
176: Hacking hacks and university attacks

Journalists spying on their rivals, the NHS rejects Apple and Google's approach to Coronavirus-tracing, and universities are hit by an old-fashioned sexy lady attack.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Rik Ferguson.

Visit https://www.smashingsecurity.com/176 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Rik Ferguson.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. Newsflash!


CAROLE THERIAULT. Newsflash!


ROBOT. Smashing Security has made it to the finals of the European Security Blogger Awards! If you can be arsed, please go to smashingsecurity.com/vote and vote for your favourite security podcast. Voting closes on the 11th of May, so don't delay or I'll electrocute your eardrums. That's smashingsecurity.com/vote. Now, on with the show. On with the show. Smashing Security, Episode 176: Hacking Hacks and University Attacks with Carole Theriault and Graham Cluley.


GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security, Episode 176. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined this week by someone who's brand new to the show. He hasn't been on before, but a really warm welcome to Rik Ferguson. Hello, Rik.


RIK FERGUSON. Hello there. Thank you very much.


CAROLE THERIAULT. It's kind of embarrassing that Rik hasn't been on yet, actually. It's really embarrassing. Rik, I am so glad you're here. And it's so good that we— see, we kept best for last. Is this maybe our last show, Graham?


GRAHAM CLULEY. Oh, well, that we could be.


CAROLE THERIAULT. Just kidding, kidding, kidding, kidding.


GRAHAM CLULEY. Rik, I'm sure lots of people already know you, but how would you quickly summarise? Who are you? Why are you here? Why have we brought you onto Smashing Security?


RIK FERGUSON. I am the Vice President of Security Research at Trend Micro. I've had a couple of decades and a half of lifetime in this industry, and my basic responsibilities are about creating engaging and informative content and making sure people get to see it, read it, listen to it, whatever it might be.


GRAHAM CLULEY. Cool.


CAROLE THERIAULT. Can I say how I know Rik and why I remember Rik?


GRAHAM CLULEY. Oh, okay, yes.


CAROLE THERIAULT. Because I met Rik at a trade show, and I remember meeting him very clearly, and there's a reason for that. It's because you, Rik, had just broken the tendon on an index finger.


RIK FERGUSON. Oh my God, yes.


CAROLE THERIAULT. And you told me about it in graphic detail to the point where I felt it. And you explained how it snapped, how you, I think you were putting a bed sheet, this is what I remember. This is maybe over 10 years ago, right? You were putting a bed sheet on or something and you tucked your fingers in and it just snapped off.


RIK FERGUSON. Exactly that. And it wasn't, the worst part of that story actually is that it wasn't my index finger.


GRAHAM CLULEY. Oh, some other part of your anatomy.


RIK FERGUSON. It was the middle finger next to my index finger.


CAROLE THERIAULT. Yes, that's right.


RIK FERGUSON. So I had to have it splinted for about 6 weeks, and I was still working and I was still giving presentations at shows and things. And it was my right hand, so whenever I'm holding the clicker, I'm holding the clicker in my right hand with a splinted middle finger. Um, and every time I'm waving my arms around talking to the audience, giving everyone the bird.


CAROLE THERIAULT. So, but every time I make a bed or I tuck something in, I think of it and I remember, I say, remember what happened to Rik? So there you go.


RIK FERGUSON. But the thing with breaking the tendon in my finger is I was, this is how stupid I am. I was kneeling on the bed attempting to tuck the sheet in on the far side. So of course the sheet wasn't moving very much because I was on it.


GRAHAM CLULEY. And that's how you become the vice president.


CAROLE THERIAULT. Security research.


GRAHAM CLULEY. Okay, Carole, what's coming up on the show this week?


CAROLE THERIAULT. Oh yes, we were digressing. First, thanks to this week's sponsor, LastPass. Their support helps us give you this show for free. Now on today's show, Graham tells us how a bunch of journos suffered a scoop snag. Rik finds out how the UK is getting on with its COVID infection tracing app. And I'm going old school, reminding us that good old phishing attacks are still big business for scummy scammers. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, it is truly a tough time for newspapers. Less and less of the things are being sold than ever because, well, I think people are getting a lot of their news for free online. Hoping to make money by going digital, selling subscriptions, have a paywall, monetizing the content via advertising. But even that isn't going well during this time of coronavirus. A lot of advertisers are actually choosing to block their adverts from appearing alongside C19-related content because they think it would basically leave a bad taste in people's mouth to see an advert for a holiday or whatever it was along something about coronavirus.


RIK FERGUSON. But don't forget.


GRAHAM CLULEY. Yeah. Yeah. So they're choosing not to appear there. Right. They're actually blocking those words, which is a real problem for the press because all they're writing about at the moment is coronavirus. So the newspapers online are getting loads of traffic, which they're having to pay for, of course, in terms of servers and bandwidth. But they're not making enough advertising revenue.


CAROLE THERIAULT. Do you not think it's short-sighted of the advertisers not to put their name there? Because I can see from a direct standpoint, if you were saying, hey, holidays in the sun on sale right now.


GRAHAM CLULEY. Well, maybe that's an extreme example. But I think a lot of them are concerned that it's just something that they don't want to be associated with, or they don't want anyone to think, how can you have this advert alongside reports of thousands of people dying?


