116: Stalking debtors, Facebook farce, and a cyber insurance snag

How would you track someone who owed you money? What was the colossal flaw Facebook left on its website for anyone to exploit and hijack accounts? And what excuse are insurance companies giving for not paying victims of the NotPetya malware millions of dollars?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Joe Carrigan of the Information Security Institute at Johns Hopkins University.

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, Castbox, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Joe Carrigan.

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

CAROLE THERIAULT. You could just see the tech workers running into conference rooms and unplugging all the machines. So it wasn't your typical day at the office.


GRAHAM CLULEY. It takes quite a lot for an IT guy to run as well. It's quite serious. Normally they're kind of slouching along, aren't they? Just loafing around. It's like, whoa, we've got a big problem here. Smashing Security, episode 116. Phishing, Stalking Debtors, Facebook Farce, and a Cyber Insurance Snag with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 116. My name is Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. Hello, Carole. Hello. Hello. Well, we are joined today by a special guest. He's brand new to the show. It's Joe Carrigan. Is it Carrigan or Corrigan?


JOE CARRIGAN. Carrigan. With an A. Yeah.


GRAHAM CLULEY. Carrigan.


CAROLE THERIAULT. Welcome to the show, Joe.


GRAHAM CLULEY. I said it and then I wasn't sure. Nope, that's—


JOE CARRIGAN. you said it right the first time. I can't see.


GRAHAM CLULEY. I have so much self-doubt. Joe, you are, because you probably need reminding, a senior security engineer with the Information Security Institute at Johns Hopkins University.


JOE CARRIGAN. Oh yeah, that's right.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And you're the co-host of the Hacking Humans podcast, part of the CyberWire network.


JOE CARRIGAN. Yes, with Dave Bittner. Dave, who has been a guest on this show.


CAROLE THERIAULT. He has.


GRAHAM CLULEY. Bittner.


JOE CARRIGAN. Bitdefender.


GRAHAM CLULEY. I'll have to look back. I don't remember.


CAROLE THERIAULT. So is he not nervous that you might outperform him on the show?


GRAHAM CLULEY. He should be.


JOE CARRIGAN. I don't know if he's nervous or not.


CAROLE THERIAULT. We're going to find out on Twitter when he gets all riled up.


GRAHAM CLULEY. We'll rile him up for sure. So what do we got coming up, Carole?


CAROLE THERIAULT. Well, buckle up, listeners. We have a doozy this week. Cluley, you're investigating the novel ways a naughty app developer might track your whereabouts. Joe, you're sharing a Facebook snafu designed to fool even the tech savvy. And I've got a cautionary tale starring a malware victim and their cyber insurance policy. All this and oodles more coming up on Smashing Security. Don't move a muscle.


GRAHAM CLULEY. Now, fellows, fellows, word has reached us from China about what the police are doing over there. They have just arrested an app developer. Police in Nanjing, East China's Jiangsu Province, have arrested a 30-year-old man known only by the surname of Wu.


CAROLE THERIAULT. I kind of like that.


GRAHAM CLULEY. You like that?


CAROLE THERIAULT. Yeah, I'd love to have a name that was just two letters long. Everyone would remember it. Kind of cool.


JOE CARRIGAN. Carole Theriault is kind of hard to remember how to spell.


CAROLE THERIAULT. Yes, it's even hard for the French people.


GRAHAM CLULEY. Well, Mr. Wu, uh, his full name is Mr. Wu, um, is a computer engineering graduate, and he created an app called App Detective.


CAROLE THERIAULT. Oh my God, I would download that just on the name alone.


JOE CARRIGAN. What does it do?


GRAHAM CLULEY. Well, App Detective breaks into a smartphone's instant message database. So imagine you're using WhatsApp or something like that, or the local Chinese equivalent, and it grabs the user's location. So far, pretty creepy stuff, right?


CAROLE THERIAULT. Yeah, okay, I didn't— I wasn't thinking that.


GRAHAM CLULEY. No, it's not the kind of app you would want to install, quite frankly.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. So why have police arrested him? What have they said that he's doing with his app? Well, apparently he was selling this app to debt collectors who would track their target's whereabouts. And some 4,000 people have paid as little as 1 yuan, which is 15 cents, to get people's static location, or the extraordinarily high price of 10 yuan, which is about $1.50, to track their target's movements in real time.


CAROLE THERIAULT. Okay, okay, okay. So people that are downloading this are trying to keep track of what their, like, wife or husband or their kid or—


GRAHAM CLULEY. Well, this is the thing that you would normally expect that, wouldn't you? And there are plenty of apps, of course, which are sold on the basis of, you know, 'Oh, keep a caring eye on your partner, right, on your children.' Reality is, are they cheating on you?


JOE CARRIGAN. Those are owned and operated by creeps.


GRAHAM CLULEY. Yes, exactly. Well, in this particular case, he was selling it, it seems, primarily to debt collectors and bounty hunters. So people who are trying to track somebody down, and it can be very difficult tracking someone down. I remember you, Carole, do you remember years ago when I did a little bit of tracking for you? Me and our buddy Stevie Butts, we were around our friend Petra's house, and you said that there was a man in the neighboring pub who you wanted to keep track of. I think it was a potential boyfriend or something. And Stevie and I hid. We disguised ourselves quite well.


CAROLE THERIAULT. You guys took Petra's towel, put it over your heads, and then looked through the pub window to see if he was there or not. And Petra and I were watching you from the attic window, killing ourselves.


JOE CARRIGAN. How did you see through the towel? Did you cut holes in the towel?


