
170: PornHub, Coronavirus apps, and remote working


It's a self-isolated Coronavirus special as we discuss with our quarantined special guest how COVID-19 is making itself felt in the world of cybersecurity, and we offer tips on how to better protect yourself if you're unexpectedly working from home.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Malicious Life's Ran Levi from his attic.

Visit https://www.smashingsecurity.com/170 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Ran Levi.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



RAN LEVI. But I think that if I wanted to make money fast, this is a good scam. I mean, it's fast and you make some money.


CAROLE THERIAULT. So, um, listeners, please don't take Ran Levi's advice.


ROBOT. The hosts of Smashing Security do not necessarily agree with the opinions or support in any way the views of the guest. Smashing Security, Episode 170: Pornhub, Coronavirus Apps, and Remote Working with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 170. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined this week.


CAROLE THERIAULT. We are very lucky to be joined this week.


GRAHAM CLULEY. Well, it's not like he had anything else to do because he's been isolated in his Tel Aviv apartment Ran Levi from the Malicious Life podcast. Hello, Ran.


RAN LEVI. Hello. Hello. It's great to be back.


CAROLE THERIAULT. Ran, how are you handling doing your own podcast being locked in in your flat with your family?


RAN LEVI. Oh, man, it's difficult. Actually, in the last week and a half, I'm just releasing reruns because recording in my attic, the sound quality is not too bad, but it's different than the usual sound quality, different environment. So I'm leaving the quarantine in like 2, 3 days. And then I'll return to normal scheduling.


GRAHAM CLULEY. But tell us what happened. How have you ended up in self-isolated quarantine? What occurred to you?


RAN LEVI. Yeah, such bad luck. I commute by train every day. And like there are, I don't know how many tens of trains every day to and from my house to Tel Aviv. But apparently a corona patient, one of the very first corona patients in Israel, boarded my train at exactly the same time. And you know how it is. I mean, it's a long train, probably 1,000-plus people on the train.


GRAHAM CLULEY. All right.


RAN LEVI. And they just said, you know what, all of you quarantine now. And actually, it was my wife who kicked me up to the attic.


GRAHAM CLULEY. She said, what is that? Something she's done before? She banished you to the attic in the past?


CAROLE THERIAULT. Have you been up there for like 10 days?


GRAHAM CLULEY. Yes, I have.


RAN LEVI. Really?


CAROLE THERIAULT. Seriously?


RAN LEVI. Yeah, it's not too bad because this is my basically my home office in, you know, day to day. But if you won't, if you don't leave the same room for like 10 days, at some point, I kept forgetting what day it was, because every day seemed like the last one.


GRAHAM CLULEY. So is it Sunday?


RAN LEVI. Or is it Monday?


GRAHAM CLULEY. I don't remember.


RAN LEVI. Does it even matter?


CAROLE THERIAULT. I remember this podcast about this guy who went and lived on his own in a cave to see how long it would take him to go mad. Like no light, nothing, like we're just on sensory deprivation, effectively. It was in France somewhere in a cave. And he went apeshit, I think, after a few weeks.


RAN LEVI. I can relate.


CAROLE THERIAULT. Don't worry, we've got you.


RAN LEVI. You know what's worse than the isolation? Because, you know, I've got internet and computer and everything.


CAROLE THERIAULT. You have no bugs.


RAN LEVI. You have no toilet.


GRAHAM CLULEY. It's going out the window.


RAN LEVI. I've got a toilet.


CAROLE THERIAULT. Thank God.


RAN LEVI. I can handle that.


GRAHAM CLULEY. Thank goodness.


RAN LEVI. It's the lack of contact, personal contact. I haven't touched a human being for almost two weeks. And I mean, I can feel it. I can. I mean, I wanna touch my kids and you want to hold something.


GRAHAM CLULEY. Ran, you know sometimes you can sleep on your arm and you get a dead arm.


RAN LEVI. Have you?


GRAHAM CLULEY. I mean, if you're desperate.


RAN LEVI. I do have my cat who's not afraid of me.


GRAHAM CLULEY. Poor cat, poor cat. I think we should move on. Carole, what have we got coming up on the show this week?


CAROLE THERIAULT. First, thanks to this week's sponsors, LastPass and Domain Tools. Their support helps us give you this show for free. Now on today's COVID-19 special, Graham tells us how to avoid being duped by scammy apps. Ran is gonna talk about how Israel is using anti-terror tech to help combat the invisible enemy that is corona. And I will help you newbie homeworkers out there make sure you have all your cyber bases covered. All this and much more coming up on this episode of Smashing Security. COVID's Diary.


GRAHAM CLULEY. Now, chums, chums, we live in rather scary times.


CAROLE THERIAULT. Yeah, I've been saying it for like a month.


GRAHAM CLULEY. Yeah, yes, like Cassandra, you've been warning us, Carole, and now it's happened. They are walking amongst us. Some of them have the sniffles, some have sore throats, some aren't showing any signs of infection at all. They might be a bus driver, a cleaning lady, neighbours, partners.


CAROLE THERIAULT. It's like a zombie apocalypse.


GRAHAM CLULEY. It is. Even the hosts of rival security podcasts banished to their attics. Now, for a day or two, it seemed even the germaphobe-in-chief at the White House— he might be one of them, but he's now been given the all-clear— we are all quite understandably worried and concerned about not only catching the coronavirus, but also running out of toilet paper. Yeah, exactly. I've just— I've literally just come back from the supermarket again completely bereft of all loo paper.


