163: Russian heists and Ring wrongs

Should possessing malware be illegal in itself? How did a Russian cryptocurrency exchange millionaire lose his fortune? And what on earth are Amazon Ring doorbell cams up to now?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.

And don't miss our special featured interview with Adrian Sanabria, all about Thinkst Canary.

Visit https://www.smashingsecurity.com/163 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Castbox, Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guests: Adrian Sanabria and Lisa Forte.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. And the FSB, for people who don't know, that's like the modern name for the KGB, isn't it?


CAROLE THERIAULT. Yes, the modern name.


LISA FORTE. Yes, the rebranded version.


GRAHAM CLULEY. Yes, it's like New Labour and Labour.


CAROLE THERIAULT. Circa 1985. Okay.


LISA FORTE. Anyway, it's like New Labour.


CAROLE THERIAULT. God, I know, just don't.


UNKNOWN. Smashing Security, episode 163: Russian Heists and Ring Wrongs. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 163. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault. Still.


GRAHAM CLULEY. You're still Carole Theriault. Wonderful. Still haven't got the upgrade. Never mind. And we are joined this week by returning guest Lisa Forte. Hello, Lisa.


LISA FORTE. Hello.


CAROLE THERIAULT. Welcome to the show.


GRAHAM CLULEY. Well, she's been on before.


LISA FORTE. Thanks so much.


CAROLE THERIAULT. I know, but what, do you never welcome a guest when they come into your house for a second time?


GRAHAM CLULEY. Lisa, you have just returned to old Blighty, haven't you, from America? Did you leave pre-election or post-election?


LISA FORTE. I left pre-election.


GRAHAM CLULEY. Right, so you've come back to this dystopian nightmare that we're now living in, in the final days before the Brexit bell tolls. It's coming this Friday, isn't it?


CAROLE THERIAULT. I am actually flying into the UK on the morning of February 1st, at something like 7:00 AM.


GRAHAM CLULEY. That's what you think?


CAROLE THERIAULT. So I may be, yeah. So as long as I don't get the coronavirus, I'll be one of the first people to come into the country under its new guise.


GRAHAM CLULEY. Ah, lovely. Good to have you back. What's coming up on the show this week, Carole?


CAROLE THERIAULT. First, let's thank this week's sponsor, LastPass. Its support helps us give you this show for free. Now Graham looks into how Maryland might make malware possession a crime. Lisa tells us a crazy Russian heist story. And I give Amazon a bit of a spanking. Plus, we have a bonus featured interview for you today, thanks to our friends at Thinkst. Stay tuned to hear all about their Canary tool, which Graham and I both think sounds pretty darn cool. All this and so much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, malware. Do you have any in your pocket? Have you secreted any about your person?


CAROLE THERIAULT. What do you mean, like an infected USB?


GRAHAM CLULEY. Well, maybe, I don't know. Have you got some hidden away on your hard drive? Well, watch out. Take heed, because the state of Maryland in the good old US of A is proposing a new law that could ban the possession of malware, actually make it a crime to be carrying malware.


CAROLE THERIAULT. Okay, I am so glad that Lisa's on the show. Lisa, is it not a crime already to be in possession of malware?


LISA FORTE. Oh, I don't know.


CAROLE THERIAULT. Oh, sorry.


GRAHAM CLULEY. Well, I can tell you, no, it's not. So why should it be?


LISA FORTE. I think— pretty sure it's the use of it at the moment. But what's kind of interesting to me is that actually, when you look at what the bill is that they've put forward, it says possession and intent to use. Yes. And what I don't understand is, why can't it just be strict liability? You know, in the same way that in the UK, possession of a firearm or possession of Class A drugs, you know, the fact that you've got it on you is the crime. I don't understand why that wouldn't be the situation.


GRAHAM CLULEY. Oh, well, you see, I think you should be able to possess malware. And I speak as someone who used to be employed by an antivirus company which had millions of pieces of malware on its network for completely legitimate reasons, for analysis and research. And it would have been a complete nuisance if we hadn't been able to store the stuff and indeed share it with other researchers. And so distributing malware, I don't think should be a crime either.


CAROLE THERIAULT. I think it would be fair for the general public to assume that companies get a special, like, rights to view and manage and work with malware. Like, you'd like to think that was what was going on and that people that shouldn't actually have access to that stuff, it's illegal. And the reason it's a problem is because computers are not vaults, right? So if you've got malware sitting somewhere, that is maybe not fully secure and that gets out, that can cause all kinds of havoc.


GRAHAM CLULEY. Oh yeah, that would be a problem, of course. But who says that you shouldn't be allowed to have a virus-infected computer if you want to have a virus on your computer or a piece of ransomware?


CAROLE THERIAULT. I would like to think that legislation would. I'm a little surprised it doesn't actually. I'm—


GRAHAM CLULEY. Carole!


CAROLE THERIAULT. What?


GRAHAM CLULEY. It's terribly right-wing of you. Really? Oh, right.


CAROLE THERIAULT. Yeah, make it a partisan issue.


GRAHAM CLULEY. Well, no, I just think that, you know, people should be allowed to do what they like with their computer, if they've got malware on it, it's not— if it's not doing any harm to anybody else, where's the problem?


CAROLE THERIAULT. I have no problem if the computer is completely offline and not connected to the good old internet. But if it is, doxing.


GRAHAM CLULEY. It's a bit of argy-bargy this week. All right, just imagine this, right? Imagine you are a 19-year-old student and you're really interested in computer security and you would love to have a job working for an antivirus company, but none of them will give you a job. Because you haven't been able to demonstrate your expertise. And so you think, right, I will become an independent security researcher. There's a piece of ransomware which is spreading right now. Let's imagine, for instance, the WannaCry worm, right, which hit the NHS. And I will analyze it on my computer and I will try and work out some kind of antidote or some way of stopping it. Should that person be guilty of a crime simply because they possess the ransomware? I would argue, no, they shouldn't.


CAROLE THERIAULT. But maybe they should go through proper channels in order to be able to say, I am, like, in the same way the cops, you have to go into the evidence room, and if you have to sign in and sign out to say, "Yes, I've got possession of this now and I'm looking at it," it'd be nice to have a log of that, don't you think?


GRAHAM CLULEY. Or you're suggesting maybe people should have some kind of license. So maybe companies or individuals who are in the business of analyzing malware should have some sort of checks done to make sure they're not, you know, don't have a neckbeard.


LISA FORTE. But you know what? What about the exemptions though? You know, like, if you think of cocaine, and someone, I don't know, the police confiscating it and sending it then to a lab to test that it was in fact cocaine. That lab is in possession of cocaine at that moment in time, but they're exempt from being charged with the strict liability offense of possession of a Class A drug. So I think we're talking about sort of outlying people, but I think the general public who are not interested in analyzing malware, um, certainly not in my household, um, why should they have that on their computers anyway?