RIK FERGUSON. Because you know someone's going to screenshot that stuff and then it's going to be all over Twitter, all over Instagram, whatever it might be. So when there's that weird juxtaposition, people always catch it, share it, point it out, even when it's inadvertent like that.


GRAHAM CLULEY. Oh yeah, of course. It's not as though it's deliberate. And meanwhile, newsagents are all shut. People aren't commuting. People aren't picking up their free newspaper to get on the train and reading it that way. So far fewer newspapers are being sold, and they're not making as much money from the websites. And there's a real crisis going on right now. Oh, really? As a result.


CAROLE THERIAULT. Is there? Oh, okay.


GRAHAM CLULEY. No, in the newspaper industry, Carole. Of course there's—


CAROLE THERIAULT. Okay, now I just—


RIK FERGUSON. I thought it was just a prolonged holiday.


GRAHAM CLULEY. Yeah, right.


CAROLE THERIAULT. I just thought people got bored of me or something and stopped calling.


GRAHAM CLULEY. So one of the newspapers which has noted this drop is the British newspaper, The Independent. They went fully digital 4 years ago. They haven't existed in paper form since 2016.


RIK FERGUSON. Do you know what? That shows how bad the news is because I didn't know that.


GRAHAM CLULEY. Right. And The Independent staff got told by their senior managers last week to get on a Zoom call to discuss salary cuts and furloughing. A lot of those workers must have been really worried about that. Not worried because I don't know if you saw this story which came out a few days ago, show about the phishing attacks which come out. So what the bad guys are now doing is they're disguising their phishing attack as a Zoom invitation from your HR department to talk about your performance. So imagine that, imagine getting one of these emails, it says, oh, you've got to have an urgent Zoom call with HR about your performance. You're going to be worried about that. That's not the kind of thing The Independent were worried about. It wasn't even Zoom bombing either. There's been lots of Zoom bombing, of course, people taking over the screen, showing pornographic content, playing loud rock music, Rik. Generally, that was a That was a rumour. That was a rumour. Generally being a bit of an arse, you know, that is a problem. Actually, what happened during the Independent Zoom call was the opposite of Zoom bombing because—


CAROLE THERIAULT. No one showed up?


GRAHAM CLULEY. Well, no. 100-odd people—


RIK FERGUSON. No, it was run silent, run deep.


GRAHAM CLULEY. 100-odd people did make the Zoom call, but they were joined by someone they weren't expecting.


CAROLE THERIAULT. Elon Musk showed up again.


GRAHAM CLULEY. No, no, no. They were joined by someone who didn't try and draw attention to himself. It turned out to be a reporter from a rival newspaper. According to The Independent, they checked their Zoom log files, and they saw that an account registered to a journalist who worked at the Financial Times, one of their rivals, briefly joined the video call, which was just intended for The Independent's own staff.


CAROLE THERIAULT. I wonder if he was still on the mailing list. Did he used to work?


GRAHAM CLULEY. No, no, no.


RIK FERGUSON. Okay.


GRAHAM CLULEY. He's never worked for them.


CAROLE THERIAULT. So he just somehow, he got a leak that this is the call number and he just joined.


GRAHAM CLULEY. I guess he's got a buddy who works there who sent him the link or something like that. Anyway, what happened was this. This interloper, his video camera was switched off. And no one saw his face. But briefly, in the 16 seconds that he was connected, the name flashed on screen of Mark DiStefano. And DiStefano used to work at BuzzFeed, but is now the media and tech reporter at the Financial Times. And so he briefly— 'cause of course you get people's names when they're on the Zoom call, right? At the bottom of their window.


CAROLE THERIAULT. Is that why he pulled out?


RIK FERGUSON. And if you've got it on speaker view rather than gallery view, which is a per-user choice, right? So if you have it on speaker view, if he made a little bit of noise at his end, even tapping the table or whatever, then his black screen with his name on it is gonna have filled the screen of anyone who has it in speaker view.


GRAHAM CLULEY. I suppose that's right, yeah. But he was only connected for 16 seconds. So how much useful information could he have taken?


CAROLE THERIAULT. Why was he only on there for 16 seconds? I think because his name showed up. I think he thought he could sneak on and then went, oh, oh, oh.


GRAHAM CLULEY. He scarpered. He scarpered after 16 seconds, maybe realising that he was still logged into his Zoom account, which was revealing his name. Because then someone anonymously connected to the video call. Again, with his camera turned off.


CAROLE THERIAULT. So, oops, oops.


RIK FERGUSON. Makes me think of Mr. Ben, as if by magic, a shopkeeper appeared.


GRAHAM CLULEY. And they stayed until the very end of the call, listening in. And while this call was—


CAROLE THERIAULT. No one noticed at the time, right?


GRAHAM CLULEY. Well, I think someone probably did notice, or maybe it was being recorded for other staff, because there were some staff in the US, for instance, who weren't able to actually get on the call. They were going to be briefed about the changes later on. But what was happening was, at the same time as the call, the Twitter account of Mark DiStefano at the FT was basically live-tweeting information about what was going on on the call.


RIK FERGUSON. So he definitely wasn't on the call.


CAROLE THERIAULT. What? Scoop!


GRAHAM CLULEY. And so he was given the highlights. And later on, he posted a story and he quoted sources who were on the call. Well, yeah. Sources who were on the call. I.e., himself. According to The Independent, they said the anonymous user account was linked to the mobile phone of Mark DiStefano. And of course, he published all this information. The Independent weren't very impressed.


