I was still in Christchurch.
GRAHAM CLULEY
I should explain. So Alan Solomon, who ran Dr. Solomon's, the marketing team got together with him and said, we need some giveaways, we need some t-shirts, we need some— and Alan said, why don't we give away socks instead?

Because his view was that people wouldn't wear t-shirts to the office, but everyone needs a nice pair of socks.
CAROLE THERIAULT
Hey, Graham, this is supposed to be about Nick, this bit. Just FYI. All right, so Nick, sorry, sometimes we just have to.

So Nick, well, thank you very much for joining us on the show. Can you tell us if you've heard it before?
NICK FITZGERALD
Oh yeah, I've listened to, I've listened to several of the podcasts and the videos before them.
GRAHAM CLULEY
Yes, yes, glutton for punishment. You know how that, you know how this works, guys.

We are all choosing a story for the week, something which has caught our attention, happening in the computer security news, and we will give us our views on it.

So the thing which caught my attention was some interesting blog post posted by the guys at Check Point who discovered that two companies, two separate companies, a large telecoms company and a multinational technology company— they weren't any more specific than that— they discovered that those companies had in their possession 36 infected, malware-infected Android devices.

Now you're probably thinking, big deal, you know, Android phones do get infected with malware, certainly much more than iOS devices.

But what's unusual about these particular cases was the malware wasn't downloaded onto those devices as a result of the users doing something.

No, the malware arrived on those Android devices when those devices actually arrived at the company. So they were pre-installed with the malware.

Now, interestingly, the malware— Yes, Carole.
CAROLE THERIAULT
Sorry, by whom? So sorry, keep going. I was getting excited in the story here.
GRAHAM CLULEY
Oh, steady on. Well, exactly. Well, so who did it? Now, what we have seen in the past sometimes is there have been Android phone vendors who've actually sold malware-infected phones.

I remember there was a Chinese— as if there's anything which isn't a Chinese Android developer— but anyway, there was a Chinese smartphone on for sale up on Amazon.

I'll put a link in the show notes, which came pre-installed with malware. But in these particular cases, it looks like the ROMs themselves.

The official ROM supplied by the vendor, that wasn't infected. No, someone somewhere along the supply chain added the malware.

In some cases, they added it to the device's ROM using system privileges, meaning that it's really hard for a user to actually remove it. And so you'd have to reflash the device.
CAROLE THERIAULT
Shut the front door, this happened.
GRAHAM CLULEY
Is that a Canadian expression? Like, give me a solid or whatever it was you used last week.
CAROLE THERIAULT
Graham, I'll introduce you to Urban Dictionary. So, so you're saying to me that someone along the supply chain infected these phones before they were delivered to a company?
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And the company basically takes them out of the box, hands them over to the users?
GRAHAM CLULEY
Yep. Pretty spooky, isn't it? And this sort of thing has happened before. So, for instance, it's happened with networking gear.

One of the revelations by the Snowden leaks a few years ago was that things like Cisco and Juniper gear were being tampered with en route to companies.

And malware was being installed in these devices.

You've got to be really careful about what comes through your front door because it might have been tampered with at the vendor, it might have been tampered with en route to you as well.
NICK FITZGERALD
So they were buying these devices new, it's not that they were in the presumably considerably more risky secondhand market?
GRAHAM CLULEY
Oh yeah, Nick, Nick, Nick, they weren't getting them off eBay, right? These are big companies, right? I don't know what you do, these are big companies, right?

So yes, they're buying these devices brand new and Check Point discovered they were hit by malware and it wasn't something which the users put on.
NICK FITZGERALD
Well, I've worked for some big companies that would buy them secondhand to save money.
GRAHAM CLULEY
Hey, look, I can't help it, Nick, if the only people who employ you are cheapskates. You know, that's not my fault, right?

The thing is, right, I don't know whether these particular companies were being specifically targeted.

All Check Point have said, they haven't named the companies who've suffered from this.
CAROLE THERIAULT
Right, so it's more than one. It wasn't just sent to one particular company.
GRAHAM CLULEY
Right, so it appears to be a large telecoms company and a multinational technology company. That's all that Check Point have said. Oh, right.
NICK FITZGERALD
Okay, and to your point, Graham, that we've seen this before with other Android devices and networking gear, and as you referred to the Snowden— some of the Snowden revelations— I seem to remember Ross Anderson talking about some ATM machines being intercepted en route from the manufacturer to the final installation in the bank, and basically Trojanized hardware.