CAROLE THERIAULT. I think we're missing a much bigger point here, though. Is the big point going to be that, oh, I got hit by ransomware, therefore there's ransomware on my network computer, therefore I'm breaking the law?


GRAHAM CLULEY. Yeah. If your day wasn't going badly enough already. Quite. Okay. So in respect to this law in Maryland, I have to backtrack a little bit because the specific Senate bill, which has been proposed, labels the possession and intent to use ransomware in a malicious manner as a misdemeanor punishable by up to 10 years in prison and a $10,000 fine. So you have to prove that they've also got intent to use it maliciously, which hopefully antivirus companies and security researchers don't have. So it's an interesting debate, this, you know, should all malware be banned? I, like I said, I personally don't think it should be, but yeah, and intent is an interesting word, isn't it? Right.


CAROLE THERIAULT. I don't know about its legal parameters. Like, is it, you know, me going on Facebook and going, "God, I wish I could put some ransomware on this guy's computer." Done.


GRAHAM CLULEY. It certainly makes it a more difficult thing, I would imagine, to prove, as opposed to possession.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. The problem really is that the main people possessing malware are, of course, the poor sods who've had their computers infected by it.


LISA FORTE. Yeah.


GRAHAM CLULEY. You know, and we wouldn't want to criminalize them because they're already having a tough enough time. So, if you look at this Senate bill that's been proposed in Maryland, it says a person may not knowingly possess ransomware with the intent to use the ransomware for the purpose of introduction into a computer or network or system of another person without the authorization of the other person. And I agree. I think existing computer crime laws pretty much cover that. And they say, you know, you can go on to other people's computers, you can break into their networks if you've got their permission. If you don't have their permission, if you don't have their authorization, then that's something which is obviously illegal. And similarly, so I don't see why this law is necessary because it's already committing computer crimes through the malware actually breaking into the computer without the permission.


LISA FORTE. Exactly.


CAROLE THERIAULT. Yeah, it seems like an added layer of something that may be already addressed in the distribution, you know, with intent.


GRAHAM CLULEY. Which makes me wonder, why did Maryland do this?


CAROLE THERIAULT. Mm-hmm. Good question. Tell me you've got a cool answer.


GRAHAM CLULEY. Oh, well, I see. I was thinking about this and I was thinking, could Maryland's... Oh God.


CAROLE THERIAULT. Oh no.


GRAHAM CLULEY. I was thinking, you know, it might be a natural progression from the Maryland cookie debacle. So maybe with web— anyway, it's cookie— no, no, no, it's nothing to do with cookie legislation, Mary.


CAROLE THERIAULT. I don't even know what that means.


GRAHAM CLULEY. It's Maryland cookies, Carole. Do you not eat Maryland cookies?


LISA FORTE. Oh, you know what, I don't think people in Maryland know about Maryland cookies. Yeah, I don't know either.


GRAHAM CLULEY. They're a big hit here in Oxford in my household.


LISA FORTE. They're very yummy cookies or brownies or Graham's household will find this joke really funny, but everyone else, not so much.


GRAHAM CLULEY. Maybe we should be linking as a pick of the week to the Maryland cookies, I don't know. But anyway, look, the real reason is this, the real reason, I'm sure someone out there eats Maryland cookies.


CAROLE THERIAULT. Someone sniggered somewhere, yeah.


GRAHAM CLULEY. The real reason is that some cities in Maryland have of course had their run-ins with ransomware. Who can forget Baltimore in Maryland, which in the space of one year, the city of Baltimore was hit twice by ransomware. Once they had their 911 emergency dispatch system that was knocked offline. And the other time they were hit by the RobbinHood malware when a bunch of merry men rode in on their horses wearing green tight pants and installed malware onto the computer systems. Anyway, Baltimore refused to pay up, as we discussed way back in Smashing Security episode 151. And the mayor said, well, we're not going to give in to the extortionists. You know, we're just gonna recover from our backups. Although it later turned out that their backups were shit because they were—


CAROLE THERIAULT. You know what's interesting? Yeah.


GRAHAM CLULEY. They were only backing up to the same hard drive. So they just copied files to another folder on the same computer. So the backups weren't safe.


CAROLE THERIAULT. You know, this is why municipalities should offer a fairly good salary package for their IT security folks. Now, did I not read this week that New York is going to propose that paying ransomware is... you know, paying for ransomware, what's it called? Paying ransomware.


GRAHAM CLULEY. Yeah, paying ransom demands.


CAROLE THERIAULT. Paying ransomware ransoms is going to be illegal.


GRAHAM CLULEY. Well, I don't know if it's illegal or not. Certainly they don't like it.


CAROLE THERIAULT. No, no, they're looking at putting a law to put it forward in New York. It's not illegal now, but they're thinking of doing that, which is interesting because they're basically saying you're helping fuel more ransomware attacks by paying them off, even though you get on your feet faster.


GRAHAM CLULEY. It definitely does encourage more attacks, the knowledge that many people will pay up, without doubt.


LISA FORTE. Especially with insurers as well. If insurers say you must pay and you know someone's got cyber insurance, pretty good bet that they're going to pay.


CAROLE THERIAULT. Yeah, it's a lot less hassle than all the paperwork you have to go through.


GRAHAM CLULEY. And a lot less money. In Baltimore's case, I think the bad guys were asking for about $70,000 and Baltimore ended up paying about $6 million.


LISA FORTE. Yes.


CAROLE THERIAULT. Well, we examined where that cash went and it didn't look very—


GRAHAM CLULEY. No.


LISA FORTE. Yes.


GRAHAM CLULEY. So there have been initiatives by different cities. There's like a council of mayors or something where they're all sort of saying, we pledge not to pay ransoms in future. So I think people are beginning to move that way a little bit. Again, I'm not sure if it should really be legislation because sometimes a ransomware attack, you may have no option but to pay. You know, it's like your business goes bust if you can't recover the data.


LISA FORTE. Well, also I think the problem with black letter law, so I actually have a background in law, and the problem with black letter law is that it's so slow to develop. I mean, if you think about in the UK and the US, it has to pass through a bicameral system. Two houses have to approve any piece of legislation. That's why in the UK, we're stuck with the Computer Misuse Act of 1990.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. I don't know if this bill is going to pass or not. Obviously, I'm encouraged by the fact that they're saying you have to have intent and you have to infect or attempt to infect without authorization.


LISA FORTE. How are they going to enforce it though? Because it's all well and good having any law you want, but if you can't actually detect these people, make arrests, is there any point?


GRAHAM CLULEY. Exactly. I doubt many cybercriminals are going to be pooping their pants over this, right? I mean, has making anything illegal ever stopped it from happening? The bad guys are making so much money anyway. I would have thought existing computer crime laws were enough to bring these guys to book if they've been identified. And if they haven't been identified, this isn't going to help do it, is it?