GRAHAM CLULEY. Our principle was, if you've ever read Hitchhiker's Guide to the Galaxy and the Bugblatter Beast of Traal, right, the beast is so dumb that it believes if it can't see you, you won't be able to see it. So we took the principle of putting a blanket over our heads. If we couldn't see, maybe they—


CAROLE THERIAULT. Absolutely no alcohol was involved in any of this at all, Joe, I assure you.


JOE CARRIGAN. I'm sure of that.


GRAHAM CLULEY. Yeah. If only it had been, that would've been more understandable. But yes, so I understand the difficulty of tracking someone and, you know, finding your quarry.


CAROLE THERIAULT. Nice segue.


GRAHAM CLULEY. But this, this app, it appears no towels were required, debt collectors just could simply trick their target into installing the app.


JOE CARRIGAN. Okay, now that's, that's actually my crux of my— the crux of my question. How, how does a debt collector trick someone they want to collect a debt from into installing this app?


CAROLE THERIAULT. Yeah, this, this.


GRAHAM CLULEY. How naive are you, Joe?


JOE CARRIGAN. Am I reading ahead?


GRAHAM CLULEY. It's so simple to do something like that. I mean, I think it's really up to the purchaser how they choose to want to do it, but if you were to offer someone something like a, I don't know, 100 Sexy Wallpapers app or something like that, or free ringtones.


JOE CARRIGAN. Yes, free ringtones. That's the hook that always catches me.


GRAHAM CLULEY. Then some people would install it. But I agree with you, you know, you would—


CAROLE THERIAULT. But how do you weed out the people that you want to collect debt from versus the ones that are just—


GRAHAM CLULEY. Well, you would send a link, wouldn't you? You would send a link to the specific people.


JOE CARRIGAN. Yeah, you have their email addresses presumably, right? Yeah.


CAROLE THERIAULT. Okay, so I have a list of people that are in debt, an email address. I then try and hook them in with a little phishy email saying, hey, hey, get this app, it's really cool.


JOE CARRIGAN. You phish them and they install this malicious app, and then bang, you know where they are.


CAROLE THERIAULT. So the idea is that people that go into debt really just want to track people? Oh no, no, they're, they're—


GRAHAM CLULEY. no, no, it's them being tracked by the people they owe money to, or at least the debt collectors who are going to collect it. So the heavies are going to come around. All they need to know is where you are at a particular time, and then Moose and Rocco show up.


CAROLE THERIAULT. Gotcha.


GRAHAM CLULEY. Yeah, helps them do this. And apparently the app was quite good at its job. It was capable of determining people's location with a margin of error of about 20 meters. And in all, the app is said to have made about $60,000, which, um, you know, it's quite a lot of money when you consider that they were charging as little as 15 cents per go. There was a lot of activity going on here. Now, one thought I had was, well, hang on, why does the app need to crack an instant messaging app rather than just grabbing your location itself? And I think I've come up with a theory on that, which is, normally when you install an app on a modern phone, and I imagine most of the people being targeted here were running Androids, the operating system is going to pop up and say, "Ooh, this app requires location information. GPS, you know." And you would think, "Well, why do I need that for my free ringtones and my sexy wallpaper?" And Joe would say, "No, I don't want to install that software." Right?


JOE CARRIGAN. That's too many permissions for free ringtones and sexy wallpapers.


GRAHAM CLULEY. But if the app manages to actually instead crack your phone to grab the information from your instant messaging app, if it's able to query that, maybe through a vulnerability, or maybe because you're running an old version of Android which doesn't have good enough security, then that might be a more effective way to do it. I don't know, but that's my theory as to why they're doing it that way. Yeah, yeah, it seems plausible to me. It's certainly plausible.


JOE CARRIGAN. I would, I would agree it's plausible.


GRAHAM CLULEY. Now, he has been prosecuted now, Mr. Wu, uh, for allegedly writing the apps and stealing personal information. And two other frequent users of the app have been nabbed and are awaiting prosecution. But all of this got me thinking, what other novel ways might there be of tracking people? After all, like we said, you've got to trick someone into loading the app onto your smartphone. And it was at this point that one of our devoted Smashing Security listeners, Sarah Gatsky, she tweeted me and she pointed me towards a thread on Twitter about a brand new pair of shoes. Now, do you guys remember Back to the Future 2? With Michael J. Fox. Not the original! Back to the Future 2, which has a pair of self-lacing shoes in it. He wears these Nikes which sort of do themselves up because he goes into the future.


JOE CARRIGAN. I do remember seeing that. I think that's the only Back to the Future I haven't seen. I've seen 1 and 3, but I don't think I've seen 2.


CAROLE THERIAULT. I remember this, definitely remember this, because I thought that why not just use Velcro, basically?


GRAHAM CLULEY. Because they don't do it automatically, Carole. That was the whole thing. Well, did you know that a few years later Nike actually produced a limited run of shoes like them. They sort of copied the design. Marketing geniuses. And in combination with Michael J. Fox's foundation, which fights Parkinson's and so forth, they auctioned off a few hundred of these for a vast amount of money, and they raised a lot of money for charity, which is obviously fantastic. Well, the third generation of these self-lacing sneakers, called the Nike Adapt BB, has just been released. Okay. And these shoes— you're wondering where I'm going with this.


CAROLE THERIAULT. Oh, they're not smart shoes, are they?


GRAHAM CLULEY. Well, these shoes, they will only set you back $350.


JOE CARRIGAN. Which is not bad, right, for self-lacing shoes. I would expect that to be a lot higher.


CAROLE THERIAULT. You wouldn't have to bend over, right?


JOE CARRIGAN. That would help me so much. I could breathe while tying my shoes.