CAROLE THERIAULT. Yeah, well, I'm— okay, can we talk about this?


GRAHAM CLULEY. Let's talk about it.


CAROLE THERIAULT. Can we talk about whether he did anything wrong here?


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Because we know that Zoom can be set up in a way to allow people entry, vet people, send specific links, all that kind of stuff.


GRAHAM CLULEY. So, Well, there's that, but I think there's the fundamental sort of question of—


CAROLE THERIAULT. I mean, it is newsworthy. I'm sure he got a lot of clicks for it.


RIK FERGUSON. I think the thing is he went against the code of conduct of his employer.


GRAHAM CLULEY. Yes.


RIK FERGUSON. At the end of the day, right? The employer says you can't do that.


CAROLE THERIAULT. Okay, what's the code of conduct?


GRAHAM CLULEY. So the FT's code of conduct specifies that their journalists mustn't seek or obtain or publish material gathered by intercepting private or mobile telephone calls or messages or emails. You cannot misrepresent yourself. You cannot use subterfuge. Anything like that can only be done if it's in the public interest and only when the material cannot be obtained by other means. And The Independent say, we had a press release all ready to go. So if they'd just simply asked us for a statement as to what was happening at our newspaper, we would have told them. But because he was publishing details of it before they went public, there were employees, maybe stateside and who weren't able to make the Zoom call, who found out because of him at a rival newspaper, which isn't very nice to find out that maybe you've lost your job. Right?


CAROLE THERIAULT. Did he lose his job or— we don't know yet.


GRAHAM CLULEY. Di Stefano has been suspended by the FT as a result of this.


RIK FERGUSON. All of those policies and things are all in the wake of what became known as the phone hacking scandal.


GRAHAM CLULEY. Yes.


RIK FERGUSON. In reality, it's no different to that. It just happens to take place on a computer rather than in your voicemail box.


CAROLE THERIAULT. Wendy Deng's finest moment.


GRAHAM CLULEY. I mean, I wouldn't really say this was hacking. But then phone hacking wasn't really hacking, was it?


RIK FERGUSON. No, absolutely. Just in the public imagination, I guess that's what hacking is, right?


CAROLE THERIAULT. Yeah, okay. So, did The Independent scream bloody murder? Or what do they want from it? They want his skin?


GRAHAM CLULEY. Well, I think right now what they're asking for is some kind of explanation, because they say, look, this was inappropriate. It was unwarranted intrusion into our employees' privacy. And they want to make sure that it's not going to happen again. Now, the funny thing is that people have gone back through Mark DiStefano's tweets over the last few weeks. Turns out, at the beginning of April, he reported on an internal video call at another newspaper, the Evening Standard.


RIK FERGUSON. No!


CAROLE THERIAULT. According to sources on the call?


GRAHAM CLULEY. Well, yes, exactly. And they've looked through their logs, and it appears, again, linked to the same mobile phone. So it appears there might have been a bit of a history of this.


RIK FERGUSON. Like I said, there's a history with phone hacking.


GRAHAM CLULEY. Yeah.


RIK FERGUSON. Anyway, right. Dating back decades now. So it seems to be part of a standard journalistic toolbox now is that anything is fair game if you can get access to it.


GRAHAM CLULEY. And I think there's pressure on the journalists, obviously, to have scoops and to be the first out with the news. And so that's a conflict which is going on inside them. But my feeling is, if this isn't really in the public interest and some of this information could have been gathered via traditional routes rather than unauthorised access to a private Zoom call, then that does begin to sound a bit like the Computer Misuse Act, doesn't it? Even if it's not technically hacking, it's unauthorised access. And I know as security researchers, and you must have this as well, Rik, at your company, there are quite clear rules. Even though you might be capable of doing something, there's a lot of things that you will not do because it would have breached computer crime laws.


RIK FERGUSON. Yeah, some of it is unethical, some of it is illegal, and in many cases, the other thing that you have to consider is admissibility of evidence. If you are gathering stuff which is gonna be passed to law enforcement for an eventual prosecution, you want that stuff to be able to be used in court. And if it's been obtained illegally or unethically, you can't do that.


CAROLE THERIAULT. Okay, so I'm still noodling on this, right? So if, say, this meeting was happening in a restaurant and I happened to be at the next table and I could overhear it and I was a journo and taking notes, that would be okay, presumably.


GRAHAM CLULEY. Because there's no—


RIK FERGUSON. Right, 'cause it's taking place in a public forum.


CAROLE THERIAULT. Yes, and there's no presumption of privacy.


GRAHAM CLULEY. Somehow that to me feels okay. What wouldn't feel okay would be if you'd snuck into the offices—


CAROLE THERIAULT. And dressed like a plant.


GRAHAM CLULEY. —of the company and hidden in a cupboard.


CAROLE THERIAULT. What's his name? Hung from the ceiling.


GRAHAM CLULEY. Oh, like Tom Cruise. Tom Cruise, yeah. That sort of thing, it begins to feel like, well, you've actually trespassed on the property. In a way, you've trespassed on the Zoom call as well. So that's interesting.


CAROLE THERIAULT. That is really interesting. Like, does the same standards of privacy— I guess by the FT's code of conduct, Yes. And I don't know actually by the law, the Computer Act law.


GRAHAM CLULEY. Well, I guess it depends on whether they feel there's enough evidence or indeed if the paper wanted to pursue it and maybe wouldn't.