CAROLE THERIAULT. Yeah, I'm just looking right now at Maryland's current computer misuse laws.


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. And so misdemeanor computer crimes, a person who illegally accesses a computer is guilty of a misdemeanor. So basically authorization is very much part of that.


LISA FORTE. Yeah.


CAROLE THERIAULT. It seems like it's already being handled.


GRAHAM CLULEY. I think so.


CAROLE THERIAULT. Well, I'll put this link in your show notes so that people can go see what is currently being available in Maryland and you can see whether you think this is something that they need.


LISA FORTE. Can I just say, I have one more issue with this thing, right? Yes, yes. And it kind of comes around what lawyers love the most, which is like defining things within an inch of their life.


GRAHAM CLULEY. Making money, I'd have said. But anyway, yes, okay.


LISA FORTE. If you look at like, I was reading about this story, and if you look at the situation in the UK with legal highs, how they've done it is that they've defined the legal high by the formula. So then someone changes the formula ever so slightly, and that substance is no longer an illegal substance anymore.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. Oh, so if you want to make an illegal high, you've just got to look up the legislation and it gives you the recipe. Is that what you're saying?


LISA FORTE. And just change it a little bit and then it's not illegal because they've done it by the formula of the drug. So if you're starting to define ransomware, how does that work?


CAROLE THERIAULT. That's a really interesting point, Lisa.


GRAHAM CLULEY. And malicious software is a difficult thing to define as well, isn't it?


CAROLE THERIAULT. Yeah, and there's like potentially unwanted apps, right? So then it's like, where does it sit? It's kind of gray, you know, along the spectrum of bad to good.


GRAHAM CLULEY. Plenty of people would consider Windows 10 being pretty malicious, wouldn't they? Well, I just hope that legitimate security researchers never find that they have to go and apply at the local council office or sub-post office to apply for a license to handle malware, rather like getting a dog license or something like that.


CAROLE THERIAULT. I don't know what your issue is with that. I don't have a problem with that. Well, it's just a bit too much work for you.


GRAHAM CLULEY. I probably would, probably. And also, I don't know if I'd qualify, Carole. I don't have the neckbeard. You know, I'd probably—


CAROLE THERIAULT. Well, maybe you shouldn't be playing with malware. I certainly don't like the idea of you sitting there playing with malware on your computer. I don't think any of our listeners do either. Jeez.


LISA FORTE. Come on, Graham, get it together.


GRAHAM CLULEY. I do.


CAROLE THERIAULT. Every week, Lisa. Every week I do this.


GRAHAM CLULEY. Lisa, what's your story for us this week?


LISA FORTE. So my story is a very interesting one, and it actually starts 6 years ago.


GRAHAM CLULEY. Oh, topical.


CAROLE THERIAULT. Okay, I've got my popcorn, so ready.


LISA FORTE. It's a story unlike anything you've ever heard. So 6 years ago, two Russian gentlemen, Alex and Alexei, discover each other online, and they've never met, and they decide to start a cryptocurrency exchange together as a business.


CAROLE THERIAULT. How does that happen? What does that happen like? What, do they have just a few chats and they go, yeah, okay, I trust you, let's go?


LISA FORTE. Pretty much. I think that's how it goes down. And they developed this really unique USP to attract their customers, as all good entrepreneurs have to consider. And that is that they're not going to require anyone who invests to provide any ID. So no prizes here for guessing who this might appeal to.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Bad guys.


CAROLE THERIAULT. I mean, that's a good way to ensure privacy, right?


LISA FORTE. Totally. That's what they were really concerned about, I think. I'm reading between the lines, but I think roughly that's what it was. Anyway, so this cryptocurrency exchange becomes the third largest in the world. So they actually do really, really well out of it. And sort of in a celebratory kind of spirit, Alex says, well, let's go to Greece and take our families on holiday.


CAROLE THERIAULT. Okay.


LISA FORTE. So off they go to Greece. And Alex is on the beach enjoying the beach with his wife and kids. And suddenly out of nowhere, Greek police pop up and arrest him. And it turns out this was at the FBI's request. So his family quickly call Alexei, his business partner, and say, "Oh my God, you know, he's been arrested." So he quickly smashes up his laptop, runs to the airport to go back to Russia. Successfully. It transpires that the FBI have seized all of their stuff from their company because they were laundering stuff for people like the Fancy Bears and other criminals. So Alex is in a Greek jail and Alexei is now back in Russia. The FBI have seized all his stuff. So you might be thinking, what is an entrepreneur to do in this situation? Well, Alexei decides to recoup his losses by setting up another exchange.


GRAHAM CLULEY. Well, it worked before, didn't it? Let's have another go.


LISA FORTE. And he rakes in millions, and by millions I mean $450 million.


GRAHAM CLULEY. Barely anything.


LISA FORTE. Exactly. And we've all heard this story. He gets introduced to a Russian billionaire. We've all been there. And—


CAROLE THERIAULT. Some of my best friends.


LISA FORTE. Exactly. They're my best friends. And Alexei tells him, this billionaire, how much money he has in his company. And the billionaire says, "Oh, well, you should go and meet with these two FSB guys I know who will help you with your security." Oh, yeah.


CAROLE THERIAULT. Okay.


LISA FORTE. So Alexei's thinking, "Okay, yeah, this makes total sense."


GRAHAM CLULEY. This is awesome. And the FSB, for people who don't know, that's like the modern name for the KGB, isn't it?


CAROLE THERIAULT. Yes, yeah, the modern name.


LISA FORTE. We're just living under the rebranded version.


GRAHAM CLULEY. Yeah, yes, it's like New Labour and Labour, circa 1985.


LISA FORTE. Okay, anyway, it's like New Labour.


CAROLE THERIAULT. God, I know, just don't.


LISA FORTE. We'll go with it. Anyway, so Alexei goes and meets these two guys from the FSB, and they say to him, look, you've got to watch out for those pesky Americans, and we will, we will set up a special FSB fund, and if you transfer your $450 million into this fund, we will keep it secure from them. Okay, so yeah, so Alexei's thinking, oh my God, this is a genius idea, why didn't I think of this, right? So he did it.


CAROLE THERIAULT. Uh-huh.


LISA FORTE. Um, so now Alexei goes back home.


CAROLE THERIAULT. He's feeling pretty smug, I'm guessing.


LISA FORTE. Well, he's actually feeling a little bit sick, and it's not because he's drunk some tea that's been poisoned. He's feeling sick because he suddenly realizes that this doesn't make sense. And it transpires that the billionaire, the FSB agents, and the $450 million have all disappeared into thin air.


GRAHAM CLULEY. Oh no.


CAROLE THERIAULT. So they totally— he got totally conned.