CAROLE THERIAULT. But didn't you just score a stash there, Mr. Cluley?


GRAHAM CLULEY. My wife has ordered some loo paper online. It hasn't arrived yet.


CAROLE THERIAULT. Oh, so he got scammed.


GRAHAM CLULEY. But I don't know. Anyway, crazy, crazy times, right? The Health Authority boffins, they're warning us that most of us will catch it. But if enough of us manage to hold it off for long enough, maybe we'll be able to give the hospitals the best chance to cope with the increased demand. It's like, like you said, Carole, it's like a zombie apocalypse movie. Wouldn't it be wonderful to have a magic wand that we could use to wave in front of people to determine if they're catching a virus? Maybe— That isn't a dolphin impression. That's my Geiger counter, being able to tell who's got it. I would love one of those.


CAROLE THERIAULT. Yeah, it's just called virus testing kits, which, you know, our government didn't think it was important to have them.


GRAHAM CLULEY. They're a little bit difficult to come by at the moment.


CAROLE THERIAULT. Is it hard in Israel to get them, Ran?


RAN LEVI. Yeah, and we don't have them. Only the government has them.


GRAHAM CLULEY. Because they're the important people, and what would we do without them being in charge?


CAROLE THERIAULT. So if you say you suspected that you had contracted the illness, right? You got a fever, whatever. What is your Israeli national advice?


RAN LEVI. You don't go to the hospital because then you infect everybody around you. You call an ambulance. They come and they test you at home and you don't leave your home unless real life danger.


GRAHAM CLULEY. Is there a little bit of you though, Ran? Because I have met Israeli people before and I know what they can be like. They're beautiful people. They are beautiful people, but they're also rather tough. You don't want to get on the wrong side of an Israeli. Is there a bit of a macho bit of you which kind of thinks, oh, we can just sort of rough this out? Is that so?


RAN LEVI. No, that's a lot of them. I can rough it out. I don't need to go to the hospital. I mean, it's only the flu for most people. So yeah, I can rough it out.


GRAHAM CLULEY. Yeah, exactly. If you don't have a magic wand or a Geiger counter to be able to tell if someone's infected, maybe these days an app would be the solution, right? And turns out there are apps which claim to do that. They actually exist.


CAROLE THERIAULT. What do you mean, like an app that tells me whether I have the virus or not?


GRAHAM CLULEY. No, they tell you if there's someone near you who has it.


CAROLE THERIAULT. Oh, like confirmed cases. This is how close you are.


RAN LEVI. It's like Tinder.


GRAHAM CLULEY. It's like Tinder.


RAN LEVI. It's like, cross the road, cross the road!


CAROLE THERIAULT. It's the opposite of Tinder. It's the anti-Tinder.


GRAHAM CLULEY. So it tells you there's a guy called Ran. He's got brown eyes. He's 6'2". He likes to live in the attic. You know, he's been virulent for this long.


CAROLE THERIAULT. He's been shitting in a bucket.


GRAHAM CLULEY. Now, there is a website called —do not go to it! Do not go to it. People, do not type in that name of that website, because that website, which is by the way also run by a group of people who also run a website called Dating for Sex, which feels like tautology.


CAROLE THERIAULT. I'm sure I've gone to that site before. I'm sure.


GRAHAM CLULEY. But anyway, don't visit it. If you go there, you will be greeted by a world map of coronavirus infections, which you can zoom in on.


CAROLE THERIAULT. Oh, I'm totally addicted to those.


GRAHAM CLULEY. I've been looking at the Johns Hopkins one, like daily. Johns Hopkins one is legitimate, that's fair enough. But at the top of this particular one, it has a banner which pops up, which invites Android users to get a real-time number of coronavirus cases based upon your GPS location. Sneaky, sneaky.


CAROLE THERIAULT. That is so preying on people's—


RAN LEVI. Yeah. Social engineering at its best.


GRAHAM CLULEY. And it says, for the best experience, if you download the app, you should enable accurate reporting. So you basically turn on all the features. And of course, this is something people want right now, right? I would love to know if I should go down the bottom of the hill or not, or whether I should stay up here at the top of it, right? Where it's going to be safer. Now, this isn't a Google Play app. This is an app which you get from a third-party site. So it's a sideloaded app. And as we all know, although Google Play isn't perfect and there are malicious apps which get in it sometimes, it's a heck lot safer than downloading apps to your Android phone from any Tom, Dick, or Harry site.


CAROLE THERIAULT. Sorry, I'm really ignorant here, right? So I don't have an Android phone. I rarely download apps because I'm paranoid Android. Funny, funny. So how does that work? So I would just assume if it's not in the Play Store, don't get it. So how do people download that? How does that happen?


GRAHAM CLULEY. Well, there is an option in the Android operating system, which if you just click the button or uncheck it, then it allows you to download apps from anywhere.


CAROLE THERIAULT. So basically, I could borrow— you know, you could borrow your mom's phone, right, your teen, and go, hey, this is cool. Do you want to have a map to know if— and then mom would be like, wicked. Yeah, as long as it's free. OK, got you.


RAN LEVI. All you have to have is an APK file, and it's a regular application.


GRAHAM CLULEY. I mean, you remember Steve Jobs, you know, was a complete control freak, right? So when he built the iPhone and the iOS operating system, it was all about incredible levels of control.