GRAHAM CLULEY. They remember how tight you like your shoes. They pair over Bluetooth. They receive software updates. Oh, we'll link to the tweet where someone has actually put up a screenshot of their phone— of, sorry, of their shoes updating the software. Your shoes being charged wirelessly on a USB-C charging mat. Oh, cute. No, while receiving a software update.


CAROLE THERIAULT. What's the point? What's the point?


JOE CARRIGAN. What is the point? Well, the future is stupid.


GRAHAM CLULEY. Yes, that's exactly— yes. All kinds of questions spring to mind here, right? Would you be allowed to take these on a plane?


CAROLE THERIAULT. Does it need batteries?


GRAHAM CLULEY. Oh yes, it needs batteries. They're not like a pair of AA batteries, Carole. They're rechargeable. A few double Ds around the ankle.


JOE CARRIGAN. Sellotape them to the side. Here's another issue I have with this. These batteries are on presumably a very mobile part of your body, probably the part of your body that endures the most G-force. Yeah. During the course of a day. Yes. How safe are those batteries?


CAROLE THERIAULT. Yeah. Loving lithium there. Right.


GRAHAM CLULEY. These, apparently— the BB stands for basketball. So you can imagine it would be quite a rough sort of, you know, it's not a gentle stroll, is it? Right.


JOE CARRIGAN. No, it's a lot of sudden stops and starts.


GRAHAM CLULEY. They have got a battery inside them, a microcontroller, an accelerometer, a gyroscope, a temperature sensor, a motor, lights. They've got little lights at the side.


CAROLE THERIAULT. Can they stop you if something dangerous comes across your path? They can't do that automatic braking.


GRAHAM CLULEY. Now, right now. And of course, by the way, there's an app. So you can actually go to your app to tighten the left or right shoe. Or you can press a button on the side of the shoe.


CAROLE THERIAULT. Does it alert you if there's any damage on the skin? Alert! Alert!


GRAHAM CLULEY. Small chafing of leather. I think the idea is that they monitor the temperature so that they can loosen over time. So if them— Oh. In case you get sweaty.


JOE CARRIGAN. They don't have fans that cool your feet off?


GRAHAM CLULEY. Now, now you are thinking, and I assumed the same, this app...


CAROLE THERIAULT. This is fucking ridiculous.


GRAHAM CLULEY. And these sneakers would be tracking your location and your activity and counting steps. Well, apparently they aren't yet, but it sounds like it'd be an easy thing to add via a firmware update or adding new features to the app. But it's kind of inevitable that they will do at some point, won't they? Or the next version will.


JOE CARRIGAN. Right. And you don't even have to update the firmware on the shoes. You just have to update the app. Right. Because the shoes probably don't have a GPS receiver in them. But the phone does. Right.


GRAHAM CLULEY. Yeah. And so it's being all collected. Now, you know, you have to wonder what will in the future shoe manufacturers be planning to do with all that data? And I'm thinking if you're finding it hard to get someone to install the app with the ringtones and the sexy wallpaper, send them a pair of sneakers. And your average person.


CAROLE THERIAULT. Or tell them they will get them. $350. Just send them willy-nilly. What kind of businessman are you?


JOE CARRIGAN. Okay, so let's look at the business model here for a second. I'm a collector. Collections person, right? Yes. So I have to spend $350 for a pair of shoes. So that means that I have to have a bill collected or a bill to collect that's worth— going to profit me at least $350, right?


GRAHAM CLULEY. You'll get the shoes back when you collect. You rip them off his feet and say, oi, they're mine. Anyway, and in the future, the sneakers will be cheaper as well. This is the future of sneakers, right? Already you don't need to put fuel in them, do you? They're all sort of—


JOE CARRIGAN. Well, you do have to charge them.


GRAHAM CLULEY. You do have to charge them. Yes, you have to charge them every fortnight. Apparently.


JOE CARRIGAN. That's pretty good for a pair of shoes. I would imagine that— I would have thought more than that.


GRAHAM CLULEY. But it's not just for debt collection, right? It's not just for tracking people. In the future, shoe manufacturers will know where you're going. They'll know if you stop for donuts. They know if you're exercising. They will be able to monetize that data. Yes, but it's going to be happening more and more.


CAROLE THERIAULT. Okay, great story.


GRAHAM CLULEY. And if you've got— if you're dumb enough to spend $350 on sneakers, you've got other money to burn, probably, which big companies are going to be able to exploit, aren't they? Yeah. I've just given you a vision of the future. You can call me Nostradamus if you wish. But I—


CAROLE THERIAULT. That's the first word that came to mind.


GRAHAM CLULEY. I am seeing an image of the future and where things are going. Oh, all right. So, Joe, have you got a story for us? Of course.


JOE CARRIGAN. Huzzah! So imagine that you are minding your own business, sitting at home, and someone sends you a URL that says something like, hey, take a look at this on Facebook.


CAROLE THERIAULT. Okay, I would be like, haha, I don't have Facebook. But imagine if I did. Lucky you.


JOE CARRIGAN. I gotta tell you, I have used Facebook less and less. The only reason I keep it around is to communicate with family. But ever since I stopped just getting on there on a regular basis, I find myself living a much happier life.


CAROLE THERIAULT. Listen, people out there, listen to Joe. Get off it.


GRAHAM CLULEY. Yeah, no Facebook February, right? That's what we believe in. Give it a try. Try and stop for a month.


JOE CARRIGAN. Right. So you're astute. You look at the URL and it does indeed point to Facebook. It says facebook.com and it has some other stuff after it. And you say, okay, I'll look at this and bam, you very quickly lose control of your own Facebook account. How would this have happened? Well, is it—


GRAHAM CLULEY. so this isn't phishing, isn't taking you to a login page or—


JOE CARRIGAN. It is phishing. It's a phishing email that they're sending you. Or a phishing message or something, but it is going to a Facebook page. So what has happened is there is a researcher, Samm0uda. I hope I'm saying that right. It's a hacker alias, I guess. The O is a zero. And he found a vulnerable endpoint on Facebook at the URL facebook.com/comet/dialog_do_not_use. What?