You know, I can't remember the details. I think in this case they added a card into the machine that intercepted some of the network traffic.
GRAHAM CLULEY
Wow. I mean, astonishing, isn't it?

Because you just— I mean, it's all very well thinking about consumer items and how they may have been meddled with, but something as big as an ATM machine, I mean, it's audacious on the part of the computer criminals, isn't it, that they would tamper with something like that before it gets delivered?

Because of course you just get this great big box, presuming you get a great big crate containing an ATM machine, you put into the hole in the wall and plug it in and off you go.
CAROLE THERIAULT
It's got a different risk-reward element to it. I think what's attractive about it is the big payoff if they manage to do it.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Obviously, there's huge risk involved as well. You know, getting caught ain't going to be fun.
GRAHAM CLULEY
So in this particular case, Check Point have said, well, we're not sure whether these companies were being targeted because they looked at some of the different types of malware.

And there was also adware and some information-stealing trojans on here as well.

One of the pieces of malware was a piece of ransomware, and you do have to think, well, hang on a moment.

If you were targeting specific companies, would you really put ransomware on? I'm not sure necessarily you would because it would be too obvious.

If you were going to all of that effort with the supply chain to target a particular multinational telecoms company, for instance, wouldn't it be something more surreptitious which could steal information or open a backdoor potentially?

So it may be, and this is all conjecture, of course, we don't know exactly what's happened here, it may simply have been opportunistic rather than particularly targeting these companies.
CAROLE THERIAULT
I have a question. Do you happen to know how they found out that this, that they were being spied upon or that the ROMs had been replaced?
GRAHAM CLULEY
I don't. I imagine that Check Point Solutions picked up something awry on the devices and then further investigation brought this to light.

But what we'll do is we'll put in the show links, we'll put a link to the report from Check Point so people can find out more there.
CAROLE THERIAULT
Perfect.
GRAHAM CLULEY
Okay, well, I think it's time to thank our sponsor. And you know what that means, Carole?
CAROLE THERIAULT
No.
GRAHAM CLULEY
It means we have to play a little sponsor jingle. Wave your wand right now. Yay!
NICK FITZGERALD
Yay!
GRAHAM CLULEY
Isn't it fantastic? Yes, we have the generous support of Recorded Future.

They, of course, are the real-time threat intel firm, and they're using some pretty cool technology, let me tell you, to analyze and scour the web, not just the regular web crawl, no, the dark web as well.

And they're looking into emerging threats and they're sort of taking a temperature gauge as to what's going on.
CAROLE THERIAULT
Oh, that sounds cool. And can you learn about this stuff?
GRAHAM CLULEY
Oh yeah, yeah, yeah, yeah.

So what you can do is you can either subscribe to their service as a company if you want to keep on top of what the latest threats are, or you can sign up for their free Cyber Daily newsletter and get the latest insights delivered into your email inbox.

And to do that, all you have to do is go to recordedfuture.com/intel. That's recordedfuture.com/intel.
CAROLE THERIAULT
Perfect. I'm going to sign up today.
GRAHAM CLULEY
And thanks to Recorded Future for supporting the show. We really appreciate it. So Nick. Back to you. What's caught your eye this week?
NICK FITZGERALD
It's sort of inevitable given the line of work I'm in that there's been a lot of interest in the WikiLeaks release, which I know you guys talked about last week, but a development since you went to air last week was that looking through the actual release, it's obvious that there's an enormous amount of material that WikiLeaks presumably has but hadn't released.

And it's been clarified since the initial release of the Vault 7 hacking tools that a lot of the actual tools and the source code associated with them and whatever other resource material that WikiLeaks clearly has, WikiLeaks has announced that they're not actually going to release that until they've been able to coordinate with the affected vendors and the vendors have been able to reassure WikiLeaks that either they've already patched the vulnerabilities or that they have actually rolled out new patches.
GRAHAM CLULEY
To remind everybody, what WikiLeaks did was they got hold of some CIA, it appears CIA documents, right, thousands of CIA documents, some of which contained details of what are known as zero-day vulnerabilities.