LISA FORTE. Yeah, totally conned. Now if you're listening to this and you're thinking, funnily enough, men posing as the FSB stole $400 million out of my account, you would report that to Action Fraud. Okay.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Just so we're all clear. Who then spring into action.


LISA FORTE. Yeah. And they've got a special folder for cases just like this.


GRAHAM CLULEY. It's fine.


LISA FORTE. Yes.


CAROLE THERIAULT. Yeah, of course they do. So yeah. Wow.


LISA FORTE. What a story. Poor Alexei.


GRAHAM CLULEY. So he didn't do that.


CAROLE THERIAULT. Oh, well. Yeah, literally.


LISA FORTE. I don't think Action Fraud are that interested in these things happening to Russian people in Russia massively. But—


CAROLE THERIAULT. So how does someone just set up an exchange like that and suddenly rake in $450 million?


LISA FORTE. Excellent marketing strategy would be my guess.


GRAHAM CLULEY. I don't know.


CAROLE THERIAULT. I wonder if they're using the marketing affiliate scheme just like the crypto queen.


GRAHAM CLULEY. Or just describe yourself as the privacy-conscious cryptocurrency exchange, which doesn't require any ID, which is going to attract lots of cybercriminals and the fancy bears of this world to launder their money through it. You know, and before you know it, ka-ching, you're making a little bit from every transaction which is happening. But my goodness.


LISA FORTE. Yes, and if you can imagine, he's been through all this. He's basically lost all of his money twice now. And you think you've suffered from entrepreneurial burnout? And this must be the extreme version of that.


GRAHAM CLULEY. And don't forget, he also smashed up his laptop and threw it in the sea in Greece.


LISA FORTE. I know.


GRAHAM CLULEY. Right?


LISA FORTE. And it's holding his phone. That's expensive.


CAROLE THERIAULT. Yeah, he's got to get a new one of those. He's using Apple. Jeez.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. Well, we are gonna talk about Amazon Ring. This is the smart doorbell camera. And it is being snapped up like hotcakes. Online sales grew 180% last year compared to the previous year. And last month alone, shoppers bought around 400,000 of the things from Amazon and other retailers like, you know, your Best Buy, Costco, Home Depot, and that sort of thing.


GRAHAM CLULEY. It's amazing, isn't it? I mean, I'm just finding so many people now have got these installed. I was down the chess club the other night and my mate Liam— hello Liam— he showed me his phone.


CAROLE THERIAULT. He said—


GRAHAM CLULEY. of course he does— and he said, look what's going on outside my house right now. And he showed me.


CAROLE THERIAULT. Right.


GRAHAM CLULEY. Nothing was going on.


CAROLE THERIAULT. Because I have a neighbor who has a kind of a stone wall around his front garden with a gate at the top. And it has a little inlet, right? And he's been complaining that people who are a little bit worse for wear coming home from the pub on Friday night like to use that little enclave as a urinal.


GRAHAM CLULEY. A little tinkle.


CAROLE THERIAULT. Which is quite— and so he was thinking of getting a Ring so that he could actually start yelling at them, right?


SPEAKER_03. To move on. I don't know.


CAROLE THERIAULT. Anyway, so, so yeah, so there's lots of people that are really into this, right?


GRAHAM CLULEY. Nothing stops me mid-flow quite like having an Amazon Ring shouting out at me, I have to say. Very off-putting.


CAROLE THERIAULT. Boo!


GRAHAM CLULEY. Crikey.


CAROLE THERIAULT. Exactly.


GRAHAM CLULEY. Goes all over my shoes.


CAROLE THERIAULT. So Amazon, one of the biggest and richest companies in the world, has, it turns out, been secretly packing these Amazon Rings with third-party trackers. And don't be confused by the word party here. This isn't like the party that any of you wanna be attending. By third-party trackers, I mean companies that Amazon agrees to do business with. And these guys get a proverbial front seat, you know, so they can hoover up all kinds of personal identifiable information from Ring users.


GRAHAM CLULEY. But what are they collecting? I mean, a Ring is just looking out from your door, isn't it?


CAROLE THERIAULT. Well, it's looking from your door, but it also has an app on your device.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. More specifically, your Android device. So 4 main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. So there are 4 of these. One of them is called AppsFlyer. It collected loads of stuff, but also collected info from the sensors. So that's like your magnetometer. I don't know how you say the word.


GRAHAM CLULEY. It's a measurement of how many Magnum ice creams you ate in the last 24 hours.


CAROLE THERIAULT. Magnetometer. I don't even know what that measures. There's a gyroscope, and I know there's internal calibration settings. There's also one going to our friends at Facebook. Oh, Facebook. So information delivered to Facebook, even if you don't have a Facebook account, like we don't, Graham, includes time zone, device model, language preferences, screen resolution, and a unique identifier which persists even if you reset the OS-level advertiser ID.


GRAHAM CLULEY. So I don't have the Ring app, obviously. It doesn't display ads within the app, I imagine.


CAROLE THERIAULT. No, it just basically has a private deal with these, at least these 4 third parties. And according to the EFF, they are basically sending this data to them. Now, what was slightly ironic here, so all this information's going out of your phone, right? Going outta your phone via the Ring app to these third-party providers.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And the traffic that was observed was being encrypted using HTTPS.


GRAHAM CLULEY. That's good.


CAROLE THERIAULT. But what's more, the encrypted information was delivered in a way that eludes analysis. So it made it much more difficult, according to the EFF, for security researchers to learn about and report these serious privacy breaches.


SPEAKER_03. Ah, yes.


CAROLE THERIAULT. Because it seems as though they've snuck these trackers on. And of course, you know, they're sharing them with third parties for vast profit.


GRAHAM CLULEY. So I can, I can understand why Amazon might want to use some third-party services to understand how their app is being used, right? I can understand how they might want to understand the user's experience, or if there were problems, or work out what kind of devices they were being run on, and, you know, and try and troubleshoot problems like that. But I can't understand why they would be sending information to the likes of Facebook and some of these other firms.


CAROLE THERIAULT. For— for ka-ching.


LISA FORTE. Apart from the fact that sharing is caring, Graham. Sharing is caring, okay?


GRAHAM CLULEY. But what are these third-party companies doing with this data? That's what I don't understand.


CAROLE THERIAULT. Simply advertising. So all this information is allowing these third-party marketing firms to build up a unique fingerprint of your activity, location, behavior, which in turn allows them to market services or products or anything to you much more accurately.


LISA FORTE. Do you know what I get? I get this targeted advertising, and some— for some reason, all it ever sends me is like, is your piglet sick? Do you want to know how to know if your piglet is sick? Or is your sheep okay?


GRAHAM CLULEY. And I'm like, I swear we have been worrying about it.


LISA FORTE. People think I'm a farmer. I literally don't know why this is.