CAROLE THERIAULT. That's the kind of thing I would do in one of my files. Right. Okay, right.


GRAHAM CLULEY. It's like a button which says do not press.


JOE CARRIGAN. Yeah, don't press. Exactly. What is the first thing that a hacker does when you tell him or her not to use something?


CAROLE THERIAULT. What happens when you do that to a 2-year-old? Right.


JOE CARRIGAN. Same thing. Anybody. Do not use. Hmm, this looks interesting. Samm0uda did some investigating and found a cross-site request forgery attack. Right. Right. An attacker could craft URLs. Okay. Start with, you know, this do not use URL and allow an attacker to do some stuff they shouldn't otherwise be able to do. Like they could make a post on a user's timeline. They could delete a user's profile picture, or they could actually trick a user into totally deleting their account. Oh, wow. Oh, let's do more of that, please. There you go, Carole. It's going to be— this is your mission in life now, right?


GRAHAM CLULEY. Yeah.


JOE CARRIGAN. Yeah. And finally, the one thing that allows the account takeover is they could change the user's email address. And that's the key of taking over the account, because if you've changed the email address, now you click on a link that says, oh, silly me, I forgot my password. Send me an email to reset it. And you get, you get the email and then you go in, you can reset the password. And once you have access and once you've logged into the Facebook account, you can log the user out of all their other locations and you have control of the account.


CAROLE THERIAULT. Okay, so tell me, unless someone had the same usernames on other accounts, what is the joy of having access to a Facebook account? You know, you want to get, what does an attacker get out of it?


JOE CARRIGAN. I guess if they're just doing it for the lols, they can mess somebody's life up. They could impersonate somebody.


CAROLE THERIAULT. Yeah, it's the social engineering stuff, isn't it?


JOE CARRIGAN. Yeah, imagine that you're on Facebook and you start getting emails from, or Facebook messages from someone you trust and someone you know that's their account and you verify it's their account, and you know they're not using a spoofed account, which is another way that social engineering can take place on Facebook. But just imagine the difficulty of losing your Facebook account. How would you go back and restructure your Facebook account and reconnect with all your friends and then tell everybody that other Facebook account has been compromised? It would be just a nightmare for the individual user. It's horrendous.


GRAHAM CLULEY. And imagine, for instance, you could have a jealous stalker or something like that, or an ex-partner who wanted to read your messages and so they want to break into the account. Or maybe you are the administrator on a Facebook page, and so cracking that personal account then gives you access to like a company or an organization's Facebook presence, and you could cause all kinds of problems.


JOE CARRIGAN. Yes, you could. There's a very good use case for this vulnerability. Yeah.


GRAHAM CLULEY. Oh, I don't want to give anyone ideas. Too late.


JOE CARRIGAN. It actually is too late because Samm0uda informed Facebook about this bug on January 26th. Of this year. And by the 31st, only 5 days later, Facebook had fixed the bug and they issued on February 12th a bug bounty to Samm0uda in the amount of $25,000. Blow me away, that sounds almost reasonable, guys.


GRAHAM CLULEY. I wonder how they write the check for Mr. Samm-zero-uda.


JOE CARRIGAN. I don't know how they do that. I imagine that they actually have his real name and they probably put him through a non-disclosure agreement stuff.


GRAHAM CLULEY. Yeah, I mean, it seems like a pretty tragic error for them to make, leaving this thing with the— was their fix simply to rename it from "dialog do not use" to "dialog no really really do not use"?


JOE CARRIGAN. I would imagine that Facebook actually did fix it. Probably just took it down. They probably just turned that machine off.


GRAHAM CLULEY. But how many other things like this might be lurking out there? Well, you never know.


JOE CARRIGAN. There is absolutely no such thing as a perfectly secure system. That's something we tell people over and over and over again. The key of this vulnerability is that it was found on the Facebook network. So it would have appeared like a legitimate Facebook link. It would have worked and there would have been nothing that Facebook would have had cognizance about unless they were tracking the usage of the do not use address. Right? Yeah. So, but I would like to say kudos to Samm0uda for finding and reporting this bug. And kudos to Facebook. There's something you don't hear every day, right?


GRAHAM CLULEY. They'll be really happy to know that they've had some good news from us. They think, finally.


CAROLE THERIAULT. Wasn't it the UK government that called them digital gangsters last week? So yeah, they're going to be really touched. They're probably having tears of joy right now listening to your story, Joe.


JOE CARRIGAN. Kudos to Facebook for handling this so quickly and for paying a substantial bug bounty. Yeah. You know, one of my jobs here is to disclose vulnerabilities that we find, and 9 times out of 10, I disclose a vulnerability to a company and I never hear anything back from them. Nothing.


CAROLE THERIAULT. So, well, you know, a tiny silver lining on otherwise big, dark, crazy cloud of Facebook. Yeah, exactly.


JOE CARRIGAN. But it is fixed, so you can't do this anymore. Well, not with that URL.


GRAHAM CLULEY. I wonder how he found it. I mean, yeah, it's a star, isn't it?


JOE CARRIGAN. Poking around. Yeah.


CAROLE THERIAULT. Crawl, crawl, crawl.


GRAHAM CLULEY. How are you able to poke around Facebook to that extent to find a URL like that? That suggests to me that maybe they haven't locked down some things. Or maybe it's an ex-employee.


CAROLE THERIAULT. Crawl through. Knows his way around. Could be an ex-employee. The gardens.