These are vulnerabilities which haven't been patched by vendors, so there's no fix for them, which they claimed the CIA were exploiting in order to spy on people and steal information and so forth.

And there's been some speculation that some of these zero-days may already have been fixed, which would be great news if they're old vulnerabilities which have since been patched.

Maybe the information WikiLeaks has is out of date. But there was concern that WikiLeaks wasn't going to tell the vendors who are affected which means none of us get patches, right?
NICK FITZGERALD
Yeah, but WikiLeaks, Julian Assange himself, said that they're going to contact the vendors and let them know what they've got and give them access to the material pertinent to their products.

And once the vendor — well, this is a little speculative, but presumably WikiLeaks will go through the normal vulnerability reporting and coordination process that any security researcher who might have found the same vulnerability would go through if they were doing a responsible disclosure type process.
CAROLE THERIAULT
There's a lot of ways this can go down though.

We've all been involved in situations where we've worked at firms where they've had a vulnerability and we were in that kind of eye of the storm of trying to deal with it.

And in some cases you will get people giving you a set amount of time to fix a vulnerability.

And sometimes that's very complicated, very difficult to do within that specific timeframe because of the complexity of the problem that's been discovered.

Other times, it can go as long as is required, right? It can go for a few months. But there's pressure on both sides.

Obviously, WikiLeaks wants to put all of this information out as quickly as possible while everyone's interested. On the other hand, they want to do it responsibly.

So it's a tough one for everyone, really.
NICK FITZGERALD
Yeah. Well, Assange said that he would give the affected firms adequate time.
CAROLE THERIAULT
So yeah, but exactly, that's exactly— if I was the company receiving that, right, I'd be like, oh God, yeah, what does that mean?
GRAHAM CLULEY
What is Assange's definition of adequate compared to other people?
CAROLE THERIAULT
It could be 72 hours.
GRAHAM CLULEY
It could be. Yeah, I'm afraid he has rather blotted his copybook in the past a little, hasn't he?
CAROLE THERIAULT
He has lost a little bit of opportunity, I guess.

This is his opportunity to show that he understands the value of responsible disclosure, and I think it would be great for all of us interested to see that.
GRAHAM CLULEY
So let's hope he does it promptly. Let's hope he does it appropriately.

Let's hope that there are no more disclosures of anything which could potentially put people in harm's way before these patches are out there and have been issued and there's been good time for people to update.

Assuming all that, I think we could give Assange a high five if we could reach him on his Ecuadorian embassy balcony.
CAROLE THERIAULT
Well, maybe a high two, a high two.
GRAHAM CLULEY
A haiku, I think.
CAROLE THERIAULT
This is pun-tastic today.
GRAHAM CLULEY
Oh yeah, sorry about that. But you know, there is a lot of pressure on companies, isn't there, to respond?

Because of course we've had the headlines of, you know, maybe Microsoft, Google vulnerable and so forth.

And if they haven't been given the details properly yet by WikiLeaks, it's hard for them to reassure their customers about whether there's a real problem or not.
NICK FITZGERALD
Yes. And the material that's already been released is very— there's extremely little information.

But from talking to some friends and colleagues, it would appear that at least some of the vulnerabilities, based on the very limited information— and we know that some of this material does date back at least to 2014, if not earlier.

Yeah. At least some vendors, it would appear, are quite confident that perhaps many— one would hesitate perhaps to say most because we don't know.

Yeah, we don't know when this material was taken. A lot of the commentators and analysts are saying it was most likely taken by a contractor.

And so there's obviously a cutoff date at some point in history where anything the CIA discovered after that's not going to be in this pile of stuff.

So there will be some new stuff, but how much and how much of it is older stuff that maybe has been found through other disclosures or has been just incidentally fixed due to changing the architecture of how the product works.

It's all very much up in the air. I think I heard or read somewhere that only about 1% of the files that WikiLeaks have have actually been released so far.