CAROLE THERIAULT. I'm just wondering, you know, and what's kind of annoying is that, you know, Amazon is going around. So they've been in hot water about Ring for a number of months now for different reasons. And they've been doing a lot of, excuse me, the security is fine in Ring. Actually, I think you'll find it's the user's problem because their Wi-Fi isn't secure enough or they're not choosing correct passwords or they haven't enabled two-factor authentication.


LISA FORTE. Right.


CAROLE THERIAULT. And they've been kind of wiping their hands of all this responsibility. And this is just a little bit dirty because according to the EFF, they are not clearly stating in any policy and getting clear consent from anyone in all this.


GRAHAM CLULEY. So has Amazon said anything in response to this EFF report about this?


CAROLE THERIAULT. Not that I have seen at the time of recording, but I'm sure they will.


GRAHAM CLULEY. Well, you know what? I'm going to WhatsApp Jeff Bezos right now because I've got him in my contacts. I'm sure I can get him some of his attention if I send him a movie file. Hang on, let me just do this and see.


CAROLE THERIAULT. What's interesting though is like we as Smashing Security, for example, pulled off Facebook, right? We just said, look, your practices aren't very cool. We don't like them. We are, even though it's, you know, better for us to be on Facebook because it helps us promote our show and do all that stuff. It makes you wonder whether we as a collective should be actually giving the richest man in the universe more money.


LISA FORTE. Well, funnily enough, didn't Amazon Ring literally a few weeks ago have an insider threat issue where some of their employees were watching the Ring feeds?


GRAHAM CLULEY. Yes.


LISA FORTE. And they just basically said, oh well, we've terminated their contracts. And that was kind of like the end of it, as if to say, well, it's fine, and they're gone. So that's that problem solved.


CAROLE THERIAULT. And you know, maybe we only have Rings because, right, so we got addicted getting our packages really fast, right? So we're very happy to get people to pay less than minimum wage to be working 12-hour shifts peeing in bottles so they can get you your fuzzy whatever you ordered quickly to your door. But then the problem was that people were stealing these packages, 'cause they're getting delivered at all times of the day. And so basically, I think he's been onto this for a long time. He's like, now I can give you doorbells so you can watch your packages be, you know, mount up on your doorstep and make sure no one steals them.


GRAHAM CLULEY. Well, I think a good advertising campaign for the Amazon Ring would be that now you can watch your Amazon delivery person taking a leak by your wall at the front of your garden, because he's not got any time to do it any other time, just like your friend, Carole.


LISA FORTE. Exactly.


CAROLE THERIAULT. You know what though?


LISA FORTE. I just don't think— I know it sounds like a terrible thing, and you and I and the rest of the infosec community really care about all this, but normal people don't care. Like, I say this to people and they say, I don't really care if people have that data.


CAROLE THERIAULT. I don't really—


GRAHAM CLULEY. What?


CAROLE THERIAULT. Our listeners care, Lisa. Don't you guys? You do care. Listen, listen to them all screaming, yes, we care.


GRAHAM CLULEY. Maybe they could make even more people care if they told their friends to also listen to Smashing Security.


LISA FORTE. Oh, I like what you did there. You did a Jeff Bezos there.


CAROLE THERIAULT. Yeah, Jeff Bezos, he'd be proud. Anyway, go read the article, uh, on the EFF. It's penned by Bill Budington. Go read and go care.


GRAHAM CLULEY. Cool.


CAROLE THERIAULT. Hey, Graham.


GRAHAM CLULEY. Yes?


CAROLE THERIAULT. There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at lastpass.com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week?


CAROLE THERIAULT. Pick of the Week.


LISA FORTE. Oh, Pick of the Week.


CAROLE THERIAULT. Thanks for the enthusiasm.


LISA FORTE. You get one or the other. You either get lots of enthusiasm or nothing.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Shouldn't be.


GRAHAM CLULEY. Enthusiastic crow. Well, my Pick of the Week—


CAROLE THERIAULT. I'm just taking after Lisa.


GRAHAM CLULEY. My Pick of the Week is not a funny story, a book that I've read, a TV show, a movie, a record, a podcast, a website, or an app. It is a whatever, because my pick of the week is a person who sadly died this week. Who? Nicholas Parsons has died. Oh no. Oh no, are you finding out live on the show, Carole? Oh crumbs. So Nicholas Parsons died on Tuesday morning, and he was the host of a very long-running, over 50 years, a radio show called Just a Minute. Which is broadcast on the BBC World Service and Radio 4 here in the UK. And if you have access to the BBC Sounds app, you can also download episodes there. And Just a Minute was a terrific game show where you had to—


CAROLE THERIAULT. Mostly because of him.


GRAHAM CLULEY. Well, he has obviously been an absolute institution. He was the moderator of the quiz. And the point of the quiz, for anyone who hasn't ever heard Just a Minute, is to speak for 60 seconds without repetition, deviation, or repetition.


CAROLE THERIAULT. Did you say repetition twice there?


GRAHAM CLULEY. Yes, I did.


LISA FORTE. You've got very far on the show. Nope.


GRAHAM CLULEY. What is it? It's repetition.


CAROLE THERIAULT. Deviation, repetition, or—


GRAHAM CLULEY. The other one. Oh, I've forgotten now. You see? Isn't that irritating?


CAROLE THERIAULT. That is the worst. And we listen, so I listen to the show.


GRAHAM CLULEY. Without hesitation, repetition. Hesitation. Or deviation. There you go.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Well, I've been listening to this ever since I was a kid. I remember it in the glory years of the 1970s.


SPEAKER_03. It started in 1970.


CAROLE THERIAULT. 1960-something?


GRAHAM CLULEY. About 1967, I think. So it's been going an awfully long time.


CAROLE THERIAULT. And he was the host the entire time, guys.


GRAHAM CLULEY. The entire time. He just died at the age of 96. Oh wow. And I remember it back in the 1970s, the glory years of Kenneth Williams being a contestant. He was incredibly funny, very, very rude about Nicholas Parsons. It was just extremely entertaining. So I'm going to put in a couple of links where you can read more about Nicholas Parsons and the Just a Minute show. And I've also included a link in the show to a video of Nicholas Parsons at the age of— well, he must have been in his mid-90s— being interviewed very recently by comedian Richard Herring. And you will see that he was just as sharp as anything right at the end of his life. Very funny and an absolute star.


CAROLE THERIAULT. Legend. Legend. A legend.


GRAHAM CLULEY. There you go. So that is my pick of the week.


CAROLE THERIAULT. Oh, that is so sad.


GRAHAM CLULEY. Sorry about the repetition and the hesitation. And quite a lot of deviation, probably.


CAROLE THERIAULT. Constant deviation.


GRAHAM CLULEY. So Lisa, what is your pick of the week?


