
003: Alexa! Get me an axe!

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Unknown

Smashing Security, Episode 003: Alexa, Get Me an Axe, with Carole Theriault, Vanja Švajcer, and Graham Cluley. And we're live. Here we are, Episode 3, Smashing Security, 12th of January 2017. I'm joined by my good buddies Vanja Švajcer and Carole Theriault. Hi guys, how are you doing? Hi, Graham. Good. Can I just... that's a pretty good intro, Graham.

Graham Cluley

You liked that one, did you?

Carole Theriault

Liked.

Graham Cluley

Not gonna get the usual barrage of abuse at this point.

Carole Theriault

Oh, you poor sausage.

Graham Cluley

Oh, talking of poor sausages, you know, I don't even know if we should talk about this because it is everywhere, right? The big computer security story of the week and it's changing by the hour. He's of course, he's actually a friend of the show, friend of the podcast, Donald Trump. Can't come on today, unfortunately, he's a little bit busy. But he has been talking yet again about hacking. And as I'm sure you guys have seen, there've been a lot of developments over the last few weeks, and in particular in the last few days with the secret dossier being released, allegedly compiled by an ex-MI6 operative, who collected intelligence on Trump and his dealings with Russia and his team and all kinds of allegations there, some of which a little bit salacious and seedy, I have to say.

Graham Cluley

It's really a get-the-popcorn moment, isn't it? Sit down and just watch it. It is insane. But you know, Carole, I don't like my popcorn soggy. I like it crisp. And I would worry... Yeah, I mean, obviously everyone's thinking about that bit of the report, but I think there are other concerns there as well.

Vanja Švajcer

But yeah, maybe the important, the best parts of the report are the ones that are actually talking about how Russian intelligence agencies are using and recruiting people to write malware, and what kind of attacks, and how they target different layers of organisations, which wasn't highlighted in the reporting. But that was kind of interesting.

Graham Cluley

Right.

Vanja Švajcer

And there are some other interesting claims in there. For instance, there is a claim that maybe Telegram, which is a very popular secure messaging app, may have been compromised by Russian intelligence. Telegram's long been in a battle with Moscow, and if it has been compromised... of course they've denied it. But all of these claims are, frankly, we have no idea whether they are true or not. And what interests me is that these claims have apparently been circulating amongst the media and people... oh, Carole, do you want to get that? These claims have been circulating amongst high-profile politicians and amongst intelligence agencies and the media for a while, but the media have chosen not to publish it, you know, until now. And then of course CNN wrote that story following the Mother Jones report from last October, and then BuzzFeed took... oh, we're just going to post up the entire... And that has enraged some people, none less than the president-elect, of course.

Vanja Švajcer

Well, it's difficult because those reports can't be verified, really. I mean, I read the report, the full dossier, and it's reasonably well written. But then on the US side, on whatever opponent side, there may be people who are skilled, and they can write a report like that. It sounds pretty plausible.

Graham Cluley

Yeah.

Carole Theriault

Look, I hate to sound like a conspiracy theorist, but this is just so much coming out and so much— it's just so juicy. Everything just seems like a smokescreen for something. I don't know what. I don't know if I'm paranoid. Maybe I'm paranoid.

Graham Cluley

I know we work in computer security. We're kind of paid to be paranoid, aren't we? And to be skeptical. And I think there is always the concern whenever these sort of big stories grab the media's attention, whether in fact it's happening in order to divert us from something more important. I don't like to be a conspiracy theorist either. I guess we just have to wait and see, because if even a tiny proportion of these allegations are true or have some merit, then that's something which surely the US intelligence services will be investigating as a matter with real priority, because they'll want to get to the bottom of it and make sure that the incoming government isn't compromised in some fashion.

Vanja Švajcer

Yeah, I'm fairly sure they are investigating it right now because it's going to be serious if it proves to be.

Carole Theriault

Yeah. Yeah, but it's great, it's great that you're going to be president in, what, 10 days? And you're fighting with your intelligence community, you're fighting with the Russians, and you're fighting with the press. And so yeah, it's crazy times.

Graham Cluley

Well, he's a boxing ring kind of guy, isn't he? You know, I think that's the way he operates. He'd probably get a little bit bored if fists weren't swinging in one direction or another. But anyway, no doubt we will come back to this story and other stories like it, about the intelligence services and Mr. Trump as well. But today, tell you what, let's go back to our regular schedule. Let's look at some of the stories which have caught our attention this week. And I wanted to start with one which has all to do with MongoDB databases. Tens of thousands of them have been wiped. So attackers are finding these databases which are connected to the internet with no passwords, no attempt to authenticate who's going to access them. So they're open to the world. Hackers are able to gain access and they're wiping the databases and they're replacing the databases with messages saying, you've got to pay us so many bitcoins in order to get your data back. So there's a demand for the safe return, and tools like Shodan, which is the search engine which finds things connected to the internet rather than your traditional search engine, make it so easy to find vulnerable servers like this, which anyone can really walk into.