So even if they trickle this out on a vendor-by-vendor basis, you know, so let's, you know, Microsoft say, you know, we fixed all these vulnerabilities and then they release all the Microsoft stuff.
CAROLE THERIAULT
Do you know what though?
NICK FITZGERALD
It will be news. It will be a rolling news story for many months, I imagine.
CAROLE THERIAULT
If, only if the rest of the 99% is actually of any interest. Right? Yeah, it could be, it could just be a lot of fat as well.
NICK FITZGERALD
So everyone's at least a little bit interested in this because we've had Kellyanne Conway talking about how TVs can be turned into spying devices.
GRAHAM CLULEY
Yeah, suggesting that maybe something like that was used against the now President of the United States, or the microwave if he was heating up some Pop-Tarts or something like that, it could have been that way as well.
CAROLE THERIAULT
Do you make Pop-Tarts in microwaves? I always thought it was a toaster. Oh, they're great. I love Pop-Tarts.
GRAHAM CLULEY
You know you can get internet-connected toasters now, don't you, Carole?
CAROLE THERIAULT
I don't. I'm not interested in any internet. Not interested. Not interested.
NICK FITZGERALD
I believe the first Internet of Things device was actually someone connecting a toaster to the network at some point. University in the US.

And everyone knew about the Coke machine, that if you pinged its IP address, it would dispense a bottle of Coke. But I think someone actually hooked a toaster up before that.
GRAHAM CLULEY
But in fact, okay, but listen, you've just joked about Kellyanne Conway. And to be fair to her—
NICK FITZGERALD
I take her very seriously, to be honest.
GRAHAM CLULEY
But to be fair to her for a second, right? She's got her— she's not a computer security expert.

She has got her information from the newspaper headlines and maybe from WikiLeaks press release. And that's one of the problems.

If WikiLeaks keep on trickling out information about these vulnerabilities, they need to do it in a responsible way.

Because when they did talk about the TV, for instance, being hackable, they didn't make clear that it could only be done via a USB stick. It couldn't be done remotely.

And some of the other vulnerabilities which they spoke about, such as, for instance, breaking WhatsApp encryption and Signal encryption, were a load of old nonsense because in fact what they were talking about was hacking the phone individually, and then of course all bets are off.

Yeah, so I would urge everyone, as we see further revelations, to maybe take it with a little pinch of salt because, dare I say it, you could be being fed fake news.
NICK FITZGERALD
Oh, more dreaded alternative facts.
GRAHAM CLULEY
But there's other stuff coming out of WikiLeaks right now.

I hear that Julian Assange might be releasing soon some information of CIA and NSA intercepts of Angela Merkel, the German Chancellor, which could be embarrassing for her.
CAROLE THERIAULT
Yes, there were just reports earlier today on that, eh?
GRAHAM CLULEY
Yeah, because she's meant to be meeting up with the Donald, and that could cause some awkwardness, couldn't it?

And of course, she has been a victim of surveillance in the past when Barack Obama's gang allegedly spied upon her smartphone. Conversations anyway.

WikiLeaks, it isn't going away, is it?

And just I suspect he's going to be staying in that Ecuadorian ambassador's residence for some time as well, I suspect it's going to be here for a while.
CAROLE THERIAULT
I wonder if they have dinner every night.
GRAHAM CLULEY
Oh boy. Okay, Carole, what have you got for us?
CAROLE THERIAULT
Well, this isn't the biggest story of the week, but I thought it was so sweet and clever and quirky, I thought it deserved a mention.

So, I've always liked thinking-outside-the-box projects. You know, the real grassroots stuff with, you know, even maybe a meager budget, but some strong ideas. And I love all that stuff.

And when I saw this little UK number, I had to share it. Because it's just a reminder that in the industry, we really need to get our creative juices flowing, right?

So, recently released at a PR event, at an Ooh La La London Soho restaurant is the brand new Kaspersky campaign.

Okay, now the security antivirus company, the Russian antivirus IT security company, this firm has launched, get this, Threat de Toilette, Pour Femme, and Pour Homme.

Okay, now how can you not love that?
GRAHAM CLULEY
This isn't about Threat de Toilette, this isn't about the old internet-connected lavatories being hacked? I remember that happening a few years ago.
CAROLE THERIAULT
Your French is appalling. It's a parfum, a parfum. So they do a little perfume. David M., spokesperson of Kaspersky, is on record saying fear awakens our senses.