CAROLE THERIAULT. Just because he wore a turtleneck does not make him a control freak, Graham.


GRAHAM CLULEY. Anyway, if you run this particular app, if you install it onto your Android, you are greeted by a message which has a sort of anonymous logo on it. And it says, your phone is encrypted. You have 48 hours to pay $100 in bitcoin or everything will be erased. And it claims to have grabbed your contacts, your pictures, your videos, all your social media accounts. And it says it will leak them publicly and the entire phone will be completely erased and it locks your phone. You can't use your phone anymore 'cause you have to enter the magic number, which you'll, it says you will only get if you pay the ransom.


CAROLE THERIAULT. Okay, another question. Hmm? So I've lost a number of phones and broken a number of phones in my life. Yes.


GRAHAM CLULEY. Right? 'Cause you're a klutz.


CAROLE THERIAULT. So, but what I've learned from that experience, certainly on iPhone, is that you could just reset it and everything gets downloaded from your cloud account.


GRAHAM CLULEY. Well, yeah, I guess if you've got a backup, then— so big dip, big whoop.


CAROLE THERIAULT. Don't be afraid if this happens to you. Just go, fine, screw off, I'll just reset.


RAN LEVI. I was always wondering how effective are ransomwares in general on mobile devices, because I mean, for most people, I think it's a given that your phone will fall down toilet at some point.


CAROLE THERIAULT. Yes, you're spending a lot of time there right now, of course, because you're dreaming you had a toilet, Ran.


RAN LEVI. Or down the bucket, whatever works at particular times. And then you, everybody, everything will be lost anyway. So I wonder if people actually pay these kinds of ransomware.


GRAHAM CLULEY. It is an excellent question, Ran, and we have the information. No, I'm so impressed.


CAROLE THERIAULT. You've got so much time to do research these days.


GRAHAM CLULEY. Don't be so impressed. This was because of some research done by the folks at Domain Tools who first alerted about this particular piece of ransomware. Turns out that this ransomware, which they've called Covid Lock, doesn't actually encrypt or steal your files at all. The ransomware is lying. All it has done is locked your Android phone.


CAROLE THERIAULT. Well, it's not like they've built a huge trust relationship with me already, since the map is a big pile of poop.


GRAHAM CLULEY. Oh, I see. So you're not feeling too let down by it. You're not disappointed. Once burnt, twice shy, dudes. Apparently, after you start the app, it just waits for about 60 seconds. So it's sort of mimicking that it's doing something. Doing things in the background. Yeah, phishing, or phishing. And then displays the ransom note. And so you think, "Oh crikey, it must have done all this stuff in the background." It's done nothing of the sort. And a new variant of the ransomware is now asking for $250 as opposed to $100. So the price has gone up. But according to the researchers, and this is where we come back to Ran's point, the bitcoin wallet which it's asking to be paid has so far received absolutely nothing.


RAN LEVI. Zero. It's been a failure. Nobody's buying it.


GRAHAM CLULEY. It's been a disaster. A complete disaster. If you thought the world was having enough disaster, here's another disaster compounded, which is that the ransomware authors are a load of old rubbish. They're not fulfilling their promises. They're not encrypting your data. They're not actually stealing your files, and they're not even making any money. Okay, but do—


CAROLE THERIAULT. Despite all their attempts. Grahamy, or chum, chum. Yes. Don't you think—


GRAHAM CLULEY. I don't know if it's a two-way chum thing.


CAROLE THERIAULT. Well, I could call you what I normally call you, but— Could you please stay at least civil?


GRAHAM CLULEY. 6 feet away, yes. Okay, clueless.


CAROLE THERIAULT. Oh. Okay, now couldn't this have been a test?


GRAHAM CLULEY. Oh, maybe.


CAROLE THERIAULT. Couldn't this just be test malware just to see if the whole thing kind of works and people download it and they're going, "See, I told you, boss. People are gonna fall for this.


GRAHAM CLULEY. Let's do it for real." Well, I suppose so. Certainly, it doesn't appear to be the most professional piece of Android ransomware ever seen. One of the interesting things, of course, is that if you were infected by this, and at the moment it looks like it's just security researchers downloading it, rather than actual real victims of this. But if you were to have your phone locked, the interesting thing is that the unlock code is actually hardcoded within it and is available for anyone to find. So it's not even something which changes. So the unlock code, I can tell you right now, is 4865083501. So all you have to do if, if you were unlucky enough to get infected, that's the solution. If only it was so easy to fix coronavirus, eh? Wouldn't that be good?


RAN LEVI. Actually, you know what? I think it's very smart for the crooks to use social engineering in that way and not invest any time or effort in actually creating ransomware. Because think about it, I mean, they probably invested like, I don't know, 1, 2 hours, few hours working on that app and the website. And that's all. And if they get, I don't know, $100, $250, maybe $1,000 from like 4 or 5 people who really fell for that really silly scam, it's good money for a few hours of work. They didn't invest any time in actually creating ransomware. So yeah, it could be smart. Yeah, yeah.


CAROLE THERIAULT. The ROI is huge.


GRAHAM CLULEY. They've probably spent so much time washing their hands 48 times a day that they haven't had time to finish the coding, which is good news for all of us, isn't it? And it actually gives you some hope for the, for the future of humanity. This gives us hope that the economy will be restored, that we won't face financial apocalypse because of all this horror which is going on right now. Because we see actual entrepreneurial spirit in action, don't we? Because we're seeing these guys taking advantage of an opportunity.


