And the last one, which is questionable for a name for a perfume, they've called it Phish.

With a PH, presumably.

Yes, with a PH. Catch your deepest love. Who's gonna wear Phish?

Smashing Security, Episode 12: Ode to Eugene Kaspersky, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to episode 12 of Smashing Security. As usual, I'm joined by my buddy Carole Theriault. Hello, Carole, how are you doing?

I'm very well, thank you. How are you?

I'm gorgeous.

And where are you?

Oh, well, I'm somewhere a little bit unusual. Maybe it sounds a little bit different as well. I am in a country I've never been to before, the country of Kuwait. Oh, can you believe where I'm talking? I've just given a talk about attacks on industrial control systems.

Yeah, well, I know that you're very much an expert on that.

Oi, careful, they won't hire me again. I'll tell you what's interesting though is I've arrived in Kuwait during a sandstorm. It's my very first sandstorm and it's such a bizarre experience looking up in the sky and it's yellow rather than blue.

And we're having an Assange storm as well.

Oh, is that a pun you've just tried?

It's a good one, right? It's morning here, so I'm, you know, I'm full of pep.

Oh, it's morning where you are, but it's late night where our special guest is. We are joined all the way from Christchurch, New Zealand by Nick Fitzgerald, computer security expert. Hello, Nick.

Hi, guys.

Hi.

Oh, Nick, how are you? Carole, I'm good. It's a great pleasure to hear your voice again. I'm going to like this podcast.

Now, Nick is a veteran of the computer security industry and has held jobs at computer security firms and used to be editor of Virus Bulletin magazine back in the day. I think that's where I probably first met you, Nick.

Yeah, that's where I met you.

Oh, actually, actually, the very first interaction you had with me, you sent me a pair of socks.

Wow, Graham.

Well, you see, rolling out the red carpet. Was that in my Dr. Solomon's days?

Yeah. And that was when I was still in Christchurch.

I should explain. So Alan Solomon, who ran Dr. Solomon's, the marketing team got together with him and said, we need some giveaways, we need some t-shirts, we need some— and Alan said, why don't we give away socks instead? Because his view was that people wouldn't wear t-shirts to the office, but everyone needs a nice pair of socks.

Hey, Graham, this is supposed to be about Nick, this bit. Just FYI. All right, so Nick, sorry, sometimes we just have to. So Nick, well, thank you very much for joining us on the show. Can you tell us if you've heard it before?

Oh yeah, I've listened to, I've listened to several of the podcasts and the videos before them.

Yes, yes, glutton for punishment. You know how that, you know how this works, guys. We are all choosing a story for the week, something which has caught our attention, happening in the computer security news, and we will give us our views on it. So the thing which caught my attention was some interesting blog post posted by the guys at Check Point who discovered that two companies, two separate companies, a large telecoms company and a multinational technology company— they weren't any more specific than that— they discovered that those companies had in their possession 36 infected, malware-infected Android devices. Now you're probably thinking, big deal, you know, Android phones do get infected with malware, certainly much more than iOS devices. But what's unusual about these particular cases was the malware wasn't downloaded onto those devices as a result of the users doing something. No, the malware arrived on those Android devices when those devices actually arrived at the company. So they were pre-installed with the malware. Now, interestingly, the malware— Yes, Carole.

Sorry, by whom? So sorry, keep going. I was getting excited in the story here.

Oh, steady on. Well, exactly. Well, so who did it? Now, what we have seen in the past sometimes is there have been Android phone vendors who've actually sold malware-infected phones. I remember there was a Chinese— as if there's anything which isn't a Chinese Android developer— but anyway, there was a Chinese smartphone on for sale up on Amazon. I'll put a link in the show notes, which came pre-installed with malware. But in these particular cases, it looks like the ROMs themselves. The official ROM supplied by the vendor, that wasn't infected. No, someone somewhere along the supply chain added the malware. In some cases, they added it to the device's ROM using system privileges, meaning that it's really hard for a user to actually remove it. And so you'd have to reflash the device.

Shut the front door, this happened.

Is that a Canadian expression? Like, give me a solid or whatever it was you used last week.

Graham, I'll introduce you to Urban Dictionary. So, so you're saying to me that someone along the supply chain infected these phones before they were delivered to a company?

Yes.

And the company basically takes them out of the box, hands them over to the users?

