
017: Data breaches, zero day exploits, and toenail clippings

April 20, 2017
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

This podcast is made possible by the generous support of Recorded Future. Recorded Future are a real-time threat intel firm whose machine learning technology analyzes the open and darkweb to give you great insight into emerging threats. Sign up for their cyber daily newsletter and get their latest insights at recordedfuture.com/intel.

Unknown

Smashing Security, Episode 17: Data Breaches, Zero Day Exploits, and Ransomware. Ransomware Exploits and Toenail Clippings with Carole Theriault and Graham Cluley. Hello and welcome to Smashing Security episode 17 for the 20th of April 2017, and great to have everybody here. I'm joined as always by Carole Theriault. Hello, Carole.

Carole Theriault

Hello, Graham.

Graham Cluley

And we've also got our good chum from Sophos, Paul Ducklin, joining us as our special guest today. Hi, Duck, how are you doing?

Paul Ducklin

I am doing superbly, thank you.

Carole Theriault

Duck is almost a regular.

Paul Ducklin

I am. And I won't say I've dined out on Graham's joke about tweeting ducks, but it has come up. Well, I won't say it's come up often or even that it's come up twice, but it did come up once and the person who brought it up thought it was quite amusing. So, you know, I'm very happy for that.

Graham Cluley

So it's one person other than ourselves who listens to the podcast. That's fantastic.

Paul Ducklin

And not me, not me myself. It wasn't like self-tweeting duck.

Carole Theriault

We've succeeded, guys. We're there. We've made it.

Graham Cluley

That's fantastic. Well, as always, we're looking back over the last 7 days, some of the things which have been going on in the world of computer security, some of the stories you may have missed, and some of the things which have caught our eye and just generally been interesting to us. And I'm gonna kick off today because I'm going to talk to you about hotel hacking. Now, chaps, how would you feel, how would you feel if a company has an advisory for you and they begin the advisory saying, "We value the relationship we have with our guests and we understand the importance of protecting payment card data."

Paul Ducklin

I'd say they missed out the bit that says, comma, but only now. What a pity we didn't do it last week, last month, last year. But they never put that bit in. I can't think why.

Graham Cluley

No, they don't. And quite often they don't include the words sorry or apologize or anything like that as well, which their legal team think may get them into a spot of bother. No. The latest company to come out with that statement is the InterContinental Hotel Group, also known as IHG.

Carole Theriault

Okay.

Graham Cluley

And they've advised that malware has been found at, well, over 1,100. I've gone to their website. It's interesting actually, if you go to their website to try and find out which hotels have been hacked, they don't tell you, first of all, how many hotels have been hacked. They don't include a number. You actually have to go through this process. You go to a form on their website, you choose what state, in America you want to look at, what town, et cetera. And eventually you get the list. So you have to go in, remember every state that you visited, every hotel you may have gone to. Now, I was able to go into the source code of the webpage, and I worked out that there's at least 1,174 hotels who've been caught stealing, well, they weren't stealing, but the malware on their computers was stealing guests' payment card details as people checked in to the front desk.

Carole Theriault

Okay, back up. So 1,100 hotels have been caught having malware on their systems.

Graham Cluley

That's right.

Paul Ducklin

This is, from a couple of years ago, Target all over again, isn't it?

Graham Cluley

Yeah.

Paul Ducklin

Where you've got a payment terminal, the crooks get malware on there. If you're using an old school sort of terminal where the credit card numbers just wind up plaintext in memory, the malware can just snoop through memory every time anything changes, grab the credit card number, exfiltrate it. And because the US doesn't widely use chip and PIN, it's kind of all over bar the shouting when that happens, isn't it?

Graham Cluley

And the pain, of course, is, yeah, as we've seen time and time again at different hotel chains, they've been breached by this kind of RAM scraping malware, which grabs your payment card details, steals the credit card number, the cardholder's name, the expiration date, the internal verification code. All of that's been read from the magnetic strip, held on the computer. And if the right security isn't in place on those devices, then the criminals are having an absolute payday, aren't they?