CAROLE THERIAULT. They're so incredibly creative in their deception. We're going to give them a little award.


GRAHAM CLULEY. Well, not a physical award, Crow.


CAROLE THERIAULT. Right, but you sound impressed. I'm just saying.


RAN LEVI. No, I am actually quite impressed. I mean, this is— This is how bored you are.


CAROLE THERIAULT. We're not surprised you are impressed. You've been sitting in the same room for 10 days.


RAN LEVI. Yeah. I mean, any entertainment in my case is good entertainment. Yeah.


CAROLE THERIAULT. This is one of the best things you've done all week.


GRAHAM CLULEY. We know that.


RAN LEVI. But I think that if I wanted to make money fast, this is a good scam. I mean, it's fast and you make some money.


CAROLE THERIAULT. So listeners, please don't take Ran Levi's advice.


GRAHAM CLULEY. The hosts of Smashing Security do not necessarily agree with the opinions or support in any way the views of the guests. Well, it's with some dread now that I say, Ran, what's your story for us?


RAN LEVI. Yeah, okay. So now I'll give you a story straight out of Israel, of course. I think it was the last time that we spoke, I also gave an example story from Israel because we've got lots of interesting news going around. And actually, I think it was 8 hours ago, the government approved in a kind of a very hush-hush move and very like quick decision for the, it's called, just a second.


GRAHAM CLULEY. There's thunder. Hang on. What is going on? Is that the Palestinians? What's going on, man?


RAN LEVI. It's the apocalypse. The four horses of the apocalypse. One just landed above my house. Anyway, the government approved the Shin Bet, which is the, it's the equivalent of the FBI in Israel. It's the internal security force. Okay. To track Corona patients' cell phones and report to people around them if they were in the vicinity of someone who was infected.


CAROLE THERIAULT. I just feel like I've been in a time warp. How does this, Graham, this sounds very—


GRAHAM CLULEY. This sounds very much like the app which the ransomware guys were promising. Turns out the Israelis have actually written it.


RAN LEVI. It works. What they are doing, and that's, I mean, the headline of most news stories about it were kind of Israel uses anti-terror technology to counter coronavirus. This is a bit clickbaity because it's not actually anti-terror technology. It's a simple, you know, mobile tracking technology that you can contact the mobile companies, the mobile service providers. And if you have the, you know, from the court, you have the proper documents, they'll give you the information about whoever is their client and where in the world he is moving around. Basically the same technology that they use every day.


GRAHAM CLULEY. So how do you think this will be used in principle? Will it be used against individuals? So for instance, imagine there is a train where a known coronavirus victim has been on the train, and would they use this to track other people who had been on the train to identify them? Is that the sort of thing which is—


RAN LEVI. Yeah, the way they are planning to use it, and as I said, it's really just in the last few hours that the announcement was made is that when somebody is tested and is seen to be positive infected with coronavirus, they go back and see the records of all the places he was in the last 14 days. And then automatically they send messages to all the people whose phones were around this guy while he was moving around the world. So if, for example, in my case, if the corona patient that was on my train was say in my immediate vicinity in the train, they probably could tell that from the geolocation of the mobile device and they could have sent me immediately SMS saying, you know, this guy who right now was tested positive, a week ago he was near you in the train. So now go and test yourself or be quarantined. And I think it's a great idea basically because now you can really control the infection vectors. If somebody is detected, you can get ahold of the people who were near him and everybody's got a cell phone. And—


CAROLE THERIAULT. But think about it, like it's crazy as well though. Like don't think the world's not going to change. If one person in one train impacts what, 80 people? And they are then all in quarantine for two weeks, and that happens everywhere, it's going to be an interesting time for us all.


RAN LEVI. It is already. I mean, think about my case. I was in a train with some 1,000 other people. All of them were quarantined because we don't know where that guy's been specifically on the train. Exactly. If I knew he was in the same car as me in the train, I would be quarantined. But if we knew that he was in the back of the train, I was in the front of the train, I would probably be safe. I don't, I wouldn't have to be quarantined. So I think the potential of that kind of technology to really help control the epidemic sounds great. Really sounds great. I think the only caveat here is that that decision, specific decision, which is a good decision basically, it was gotten to in a way which is very problematic because there's no parliamentary oversight over that decision. And nobody prevents the government from abusing that. They just decided it. There's no oversight from judiciary system or the parliamentary system. So nothing stops the government from tracking political rivals, you know, abusing the power as we are always afraid of governments. So I think it's the process that's problematic here. And maybe the practical use.


GRAHAM CLULEY. Yeah, I mean, it's, I mean, I can imagine if this was used outside of Israel in the rest of the world. Maybe other countries will. Let's take an example, for instance, Justin Trudeau, the boss of Canada, he's been self-isolating and his wife, I believe, was infected by coronavirus. Now, I then heard that Idris Elba, the actor, also infected. He's also infected. Turns out he met up with Justin Trudeau's wife. And now I'm not pointing any fingers here, but we all know what Idris Elba's a bit like with the ladies in terms of the ladies' reaction. I'm just saying, they were clearly in proximity, and that's possibly how it happened. Maybe it happened at a conference instead.


CAROLE THERIAULT. I cannot believe you're bringing my mother country's leaders into such disrepute.