Yep. Pretty spooky, isn't it? And this sort of thing has happened before. So, for instance, it's happened with networking gear. One of the revelations by the Snowden leaks a few years ago was that things like Cisco and Juniper gear were being tampered with en route to companies. And malware was being installed in these devices. You've got to be really careful about what comes through your front door because it might have been tampered with at the vendor, it might have been tampered with en route to you as well.

So they were buying these devices new, it's not that they were in the presumably considerably more risky secondhand market?

Oh yeah, Nick, Nick, Nick, they weren't getting them off eBay, right? These are big companies, right? I don't know what you do, these are big companies, right? So yes, they're buying these devices brand new and Check Point discovered they were hit by malware and it wasn't something which the users put on.

Well, I've worked for some big companies that would buy them secondhand to save money.

Hey, look, I can't help it, Nick, if the only people who employ you are cheapskates. You know, that's not my fault, right? The thing is, right, I don't know whether these particular companies were being specifically targeted. All Check Point have said, they haven't named the companies who've suffered from this.

Right, so it's more than

Right, so it appears to be a large telecoms company and a multinational technology company. That's all that Check Point have said. Oh, right.

Okay, and to your point, Graham, that we've seen this before with other Android devices and networking gear, and as you referred to the Snowden— some of the Snowden revelations— I seem

one. It wasn't just sent

to remember Ross Anderson talking about some ATM machines being intercepted en route from the manufacturer to the final installation in the bank, and basically Trojanized hardware.

to one particular company.

You know, I can't remember the details. I think in this case they added a card into the machine that intercepted some of the network traffic.

Wow. I mean, astonishing, isn't it? Because you just— I mean, it's all very well thinking about consumer items and how they may have been meddled with, but something as big as an ATM machine, I mean, it's audacious on the part of the computer criminals, isn't it, that they would tamper with something like that before it gets delivered? Because of course you just get this great big box, presuming you get a great big crate containing an ATM machine, you put into the hole in the wall and plug it in and off you go.

It's got a different risk-reward element to it. I think what's attractive about it is the big payoff if they manage to do it.

Yeah.

Obviously, there's huge risk involved as well. You know, getting caught ain't going to be fun.

So in this particular case, Check Point have said, well, we're not sure whether these companies were being targeted because they looked at some of the different types of malware. And there was also adware and some information-stealing trojans on here as well. One of the pieces of malware was a piece of ransomware, and you do have to think, well, hang on a moment. If you were targeting specific companies, would you really put ransomware on? I'm not sure necessarily you would because it would be too obvious. If you were going to all of that effort with the supply chain to target a particular multinational telecoms company, for instance, wouldn't it be something more surreptitious which could steal information or open a backdoor potentially? So it may be, and this is all conjecture, of course, we don't know exactly what's happened here, it may simply have been opportunistic rather than particularly targeting these companies.

I have a question. Do you happen to know how they found out that this, that they were being spied upon or that the ROMs had been replaced?

I don't. I imagine that Check Point Solutions picked up something awry on the devices and then further investigation brought this to light. But what we'll do is we'll put in the show links, we'll put a link to the report from Check Point so people can find out more there.

Perfect.

Okay, well, I think it's time to thank our sponsor. And you know what that means, Carole?

No.

It means we have to play a little sponsor jingle. Wave your wand right now. Yay!

Yay!

Isn't it fantastic? Yes, we have the generous support of Recorded Future. They, of course, are the real-time threat intel firm, and they're using some pretty cool technology, let me tell you, to analyze and scour the web, not just the regular web crawl, no, the dark web as well. And they're looking into emerging threats and they're sort of taking a temperature gauge as to what's going on.

Oh, that sounds cool. And can you learn about this stuff?

Oh yeah, yeah, yeah, yeah. So what you can do is you can either subscribe to their service as a company if you want to keep on top of what the latest threats are, or you can sign up for their free Cyber Daily newsletter and get the latest insights delivered into your email inbox. And to do that, all you have to do is go to recordedfuture.com/intel. That's recordedfuture.com/intel.

Perfect. I'm going to sign up today.

And thanks to Recorded Future for supporting the show. We really appreciate it. So Nick. Back to you. What's caught your eye this week?