Paul Ducklin

My understanding is that the old-school payment terminals, US-style payment terminals— this is not true for chip and PIN, it works rather differently, which is why it's harder for the crooks to do any kind of RAM scraping— is that in order to make the payment devices, the credit card devices compatible with the widest number of possible computers and other devices, they basically pretend to be keyboards. So literally, if you plug one of them into your computer and open Notepad and swipe your credit card, then in Notepad appears all the mag stripe, all the track data unencrypted. And it's a simple unencrypted. So that's what gets shoved into memory. And unless and until the software has grabbed hold of it, and, you know, done whatever processing is necessary, it's there where malware can find it in memory if it knows roughly where to look. And of course, finding that you know, grepping or looking for that mag stripe pattern is actually pretty straightforward because even if it's in a huge lump of memory, the pattern of the data is kind of easy to recognize. If you think what credit card numbers look like and then the spaces and then the name, you know, it's pretty easy to recognize that you've hit paydirt.

Carole Theriault

But this sounds like a huge deal. And I'm looking on their website now. So ihg.com, there's nothing mentioning it on the website that I can see.

Graham Cluley

Well, there is an advisory buried down on the site and we'll include a link in the show notes as well. But one thing which of course worries me is that InterContinental Hotel Group have released this statement warning. In fact, they originally warned back in February that 12 hotel locations have been affected. It's now gone up to over 1,100 locations.

Carole Theriault

So it could go further.

Graham Cluley

So it could go further because what they've said is that they basically operate a franchise operation, right? InterContinental is a brand which covers many other hotel chains. So you may not have gone to an InterContinental Hotel, but you may have gone to a Hyatt or a Holiday Inn or a Crowne Plaza or et cetera, et cetera.

Carole Theriault

So they own everything.

Graham Cluley

Well, they own around about 12 different brands. So across the United States and Puerto Rico, they've been affected. And so you have to work out, did I go to one of these hotels in this particular state during this time period? It looks like they've identified between the end of September last year and the end of December, they had malware on the systems.

Paul Ducklin

It's a good job that Christmas isn't a big holiday season, really, isn't it?

Carole Theriault

Okay, but I am sure, I am sure that I have stayed at one of these hotels in the States during that time period. So what do I do now?

Graham Cluley

Well, what you need to do is you need to keep a close eye on your payment transactions, and if there's anything unusual there, of course, it may happen sometime in the future. You know, this data could be swirling around in underground channels for some time to come. Now, InterContinental, they say that they've informed the payment card operators. They're also working with law enforcement as well. And since last September, they've been introducing more and more point-to-point encryption solutions. So they have been rolling out technology to make it much harder, as Duck was just describing how easy it is to steal this information. They have, as a result of the number of hacks which have been happening at hotels across the industry, been introducing better technology to prevent this from succeeding.

Carole Theriault

I'm sorry, that's not enough. That's not enough.

Graham Cluley

Well, what can you do, Carole? Can you create a time machine? I mean, you know, I agree, it is rather disappointing, but it's happened, right? So at least they're doing something now. I agree it should have happened earlier, but the difficulty for IHG, InterContinental Hotel Group, a lot of these hotels are run as franchise operations. And my understanding is that some of the hotel branches have not actually allowed IHG to scan their systems to find out if the malware is there. So that number of 1,174 may not be the end of it. We've gone from 12 to 1,174 plus. It may be larger and worse than that, and maybe it's outside the United States as well. And that's where I think we can take action as well, because I mean, I travel around a bit and I stay in hotels, and I'm beginning to think this has happened at so many different hotels, so many different branches over the last few years. Should it— would it be wiser to start paying in cash? Should we be paying with cards which have a very low sort of payment limit? So if the details are lost, you know, we can sort of scrub that card.

Carole Theriault

Most hotels will not let you stay without a credit card anyway.