Vanja Švajcer

And it's super easy because it used to be much easier with Google. You know, there were some Google search terms, they call them Google dorks, where you can actually enter to find all the vulnerable servers in a particular category. You can use Shodan for exactly the same purposes. And obviously there's a configuration issue when you install MongoDB by default, where that allows you some other remote access and editing of the data, which is pretty serious.

Graham Cluley

So I guess this is my beef: yes, obviously sysadmins who've installed this thing and left it wide open, you know, they have some blame in this, but surely MongoDB, Mongo, they need to fix this as well. It is too easy to install this software and leave it wide open to attack. And now they're the ones who are dealing with this PR problem and damage to their brand.

Vanja Švajcer

I think what's interesting here as well is that now for the first time, maybe we are seeing this new, let's say ransomware-like model where actually there's no software that's installed on any of the victims' computers, but rather the victims are ISPs and the data that's being provided by them. So I think that may be a trend we'll start seeing maybe even more as the desktop or traditional kind of desktop defenses against ransomware will improve over time. And indeed, they have been improved over a couple of years.

Carole Theriault

You know, from the cybercriminal point of view, it's quite an efficient model if the end goal is to get cash, right? Rather than hitting one, you know, a particular client, a targeted attack. So, yeah.

Graham Cluley

Well, it is in some ways. The interesting thing is that we're now seeing reports which say that virtually none of the victims who've paid the ransom have got their data back. And the reason is that once your Mongo database has been compromised, once it's been wiped, and because it's wide open, what's happening is other hackers are now coming in, going to the same database and replacing the ransom message with one of their own, saying you have to give money to a different bitcoin address. And it's like...

Carole Theriault

awful.

Graham Cluley

So these guys haven't actually got the backup. I think there's a potential service here. It might be a bit illegal. Maybe there's a service someone could offer where they say, you know what, I'm seeing all these insecure Mongo databases. Maybe what I should do is not go in and wipe their data. I'll back it up for them. And when inevitably they get hacked, I'll say, oh, don't worry, I backed that up for you already.

Carole Theriault

Yeah, but then you're going to hold them to ransom to get the money? Are you planning to get payment to release the data you backed up for them?

Graham Cluley

Look, look, look.

Vanja Švajcer

You act as an internet vigilante that made this action before the bad things happen and you go, ta-da! And there you are, the backup for you.

Graham Cluley

Yeah, it could possibly go wrong. It's a bit like a car though, right? You want security settings in your car, airbags and seatbelts, to make sure that if you make a mistake, it will safeguard you. But at the same time, if you're not driving very well...

Vanja Švajcer

You have the same problem with backups as with cars. You don't really want to test them, you know. The thing is that actually backups are easier to test.

Carole Theriault

Yeah. And even if you do have backups and you've done everything right in...

Graham Cluley

Yeah. And the problem is, I suspect that the common victims who are suffering from this particular attack are hospitals, small businesses, educational establishments who probably don't have huge IT resources. That's why they're using this software.

Carole Theriault

...this situation, it still sucks to go try and reload from backups.

Graham Cluley

That's why it's not configured properly in the first place. They quite possibly aren't doing efficient backups either. And, you know, they're just installing it.

Carole Theriault

This is just not a situation you wish on anyone.

Graham Cluley

And so they may not be seeing the alerts. What we should do is in the show notes, we should link to the advice Mongo have distributed about how to set up your database more securely. But it is the very worst people who are getting hit by this, the ones who are least able to cope with it, I suspect.

Vanja Švajcer

The truth is that many developers are using MongoDB because it provides some distinct advantages. It's also been the buzz of the last couple of years. Maybe when they do it in development mode, then they don't have to secure it as much. But once they actually move it from development to production, then they need to be aware that they actually have to include that kind of security, secure the database management system.

Graham Cluley

Anyway, I expect we're going to carry on seeing vulnerable Mongo databases for some time to go, and this is going to be a regular battlefield for the hackers to exploit. What else is going on, Carole? What else have you got for us?