It's sort of inevitable given the line of work I'm in that there's been a lot of interest in the WikiLeaks release, which I know you guys talked about last week, but a development since you went to air last week was that looking through the actual release, it's obvious that there's an enormous amount of material that WikiLeaks presumably has but hadn't released. And it's been clarified since the initial release of the Vault 7 hacking tools that a lot of the actual tools and the source code associated with them and whatever other resource material that WikiLeaks clearly has, WikiLeaks has announced that they're not actually going to release that until they've been able to coordinate with the affected vendors and the vendors have been able to reassure WikiLeaks that either they've already patched the vulnerabilities or that they have actually rolled out new patches.

To remind everybody, what WikiLeaks did was they got hold of some CIA, it appears CIA documents, right, thousands of CIA documents, some of which contained details of what are known as zero-day vulnerabilities. These are vulnerabilities which haven't been patched by vendors, so there's no fix for them, which they claimed the CIA were exploiting in order to spy on people and steal information and so forth. And there's been some speculation that some of these zero-days may already have been fixed, which would be great news if they're old vulnerabilities which have since been patched. Maybe the information WikiLeaks has is out of date. But there was concern that WikiLeaks wasn't going to tell the vendors who are affected which means none of us get patches, right?

Yeah, but WikiLeaks, Julian Assange himself, said that they're going to contact the vendors and let them know what they've got and give them access to the material pertinent to their products. And once the vendor — well, this is a little speculative, but presumably WikiLeaks will go through the normal vulnerability reporting and coordination process that any security researcher who might have found the same vulnerability would go through if they were doing a responsible disclosure type process.

There's a lot of ways this can go down though. We've all been involved in situations where we've worked at firms where they've had a vulnerability and we were in that kind of eye of the storm of trying to deal with it. And in some cases you will get people giving you a set amount of time to fix a vulnerability. And sometimes that's very complicated, very difficult to do within that specific timeframe because of the complexity of the problem that's been discovered. Other times, it can go as long as is required, right? It can go for a few months. But there's pressure on both sides. Obviously, WikiLeaks wants to put all of this information out as quickly as possible while everyone's interested. On the other hand, they want to do it responsibly. So it's a tough one for everyone, really.

Yeah. Well, Assange said that he would give the affected firms adequate time.

So yeah, but exactly, that's exactly— if I was the company receiving that, right, I'd be like, oh God, yeah, what does that mean?

What is Assange's definition of adequate compared to other people?

It could be 72 hours.

It could be. Yeah, I'm afraid he has rather blotted his copybook in the past a little, hasn't he?

He has lost a little bit of opportunity, I guess. This is his opportunity to show that he understands the value of responsible disclosure, and I think it would be great for all of us interested to see that.

So let's hope he does it promptly. Let's hope he does it appropriately. Let's hope that there are no more disclosures of anything which could potentially put people in harm's way before these patches are out there and have been issued and there's been good time for people to update. Assuming all that, I think we could give Assange a high five if we could reach him on his Ecuadorian embassy balcony.

Well, maybe a high two, a high two.

A haiku, I think.

This is pun-tastic today.

Oh yeah, sorry about that. But you know, there is a lot of pressure on companies, isn't there, to respond? Because of course we've had the headlines of, you know, maybe Microsoft, Google vulnerable and so forth. And if they haven't been given the details properly yet by WikiLeaks, it's hard for them to reassure their customers if they're whether there's a real problem or not.

Yes. And the material that's already been released is very— there's extremely little information. But from talking to some friends and colleagues, it would appear that at least some of the vulnerabilities, based on the very limited information— and we know that some of this material does date back at least to 2014, if not earlier. Yeah. At least some vendors, it would appear, are quite confident that perhaps many— one would hesitate perhaps to say most because we don't know. Yeah, we don't know when this material was taken. A lot of the commentators and analysts are saying it was most likely taken by a contractor. And so there's obviously a cutoff date at some point in history where anything the CIA discovered after that's not going to be in this pile of stuff. So there will be some new stuff, but how much and how much of it is older stuff that maybe has been found through other disclosures or has been just incidentally fixed due to changing the architecture of how the product works. It's all very much up in the air. I think I heard or read somewhere that only about 1% of the files that WikiLeaks have have actually been released so far. So even if they trickle this out on a vendor-by-vendor basis, you know, so let's, you know, Microsoft say, you know, we fixed all these vulnerabilities and then they release all the Microsoft stuff.

Do you know what though?

It will be news. It will be a rolling news story for many months, I imagine.

If, only if the rest of the 99% is actually of any interest. Right? Yeah, it could be, it could just be a lot of fat as well.