CAROLE THERIAULT. I'm surprised he still has a job, that he's done it more than once.


GRAHAM CLULEY. Well, it's only just come out that it appears allegedly Mark DiStefano has done this. But like Rik was saying, we saw phone hacking in the past. We have seen email accounts hacked. I remember this extraordinary story. Do you remember Canoe Man?


CAROLE THERIAULT. How could I forget Canoe Man?


RIK FERGUSON. Oh my God. It says something to me. Tell me about Canoe Man, because I do remember him, but—


GRAHAM CLULEY. Canoe Man was a guy called John Darwin who faked his own death at sea about 20 years ago, and then he walked into a police station 5 years later claiming to have no memory of what had happened to him. And his wife acted all surprised and, oh, he's back from the dead, how fantastic. He couldn't explain where he'd been, and it later transpired that he and his wife had been in Panama buying property, and they'd been photographed with all the insurance money.


CAROLE THERIAULT. The best bit, for like 9 months, he had built hollow walls in his house. Yes. And so he was living inside the walls of the house. So she was obviously giving him food through a trapdoor somewhere. And he had a little air hole and lived there.


GRAHAM CLULEY. Yeah, he was dead. He was basically secretly living in a secret room of his house. Even his kids didn't know he was there. And he'd been going out sometimes for walks and things and got more audacious. But yeah, they'd claimed life insurance, pension policies, and they'd want to start a new life together. Yeah, in Panama. A Sky News reporter hacked into the email account of Canoe Man, John Darwin.


CAROLE THERIAULT. Oh, I didn't remember this.


GRAHAM CLULEY. Oh, yes, yes. I will put a link in the show notes to an article I wrote at the time about this. In order to try and find out more as to what they'd been plotting together. And again, like you were saying, Rik, the danger of that is, of course, you could compromise evidence.


RIK FERGUSON. The thing is, you could argue a public interest in that one because of the financial implications of them trying to make an illegal claim and so on and so on. So there's an arguable public interest. But in terms of, you know, listening into a Zoom call where people are being told some pretty bad news about their jobs, I mean, the Computer Misuse Act is pretty clear. It's also very gendered as well, I've just noticed. The only people who break the Computer Misuse Act are all called he.


GRAHAM CLULEY. Shall we clutch on to that as our defence?


RIK FERGUSON. Yeah, if Di Stefano identifies as they or she, probably they're okay.


GRAHAM CLULEY. Rik, what story have you got for us this week?


RIK FERGUSON. Well, obviously, you know, the news, as you said before, is full of coronavirus and COVID-19. COVID-19-related stories. We have a rolling blog on the, on the Trend Micro blog of all the different threats and criminal actors using it as leverage, whether that's business email compromise or phishing or malware. I mean, there's not a spike in cybercrime, but certainly cybercriminals have taken to using COVID-19 as a lure for things that they would be messaging otherwise if COVID-19 wasn't around. So you can't avoid COVID-19 in the news. And one of the news stories that caught my interest over the past few days actually is a global one, but also with a very strong UK focus. A lot of different countries are either deploying or talking about deploying mobile apps to track movements and keep people safe and notify people if they've come into contact with someone who later goes on to develop COVID-19. Yeah, and it's a veritable crazy how different it is from country to country. Right, and there are a lot of, so conversations I've had with people who don't work directly in the information security space, and even some that do actually, maybe who haven't done the reading or whatever, have some huge concerns about privacy. They're talking about, I don't want my location to be shared with the government at all times. And if you do a bit of reading, it's pretty clear that that's not what's happening. It's not GPS reporting, for example. They're not literally drawing a map of where you go and who you bump into in any way. Probably wouldn't have the accuracy required if you were using GPS to say whether or not you'd been near enough to someone who went on to become infected. So they tend to be using Bluetooth, but there are two conflicting models at the root of it all. There's a centralised and a decentralised way of doing this. Now, Australia rolled out their app earlier this week, and that is using a decentralised model. And what that means is that all of the data about the people that you've come in close proximity to is held on your own device. And it's only later when you, if you choose to identify as being diagnosed, being infected, that that data is then used in order to notify the other Bluetooth IDs, which are changed and rotated and so on.


CAROLE THERIAULT. So as you walk around, it's like, stay the fuck away from me, stay the fuck away from me.


RIK FERGUSON. But what'll happen is effectively you'll get a notification on your device that says, hey, a couple of weeks ago, you bumped into a person, and that person has later gone on to be confirmed as having COVID-19, you need to get yourself checked out, or you need to self-isolate, or whatever the local policies are around the next steps to take.


CAROLE THERIAULT. So would it give me their phone number?


RIK FERGUSON. Oh no, you as a person who've come into contact with somebody else, you don't need to know who they are, and you won't know who they are. You'll just know that you have come into contact with someone who later went on to be confirmed. So they've worked really hard, and actually two of the companies that have worked hardest, I think, to address those privacy concerns are Apple and Google being the major, you know, best buds, manufacturers. Yeah, they love each other, but they've actually, no, they've been working really closely and coming up with a very, what I think is a very good decentralized system. But then what I was really disappointed to read is that our National Health Service in the UK is effectively rejecting Google and Apple's model and they want to go for a centralized model.


GRAHAM CLULEY. So what have they got against what Apple and Google are proposing? What's, what's their issue?