LISA FORTE. Well, mine is another game. As you remember, my last episode, it was also a game. So this game is called Her Story, and it's by a guy called Sam Barlow, and it's, it's a really fascinating game. Basically, you are given access to a fake police database and you're asked to review files to solve a murder that happened back in the early 1990s. So you have to start watching a few videos and pick out pieces of vital information that the victims or that, you know, friends and family and whatever give. So it may be that they say something about the company that the victim worked at, and then you search for the company name and pull up employee videos and so on and so forth. And there's so many avenues to go down, like you can literally go down the wrong avenue for ages and then realize it was a red herring. Um, but it's an amazing game, um, that's kind of a new genre of gaming in a sense.


CAROLE THERIAULT. Um, it came out a few years ago because I've played this.


GRAHAM CLULEY. Oh, have you?


LISA FORTE. Yeah, and it's, as Graham said to me, it's quite old.


CAROLE THERIAULT. I loved it. I loved it.


LISA FORTE. It's kind of like, um, yeah, yeah.


CAROLE THERIAULT. And you have to make decisions and choices and decide how you're going to go about finding out who the whodunit. Yeah, it's wonderful.


LISA FORTE. And you have to be so observant because you have to look at like the time of the video and little things they say and pick things out.


CAROLE THERIAULT. Great pick of the week, Lisa. I would never have remembered this. Excellent.


LISA FORTE. It just so happens that they've actually got a sequel that got released in August 2019. And this is like an NSA database that's been loaded onto a stolen laptop and you have to start piecing together that story. So it is really, really good. You have to pay for it, but it does mean that you don't get served up ads and have to buy additional credits and stuff like that.


GRAHAM CLULEY. It's certainly very different from the typical video game, isn't it? I watched the trailer for this, a little video, and the fact that you're sort of having to watch police interviews and videos and sort of then pick apart from the statements that people are giving you, it looked really interesting, all the different avenues which you could go down.


LISA FORTE. It does look a little bit weird if you're playing on the train because it kind of looks like you're just watching loads of police videos of people crying, but I mean, At least people don't sit next to you then.


GRAHAM CLULEY. Cheap thrills, right? Wherever, wherever flights should go.


LISA FORTE. Yeah, totally.


GRAHAM CLULEY. Okay, well, we will put links in the show notes for people who want to explore them even more.


CAROLE THERIAULT. Yeah, and I second it. Great, great, great pick of the week. Excellent.


GRAHAM CLULEY. Carole, we've had two awesome picks of the week. What have you got for us this week?


CAROLE THERIAULT. So I just wanted to carry on with my Bezos theme, right? So my pick of the week is an article penned by The Guardian columnist Marina Hyde. Do you guys read her ever?


GRAHAM CLULEY. I do. She's quite funny, I have to say.


CAROLE THERIAULT. Well, scathing.


SPEAKER_03. Well, yes, that's—


GRAHAM CLULEY. But she's a great columnist. She's very witty. There's only one thing I don't like about her.


CAROLE THERIAULT. I know what it is.


GRAHAM CLULEY. I think, I seem to recall, I seem to recall that she had some kind of relationship with Piers Morgan.


CAROLE THERIAULT. Oh no, they were certainly email pen pals.


GRAHAM CLULEY. She lost her job at one point. I think she was working for The Sun and he was the editor of The Mirror. They were secret, probably because she's quite witty and attractive in that fashion. Maybe he was, uh, sharp enough to her, who knows.


CAROLE THERIAULT. She's also a bit famous because Elton John once brought a libel suit against her.


GRAHAM CLULEY. Oh really?


CAROLE THERIAULT. Because she wrote, she used to write this jesty piece, kind of like a peek in the diary of X, right? This is like a weekly column thing. She did one on Elton John and he was not amused. But as he's not the actual queen, the judge threw it out.


GRAHAM CLULEY. Which is strange because normally he's considered so level-headed, isn't he? He's not someone who gets upset easily.


CAROLE THERIAULT. Well, anyone who wears those glasses has definitely got a level head in my view. Anywho, anywho, anywho, Marina wrote about the whole Saudi Arabia Jeff Bezos scandal that you were alluding to at the end of my story.


SPEAKER_03. I was.


CAROLE THERIAULT. Right, so this is like, what was it, end of January, UN investigators alleged that the de facto ruler of Saudi Arabia may have been the one responsible for hacking doxing Jeff Bezos's mobile phone. And according to a forensic report prepared for Bezos, Bezos got the infected video file on WhatsApp, and, um, claims that it opened a backdoor on Bezos's phone, and that's how all the pictures got leaked. Right now, of course, of course, uh, there's the Saudi Embassy in Washington is saying this is absurd. But, uh, Marina wrote about this, and she had some— let me just read a little, a little, just a little excerpt for you. Guys, so she says, what elevates the story of how Bezos's underpanted selfies may have made their way into the public domain is the identity of the hacker, who was probably none other than Saudi bear and human lumberjacker Mohammed bin Salman. From here on in, we will refer to the Crown Prince by his desired nickname, MBS, which he has no idea sounds like a dinosaur carpet warehouse on the Ring Road, or the name slapped on the off-brand trainers your mum picked up at the supermarket, which she insists are exactly the same as Nikes except for a couple of tiny bits that no one's going to notice. Cute, right? She's got a real cute way about her.


GRAHAM CLULEY. Who can blame Piers Morgan? I mean, that is quite funny, isn't it?


CAROLE THERIAULT. Exactly. Even you can. So I say read it.


LISA FORTE. Yeah.


CAROLE THERIAULT. And I've put a few links to a few of my other favorite stories she's written about. But she's, you know, sometimes in this world of very, very— a lot of news can be pretty dry. Sometimes you need someone with a bit of Sass.


LISA FORTE. I agree. You need that sometimes because it's so monotonous otherwise.


CAROLE THERIAULT. So yeah, and scary and awful. So you can read the stories and you yourself can make up your own mind as to whether Saudi Prince hacked the Amazon King.


GRAHAM CLULEY. Well, great pick of the week, Carole. Now, before we say cheerio to everyone, we've got a little bonus.


CAROLE THERIAULT. Oh yes, we do.


GRAHAM CLULEY. Coming up, haven't we, Carole?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Carole and I, we met up with Adrian from Thinkst, who wanted to tell us all about his really rather cool-sounding Canary tool. And we think you'll be interested too.


CAROLE THERIAULT. Enjoy. So we have a featured interview for you today on Smashing Security. Meet Adrian Sanabria. Now he works at a company called Thinkst and Thinkst creates this pretty nifty little tool. Uh, Graham and I got a demo last week and we both thought it was so cool that you might want to hear about it from the horse's mouth. Well, not a horse's mouth, but Adrian's mouth.


GRAHAM CLULEY. It's not Mr. Ed.


CAROLE THERIAULT. Adrian, welcome. What an intro.


SPEAKER_03. Yeah, thanks for calling me names already. I'm not even on the show yet.