GRAHAM CLULEY. Idris Elba isn't British Prime Minister yet, Carole. He's not actually our leader. But maybe one day, I'm sure it won't happen. Anyway, I'm just saying there's clearly privacy angles here and this information could be used.


CAROLE THERIAULT. Who could blame her anyway?


GRAHAM CLULEY. If just for gossip. That's what I was expecting. That's what I was expecting.


RAN LEVI. I mean, it raises the question of, I mean, what's the role of right for privacy in such extreme situations? Well, exactly.


CAROLE THERIAULT. Even a normal day, it's hard, right?


RAN LEVI. Exactly. And I mean, people in Israel, of course, are talking about it, saying, well, this is obviously an invasion of privacy, but the consensus is that, okay, this is probably a good idea in the short term, not a good idea in the long term.


GRAHAM CLULEY. Seriously, guys, you don't have to worry about that because we're all going to be dead anyway. So I think stop worrying about these hypotheticals.


RAN LEVI. I'm not going to be dead.


CAROLE THERIAULT. I haven't left my house in two weeks. Okay.


RAN LEVI. We're going to be all dead, but our butts are going to be very clean.


GRAHAM CLULEY. Everybody's buying toilet papers like crazy.


RAN LEVI. What are they all doing with that?


CAROLE THERIAULT. I have a conspiracy theory about that.


GRAHAM CLULEY. Carole, what's your story first?


CAROLE THERIAULT. I'll tell you after the show. Okay. You know, you guys though, you keep thinking about yourselves in this time of crisis, and you're forgetting a very important industry that is seriously impacted by this. Can you think what it is?


GRAHAM CLULEY. Ice cream salesmen? What do we— well, I don't know.


CAROLE THERIAULT. Uh, the porn industry. Oh, the porn industry. Not only can they not get their hands on any antibac wipes, just the requirement of the job puts them at risk. Maybe actually, maybe there's probably some niche hazmat suit smut somewhere or something.


GRAHAM CLULEY. I bet there is. I bet there is too.


CAROLE THERIAULT. You think I'm kidding, really? You think I'm kidding? But if the Free Speech Coalition said in an announcement that it's asking the producers to voluntarily cancel all shoots through to March free first so that performers stop shooting new content with people who aren't part of their households. I've never heard it called shooting new content.


GRAHAM CLULEY. Okay, but that is not my story today.


CAROLE THERIAULT. I know you wish it were. Good, good.


GRAHAM CLULEY. That's unthinkable. I can do without the economy, but the truth is that we have run out of porn, so we do need more to be made. It's not like there isn't an awful lot out freely available. You don't have to go down the supermarket and find it on a shelf. It's everywhere, for goodness' sake. Why, why would you need more?


CAROLE THERIAULT. Well, there's something else to consider in all this, right? Especially if there's a dearth in porn. Apparently China has announced a spike in divorce requests, claiming that the coronavirus has forced couples to spend too much time together during their quarantine, and they're just like, I have married a frickin' bozo.


GRAHAM CLULEY. I can relate. Ran's wife had the answer to that. She just sent him to the attic.


CAROLE THERIAULT. Put them in the attic.


RAN LEVI. Can someone divorce with their kids after two weeks though?


CAROLE THERIAULT. However, we digress. My story, which I've mentioned many, many, many times before, is about the need for social distancing. And that's one of the ways we're trying to contain the spread of this contagion. And for a lot of us, that means working from home, which turns out is a big opportunity. Those of us that have that opportunity should be feeling really blessed right now because there are millions of people that don't have that. Now, from those of us that have been doing it for some time, we've inadvertently optimized our situations over the years, haven't we? And we've made our environments pretty bearable. Like, we know our neighbors, we have a snack cupboard, you know, we have hobbies and daily routines to try and manage all that stuff— entertainment, productivity, all that stuff, talking to people.


GRAHAM CLULEY. Can I just say that the whole reason I started working from home was to stop talking to people? Because in the office, it was kind of obvious that I was choosing not to talk to people, but now at home, I can get away with it much more easily.


CAROLE THERIAULT. Well, okay, so I wanted to know how many people do you think in the UK work from home as their main job? So I looked up 2019 statistics just to try and bypass this stuff. I don't know, 1 in 10. So 1 in 40. Oh, really? So 1.5 million people work from home. So 1 in 40 of workers work from home. And in the States, it's closer to 1 in 30. Yeah. So that means there are millions of people out there that are currently being asked to work from home for the first time. Twitter has told people to work from home, Amazon, Google, NASA, JP Morgan, Samsung, the list goes on.


RAN LEVI. My company's team is working from home.


CAROLE THERIAULT. Right. Yeah. Yeah. Yeah. Because you probably spread the disease, Ran.


GRAHAM CLULEY. No, nobody's sick, but everybody's been ordered home. Yeah.


CAROLE THERIAULT. As a precaution. Yeah. Okay. So, you know, we make jest, but it is super stressful, right? And I think all of us know something or two about security, and we know one or two things about working from home. So, I thought we could share a few of our tidbit advice with our listeners to help them get through this. So, let's get the boring security stuff out of the way first. So, my first piece would be that orgs really need to provide a to-do list for people to ensure that their home environment is safe for them to do work from and to access files and all the stuff they're supposed to do. Some home workers are going to be asked to use their personal machines. Others will have dedicated working machines. Others will be waiting for machines to be delivered. And the first big security nightmare, I think, is making sure that that home machine is safe to access work files and services. So big companies out there are gonna know what to do, right? But there are some companies that are facing this for the very first time. Yeah. I would say make sure you're not using the default password that was provided with your router.