GRAHAM CLULEY. He probably planted it. Could be a current employee. Oh, the conspiracy theory. You're just—


CAROLE THERIAULT. what are you, Alex Jones? There is a similarity.


GRAHAM CLULEY. If you saw both of us sat behind a desk turning purple in anger. Oh, Carole, don't get me all riled up. What have you got for us?


CAROLE THERIAULT. Please, God. Let me take you guys back to the crazy summer of 2017. So this was the year that Trump was inaugurated, began befriending Kim Jong-un, and this podcast, Smashing Security, was just still a little wee baby. And during that summer of 2017, many a company faced the wrath of the NotPetya malware. Now, we all know that NotPetya was this mass-spreading worm that used versions of the NSA's EternalBlue SMB exploit. Now, NotPetya successfully made huge companies buckle to their knees. Global ad giant WPP was taken offline. FedEx was badly hit. Shipping goliath Maersk was crippled. And Wired had this article giving the inside scoop on the company. So listen to this quote: "Within half an hour, Maersk employees were running down the hallways yelling to their colleagues to turn off computers and disconnect them from Maersk's network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs." You can just see the tech workers running into conference rooms and unplugging all the machines. So it wasn't your typical day at the office.


GRAHAM CLULEY. It takes quite a lot for an IT guy to run as well. It's quite serious. Normally they're kind of slouching along, aren't they? Just loafing around. But it's like, whoa, they're running. We've got a big problem here.


CAROLE THERIAULT. They even said like staffers were hurdling themselves over locked keycard gates, which had been paralyzed by the still mysterious malware. You should really read this article. It's fantastic. Another global giant that was hit was Fortune 500 company Mondelez. Do you know who they are, Graham? Joe, don't look.


GRAHAM CLULEY. Don't read ahead. I have read ahead.


CAROLE THERIAULT. Well, you should know Mondelez. They are an Illinois-based company, and they employ around 100,000 employees worldwide. Yeah. They are the mom and dad to Kraft Foods, Oreo cookies, and Cadbury's.


GRAHAM CLULEY. So they're a big—


JOE CARRIGAN. yeah, they're big. So do they own Nabisco then?


GRAHAM CLULEY. What's Nabisco?


JOE CARRIGAN. It's short for National Biscuit Company. Nabisco.


CAROLE THERIAULT. Oh, really? I didn't know that. So they were hit by NotPetya, and they say they lost 1,700 servers and 24,000 laptops as a result of the malware.


JOE CARRIGAN. Oh my gosh.


CAROLE THERIAULT. So in its annual— in Mondelez's annual report, which they filed with the SEC in 2017, they stated that the net revenue loss amounted to $100 million. They also said that it had incremental expenses of $84 million.


JOE CARRIGAN. So that's $100 million in lost revenue and then $84 million in recovery. Yeah.


GRAHAM CLULEY. And it would have been so much less if those IT guys had just shifted their asses a bit faster. That's what— did they put that in the report?


JOE CARRIGAN. Well, those were the guys at Maersk that were running around. Oh, you're right.


CAROLE THERIAULT. But I'm sure they— I'm sure Mondelez were doing exactly the same thing.


GRAHAM CLULEY. No, they weren't. They were stuffing themselves with Oreo cookies and Cadbury chocolate bars. They were popcorn and sweeties.


CAROLE THERIAULT. Exactly. Can you imagine? Kraft Dinner.


JOE CARRIGAN. Don't even put Oreo cookies in front of me.


CAROLE THERIAULT. You love them? I love them so much. So basically, Mondelez say they're almost $200 million out of pocket, right? Oof. And this is only 1% of their turnover for the year, by the way.


JOE CARRIGAN. But that's 1% of their revenue. Pretty substantial.


CAROLE THERIAULT. So now before you say poor, poor Mondelez, you should know that they had cyber insurance with a company called Zurich Insurance. Oh, thank heavens for that.


JOE CARRIGAN. I'm sure that they took care of everything.


CAROLE THERIAULT. Exactly, Joe. They're so smart, right?


JOE CARRIGAN. They're, they're a good insurance company, and insurance companies always pay out whenever you have an incident for which you have insured yourself.


CAROLE THERIAULT. Exactly. Just in case someone nips past your approved and reviewed defenses, you can insure yourself to recoup any losses. Great, makes perfect sense. So if you go to the Zurich Insurance website, it says enhance your cyber resilience with Zurich security and privacy coverage. Yes, let's do it.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Yeah, and the marketing blurb touts first-party coverage includes digital asset replacement, expense coverage, business income loss and dependent business income loss coverage, cyber extortion threat and reward payment coverage. Basically, we'll pay for everything. Just give us some money, right?


GRAHAM CLULEY. I'm signing up right now. Sounds worth it to me. I'm signing up.


JOE CARRIGAN. I'm signing up. The entire $200 million that, that Mondelez lost is coming back to them thanks to their policy with Zurich. Exactly.


CAROLE THERIAULT. I'm glad this story ends this way. You have to imagine it wouldn't have been cheap, right? It wouldn't have been chump change that they would have asked for to protect Mondelez, right?


JOE CARRIGAN. It's a big company, correct? Yeah, that policy could not have been inexpensive.


CAROLE THERIAULT. Perhaps no surprise to you both that the Kraft food company, Mondelez, put together an insurance claim. Yes. And filed the paperwork and waited for payday. Ka-ching! And they waited. And they waited. And they waited.


GRAHAM CLULEY. Yeah, well, sometimes it can take a while. It can take a while. You know, it's just the wheels are in motion. It'll come in soon. It'll arrive soon. The check's in the post. Yeah.