So everyone's at least a little bit interested in this because we've had Kellyanne Conway talking about how TVs can be turned into spying devices.

Yeah, suggesting that maybe something like that was used against the now President of the United States, or the microwave if he was heating up some Pop-Tarts or something like that, it could have been that way as well.

Do you make Pop-Tarts in microwaves? I always thought it was a toaster. Oh, they're great. I love Pop-Tarts.

You know you can get internet-connected toasters now, don't you, Carole?

I don't. I'm not interested in any internet. Not interested. Not interested.

I believe the first Internet of Things device was actually someone connecting a toaster to the network at some point. University in the US. And everyone knew about the Coke machine, that if you pinged its IP address, it would dispense a bottle of Coke. But I think someone actually hooked a toaster up before that.

But in fact, okay, but listen, you've just joked about Kellyanne Conway. And to be fair to her—

I take her very seriously, to be honest.

But to be fair to her for a second, right? She's got her— she's not a computer security expert. She has got her information from the newspaper headlines and maybe from WikiLeaks press release. And that's one of the problems. If WikiLeaks keep on trickling out information about these vulnerabilities, they need to do it in a responsible way. Because when they did talk about the TV, for instance, being hackable, they didn't make clear that it could only be done via a USB stick. It couldn't be done remotely. And some of the other vulnerabilities which they spoke about, such as, for instance, breaking WhatsApp encryption and Signal encryption, were a load of old nonsense because in fact what they were talking about was hacking the phone individually, and then of course all bets are off. Yeah, so I would urge everyone, as we see further revelations, to maybe take it with a little pinch of salt because, dare I say it, you could be being fed fake news.

Oh, more dreaded alternative facts.

But there's other stuff coming out of WikiLeaks right now. I hear that Julian Assange might be releasing soon some information of CIA and NSA intercepts of Angela Merkel, the German Chancellor, which could be embarrassing for her.

Yes, there were just reports earlier today on that, eh?

Yeah, because she's meant to be meeting up with the Donald, and that could cause some awkwardness, couldn't it? And of course, she has been a victim of surveillance in the past when Barack Obama's gang allegedly spied upon her smartphone. Conversations anyway. WikiLeaks, it isn't going away, is it? And just I suspect he's going to be staying in that Ecuadorian ambassador's residence for some time as well, I suspect it's going to be here for a while.

I wonder if they have dinner every night.

Oh boy. Okay, Carole, what have you got for us? Well, this isn't the biggest story of the week, but I thought it was so sweet and clever and quirky, I thought it deserved a mention. So, I've always thinking outside the box projects. You know, the real grassroots stuff with, you know, even maybe a meager budget, but some strong ideas. And I love all that stuff. And when I saw this little UK number, I had to share it. This isn't about Threat de Toilette, this isn't about the old internet-connected lavatories being hacked? I remember that happening a few years ago.

Your French is appalling. It's a parfum, a parfum. So they do a little perfume. David M., spokesperson of Kaspersky, is on record saying fear awakens our senses. Okay, so cheesy, but I love it. I love it. So it's just clever, right? So this is an IT company. They've been around 20-plus years, probably more.

Sorry, what are they doing? I'm sorry, to make it clear to me, what are they doing?

So they've hired UK beauty blogger Scarlett London. Now she has a respectful following of about 10,000.

I think that's her real name.

And they hired her to basically come out and help launch this new range of perfumes. There are four. One of them is called Ransom, reassuringly expensive. You see where I'm going with this? The next, another one is called Malware, W-E-A-R, the wicked way to pierce the heart. I know, not poetry here. One of my favorites, Social The Lure of the Men. So a little play on words of social engineering. And the last one, which is questionable for a name for a perfume, they've called it Phish.

With a PH presumably.

Yes, with a PH. Catch your deepest love. Who's going to wear Phish? Now, no one. I haven't seen anyone. I sadly did not receive one of these little press packets and things, but they've tied with each of those explanations of what ransomware, malware, social engineering, phishing is, and they've given some top tips on how to stay safe online. So what do you think of the idea? Do you think cute? Do you think, you know, as veterans, very old veterans of the industry? How dare you?

I'm sorry. So this is just to raise awareness of things?

Exactly.

This kind of ties into Graham's socks at the beginning.

It does.

Yes, it's this sort of thinking outside of the square marketing thing. Yeah, I just, I think maybe a little bit too far outside the square.