RAN LEVI. That's basic security. Yeah.


GRAHAM CLULEY. 101. Yeah. You should always do that. Yeah. Yeah. Yeah.


CAROLE THERIAULT. And lots of people don't. So if you haven't, go do that. The other thing is locking your screen all the time. Mm-hmm. Some of you with kids out there, are gonna be having that problem of how do I get the kids, keep the kids off this machine so they don't play their games and don't get on it? Because not everybody has a house full of tech and this might be the only piece of decent equipment in the house. So making sure that the passwords are not known and not shared just because you can't be bothered to go put it in and don't let them play with it. And if they do, I think you need to report it to IT.


RAN LEVI. I would even go a step further and disallow the employees from working from their own personal computers. I think companies should provide them with laptops from work because for many people, I think the home machines are vulnerable because we download stuff and we browse unsafe websites, whatever. And I mean, I have like 6, 7 people working for me. I can never be sure what their home environment is. I can never trust it. So I would probably give them laptops from work and you only say you only access the company's, you know, IT infrastructure from these computers. Don't log in from your home computer. That's like probably a corrupted and virusful environment in the day to day.


GRAHAM CLULEY. I think that's a sensible investment for companies to make. I mean, if it may only cost them like £600 per computer. But exactly.


CAROLE THERIAULT. That's a ton of money if they're looking at being shut down if they don't get business ramp up in the next 8 weeks.


GRAHAM CLULEY. Well, yeah, and obviously they have to order these things and get them delivered. The hardware manufacturers are going to do well at least if they manage to keep their supply chains going. But I think from the security point of view, ideally they are going to be using an approved computer which has been checked over by the IT team rather than Lord knows what from Windows 95.


RAN LEVI. Yes, and another option is to maybe provide some sort of a virtual machine on that home computer. So, it's technically more difficult. You'd have to probably bring a technician to actually operate this or set up the install. But that's another option because giving the people the option to log in from, I mean, it's a horrible environment, the home computer with games from the kids and everything. There's probably a large percentage of malware ransomware hiding in those files anywhere. So I wouldn't give them the option to log in from their personal computers. That's too big a risk, I think.


CAROLE THERIAULT. It's a complicated one, but I think some will be forced to go down that route. And one of the things to think about is organizations really ought to have a route so that staff know what to do in case there's problems, like who to call, what are the emergency procedures. Think, for example, little Jimmy just stuffed a peanut butter sandwich into one of your laptops.


GRAHAM CLULEY. Right, so what do you do now? I'm on the IT support desk. Jimmy? Okay, oh yeah, it'd be the peanut butter thing, right?


CAROLE THERIAULT. Right, so even something as lame as that can put someone off work.


GRAHAM CLULEY. And give people the tools to do the job, right? If they're running a computer, whether it's one that your company has provided or one which they have themselves, then it needs to be up to date with security patches. It needs to be running up-to-date antivirus software. You're probably going to have to have two-factor authentication in place to allow them to log into the company network remotely. You've got 3 of my 5.


CAROLE THERIAULT. Carry on, you're doing great.


GRAHAM CLULEY. Password manager, have we mentioned? Anti-malware. Yeah, we mentioned that. Full disk encryption as well, because if you've got the sensitive data, company data, you don't want that laptop being stolen or mislaid at some point. And number— is— What haven't I mentioned?


CAROLE THERIAULT. And the last one is backing up, backing up, backing up.


GRAHAM CLULEY. Backing up, backing up.


CAROLE THERIAULT. So in a worst-case scenario, as we've seen from Graham's story, there are people out there scouring around trying to dupe you and in some cases, fake you into thinking you have ransomware, but in some cases, you really will. And in those cases, it is very nice to be able to wipe and reinstate from where you were. So keep a backup.


GRAHAM CLULEY. Carole, do you have any tips for porn stars who are worried about working from home?


CAROLE THERIAULT. Self-love is the way I'd go right now.


GRAHAM CLULEY. Oh, I guess so.


CAROLE THERIAULT. Over a webcam. And over to Pick of the Week!


GRAHAM CLULEY. This week's podcast is sponsored by DomainTools. They help security analysts turn threat data into threat intelligence and help you assess threats and prevent future attacks. They've got something very cool I think you're going to like: a capture the flag competition which can win you $100 in the form of an Amazon gift card. If you want to join in the fun, visit domaintools.com/smashing to enter the capture the flag competition before it closes on the 1st of April, and may the most geeky listener win.


CAROLE THERIAULT. So many of us now are realizing that moving to a fully work-from-home environment isn't always easy, but LastPass is here to make that transition easier ransomware, all without decreasing security. LastPass ensures your employees have secure access to their work applications and provides remote employees the ability to securely share passwords across teams in order to stay on top of critical projects. If you want to learn more, visit lastpass.com/smashing. On with the show.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show, the part of the show that we like to It's called Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily.


CAROLE THERIAULT. Oh, is it? Not entirely. Oh, Graham. Not really.


GRAHAM CLULEY. Okay. Because of course, we've talked about coronavirus and it is causing hardship.


CAROLE THERIAULT. I think we should call it COVID-19.


GRAHAM CLULEY. I think the world is calling it coronavirus.