CAROLE THERIAULT. Get on your soapbox, Rik, go for it.


RIK FERGUSON. So the basic point that the NHS are making, and I suppose this is something where a medical health professional would be far more qualified to have an empirical point of view, is that they will get a much greater view of how COVID-19 is spreading in the community if they have access to all of the data which is otherwise dispersed and decentralized and stored on individual devices. So if the NHS argues, if all of that decentralized data is centralized in a database that they have access to, then they can draw much greater conclusions about how the disease is spreading. But of course, it raises much greater privacy concerns. Exactly.


CAROLE THERIAULT. And you have one big centralized location, which, you know, I'm sure is going to be really, really anonymized and encrypted and looked after. But a lot of people are gonna have access to that data. So who is gonna have access? Which third parties? How will that be managed?


RIK FERGUSON. And there's a question of who now and who in the future. You know, that's— Right. Once you've given up data, it's not just about how do we use it today? How do you know that that data has been effectively secured, as you mentioned, but then how do you know that that data is being effectively aged out and effectively deleted and that it's not being repurposed and reused for something that you didn't consent to in the first place? These are all kind of the reasons why GDPR was born.


GRAHAM CLULEY. So we've talked a little bit about these tracing apps in the past and the different ways in which they could work. And one of my concerns is if all this data is being stored centrally, of course, is that going to affect take-up as to how many people want to actually install this app and are prepared to run it, or will people leave their smartphones at home? Now, we're obviously a security podcast, so we probably have a lot of— Not that obviously, actually. Well, we probably have a higher proportion of privacy-conscious listeners than the typical show. Absolutely. And so we probably have an audience which would be more reluctant to run an app which did something like this. But in this current crisis, I think even they, there would be a, probably a larger proportion who would be prepared to do it than—


RIK FERGUSON. Yeah, and in the age of conspiracy theories as well, you know, it doesn't take much for it to spread over whichever social network and put everybody off. To my mind, there are two key things that speak very strongly for allowing those operating system manufacturers and device manufacturers in some cases to play a leading role, at least in this. One of them is making the best use of the hardware, because it's gonna be on all the time broadcasting and transmitting and receiving all the time over Bluetooth. So you want something which isn't gonna suck up your battery life and kill your device super quickly. One, if your device is dead, the app's not going to work anyway. Two, if you find out that after installing that app, your battery runs down really quickly, you're going to remove the app, defeating the object. So the manufacturers will have a much better handle on power management. And in some cases, they have privileged access that the non-manufacturer app developers won't have. And the other one, yeah, is absolutely about product adoption. If you can't allay people's privacy concerns, then you're not going to get that critical mass of people that you need installing the app, rendering it useless.


CAROLE THERIAULT. But yeah, but like we talked about last week, Colombia came up with a really cute workaround by giving you a free gig of data every month if you downloaded the app.


GRAHAM CLULEY. Oh, it doesn't help your battery life, does it though? But no, okay, no, I don't worry, chaps, I have solved this problem, okay? If this is being done without the sort of informed participation of Apple and Google, if the NHS are gonna go alone, what they will do is this. They will first of all tell you that you have to carry your phone with you all the time, and that your phone has to have the NHS app installed upon it, right? There'd just be a little bit of legislation, they roll it out saying that's the rule from now on. But the other thing will be that everyone has to wear a backpack full of batteries, which is going to permanently power your phone, and that way you can leave Bluetooth turned on all the time, it's not going to run out.


CAROLE THERIAULT. Better exercise, people will be fitter.


RIK FERGUSON. Yes, that's the thing I was going to say, every conspiracy theory needs, you know, a kernel of why is this conspiracy happening? What's the reason for it? And it's to tackle the obesity crisis.


GRAHAM CLULEY. And that's why the NHS are involved, you see. Carole, what's your story for us this week?


CAROLE THERIAULT. Okay, so we are heading to the land of higher education. Now don't worry, Graham. I know this is unfamiliar territory, but I gotcha.


GRAHAM CLULEY. You know that's really offensive, don't you? Is it? Yes. Why? Why is it offensive? I did get to higher education. I just didn't— it just wasn't formally called a university. What was it called? It was a polytechnic that I went to. And I went to a polytechnic. I got my Higher National Diploma. Good. And I— there you go.


CAROLE THERIAULT. I was just saying, if you were worried about, you know, being in university grounds, even digitally, I was here for you. That's all. I don't know why you're being all sensitive.


RIK FERGUSON. Do you remember when all the polytechnics changed to universities? And they all had to have new names.


GRAHAM CLULEY. Yes, and mine got renamed. I'm very annoyed about it, but it wasn't the university when I was there.


RIK FERGUSON. I was going out with a girl from Nottingham at the time, and her father was a lecturer at the traditional old Nottingham University. He was a lecturer in mining or something like mining technology, something like that. That's true. In fact, one of the things, this is my token of proof that it was true, he presented me with a mummified monkey wearing a waistcoat with a rope around its neck. Which they had found up a chimney in Nottingham.


GRAHAM CLULEY. A nice gift to receive from a prospective father-in-law.


RIK FERGUSON. Anyway, he told me the story. I don't know if it's apocryphal or not, but Nottingham Polytechnic, they had to obviously change their name when they became a university, and they had settled on the name, totally logical name, of City University of Nottingham on Trent. And they'd gone with it, and they were very happy with it, and didn't realize until they got all their stationery printed up. That's— the acronym was unfortunate, to say the least.