Carole Theriault

Well, so I saw this story in the Daily Beast originally, and it's quite unusual, and I thought quite interesting really. So this is about ex-members of Microsoft's online safety team suing Microsoft for neglect. Now they both have been diagnosed... There are two guys, so I have their names, I'll get them in a second. So these two guys have both been diagnosed with post-traumatic stress disorder, so PTSD, because their jobs involved looking at all kinds of horrible images day in, day out. So we're talking, you know, child abuse, we're talking violent porn, we're talking murders, we're talking lots of gruesome, horrible things. And we all know that some things exist in the corners of the internet where we dare not go. These people basically had to look at this stuff all the time. So it just got me thinking, because Vanja, obviously, you used to work in the lab. So what's that like, looking at, you know, having to look at these awful images? I mean, this is the first time I've ever heard of a desk job leading to PTSD. And maybe it's happened before.

Vanja Švajcer

Well, I remember that we had to sign an addendum to our contract that would say, well, what you're going to see may be pretty gruesome in some cases. Yeah, I mean, we did this when we would receive a number of emails and we would look at the URLs, the ones that were not automatically classified as spam.

Carole Theriault

Right.

Vanja Švajcer

And occasionally you would see really pretty horrible things. And I can imagine the guys from the online safety team in Microsoft would have that multiplied, the kind of intensity they were seeing. So it is pretty tough. It's a tough work environment. And you probably do—

Carole Theriault

So you didn't get training, you didn't get any real training beforehand, before you did this? Because I imagined, you know, because it all grew and we needed people to do that, we never really thought about the impact of looking at these images all the time.

Vanja Švajcer

I think first we started looking at that. And then I guess there was, you know, we realised the need when some people started to complain that we have to acknowledge that, you know, we agree that as a part of our job, we will have to see some of that really awful stuff.

Carole Theriault

Because, yeah, I don't know, I would have assumed training would be something you'd really want to get someone prepared to see all this stuff. I wouldn't want to do it. And according to these two guys— sorry, Graham, go ahead.

Graham Cluley

I was just going to say, how prepared can you ever be? Really?

Carole Theriault

I mean, okay, but if you're going to be a cop, for example, right, if you choose to be a cop, you know that you're going to get yourself in altercations with people that may be violent. You're aware of that. And according to these guys, so it's Henry Soto and Greg Blauert, I don't know how to say his last name. According to these two, yeah, they didn't ask for these jobs, right? They kind of found themselves in these roles. It wasn't roles that they had mentally prepared for and, you know, wanted to do.

Vanja Švajcer

And what usually happens is, you know, the people from maybe technical support, because they know how to deal with those requests, they know how to handle requests, maybe they're moved to, let's say, promoted to a better role, and they think, oh, how cool, this is an online safety division, while in fact, this is a pretty tough job.

Graham Cluley

Well, it is a tough job because, I mean, you know, many of us have experienced horrible jobs and we don't like to take the work home with us, right? But there is something in imagery and so forth which may haunt you for months, if not years, potentially some of the things which you could see. And I would imagine as it accumulates over the years and the more things which you get to see, it begins to have an impact. So maybe companies like Microsoft need to make sure that they are doing enough to protect their workforce.

Vanja Švajcer

How do you address this issue? You have to kind of rotate people? When's the point when you say, well, now this is a kind of a critical point where you actually have to start thinking about allowing these guys to stop working in this position?

Carole Theriault

Yeah, but you know what, two things on that. This is not a job that many people, I think, could do for any long term. So if you've got people that are complaining or expressing difficulty doing this job, I think a company needs to take it seriously. This is pretty, you know, this is pretty heavy stuff. And it's going to be interesting to see what happens because obviously Microsoft are saying that they did have support for them. So there are arguments on whether that support extended far enough or really dealt with the issues that they were facing. But I think what I really wanted to say is, for all those people out there who actually do this, who look at these images every day to try and make the internet a bit safer and to try to get it out so that I don't have to look at it: I just want to say high five. It's got to be a hard job.

Vanja Švajcer

Well done to everybody at the online safety and all the online safety teams of all the companies.

Carole Theriault

Right, exactly. It's a hard job. I remember people in my old jobs having a lot of trouble doing this, and, you know, I'm not surprised that people are suffering from it.

Graham Cluley

I'm just not sure if computers and technology are ever going to get smart enough to do that reliably for us, or whether we're always going to require some sort of human element.

Vanja Švajcer

A lot of it is automated and they only see those exceptions, the ones which, you know, they are unable to classify immediately, but still, there's gonna be a number of those every day.

Carole Theriault

You must remember though, in the early days I used to kind of have accidental... I don't know, maybe I typed a URL in wrong, but I would get some pretty incredible things that I would see that would just pop up on my screen. You know, maybe it was popups. You know, it seems a lot safer now, but maybe it's because we have so many layers of security on my system.