CAROLE THERIAULT. So maybe we should start with a pain point so everyone can kind of get cozy. Can you give me maybe a typical frustrating scenario for an IT security guy or gal out there?


SPEAKER_03. It's a narrative that we've seen for decades in security, and it's that when attackers get past these preventative defenses we have, these exterior defenses, it always seems like they have just carte blanche to stroll around the network, take what they want, do what they want. And it's, you know, we're used to seeing these dwell time metrics in the hundreds of days where attackers have just been lounging about doing whatever they want to do, whatever they need to do on our networks. And it's frustrating, right? I'm sure it's embarrassing and it's frustrating to think that somebody might be in right now and you wouldn't know it. So that's what we go after.


GRAHAM CLULEY. It's a terrible thing. I mean, sometimes it takes months for businesses to realize that they've been breached. And if it's taken months and months, then the amount of data which could have been stolen is enormous.


CAROLE THERIAULT. And the first question would be, how long have they been there?


SPEAKER_03. Yeah, right.


CAROLE THERIAULT. That's what the boss is gonna ask. So what does Canary do? How does that address this problem?


SPEAKER_03. Yeah, so our Canaries are honeypots that you put on the internal network. You can make them look like various different things, anything from a SCADA device, you know, something from Honeywell or a Windows file server, something like that. And they look the part down to the MAC address, how they talk on the network. You know, they look and talk and walk like the ducks we make them to look like. You know, you put them places, there's some strategy behind it. You know, where are you going to place them, how many you're going to use, what you make them look like. You want them to look enticing to the attacker. You know, we want to be the first device that the attacker goes after so that you find out as quickly as possible that there's been an intrusion. And the idea is you have a chance to, you know, once they go after our device and we start sending off alerts, which is going to happen the moment they start messing with it, if they scan, if they try and log into it, do anything with it, that it's gonna scream Bloody Mary, let you know.


CAROLE THERIAULT. I guess when you, when you say enticing, you don't mean so enticing that they actually want to attack you. More that if they are sniffing around your network already, you want to have them go into a honey trap as opposed to on a real live, you know, bona fide data service.


GRAHAM CLULEY. Right.


SPEAKER_03. So, so the scenario here is they've already achieved some level of access to your network. They've already gotten in. You're going to have these canaries on your internal network. So this works equally well for insider threats as it does for external threats.


GRAHAM CLULEY. And these are literally, I mean, let me get my head around this. These are literally little black boxes or can be little black boxes, which you plug in, you scatter around your network, maybe pretending to be some old Windows computers or running whatever operating system you wish, disguised as different things. And so if an intruder or if a malicious insider was snooping around, they might trigger it just by almost like trying the handle of the door. It's not like they can get into them, but just trying the handle will set off an alarm which you will pick up, but they won't even know that they've triggered it.


SPEAKER_03. That's exactly right. And what we're taking advantage of is, is the act of snooping, as you put it, requires you to do certain things, you know. And I like to say, unless the attacker's just extremely lucky and lands right on top of a very detailed Visio diagram of your network and how to get to the good stuff, they're going to have to do some snooping. They're going to have to take some actions to search the network to find what they're looking for. And we use that to detect those, those actions. We use these canaries.


CAROLE THERIAULT. Canary. These are actual physical devices, right? Like they, they're like plug and play. So it's not the— I remember you showing us how easy it was to set up and it kind of blew me away. So maybe you could kind of walk our listeners through that.


SPEAKER_03. And a lot of it goes back to that philosophy of making this as simple and painless for the customer as possible. It takes 3 or 4 minutes to set up these devices, whether it's the physical one that you mentioned or we've got VM versions, where we've got Azure, AWS, and Google Cloud versions; all take 3 or 4 minutes to set up. We like to say, you know, you could stay back from lunch, let your colleagues go out to lunch. By the time they get back, you could have 10 or 20 of these deployed and be done, right? Like, another philosophy is we don't want— we didn't want to create another product where you've got somebody in the organization labeled the canary guy. And what the canary guy does is he comes in, he logs into the canary console, and the canary console creates busywork for him to click things and tune things and gives the illusion that he's doing security work when he's really just got busy work inside of this console.


CAROLE THERIAULT. Yeah, that's such a good point, that idea that tinkering feels like work, but actually, you know, if it's properly set up to begin with, if you can get a nice, you know, kind of almost default setup where there's just only the basic configurations you have to do, it's so much more attractive to me, certainly.


SPEAKER_03. And I hate to offend anybody, you know, I'm sorry if you're the guy that manages the WAF or the SIEM, you know, you're probably familiar with what I'm talking about. I don't want to say that what you're doing isn't important, but there's a chance that it might not be all that helpful in the greater scheme of things. So yeah, we wanted to avoid that. And our devices update themselves once you've deployed them. There's nothing left to do except wait for them to send you alerts.


GRAHAM CLULEY. And what I like about this approach is, is rather different from the conventional security tools which many companies already have. It's not like you're saying run Canary tools, you know, put, put these in place across your network and chuck out your antivirus and chuck out all these other protection measures which you— this is something which very much complements your existing security.


SPEAKER_03. That's right. Yeah. And it's— and it does one thing very, very well. You know, it lets you know if something fishy is going on on your network or if we get into talking about the Canary tokens in other places, you know, so we've got tokens that you can put in your email, on file servers, on flash drives, even in physical places, you know, to allow you to trap and trick people in other ways.


GRAHAM CLULEY. So these tokens, they're almost like landmines, if you like, or they're some sort of sensor. So if someone— yeah, so if someone was to go into an email or maybe into an Amazon bucket and mess around there, you could trigger one of these things and you'd be thinking, whoa, what's going on here then? There's obviously some badness going on.


SPEAKER_03. Yeah, and we do have an Amazon S3 bucket token that'll do exactly that.


CAROLE THERIAULT. They don't actually have to activate anything, do they?


SPEAKER_03. No, but generally because we operate on the inside, you know, even maybe that initial device that they get onto, you know, that's the behavior we're looking for. And the problem with going any further out than that, we wouldn't ever recommend putting a canary on the public internet, for example, is all of a sudden you go from this device that we can easily get down to zero false positives. When it fires off and alerts you, you can be sure that something's going on that shouldn't be. When you move it to the outside, those types of activities are normal all day long. There are thousands of IPs that are just scanning the entire internet, trying to log into things, and all of a sudden you get that alert fatigue issue again and you're just overwhelmed with maybes instead of higher quality alerts.


GRAHAM CLULEY. So this accidental triggering is an interesting idea because I'm wondering what happens if you get a pen test crew in? What if you actually challenge a company to see what your defenses are like? I would imagine they might stumble across some of these things and think that they've hit the motherlode, think that they've almost accessed some great big database or some such.