GRAHAM CLULEY. Childish and slightly vulgar. Carole, continue.


CAROLE THERIAULT. Yeah, well, I was going to go down the security route, as this is a security podcast, and say that a lot of these institutions have security that's not always been stellar, shall we say. So for instance, this week, Sky News reported that the University of Warwick suffered multiple data breaches. Yes. And it was hacked in 2019 when a staff member installed a remote viewing software, letting hackers gain access to student info, personal info, staff members, volunteers, the whole thing. But no one was informed because no one knew that it actually had been hacked because security was so poor on the system. They had no idea what was going on. Now they've all cleaned this up. There's someone new in charge. But this wasn't the only university-based security news this week. There's a new phishing attack which was reported by Proofpoint that has been targeting specific groups of people, including staff and students at US colleges and universities. Now, tell me, pretend you guys are phishers trying to dupe a user to click on a link and download something nasty, and you're targeting unis. How would you go about it? Graham, I'm not going to say this will be hard for you, okay?


RIK FERGUSON. But put yourself in the shoes of someone who has gone to university.


GRAHAM CLULEY. Sorry, am I targeting university students or university staff? Both, both. Well, I mean, students. Students is all free beer, isn't it? That's what you do. Oh yeah, that's good.


RIK FERGUSON. Entrance to the student union, because of coronavirus, you know, we're having to restrict entry and we're having a strict queuing system and you need to book your place in the queue to get into the union bar.


CAROLE THERIAULT. Oh, you guys would be good phishers. These guys just use sex. I mean, that's what they did. Bam! And we know maybe during these times of staying at home, there must be quite a few sex-starved students out there right now, right? They're probably climbing the walls at home with mom and dad in the other room, or— They're all gonna be on Zoom and FaceTime.


GRAHAM CLULEY. That's where it's all— I'm sure the sex is still happening, just not in the same room as the other person. Yeah, God, eh?


CAROLE THERIAULT. To have full visibility of that.


RIK FERGUSON. I'm sitting here in stunned silence. That's why there's no sound from this microphone.


CAROLE THERIAULT. So these guys got like an email, right? So the huge phishing campaign went out. Now I've sent you guys the image of the email inside the documents. You guys can take a look here. So it came just for our listeners, right? The subject is "Waiting for your reply." And then you go in and you have this in big font. It says, "Make your choice." And you have two scantily clad women, one blonde and one brunette. So, you know, they're not the same.


RIK FERGUSON. You know what it reminds me of from the birth of the commercial web? It reminds me of the website Hot or Not.


GRAHAM CLULEY. It does. It is a bit like Hot or Not, yeah.


CAROLE THERIAULT. Yes. And maybe it's using that same kind of trigger selection. It's quite clever psychologically because it doesn't say you can't choose one of these. It just says make your choice and you select.


RIK FERGUSON. Now, right. Yeah. You may have chosen not to click, which would have been the best choice.


CAROLE THERIAULT. This is the big reveal. No matter who you click on, you still get the prize of downloading the Hupigon remote access Trojan, known as a RAT. Now, this RAT's been around for at least 10 years and has loads of features and capabilities like allowing people to access the infected machines, remote access it, has rootkit functionality, so it means, you know, webcam monitoring, it can log your keystrokes, steal your passwords. So all the stuff that, you know, we don't talk about a lot anymore. We don't really talk about RATs and Trojans as much, do we? But they're still out there. Oh yeah, they are very huge.


RIK FERGUSON. You know, we tend to talk about them, and I don't know whether this is because cybersecurity companies don't do much consumer messaging anymore, or I don't see it very much anymore, but we tend to talk about them in an enterprise scenario, and they are APTs. They're Swiss Army knives in an enterprise scenario. If you can get, you know, a remote access Trojan on a system, then it gives you access to information, it gives you access to functions, it gives you access to architecture and infrastructure.


GRAHAM CLULEY. So, Carole, if— so you're saying that— but this particular campaign with the scantily clad ladies, this was targeting university students, is that right?


CAROLE THERIAULT. Yeah, no, university students and staff.


RIK FERGUSON. I mean, looking at the screenshots, I'm amazed, but I suppose you could say that about quite a lot of widespread cybercriminal campaigns rather than targeted ones. I'm amazed it was successful because you make your choice and I don't know, the assumption is maybe that you are going to download some video, get some pictures, I'm not sure what, but what you get is a download for an executable called 'X Live.' Yes. So first of all, alarm bells should start ringing, but then you look at where it's coming from, and it's coming from gogominer.com. I mean, that's alarm bells, klaxons, foghorns, and what more do you want?


CAROLE THERIAULT. Exactly. Isn't this old school?


RIK FERGUSON. You don't need those executables to have a camera rendered in a browser, right?


CAROLE THERIAULT. It makes me think that the guy who's behind this is like in his 50s. It's old-school phishing.


RIK FERGUSON. It's not me, I'm just saying.


CAROLE THERIAULT. So, so there you go. So old-school stuff like this still works. And advice, because, you know, we're gonna see, I think, a little rise in consumer phishing scams. I know there's a lot out there, but I think now that people are trapped at home and don't have the IT person around the corner, I can imagine we're gonna see a lot of scams for like "This is how you can make sure your Zoom call stays safe," right? Leading to something bad. And one of the real sweet spots here for the bad guys are the companies that have basically always had a staff on site, haven't had to worry about remote workers, may not have a huge security budget 'cause they may be just a small SMB, and they're now having to have all their workers use their own machines from home to contact the network. And they may not have the security layers in place. So, you know, companies beware.