Graham Cluley

I remember you used to say it was accidental, certainly. Yeah. Oh my.

Carole Theriault

Well, your turn, Vanja.

Graham Cluley

Thanks for that depressing story, Phil.

Vanja Švajcer

So we have a little bit more of a, I guess, lighter subject to finish with. And it's all around, again, privacy of the Internet of Things. There was news that a little girl in San Diego managed to order a dollhouse using her Amazon Echo device, and when the TV covered this story, many other Amazon Echo devices at least attempted to order the same dollhouse because they listened to the girl saying, Alexa, can I play dollhouse with you? And can you get me one, please?

Graham Cluley

Don't say it, Vanja! You just said it, for goodness' sake! You mentioned Voldemort's name!

Vanja Švajcer

Sorry, Graham, I know.

Graham Cluley

Yeah, but not just me. It's also the tens of people who are listening to this as well. You know, they potentially could have one too. You know what I think? I think it's... what if your partner's name is actually Alexa? What do you mean?

Carole Theriault

One of my good friends is named Alexa. I should ask her. Yeah, I should get her a device and see how horrible that goes.

Vanja Švajcer

No, I think you are able to change the name of that.

Carole Theriault

I'd never thought about that before.

Vanja Švajcer

So obviously one of the issues here is the fact that those devices, IoT devices, things like Siri and Amazon Alexa and Google Home and whatever, Cortana, are listening on the microphone all the time for those activation words. And from then on, they send the request in a protected way encrypted to Amazon servers in this case where it's processed and then the response comes back.

Graham Cluley

It is kind of creepy how many devices now are listening to us all the time. You know, we have effectively put bugs into our own home, haven't we?

Vanja Švajcer

Yes. Well, except that data when they're listening to those activation words, at least allegedly, that's not uploaded at any time.

Carole Theriault

Yeah, yeah, yeah.

Graham Cluley

I get that, Vanja, but just wait until those devices are hacked. Okay, they have the hardware, they have the technology to listen all the time. And yeah, I'm sure that they're recognizing it locally, yadda, yadda, yadda, you know, so that's kind of less scary. And they're only sending the message if you really want the message to be sent. But at some point, some smart cookie is going to work out how to hack these things so actually they can listen to you all the time, or someone's going to produce a cheap knockoff, one of these in China, which doesn't have proper security built into it, which does get compromised.

Vanja Švajcer

Interesting, because there was another story this week as well, that the police are actually investigating some of the data, or trying to get Amazon to supply the data, from a murder case that may or may not show some of the activities. So what they're actually hoping, I guess, to hear is if anybody's used Alexa, because then Alexa is recording what happens in the background, not just the person who wants to give an order, but all the other sounds.

Graham Cluley

Alexa, can you please buy me an axe and get it here really quickly? What exactly is going on with these murder victims? What are they doing?

Carole Theriault

There are four microphones on this, or at least three, right? What are they offering? Do you know? Okay, I'm obviously...

Vanja Švajcer

I don't know, but there was another. Maybe you can say, Alexa, somebody's killing me.

Graham Cluley

Killing me softly with... oh, hang on, copyright.

Vanja Švajcer

Yep.

Carole Theriault

Okay, okay, I know I'm showing, you know, my age is going to be displayed by this comment, but don't you guys miss those 1970s stereo systems, those buttons?

Graham Cluley

Carole, you are such a hipster. Really, seriously. There you are, you just want everything to be analog.

Carole Theriault

So you know, when you had a tape deck, you had that really strong... don't you wish you had that for video and microphones?

Graham Cluley

Although actually, I kind of agree with you. I kind of miss that as well. And it was a bit of an analog experience trying to get this Google Hangout to work today, I have to say, because we had to press so many buttons to try and activate it.

Carole Theriault

I know it's all slick and cool, I get it, you know, it's all slick, there are little lights, there are tiny little buttons, but I kind of want this big power button where I can go, "Turn...

Graham Cluley

It was a bit like pressing play and record at the same time, go ka-chunk on it. But so if you do have an Alexa, what are they called, Echo device, an Amazon Echo, if you have some device which is running Alexa, the thing is that purchases are enabled by default, voice purchasing. So you may want to turn that off, or you may want to have your own...

Carole Theriault

off," you know, and power it all off.

Vanja Švajcer

You always had to press pause and record, maybe even play at the same time. So two to three buttons, and I hated it because I had to record some radio songs. Obviously you record from the radio, what else? Where else do you get your music?