CAROLE THERIAULT. Yeah, except that, you know, the Corona, the beer manufacturers' stock prices have, along with everyone else's, but they've had a special nosedive because of people calling it Corona.


GRAHAM CLULEY. Let's call it the Diamond Princess cruise virus then, or the Chinese virus, as I believe the germaphobe-in-chief is calling it.


RAN LEVI. Chinese really don't like it.


GRAHAM CLULEY. Quite right too. I wouldn't eat it. No, no, it wasn't me who said it first. So obviously lots of hardship being caused around the world, and it's a serious problem. And many people are like Ran, and they've been locked up in their houses. And we saw Italy—


CAROLE THERIAULT. We're watching Italy.


GRAHAM CLULEY. Yeah, Italy has been shut down and everyone's stuck in their homes. And hence, I was rather bemused to see an announcement from a website which said that it would be giving free access to its premium version to everyone in Italy for the entire month. And the name of that website is Pornhub. And so Pornhub, who are quite good on the PR department, they're quite good at getting their name in the press. Amazing. They are amazing. They announced that everyone in Italy can have free access to— apparently there is some premium version of Pornhub. I can't imagine what that gets you. But anyway, it— I mean, that's what more you need, really. But anyway. More porn. I suppose. But—


CAROLE THERIAULT. Jesus, Franco, enough with the Pornhub. So there is an issue though.


GRAHAM CLULEY. They're not gonna be bored. Yes, what's that?


CAROLE THERIAULT. People are talking about the idea of can the internet handle all this high-def video streaming that people are doing around the world while, you know? Yes, yeah, that's right. Steam apparently it just celebrated 20 million users in one day, which broke all records.


GRAHAM CLULEY. Yeah, will they be able to keep it up or not is always the problem, isn't it? That's the question.


RAN LEVI. So the Italians have free Pornhub for— That's right.


GRAHAM CLULEY. So if you have an Italian IP address— Yeah, or a VPN, Ran. Exactly. Because this is what has happened. He's alone. He's alone. The kids are not allowed near him. Lots of people are using their VPN to pretend to be in Italy to access Pornhub.


CAROLE THERIAULT. It's going to be reruns though.


GRAHAM CLULEY. And in fact, the guys at ProtonVPN, they tweeted saying, we finally figured out why our Italian VPN servers are under such high load. So apparently they're getting swamped by lots more requests than normal. And they've had to— apparently they are adding new servers as fast as possible to cope with the demand. Obviously, there are supply chain issues.


RAN LEVI. So basically, I understand from what you're saying is that the Italians right now are mostly either watching porn or singing from their balconies. That's the two. See, they know how to live. I like the Italians. Actually, you know, I read another article. I think it was yesterday, something like that. From Pornhub, they have what's called Pornhub Insights. It's a regular website. It's not, you know, it's just, it's for research. Really, it's for research. It doesn't have any porn, but it gives lots of interesting insights on statistics that they gather from the website.


CAROLE THERIAULT. And you just happened to be looking at that yesterday. Okay.


RAN LEVI. I'm a man of, you know, varied interests.


CAROLE THERIAULT. And bored out of your mind.


RAN LEVI. And bored out of my mind, exactly. And it turns out that, if I remember correctly, there has been about 7 million searches for the coronavirus in Pornhub in the last 30 days or so.


CAROLE THERIAULT. What? What? Corona porn?


GRAHAM CLULEY. COVID? Actually COVID porn? So rather than coming round pretending to be a plumber to fix the dishwasher, they're instead coming round in a hazmat suit. Just need to check you for coronavirus. Just give you this little injection here.


RAN LEVI. It's something like that. Yeah. If somebody is searching for coronavirus on Pornhub, it's really interesting to think about what are they trying to find there? No, I mean, actually, Pornhub is a great place for statistics because that website gets tremendous amount of traffic. And they, I mean, browsing the insights is fascinating. I mean, it's not my pick of the week, but it's fascinating. Oh my God.


GRAHAM CLULEY. The insights, only the insights.


RAN LEVI. Ran, Ran, what's your pick of the week? Oh, my pick of the week is tamer. It's more down to earth. Oh, thank goodness. Literally. It's called earth.nullschool.net and it's a Google Earth-like visualization of global weather, winds, atmospheric pressure, ocean currents, etc. And I would really recommend visiting it. I mean, if you're a weather buff, it's like, it's amazingly pretty because the animation is fantastic. You can see winds and circulation.


GRAHAM CLULEY. I'm looking at it right now. Yeah.


RAN LEVI. Yeah. And it gives you a real sense of how the global weather systems are working together, like how various, you know, oceans and lakes contribute to the overall weather patterns. It's very interesting to watch that. I mean, everybody is usually focused on the weather in their specific location. But when you zoom out, yeah, the weather over the Mediterranean, and how the weather in the UK is influenced by what's happening in like Iceland. Is this live? Is this live? It is. I think it's refreshed every few minutes or so. It's almost live. Maybe there's a short delay, but it's taking the data from lots of various resources.


CAROLE THERIAULT. I wonder if it'll change with the change in traffic, air traffic patterns and the like, if there'll be any spotted differences, if it had any impact at all. Interesting. Interesting.


GRAHAM CLULEY. Yeah. So it's very recommended. It's very beautiful and calming, actually. That's earth.nullschool.net. And if you didn't catch that, we'll put it in the show notes. Terrific. Carole, what's your pick of the week?