GRAHAM CLULEY. It's nasty stuff, and people are having to be their own IT department right now, aren't they? Because the IT department isn't necessarily available to sort them out.


RIK FERGUSON. Yeah. And how many of us are doing home support for our families and friends as well?


CAROLE THERIAULT. Basically, the upshot is if you want to avoid a mountain of pain, avoid clicking on phishes. That's it. Maybe you don't have a single sign-on password manager, or maybe you do and you're not really happy with it. Well, why don't you start a free 14-day trial of LastPass Enterprise and you can manage every access point with integrated single sign-on and password management. Let me tell you about some extra features: central admin dashboard, easy user management, group management, directory integrations, federated login, more than 100 security policies, advanced reporting, multifactor authentication options, password sharing, and the list goes on. Check it out at lastpass.com/smashing. On with the show.


GRAHAM CLULEY. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Woo! Oh, impressive. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Now, my pick of the week this week is not security related, but it deals with an issue that many, many of us have, which is that someone will come into the living room and say, I really want to watch Paddington 2, or I want to watch Shark Attack 3 with John Barrowman. And you think, oh, such a good film. It is a great movie. But you think, oh my goodness, where will I find it? And where will I find it the cheapest? It's like, okay, yes, it's there on Amazon, but then I have to pay for it. Is it on iPlayer? Is it on Netflix?


CAROLE THERIAULT. Have I— You're always looking for a deal, eh?


GRAHAM CLULEY. Well, yes, I am, Carole. Exactly. So the website which will help you out with this particular conundrum is called justwatch.com. And what it means is if you don't have a clue whether a particular movie or TV show is on Amazon or Netflix or iPlayer or something you need to splash some cash on, you just type in the name of your movie and it will tell you everywhere that it is and what you will have to pay, if anything, on those particular services. And very handy it is too, because you spend a lot less time wasting around when the kids want to watch some animated nonsense. You can find it for free instead of forking out for it. It's also available as an app. It's an app for the iPhone and Android as well.


CAROLE THERIAULT. I hate to poo-poo on your parade. Oh, go ahead. I would just say, just check the privacy notice first. I'm just looking at it now and there's a few little hmm.


GRAHAM CLULEY. What's your problem? What do you mean what my problem is? What's your problem with it?


CAROLE THERIAULT. What's it said? Well, collect information from my IP address and the browser I'm using. Well, yeah, every time. The site you came from. We might also give this to third parties. Yeah, okay, okay, but you know. Collect your zip code to find out what syllables are relative to you.


GRAHAM CLULEY. I haven't told it my zip code. I haven't told it that.


CAROLE THERIAULT. I don't know why. Okay, just— I know you didn't go to university.


RIK FERGUSON. I'm sorry about the university comment. Don't have zip codes. This is a zip codeless nation.


GRAHAM CLULEY. Oh, thank you very much, Rik. Yeah, so yeah. I told the North American. Very good. Rik, what is your Pick of the Week?


RIK FERGUSON. My pick of the week is something which I didn't know was a thing, and I definitely didn't know it was a thing that I could get really cheap, particularly during this pandemic lockdown period. He says toilet paper.


CAROLE THERIAULT. We're going to have like a crazy—


RIK FERGUSON. No, do you know what? I have an Amazon subscription for toilet paper, and it arrived about a week before lockdown, and we're like, we have like a house full of toilet paper. We get it like once every two months, this massive box of it. So that's my— that's a top tip for the future. Subscribe for those things that you don't want bulking up your boot when you go shopping.


GRAHAM CLULEY. And if you want Rik's home address, just email us at .


RIK FERGUSON. It's gold leaf. My pick of the week actually is something which in the UK is called Fire for Kids Unlimited. In the US, I think it's called Kindle Unlimited for Kids. I'm an Amazon Prime member anyway. Like many, many people, and I discovered that for 99 pence I could get Fire for Kids Unlimited for 3 months, which means that my kids on their Paperwhites can access tens of thousands of books. So there's no reason for them to come to me and say, I'm bored, I have nothing to do, there's nothing new for me to do, I can't go to the bookshop, I can't— you know, you have tens of thousands of books, go read and leave me alone. I have a podcast to do with Graham and Carole, and I spent 99p on it.


CAROLE THERIAULT. You guys, you're like deal finders.


RIK FERGUSON. It was— it's just such a great deal. And if they use it, we'll carry on with it. But 99p for 3 months is perfect for this period. I think the deal is still out there.


CAROLE THERIAULT. Do they have to create book reports for you?


RIK FERGUSON. Yes, they have to do PowerPoint presentations.


GRAHAM CLULEY. Come back, kids, when you've read all of the books.


RIK FERGUSON. We may be allowed to go outside by then.


GRAHAM CLULEY. Carole, what's your Pick of the Week?


CAROLE THERIAULT. Oh, well, mine is free. There's no money. Okay. Do you know Jeopardy!, the TV show that is very popular in the American— What is Jeopardy!? Jeopardy! is like a game show. Do you know what that is? Oh, that was a joke. Oh, really? Oh, sorry, I didn't even get it. Oh my God, I'm so bad. Jesus Christ. I was just trying— 'Cause Graham had no idea. Graham, I just spoke to him before the show. He had no idea. So I just assumed. I had heard of Jeopardy!.