Carole Theriault

I know, but—

Vanja Švajcer

Sometimes I would just miss it.

Carole Theriault

Oh no, change her name to a secret name. It's almost a fairy tale that none of the kids or anyone knows. Only you know. So only you can do the purchases. It could be something like Rapunzel or something.

Vanja Švajcer

Or you can do what Amazon is suggesting, which is to set up a PIN on purchases.

Carole Theriault

Yes, that's probably better.

Graham Cluley

No, well, easy, because what will happen is they'll be saying on the TV or in the podcasts, and excuse me for saying this... Yeah, exactly. Alexa, 1234. You know, everyone's going to have the same bloody password, aren't they? What a pain. OK, well, look, that cheered us up anyway. So we're now on episode 3 and we've had some feedback on the last episode as well. Thanks to everyone who gives us the feedback. We really appreciate it.

Carole Theriault

Yeah, we do.

Graham Cluley

It's terrific getting the likes and the comments as well. People are posting up on YouTube and on Twitter.

Carole Theriault

Yeah, see, Graham loves all the likes, but if you guys have feedback, you know, that's what we want. We want to make this as good as we can with some effort, but not... we want to keep it as real and natural as we can. Not too much effort.

Graham Cluley

Well, we did get some feedback today, well, not today, we did get some feedback on the last episode from John Crowther, and he said, "I love your episodes." Good man, John. "The three of you have a nice dynamic." Not when we're in person with each other. "And I could get used to making a habit of watching, listening." Oh, don't push yourself, John. "Although you're all gorgeous people, it's fun to watch your expressions. I think I'll probably listen to a podcast in future." And he says 20 minutes is a good target. Well, we are certainly thinking, we're definitely going to produce a podcast version of this, and we will let you know as soon as it is available for those people who don't want to look at our ugly mugs.

Carole Theriault

I'm with John 100%. I love...

Vanja Švajcer

Absolutely. I love driving and listening to podcasts. Yeah.

Graham Cluley

Yeah, podcasts are great, aren't they? So anyway, thank you, John, for that feedback. And who else have we got here? Angelina Contini said, oh, Vanja, you should read this one out.

Vanja Švajcer

I vote Vanja's story. This is really fun. Keep it up, guys. Well, thank you, Angelina, for voting for my story. I don't even remember what the story was.

Graham Cluley

No, I'm not sure. It was about the Ukrainian howitzers. That's right. In fact, Angelina was the only person who bothered to vote after we said, "Why don't we get the audience to vote on who had the least tedious story?" So thank you, Angelina. Angelina's all right with me. I know that she is a chess-loving, ballet-dancing security geek. What a fantastic combination that is. And we also have someone who has a crazy name. Kirill, maybe you can tackle this. Final bit of feedback we'll cover here.

Carole Theriault

Is it? I'm worried it's going to say something.

Graham Cluley

I dare say it.

Carole Theriault

Okay, because you've typed this in, so this could be it. Okay, so... you can new canny tech. Yeah, so he says, actually, Vanja, for you: howitzers are not cannons, as they have rifled barrels. Cannons are smooth.

Vanja Švajcer

Yeah, that's a great comment, and both Graham and I replied on YouTube.

Carole Theriault

Super.

Vanja Švajcer

Yeah, really cool comment.

Graham Cluley

Well, you know what? On that note, fantastic. If you want to catch up on the latest howitzer-related nerdery, go and listen to the previous podcast. But maybe you want to find out more about security. Make sure you tune in next time when we'll be discussing the latest computer security stories. That just about wraps it up for us this time. Thanks for tuning in. If you liked the show, please tell your friends, maybe follow us on Twitter. We are @SmashinSecurity, because the way Twitter works, we couldn't get the G on the end of Smashing. So it's Smashin Security, and you can find us there, and you can let us know what you think and give us feedback on the sort of things that you think we can talk about. But until then, on behalf of the guys, I think we should all say cheerio.

Carole Theriault

I thought he'd never shut up.

Graham Cluley

Bye.

Carole Theriault

Bye.

EPISODE DESCRIPTION:

Donald Trump and that secret dossier, MongoDB databases under attack, Microsoft employees suffering from PTSD and Alexa buying doll houses.

Computer security veterans Graham Cluley, Vanja Svajcer and Carole Theriault chit-chat about the world of online privacy and security.

Recorded live: Thursday 12 January, 2017

Watch the video version of this podcast at https://www.youtube.com/watch?v=BwpXbrEtgNg.

SHOW NOTES

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: Vanja Švajcer.