CAROLE THERIAULT. Well, in January this year, instead of getting a check, Mondelēz got the news that Zurich Insurance weren't going to honor the payment. What? They were refusing to foot the bill. And I was like, I'm aghast. Really?


GRAHAM CLULEY. How shocking. An insurance company not prepared to pay up.


CAROLE THERIAULT. Well, the policy apparently clearly states that, quote, all risks of physical loss or damage, as well as physical loss or damage to electronic data, programs, software, yada, yada, yada, we cover. So how are they wiggling out of paying Mondelez? And it's because they're saying it was an act of war. So you might remember February last year, both the UK and the US government blamed Russia for the malicious NotPetya cyberattack. Experts believe that about 2,000 NotPetya attacks were launched, mainly aimed at the Ukraine. The Ukraine, as we know, has been locked in a simmering conflict with Russia since Moscow annexed Crimea in 2014.


GRAHAM CLULEY. So yeah, well, it just seems to me that maybe Mondelez need to sue the US and UK governments for concluding that it was Russia, because if they hadn't done that, they would have got their payout. And maybe Mondelez needs to threaten the US and UK governments with a bombardment of Oreo cookies.


CAROLE THERIAULT. You're shooting my low tourney, that's my big—


GRAHAM CLULEY. I'm getting there. Oh, sorry, sorry, great minds.


CAROLE THERIAULT. Very great minds. That never happened.


GRAHAM CLULEY. Joe, have you got any theories? Yes.


JOE CARRIGAN. Joe, how Mondelez can, can do this is they can, they can stop shipping Oreos and Cadbury bars to Russia. See, until they get their $200 million, hold them ransom.


CAROLE THERIAULT. Right. Yeah. To their sweet tooth.


GRAHAM CLULEY. Sorry, Carole. Carry on. I was fascinated.


CAROLE THERIAULT. So Moscow, of course, is denying being behind the attack and calls the claims Russophobic. But an assessment from the National Cybersecurity Centre in the UK clearly states that Russian military was almost certainly, and I'm quoting here, almost certainly responsible for the NotPetya cyberattack of June 2017. So it seems that companies can be collateral damage when governments publicly blame other countries for hacks. So now I'll insert what you just said, Graham. Earlier.


GRAHAM CLULEY. What's the point? What's the point of governments publicly blaming other countries for hacks anyway? Is there— because they never actually act, they never actually do anything afterwards. I mean, sometimes they might have a few sanctions or kick out a few diplomats or something, but it seems like they're doing more harm to the economy by blaming other countries. If this— I wonder how many other times this is happening.


CAROLE THERIAULT. Well, you know, in this case, in this case, don't you think the US would want to take the heat off itself, because the malware used an NSA bit of code? So it really wanted to kind of say, "Oh, you see, it wasn't our fault. It was stolen from us, used by the Russians. They're really, really great at hacking and stuff." So there is no precedent for calling a cyber event an act of war as yet.


JOE CARRIGAN. That was my thought, is that there hasn't been a clear definition of what constitutes an act of war based on a cyber attack. There's no clear boundary across the planet as to what that is.


CAROLE THERIAULT. Exactly. And it poses a bit of a pickle, right? Because now who's going to win? Is the insurance company going to be able to get out of this and think of the other clients it's been able to peddle its insurance to? Sorry, I shouldn't use that word. Sell its insurance to. Well, you know what?


GRAHAM CLULEY. It is kind of about time the insurance companies came out properly and positively from one of these things because so often they're paying out, can't they? And for them to suffer, you know, another— that would be really rough on them. So I'm glad that for once they're getting the benefit of the doubt.


JOE CARRIGAN. Something similar happened on 9/11 when all those people were killed in the World Trade Center and in the flight that crashed in Pennsylvania. Insurance companies said, "Well, this is an act of war. We're not gonna pay out." And the backlash was so severe that they just decided, "Okay, we're gonna pay out." Right.


CAROLE THERIAULT. Well, that's good news for Mondelez because they are seemingly a bit pissed at this response from their insurers who they've been paying for this exact reason. And they've decided to roll up their sleeves and fight for payday. Good. They're suing Zurich Insurance in Illinois courts for $100 million in damages. Only $100 million?


GRAHAM CLULEY. Only $100 million. I know. Presumably Zurich Insurance is itself insured against getting sued.


CAROLE THERIAULT. There is a lot of that. And that's one of the big problems in the whole chain, because insurers have backers that insure them against losses and then those insurers have backers. So there's this huge chain of money. And the problem— one of the problems they're seeing in the industry is that backers are going to demand more collateral. So anyway, it's going to be very, very expensive. And there's going to be a lot of little loopholes to watch out for. So the moral of the story is to take heed, listeners, when it comes to cyber insurance. It's not a tried and tested field yet. No one should think they're safe as houses just because they're paying a monthly fee that's extortionate. Do not assume they're going to honor the deal because we don't have a lot of precedent, a lot of time with this yet. So until there's a proper clarification on terminology, as you said, Joe, right? The terminology used by cyber insurers and the people they're trying to insure, it might be more cost effective for some firms out there to keep their own private pot of in-case-shit-hits-the-fan money.


JOE CARRIGAN. Right. So in other words, you're advising people to be cyber preppers.


CAROLE THERIAULT. Yeah, I don't know. I just think it's early days. Imagine getting the Mondelēz account, right? That is a huge win. I don't care how big of an insurance company you are. That is a huge win for a company. And you think they, of course, would get paid out because they're the ones, they're the crème de la crème. They're at the top, you know, the top tier of customer. And but the problem in insurance is the big guys have much bigger payouts. So everyone loses, it seems, in insurance. The little guy loses because they can't get any attention. The big guy loses because the payouts are too big.