Okay, so cheesy, but I love it. I love it. So it's just clever, right? So this is an IT company. They've been around 20-plus years, probably more.
GRAHAM CLULEY
Sorry, what are they doing? I'm sorry, to make it clear to me, what are they doing?
CAROLE THERIAULT
So they've hired UK beauty blogger Scarlett London. Now she has a respectable following of about 10,000.
GRAHAM CLULEY
I think that's her real name.
CAROLE THERIAULT
And they hired her to basically come out and help launch this new range of perfumes. There are four. One of them is called Ransom, reassuringly expensive.

You see where I'm going with this? The next, another one is called Malware, W-E-A-R, the wicked way to pierce the heart. I know, not poetry here.

One of my favorites, Social The Lure of the Men. So a little play on words of social engineering.

And the last one, which is questionable for a name for a perfume, they've called it Phish.
NICK FITZGERALD
With a PH presumably.
CAROLE THERIAULT
Yes, with a PH. Catch your deepest love. Who's going to wear Phish? Now, no one. I haven't seen anyone.

I sadly did not receive one of these little press packets and things, but they've tied with each of those explanations of what ransomware, malware, social engineering, phishing is, and they've given some top tips on how to stay safe online.

So what do you think of the idea? Do you think cute? Do you think, you know, as veterans, very old veterans of the industry? How dare you?
GRAHAM CLULEY
I'm sorry. So this is just to raise awareness of things?
CAROLE THERIAULT
Exactly.
NICK FITZGERALD
This kind of ties into Graham's socks at the beginning.
GRAHAM CLULEY
It does.
NICK FITZGERALD
Yes, it's this sort of thinking outside of the square marketing thing. Yeah, I just, I think maybe a little bit too far outside the square.
CAROLE THERIAULT
Oh, I don't— You know what, think about it this way. They are able to reach a whole audience that are online all the time, buying online, you know, and beauty blogs and whatever.

If this takes off, they'll be able to get a whole industry of people, people that are not interested normally in this, to share this information and maybe, you know, be more educated about how to be safe online.

I think there's something quite cute there.
GRAHAM CLULEY
I mean, okay, okay, I'm trying to take this seriously, right? It's fun.

I suppose there is a certain truth in the fact that when we talk about computer security, we're often talking to the same people who already have an interest in this, and possibly the demographic of people who are following Scarlett London on Instagram is different from the typical IT engineer, and people who are interested in parfum— is that how you say it, Carole?
CAROLE THERIAULT
Exactly that.
GRAHAM CLULEY
If I want to have the essence of Eugene about me, you know what, it's funny you've said that.
CAROLE THERIAULT
Listen, listen, so there was a rumour going around that there was a little bit of Eugene's DNA in every sample sent out. What?

Yes, though they think this was caused by a misreading of the ingredients, which included eugenol, a common phenylpropylene included in perfumes.
GRAHAM CLULEY
Well, thank— let's hope it is eugenol, because I'd hate to think of where they've extracted Eugene Kaspersky's DNA from to put in each bottle. Oh dear.

So he's not— I mean, in my experience, he's not a smelly chap. He's a nice-smelling— I think. I'm trying to remember, actually.

He hasn't stuck out to me particularly in either a positive or a negative way. I'm sort of neutral on Eugene smell. What a bizarre thing for them to do, though.

I mean, but okay, but seriously, yes, maybe this is a way of reaching a different audience.

Obviously, the PR people had great fun at the restaurant, and hey, we're talking about it, aren't we? And we mentioned Kaspersky's name a few times.
CAROLE THERIAULT
It looks like most of the journos that attended wrote about it, and I think that means it's successful.

The only thing that's a bit, you know, there's a niggle for me is I'm surprised no one at Kaspersky spotted the potential of this being a global education campaign.

We could have hired bloggers in the States and a few other countries and done this as a kind of international launch.

I think they would have received a much bigger return on investment.
GRAHAM CLULEY
You know what, if this goes big, if this is successful in the UK, maybe they'll spend a bit more cash and get someone like Kim Kardashian to do it. Yes, they might do.

They might, they might go all out on this if this really does work for them.
CAROLE THERIAULT
Well, they have hired big actors before, didn't they? Who was it they hired?
GRAHAM CLULEY
Jackie Chan.
CAROLE THERIAULT
Was it Jackie Chan?
GRAHAM CLULEY
Yes, there's a Eugene and Jackie Chan video.
CAROLE THERIAULT
Yes, there's also Packing the K, which is where they did— had some kind of rapper style. I think we should actually play that out tonight at our leading song, don't you think?