SPEAKER_03. That's actually something our customers really, really love. If you think about it, some companies have been doing pen tests for almost two decades now, and they're used to the pen testers coming to them and just laying down this laundry list of things that they should feel ashamed about. Look at all the ways that I pwned your systems. We hear stories like, like, uh, oh, you know, while waiting in the lobby for, for them to come get me and show me to the cubicle where I do my, my pen test work, I, I already broke in and I got domain admin. And, you know, we hear stories like that. Now from our customers, we hear the opposite. We hear, oh, we caught the pen testers in the first 10 minutes, or, or stories like, um, you know, the pen test was supposed to end on Friday, uh, but they continued on Monday, and we know because our canaries told us. I love it.


CAROLE THERIAULT. That could be your strapline. Canaries, get your smugness back.


SPEAKER_03. Yeah.


GRAHAM CLULEY. So another feature which I really liked was not just that you could set up these sort of fake computers and fake servers for the hackers to try and hack into, but you could also make it appear as though they had certain files on them, like an employee database or an HR spreadsheet and so forth. And although they wouldn't necessarily be able to download it, they could see the file name and they they would keep on trying to access this darn thing. And that's something you can do with the canary too.


SPEAKER_03. Absolutely. And, and actually, you can let them download them. Those files can, can have data in it that, that looks real. You could create a password spreadsheet with, with realistic looking passwords. Just get a password generator, get a bunch of real sites, and, and fill that thing with real data. None of it's actually real, but the attacker doesn't know, and name it appropriately. And, and that spreadsheet will let you know anytime anyone opens it anywhere in the world. It's not dependent on being on your network. And also, this is a, this is a service we give away for free. You can go to canarytokens.org and you can create these for free. We've got over 100,000 people that use this, this free service. And the, the commercial version has a few more things that make it more polished, more nice to use in an enterprise. But generally, most of the same tokens we have in the commercial version are available in the free version. And I know people that, for example, upload their resume and token the resume so they know if people have opened their resume after they've sent it off. When did they open it? How many times did they open it? Did they open it right before the interview?


GRAHAM CLULEY. Oh my goodness.


SPEAKER_03. Yeah, so generally with the canary tokens, the bit of information that's most important is that somebody's in there. Ransomware in the first place. And the information you get back varies. Like, for example, just a standard Word document token will at most let you know what IP address that they were coming from when they opened that Word doc and it reached out. So that'll be somebody's internet address. In my case, that'll be my AT&T broadband IP address. But in other cases, we have some macro Word and Excel. And if somebody enables that macro, which you can do if you name it the right type of file, you know, a lot of accounting departments use macros in their documents. Maybe you can get somebody to enable that macro and that macro will pull your username, the hostname, and the internal IP address as well. So that's kind of the other extreme of the information you can get. You know, we're not putting like a remote access Trojan or anything like that.


GRAHAM CLULEY. No, no.


SPEAKER_03. It's just little bits of information. Yeah.


GRAHAM CLULEY. And of course, if someone is accessing something they shouldn't be with a web browser, then there'll be certain information about the web browsing client that they're using, I would imagine, and the operating system and the screen dimensions. So there's still some information.


CAROLE THERIAULT. This is like a really early heads up so that you can go and lock down whatever particular place you might think might be vulnerable.


SPEAKER_03. And that's the whole idea of the strategy behind the product is to give you this early detection so that perhaps you can do something about it before any damage is done.


CAROLE THERIAULT. Hmm. Cool. Before we go, how does this product fit in with threat hunting and all that stuff?


SPEAKER_03. Traditionally in threat hunting, you're searching for indications that, you know, somebody's already gotten in, you know, indications of threats that that weren't surfaced by your IDS or your WAF or the rules and signatures that are already in place to detect bad stuff. And with the canaries, the idea is, well, what if that would just come to you? What if we flip that model and we set up your network in such a way that badness would just reveal itself automatically?


GRAHAM CLULEY. Because the typical scenario at the moment is that a data breach occurs and the first a company knows about it is when the credit card companies, or more likely Brian Krebs, gives you a phone call, right? And tells you you've got a data breach. You don't know anything about it until it's brought to your attention that way. Something like this will hopefully catch an intruder much earlier on in the process and hopefully before any damage is done and data is stolen.


SPEAKER_03. Exactly.


CAROLE THERIAULT. Cool.


GRAHAM CLULEY. Very cool.


CAROLE THERIAULT. Adrian, thank you so much for coming to chat with us today. It has been fascinating. I love, I love businesses doing clever, clever things like this to help ease our lives. So thank you for existing.


SPEAKER_03. Thank you for having me on. It's— I love listening to the podcast because there's so much humor. You know, it could be such a dry topic. You guys, the banter back and forth.


CAROLE THERIAULT. Someone once called it bickertainment.


SPEAKER_03. That's brilliant. Yeah.


GRAHAM CLULEY. That just about wraps it up for this week. Lisa, thank you so much for coming on the show. I'm sure lots of our listeners would love to follow you online and find out more. What's the best way for folks to do that?


LISA FORTE. Twitter is a really good option, @LisaForteUK.


GRAHAM CLULEY. Terrific. And you can follow us on Twitter as well, @SmashingSecurity, no G. Twitter won't allow us to have the G. And don't forget that if you want to ensure that you don't miss a future episode of Smashing Security, you should subscribe to us in your favorite podcast app. Just go to the App Store, whatever flavor of smartphone you have, and check out a podcast player such as CastBox.


CAROLE THERIAULT. And a huge thank you to all of you for listening to us, supporting us on Patreon, and giving us swoon-worthy reviews. Also, a big shout out to this week's sponsor, LastPass, and to our special guest, Thinkst. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time. Cheerio.


CAROLE THERIAULT. Bye-bye. Bye.


LISA FORTE. Bye.


CAROLE THERIAULT. Why are you laughing like that?


GRAHAM CLULEY. Nothing.


CAROLE THERIAULT. My parents have been listening to our show. Parents have been listening to this.


GRAHAM CLULEY. They didn't listen to last week's.


CAROLE THERIAULT. And my dad, who is now a retired, uh, MD, you know, medical doctor, is very concerned about your wheeze. He has brought it up to me about 4 times now, and the way he does it, goes, what's with the wheezing? What's with all the wheezing?


GRAHAM CLULEY. Hey, Carole, Graham—


CAROLE THERIAULT. He doesn't talk like that. He's not one of the freaking sisters out of the Simpsons.


LISA FORTE. I was going to say, it is a little bit like it kind of makes me feel like you have something to do with the mafia, but in a kind of fun— in an approachable way as well.


GRAHAM CLULEY. Do you think I'm funny? You think I'm funny, do you? I amuse you?


CAROLE THERIAULT. Yeah, the Quebec Mafia.


LISA FORTE. That's what I'm involved in.


CAROLE THERIAULT. Yeah, we eat poutine by night and listen to Celine Dion. It's amazing.

-- TRANSCRIPT ENDS --