CAROLE THERIAULT. Well, okay. I was going to not be— just because you lowered the tone, Graham, with your pick of the week. So I asked my other half, right, what he thought my pick of the week should be. And he said, have more sex. What? So I'm just—


GRAHAM CLULEY. Hang on, I think that's what your husband's answer is to everything, isn't it?


CAROLE THERIAULT. And then I said, "Oh, that's a good idea." I said, "That's a great idea. So people get pregnant and then they can't go to the doctors without risking infection? And what are they going to be called? What's the generation going to be called?" Oh. "Millenovids?" The COVID generation.


RAN LEVI. Yeah. Deadly boomers?


CAROLE THERIAULT. COVID boomers? And so he was like, well, what about safe sex then? And I was like, where are you buying your paraphernalia? Where are you buying your safe sex paraphernalia?


GRAHAM CLULEY. Paraphernalia? Sorry, what does he use?


CAROLE THERIAULT. Condoms and other things. All he needs is a condom.


GRAHAM CLULEY. He doesn't need a cloak. He needs a Zorb.


CAROLE THERIAULT. That's what I told him. He needs a Zorb.


RAN LEVI. Is there a run on condoms like there is a run on the loo paper?


CAROLE THERIAULT. Okay, if you needed to take the train, you're going to be taking the train soon. And let's say that infection levels are like at least 1 in 4, right? And you can't find gloves to save your life anywhere, would you consider putting two rubber— two condoms on each of your hands? I think I would.


RAN LEVI. I would be probably hospitalized in the psychiatric department.


CAROLE THERIAULT. I don't know how you get the second one on, to be fair. But anyway, that was my husband's recommendation. I am not taking his recommendation. I'm recommending a podcast that should cool him down because it is called Cold.


GRAHAM CLULEY. Oh, okay. What's that about?


CAROLE THERIAULT. Now it's about— okay, so let me just give you the premise here. So Susan Powell, okay, she vanished in, uh, 2009 and her body was never found. From the very beginning, police suspected it was her husband Josh Powell, okay, that he was responsible for the murder, right? But they've never arrested him. And this, uh, podcast is 24 episodes, each an hour long. And it's by this host who's like an investigative journalist who I think is completely obsessed with this whole story.


GRAHAM CLULEY. If they've done 24 one-hour episodes, they probably are. Yes, right.


CAROLE THERIAULT. So his name's Dave Cawley, and he, like, he seriously deep dives. He got all the paperwork from everybody. So he plays like the whole interview between, um, the, you know, the husband, the father, the one they suspect of murdering, and the cops. And you get to hear everything. And he's also interviewing the detective at the same time, so you get to hear his view 10 years on, on what he did right and what he did wrong. I don't know. There's just something quite glorious about it. You've got 24 hours of entertainment there if you need something to do other than talk about the virus. Sounds fantastic.


RAN LEVI. Yeah. I love true crime podcasts.


GRAHAM CLULEY. Has the husband been arrested now, or has he been detained? Maybe now. I'm not through it all yet.


CAROLE THERIAULT. I'm only at episode 10. I've listened to 10 hours, so I felt it was fair to come on the So anyway, I recommend if you like true crime and it's an unusual— he's, you know, I love it when, when someone really is into their topic, right? And you can tell they're just like nuts for it and they've really gone into it. So not only will this calm my husband down, so I recommended it to him, but any of you. Yeah. So if you need something hot, go to Pornhub. If you need something cold, check out Cold podcast from Wondery. It's quite difficult to find via search, so I will put a link into the show notes for you.


GRAHAM CLULEY. Could this chap who's been accused, could he not take legal action against the podcast or something? I mean, if he has—


RAN LEVI. You know, that's a good question.


GRAHAM CLULEY. I mean, it's a little bit uncomfortable, isn't it? The thought that someone could start a podcast about me claiming that I had murdered someone.


CAROLE THERIAULT. I'm already working on it, dude. I'm on it. It's going live soon. I've got a lot more time now to work on it.


GRAHAM CLULEY. And on that note— We swiftly wrap up the show. Ran, I'm sure lots of our listeners would love to follow you online and find out more about what you're up to. What's the best way for folks to do that?


RAN LEVI. Mm, yeah, so my podcast is called Malicious Life. It's about the history and the present and the future of cybersecurity. And you can follow me on Twitter @MaliciousLife or @RanLevi, R-A-N-L-E-V-I.


GRAHAM CLULEY. Very cool stuff. And you can follow us on Twitter @SmashInSecurity, no G, Twitter must have a G. And you can also join us on Reddit. Join us up on the Smashing Security subreddit.


CAROLE THERIAULT. As always, a huge thank you for listening to us, especially during a bleeping pandemic. Your support and kind words will get us through. Our aim is to keep going unless one of us gets sick. Also, a huge thank you to this week's Smashing Security sponsors, LastPass and DomainTools. Their support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Bye-bye. Next week, guys.


CAROLE THERIAULT. See you then. Speak to you then. Don't see you. Graham, do you think maybe we should think about doing more than one show a week?


GRAHAM CLULEY. Do you think people would like that? I don't know.


CAROLE THERIAULT. Do you think people would tell us whether they would like that?


GRAHAM CLULEY. Probably not. They'd probably just be silent. They would get no feedback at all. Unless, unless you know different, dear listener. Yeah. Interesting. Interesting.


CAROLE THERIAULT. Come on, you want more episodes, let us know. Bye.

-- TRANSCRIPT ENDS --