GRAHAM CLULEY. I just didn't know quite how it worked. But okay.


CAROLE THERIAULT. Yeah, but if I said to you, Alex Trebek, what would you say?


GRAHAM CLULEY. I don't know. Is he—


RIK FERGUSON. I think he could be an actor. I wouldn't even know what words you had just put together there. That just sounded like a sound.


GRAHAM CLULEY. Sounded like something Quebec. Trebek. He is like our Nicholas Parsons.


CAROLE THERIAULT. Okay? I was in a band called the Rockin' Thunders at university.


RIK FERGUSON. Oh. We were a joke band and we had a song, we wrote a song which should have been a hit, which was called A Night Out with Nicholas Parsons. The whole premise of the song revolved around a contest that had been set by Sarson's Vinegar to think of a slogan and the winner would get a night out with Nicholas Parsons.


CAROLE THERIAULT. Do you have a recording of that, Rik?


RIK FERGUSON. I think there is one in existence.


CAROLE THERIAULT. We could put it in the— we could put it at the end of the show, sign us and sing us out.


RIK FERGUSON. Well, the chorus is just the word shit repeated 5 times.


CAROLE THERIAULT. Maybe we'll leave it to everyone's imagination. Anyway, Alex Trebek has been the host of Jeopardy! since 1984. Yes. He's now— Mr. Trebek is sick and he's recently announced that he has survived one year of cancer. Right. And I was reading about this and he's one of those people you just love. You just— he's just one of those good people. I found this guy who is obviously a Jeopardy! fan. And if you click on the link in the show notes, he has created an entire website of every question that's ever been asked on Jeopardy! since 1984.


GRAHAM CLULEY. Oh, the J Archive. Yes. So— Oh, Carole doesn't use HTTPS. I know it doesn't use HTTPS. You complained about Just Watch's privacy policy. Oh my word.


CAROLE THERIAULT. I know, but you don't have to enter any information here, Mr. Graham. Just for those who don't know, the way the game show works is I put the answer in the form of a question and you give me the question in the form of an answer.


GRAHAM CLULEY. Okay, my brain has just warped. Okay, carry on.


CAROLE THERIAULT. Okay, it's not hard. So, I'm gonna ask you guys a few questions, okay? Okay. In the category for Drinks for $200, this children's cocktail is ginger ale and grenadine garnished with a maraschino cherry.


RIK FERGUSON. What is a gateway drink?


CAROLE THERIAULT. Yes, but that's not the right answer, Graham. And it starts with the letter F— S, that helps.


GRAHAM CLULEY. Well, I don't know the names of any drinks. What is a Shirley Temple? Correct! Oh, very clever, very clever.


CAROLE THERIAULT. For the category of Visual Alliteration for 400, answer: This cheery literary feline left his smile behind when the rest of him disappeared. Who is the Cheshire Cat?


GRAHAM CLULEY. Correct! I knew that, but I thought I had to buzz. Okay.


CAROLE THERIAULT. Okay. Now you guys have to really pay attention because you're both musos on this one. In the Dylan category for $800, take a load off and tell us the name of this group, formerly the Hawks, who backed Dylan starting in 1965.


RIK FERGUSON. Who are the Bucks? Correct! We have to buzz.


CAROLE THERIAULT. There you go. See, fun game. So if you click on the link, they give you the entire game grid that you get on the game show and you could actually play with friends, read out the questions, do it for fake money or for real money, have some fun.


GRAHAM CLULEY. Right, Graham? This is j-archive.com. I think this would give me a heart attack, Carole. That was quite a lot of pressure.


RIK FERGUSON. That was high stakes stuff. Yeah, really?


CAROLE THERIAULT. Yeah, my buzzer was broken. I was going to say you need to get out more, but yeah.


RIK FERGUSON. Yeah, don't we all?


GRAHAM CLULEY. On that topical gag, we've just about wrapped it up for this week. Rik, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that and find out what you're up to?


RIK FERGUSON. The best way is Twitter. I'm too old for Instagram and I'm too old for Snapchat. So it's Rik_Ferguson at Twitter.


GRAHAM CLULEY. No TikTok account?


RIK FERGUSON. No. My other half is addicted though. So I hear it a lot. I just don't see it much.


GRAHAM CLULEY. And you can follow us on Twitter at Smashing Security. No G. Twitter won't allow us to have a G. And you can also join the Smashing Security Reddit community. Just look for Smashing Security subreddit up there.


CAROLE THERIAULT. And as always, thank you, beautiful people. You are keeping Smashing Security alive by listening to us every week, literally. And for those of you that have kept supporting us via Patreon through all this, you're in for a pretty sweet treat very soon. Also, a huge, huge thank you to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye. Stay safe. See ya.


CAROLE THERIAULT. Wouldn't want to be ya. Yeah, I would. I would.


RIK FERGUSON. Yeah.


GRAHAM CLULEY. Now, Carole, you keep on saying our listeners are literally keeping us alive each week. Yes. And you emphasize literally. Yes. That's because she's American. Yeah, it's a habit my son seems to have got into, is everything is literally.


CAROLE THERIAULT. So he just calls me American and Graham doesn't even notice. Doesn't even notice.

-- TRANSCRIPT ENDS --