We'll have to play that out. Packing the K. We're gonna play that out. Listen to the end, everyone.
GRAHAM CLULEY
Carole, they're not sponsors, you know.
CAROLE THERIAULT
I don't care.
GRAHAM CLULEY
I don't care. It's such a great song, the Packing the K song.
CAROLE THERIAULT
You know what, I'm going to celebrate the fact that they've done it, you know, they're doing something a little bit creative, you know, they take a punt and I like that.
GRAHAM CLULEY
Oh, well, it's certainly unusual. Well, I think that probably just about wraps it up, doesn't it? Thank you, Carole.

Thank you as well, Nick, for joining us all the way from New Zealand on the podcast today. We really appreciate you being here. Hope you won't be a stranger.
NICK FITZGERALD
My pleasure.
GRAHAM CLULEY
And the rest of you, if you enjoyed the show, please subscribe to us on iTunes, leave a review.

You can also listen to us on Google Play Music and Stitcher and TuneIn and Overcast and other podcast apps as well.

And new, I can reveal, we are now on iHeartRadio, which is available in some parts of the world at least. So tune into us there.
CAROLE THERIAULT
And big thank you to Recorded Future, who helped support the show. Remember, you can sign up to their cyber daily newsletter at recordedfuture.com/intel.

That's recordedfuture.com/intel.
GRAHAM CLULEY
If you like the show, tell your friends, follow us on Twitter. We are at Smashing, without a G, Security. That's Smashing Security. And until next time, toodle-oo. Bye.
NICK FITZGERALD
Good evening.
CAROLE THERIAULT
Shit don't happen.
GRAHAM CLULEY
When I'm packing the K, I can have a ball because he stands tall at the firewall.
CAROLE THERIAULT
When I'm packing the K, I'm as happy as a clam because I'm armed to the teeth with anti-spam.
GRAHAM CLULEY
When I'm packing the K, I can say with affection the K-Man gives me the best.
CAROLE THERIAULT
Graham, Graham, you know, I'd be happy if they just kept listening.
GRAHAM CLULEY
K is the key. What, just keep listening?
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
While we're playing the fucking K Music.
CAROLE THERIAULT
When I'm packing the K, I'm packing the K, oh, packing the K.
GRAHAM CLULEY
I'm packing the K out of cybercrime.
CAROLE THERIAULT
When I'm packing the K, I feel secure that adware and malware get slammed at the door.
GRAHAM CLULEY
When I'm packing the K, the computer stalker, he flushes him out with Behavior Blocker.
CAROLE THERIAULT
Yeah, when I'm packing the K, there's no escape. He blocks pop-ups and phishers like a guy with a cape.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.

15 comments on “Surprise! WikiLeaks won’t just hand over details of zero-day vulnerabilities to tech firms”

  1. Endrik

    It's not that hard to fix. If they can't do it in 90 days, then there's something really wrong. Something that urgent has to be done quick.

    1. Graham Cluley · in reply to Endrik

      What's not that hard to fix? How do you know it's not hard to fix? How do you know how long it takes to properly test that the fix works in all environments reliably and doesn't introduce its own problems? How do you know what else the vendor's team is currently working on that might be of greater importance to the testing team than what WikiLeaks is planning to disclose in 90 days? Should WikiLeaks' vulnerabilities be considered of greater importance just because they're creating an almighty stink about them?

      The truth is that we don't know the answers to any of these questions. We don't know the detail of what the vulnerabilities are, and WikiLeaks doesn't know how difficult they are to fix.

      They should share the details with the vendors without any strings attached. If they feel that the vendor is taking too long to fix them WikiLeaks could demonstrate the flaws to journalists to apply more pressure. Releasing proof-of-concept code or details that could aid other criminals does no good to any of us.