Oh, I don't— You know what, think about it this way. They are able to reach a whole audience that are online all the time, buying online, you know, and beauty blogs and whatever. If this takes off, they'll be able to get a whole industry of people, people that are not interested normally in this, to share this information and maybe, you know, be more educated about how to be safe online. I think there's something quite cute there.

I mean, okay, okay, I'm trying to take this seriously, right? It's fun. I suppose there is a certain truth in the fact that when we talk about computer security, we're often talking to the same people who already have an interest in this, and possibly the demographic of people who are following Scarlett London on Instagram is different from the typical IT engineer, and people who are interested in parfum— is that how you say it, Carole?

Exactly that.

If I want to have the essence of Eugene about me, you know what, it's funny you've said that.

Listen, listen, so there was a rumour going around that there was a little bit of Eugene's DNA in every sample sent out. What? Yes, though they think this was caused by a misreading of the ingredients, which included eugenol, a common phenylpropylene included in perfumes.

Well, thank— let's hope it is eugenol, because I'd hate to think of where they've extracted Eugene Kaspersky's DNA from to put in each bottle. Oh dear. So he's not— I mean, in my experience, he's not a smelly chap. He's a nice-smelling— I think. I'm trying to remember, actually. He hasn't stuck out to me particularly in either a positive or a negative way. I'm sort of neutral on Eugene smell. What a bizarre thing for them to do, though. I mean, but okay, but seriously, yes, maybe this is a way of reaching a different audience. Obviously, the PR people had great fun at the restaurant, and hey, we're talking about it, aren't we? And we mentioned Kaspersky's name a few times.

It looks like most of the journos that attended wrote about it, and I think that means it's successful. The only thing that's a bit, you know, there's a niggle for me is I'm surprised no one at Kaspersky spotted the potential of this being a global education campaign. We could have hired bloggers in the States and a few other countries and done this as a kind of international launch. I think they would have received a much bigger return on investment.

You know what, if this goes big, if this is successful in the UK, maybe they'll spend a bit more cash and get someone like Kim Kardashian to do it. Yes, they might do. They might, they might go all out on this if this really does work for them.

Well, they have hired big actors before, didn't they? Who was it they hired?

Jackie Chan.

Was it Jackie Chan?

Yes, there's a

Yes, there's also Packing the K, which is where they did— had some kind of rapper style. I think we should actually play that out tonight at our leading song, don't you think? We'll have to play that out. Packing the K. We're gonna play that out. Listen to the end, everyone.

Eugene and Jackie Chan video. Carole, they're not sponsors, you know.

I don't care.

I don't care. It's such a great song, the Packing the K song.

You know what, I'm going to celebrate the fact that they've done it, you know, they're doing something a little bit creative, you know, they take a punt and I like that.

Oh, well, it's certainly unusual. Well, I think that probably just about wraps it up, doesn't it? Thank you, Carole. Thank you as well, Nick, for joining us all the way from New Zealand on the podcast today. We really appreciate you being here. Hope you won't be a stranger.

My pleasure.

And the rest of you, if you enjoyed the show, please subscribe to us on iTunes, leave a review. You can also listen to us on Google Play Music and Stitcher and TuneIn and Overcast and other podcast apps as well. And new, I can reveal, we are now on iHeartRadio, which is available in some parts of the world at least. So tune into us there.

And big thank you to Recorded Future, who helped support the show. Remember, you can sign up to their cyber daily newsletter at recordedfuture.com/intel. That's recordedfuture.com/intel.

If you like the show, tell your friends, follow us on Twitter. We are at Smashing, without a G, Security. That's Smashing Security. And until next time, toodle-oo. Bye.

Good evening.

Shit don't happen.

When I'm packing the K, I

When I'm packing the K, I'm

When I'm packing the K, I can say with affection the K-Man gives me the best. can have a ball because he

as happy as a clam because Graham, Graham, you know, I'd be happy if they just kept listening.

K is the key. What, just keep listening? stands tall at the firewall.

I'm armed to the teeth with anti-spam. Yeah.

While we're playing the fucking K Music.

When I'm packing the K, I'm packing the K, oh, packing the K.

I'm packing the K out of cybercrime.

When I'm packing the K, I

When I'm packing the K, the computer stalker, he flushes him out with Behavior Blocker.

Yeah, when I'm packing the K, there's no escape. He blocks pop-ups and phishers like a guy with a cape. feel secure that adware and malware get slammed at the door.