JOE CARRIGAN. Right. I wonder, I wonder how this has affected Zurich's ability to sell their insurance.


CAROLE THERIAULT. Let's see how many listeners talk about it.


GRAHAM CLULEY. Go, guys. Right. Exactly. Everyone, they're all listening to this right now. Now they know.


CAROLE THERIAULT. Well, there's lots of good links in the show notes about this if you're interested. I'll keep an eye on the story and get Graham to tweet about it as appropriate.


GRAHAM CLULEY. Well, cool story, Carole Theriault. Really interesting. Thank you very much. Recorded Future provides deep, detailed insight into emerging threats by automatically collecting and analyzing billions of data points from the web. Every security team can benefit from that kind of threat intelligence. Grab yourself a copy of Recorded Future's free handbook, which explains why threat intelligence is an essential part of every organization's defense against the latest cyberattacks. Go and get it at smashingsecurity.com/intelligence. And thanks to Recorded Future for supporting the show.


CAROLE THERIAULT. Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashing.


GRAHAM CLULEY. I'm on the show. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week.


JOE CARRIGAN. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.


CAROLE THERIAULT. Can sometimes be though, maybe.


GRAHAM CLULEY. Yeah, maybe. Doesn't have to be.


JOE CARRIGAN. Do you have a security related Pick of the Week?


GRAHAM CLULEY. I might. Okay. Well, my Pick of the Week is a little bit curious. My Pick of the Week is a website called— well, it does something rather startling. If you go to thispersondoesnotexist.com, every time you visit it, it will show you a picture of a random person. You just refresh the page, thispersondoesnotexist.com, tick, tick, tick, keep on refreshing, and you'll see different people popping up. And what's amazing about this is that these people don't exist. They're entirely computer-generated. They are all computer-generated? They are all apparently computer-generated.


CAROLE THERIAULT. Well, this one looks like he's computer-generated. He's got a weird ear.


GRAHAM CLULEY. Well, occasionally you get someone who looks a little bit odd with a weird ear or, you know, an extra eye or something. But the majority of them are really surprisingly convincing. And you can imagine them being on the About Us page for some tech startup: there's the head of engineering, that guy's clearly working in IT support, oh, he's a VP. So, this page has been created by a software engineer called Philip Wang, and he developed the site thispersondoesnotexist.com using an artificial intelligence algorithm called StyleGAN, which was developed by the dudes at NVIDIA. It's quite startling how realistic some of these images are. So I've been reading about this, right?


CAROLE THERIAULT. And there's a few hacks on how you can tell, apparently. I'm just trying to— and I haven't done them myself, so I was just going through the pictures while you were talking, so I didn't listen to anything you said.


JOE CARRIGAN. Yeah, tell me, because I'm looking at this site right now, and if these people don't exist, this is terrifyingly real.


CAROLE THERIAULT. So one of the ways apparently is looking for wrinkles both on the top of the face and the bottom of the face being kind of similarly aged. Aged, like in terms of someone being 18 and someone being 45 might have a different set of look, right? Color, skin tone as well. So they kind of bleed into each other. But occasionally, if you look at the very top and the very bottom, you'll say, oh, that's not the same person.


GRAHAM CLULEY. Yeah, but this might be true of some of them, but a lot of—


CAROLE THERIAULT. On Reddit, certainly, they were all like, of course, of course, very easy. It's very easy. I'm not sure it's that easy.


GRAHAM CLULEY. I'm looking at one at the moment. They're really rather hot. You know, it's like, I really rather wish they did. No, it's just like, ding dong, you know, they're quite attractive. Really? Yes. I'm looking at quite attractive ones. Where are you looking?


JOE CARRIGAN. Because I'm looking at all average looking people.


GRAHAM CLULEY. Oh no, I've got, well, you know, I don't know how picky you are, but some of them are like, oh yeah, you look quite nice.


JOE CARRIGAN. None of these men is Graham Cluley handsome.


GRAHAM CLULEY. Now, now, thank God. Now, you might be thinking, so it's a curious web page, and I think it has some interesting implications as well, because first of all—


CAROLE THERIAULT. Scary as heck, come with Joe.


GRAHAM CLULEY. Well, right. And I was also thinking, following our discussion in last week's episode, Carole, about catfishing and extortion scams, one of the pieces of advice you gave people is you should reverse image search the images that people give you, because what a scammer might do is find an image of someone on the internet, pretend that they are that person. Well, if you used a site like this, to generate the image, you're not gonna get any hits on that Google search. You aren't gonna get any hits at all, are you? Right.


CAROLE THERIAULT. And I wonder, I guess you would never have the same fake face doing different expressions. Of course you could.


GRAHAM CLULEY. Yeah, they may have to play around a little bit more. I think that's probably the way in which things are going, but it is.


JOE CARRIGAN. Right, if I could generate multiple pictures of the same person that doesn't exist, that would be great for that social engineering attack.


GRAHAM CLULEY. Yeah. So anyway, fascinating website, equally terrifying. Terrifying times, fascinating website. Right. But yeah, go and check it out for yourself. thispersondoesnotexist.com. And we'll put some links in the show notes. Joe, what's your pick of the week?


JOE CARRIGAN. Do you like rugby, Graham?


GRAHAM CLULEY. Is that the place in Yorkshire? Is that—


CAROLE THERIAULT. That's the one. That's the sport where people get cauliflower ears.


GRAHAM CLULEY. Yes. Physical sport. Physical sport. Rugby Union. Yeah. I don't really believe in physical sports. I view them as games. Oh, I view chess as a sport. I think these other things are just for kids, really.


JOE CARRIGAN. I think. Okay. Well, maybe this isn't going to be a great pick of the week for you then, Graham. Carole, do you like rugby? I'm going to be very enthusiastic.