      1. Itisi · in reply to Graham Cluley

        If Wikileaks has them, the exploits should already be deemed 'out there'. I think 90 days is reasonable; Google's ProjectZero also uses 90 days before it makes their findings public.
        I think the reason Wikileaks uses this hard deadline is that it prevents vendors from keeping said exploits in their code, f.e. in the case such a backdoor has been ordered by a national security agency or government. And face it, even if a vendor refuses to sign off Wikileaks' request, the exploits will be made public anyway (or worse, exploited in the wild).
        PS: has anyone performed a traceroute on wikileaks.org? Now that smells fishy.. (Mir Telematiki Ltd, Moscow, Russia)

  2. Kev whelan

    90 days is plenty.

    Someone needs to put pressure on Vendors and as we have seen it is certainly not going to be any Government……

    No pressure, no fix. Same as potholes in the road.

    1. Graham Cluley · in reply to Kev whelan

      There are ways of applying pressure without handing tools to others which will enable them to exploit these flaws.

      I'm sure the vendors will be keen to fix the security holes as fast as they can. But it's not for WikiLeaks to demand it is done in 90 days with threats of disclosure.

  3. 0day

    90 days is pretty normal for responsible disclosure. The only ass here is the author.

    1. Graham Cluley · in reply to 0day

      Arse not ass.

      But anyway, I think the "90 days" figure grew to prominence from Google's Project Zero team. They have brought Google into disrepute by releasing proof-of-concept code which exploits security vulnerabilities in other vendors' software before a patch is released – sometimes putting regular internet users at risk while failing to get Android's broken patching infrastructure sorted out.

  4. Annoyed reader

    The author's only intention here seems to be a little flame-baiting against WikiLeaks, as he has no clue of the actual contents of the documents nor is the grace period of 90 days something uncommon.

    Wondering why this pointless post appeared on my Flipboard. Reported it.

    1. Graham Cluley · in reply to Annoyed reader

      WikiLeaks gets plenty of flames as it is – probably doesn't need more from me!

      I don't see how WikiLeaks would be helping the typical internet users by releasing details of vulnerabilities after 90 days. If they want to apply pressure on vendors to patch bugs there are better ways of doing it.

  5. Etaoin Shrdlu

    No software company would ever have any qualms about "committing" to a 90 day deadline. They routinely commit and then fail to deliver on time. What is Julian going to do, get Ecuador to sue?

  6. Jay

    I would bet Wikileaks will soon be made redundant in this debate anyway. News says they weren't the first to get this material, and I have to think every hacker group on the planet was out there trying to get a copy from the moment the news broke.

  7. Bob

    An update from The Register – it appears that the vendors are afraid of fixing the issues for fear of jeopardising their lucrative contracts with the government:

    "There's also the little hitch that these tools are classified US government property, and the tech giants are uneasy with handling this material, especially since they do lucrative contract work for Uncle Sam and have rules in place on who, internally, can and can't access sensitive reports and blueprints."

    https://www.theregister.co.uk/2017/03/18/friday_security_roundup/

  8. Sean

    This is very poor Graham, as a researcher I regularly reverse patches and fully support the view that 90 days is sufficient. I understand why a lot of American and British "experts" in "cybersecurity" find reason to attack Wikileaks, for many Assange is undermining deep rooted and jingoistic tendencies that come from an industry that sucks the government tit at every given opportunity.

    To float the idea that 90 days is not enough time is ridiculous and I suggest you know it is regardless of what you commit to print. It's worth remembering the limitations placed on Wikileaks, more accurately on Assange himself; regardless of personal traits he has shown more courage and commitment to his beliefs in a way that I doubt most "experts" can ever understand, not least accept. Disappointed Graham.

    1. Graham Cluley · in reply to Sean

      Thanks Sean.

      I'm genuinely sorry to have disappointed you. But if you look back on my previous articles you'll realise that my position has nothing to do with WikiLeaks being involved in this.

      I have been equally critical of Google, for instance, who were the main standard bearers for the "90 days is enough time to properly fix a vulnerability" position.

      I believe that releasing exploit code and putting that power in the hands of any Tom, Dick and Harry should always be a last resort, and one not to be taken lightly. As I have described before, there are ways to pressure companies who you believe are being slow to patch bugs without sharing the details of how to do it with the world.

  9. Dave Howe

    If all it is is a 90 day deadline, then that's all Google themselves give other people to fix their issues; MS have made a big thing out of the occasions they have run out that 90 day clock and Google has gone and published anyhow.