CAROLE THERIAULT. Tell me everything, Joe.


GRAHAM CLULEY. She's a very sturdy winger. She'd do well. What?


JOE CARRIGAN. What, you used a term?


CAROLE THERIAULT. Yes, a sturdy word. Yeah. You been on the running machine today, Graham Cluley? No.


GRAHAM CLULEY. I will do after this. Carry on, carry on. Take that bit out. I know you will have anyway, Carole Theriault.


JOE CARRIGAN. So I got into rugby about 10 years ago when I was just flipping through the channels and I happened to see Ireland's team playing in the Six Nations tournament. And I kind of fell in love with the sport and I've been watching it or trying to watch it ever since. My interest grew, but I really wanted to see the Guinness Pro14 teams play rugby, which I couldn't do until this year. Thanks to ESPN here in the United States, they have a product called ESPN+. Now normally I wouldn't consider paying for a premium service like this. I'm not so into sports that, that I would pay for ESPN+, but what you can get with ESPN+ is you can watch almost all the matches from the Guinness Pro14 here in the US. And also you can see the nascent, here in the US again, Major League Rugby. It costs about $50 a year and I've been enjoying it.


CAROLE THERIAULT. Yeah, if you're a rugby fan, this is like, this is the bomb.


GRAHAM CLULEY. It's pretty great value, isn't it? It is. And for our other American listeners, we should explain that rugby is like American football, but without all the namby-pamby padding and helmets and all that stuff.


JOE CARRIGAN. It's nonstop action. In an American football game, you'll get like 11 minutes of action out of 60 minutes of play. And in a rugby game, they're 80 minutes long and you'll probably get 60 minutes of action out of it.


CAROLE THERIAULT. You guys like a lot of violent-y stuff though. Don't you guys have that Ultimate Fighting or something?


JOE CARRIGAN. Cage fighting? Yeah, yeah, we do.


CAROLE THERIAULT. And there's like people that pay money for that. Gladiators. Yeah, gladiators.


GRAHAM CLULEY. Feeding Christians to the lions. Oh, that wasn't the Americans, was it? Opposite. There's another, some other people. Yes. Yeah. There's a lot of that going on. That's cool. I think $50, I think if you're into rugby, that's a fantastic deal really, isn't it? $50 for the entire year.


JOE CARRIGAN. It used to be a lot more money for that. And there were, there were things like Rugby Pass, which you couldn't get in the US that are like $150 a year for watching rugby. But here you can get a lot of rugby for $50.


GRAHAM CLULEY. You don't have to do any craftiness like setting up a VPN or anything to pretend you're in another country. This has actually been served now to the United... It is being served out to the United States right now.


JOE CARRIGAN. And when this app initially rolled out, they had some issues with authentication expiring rapidly. So every time I started up the app, I'd have to log in again. But now they've got that fixed and they've got some of the kinks worked out and it works pretty well.


CAROLE THERIAULT. This is the second time someone's talked sport, I think, on our show.


GRAHAM CLULEY. I think the first was John Laydon. I do mention chess a lot, Carole. It is a sport. Okay. What's your pick of the week, Carole?


CAROLE THERIAULT. So my pick of the week on this bleak February afternoon is funny. Right? Yay! We needed a bit of sunshine. So, it is a tiny bit computer-related. So sue me, Cluley. Sue me. So, this is the fun work of Trevor Moore. He's a musical comedian who cut his teeth at Saturday Night Live. And he's a little bit like Flight of the Conchords got wooed by Weird Al Yankovic, and they had a love child, and that child is called Trevor Moore. Okay. Yeah, so my pick of the week is his song and video called "My Computer Just Became Self-Aware." Now, I've only heard one other cyber-based song, and that was Kaspersky's "Packing the K" rap song.


GRAHAM CLULEY. Anyway, let's take a little quick listen to "My Computer Just Became Self-Aware." Feeling sad and depressed, so I packed me a hit and then computer said, "Dude, do you have more of that shit?" My computer just became self-aware and now it's fucked up on drugs and it is out on a tear. It's talking crazy and is updating its own software and it wants more, so humanity had better beware. My laptop is talking and this doesn't make sense. The first case of legit artificial intelligence. I guess the scientist guys are working on AI. Never gave cocaine or Monster Energy a try. How are you talking?


CAROLE THERIAULT. Funny, right? You can listen to the whole thing on YouTube. Happy February. I know you love it.


GRAHAM CLULEY. There you go. Fantastic. Well, thank you, Carole, and thank you, Joe, as well for joining us on the show for your first time. I hope you won't be a stranger and you'll come back again. If people want to follow you online, which I'm sure they will, what's the best way for folks to do that, Joe?


JOE CARRIGAN. They can follow me on Twitter @JTCarrigan.


GRAHAM CLULEY. C-A-R-R-I-G-A-N. Awesome. And you can follow us on Twitter @SmashinSecurity, smashin' security, no G, Twitter won't allow us to have a G, and you can join in the discussion on Reddit as well. Just go to smashingsecurity.com/reddit where we are having a thriving little community chatting about everything on the show.


CAROLE THERIAULT. And please slap your hands together for this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And high fives to all of you, our wonderful dear listeners. And before you do anything else, go check us out on Castbox. They are a podcast service that supports some brilliant shows, including Smashing Security. How brilliant is that?


GRAHAM CLULEY. Yeah, it's a great app for listening to all of your podcasts. Go and check it out and subscribe to us and you'll never miss another show. Until next time, cheerio, bye-bye, later skaters, see ya. Well, there we go. There we go. I'm going to hit stop recording. Don't close your bra—

-- TRANSCRIPT ENDS --