Paul Ducklin

Yeah, I've tried to pay in cash once. I'd left my credit card at home when I was somewhere in Australia. I just went to check in and they said, oh, it's no problem, you know, because it was all prepaid.

Graham Cluley

Yes.

Paul Ducklin

And they said, but we'll need a deposit. And I said, yeah, you know, in case I throw the television out of the window. I was on about the 40th floor. That would have probably almost been worth it. Killed someone. And when I got up there, it was an LCD TV that was bolted to the wall, so I couldn't even have done that.

Graham Cluley

Oh, how disappointing.

Paul Ducklin

And they said, oh, it's no problem, you'll just need a deposit. We'd like $500 if you don't mind. What? Yeah, because they're figuring on your credit card, if you run out with the lounge furniture and you drain the whole minibar and you set fire to the washing machine—

Carole Theriault

And who doesn't want those chintz curtains?

Paul Ducklin

They can sort of try and bill you for the whole amount. So you can sort of see it from their point of view. But good luck staying in a hotel, in a chain hotel, without a credit card, because it's, you know, it's the convenience for you. So is that kind of that safety and security of your life?

Graham Cluley

I've sometimes been asked for a sort of token deposit of just a few pounds or something like that. $500?

Carole Theriault

Where are you staying?

Graham Cluley

Did you make the mistake, Duck, of actually mentioning throwing the television out of the window? Is that when they went, oh, okay, yeah, for you, $500?

Paul Ducklin

No, I know I may have mentioned that later, but no, they just said, look, that's the way it is. And I think then they came down a bit and then fortunately a colleague showed up and said, oh, you can whack it on my card. It's no problem. Oh, thank you.

Carole Theriault

No, but the point is, the point is most hotels want credit card details. And it's very upsetting that we have really no advice for users other than, oh, well, if you did stay in a hotel during that time, watch your— watch— well, I also think maybe you could get your credit card canceled and get a new number if you want.

Paul Ducklin

I guess that depends on your card provider, because obviously they'll go, well, unless there's a really good chance. I mean, I got carded once when I was traveling in the States. Right. I don't think it was at a hotel. I think someone— I always would, you know, had a chip and PIN card. But of course in the US they swipe. I'd always made a point of taking it to the place where they pay and not doing the American thing of handing over your card and the waiter wanders off with it. But of course they always have to turn, they always turn around and swipe it on something under the counter, so you can't see whether it's being swiped once or twice. And in fact, the, my bank realized before I did. I got back to Oz and they called me up and it's very good. They called me up and said, we're investigating a fraud right, which we think may have happened on your card. We're not going to give you any details about what to do. We want you to go and get your card and phone the number on that card to get back to us. So they were doing the whole anti-phishing thing as well. It was great.

Graham Cluley

Well, that's very good.

Paul Ducklin

Yeah. And so I went and got my card and I phoned the 1-800 number on it, and I got through and I said, hello, I've received a call. Apparently you suspect fraud on my card. And, you know, they said, well, you've just been in the US, haven't you? And I said yes. And they said, did you take a driving test in the United Kingdom at the same time? And I said, well, actually, it's not possible— not legally possible for me to take a UK driving test because I already have a UK driving license. So that'll be a no. So sometimes the, you know, the payment card people, they're pretty good at this these days. They may actually notice that something untoward has happened. But as Graham said, you know, this data could be sloshing around for ages. If your card's expiring reasonably soon, then of course you'll get a new number when the new card comes, and that kind of partly makes the problem go away. And I guess the reason why they haven't— why Graham had to go in and figure out how many hotels were involved and why, you know, to be fair to IHG, they're not saying it's exactly this, this list of hotels now signed and sealed is that list could change. Yeah, some will be added and some may be on the list like they found the malware there, but it turns out that the malware wasn't able to grab the credit card data at that hotel. They may have others where the malware wouldn't have worked if it had been there and wasn't. You know, there's all sorts of combinations.

Paul Ducklin

It's they're contacting you, but they're teaching you not to believe what they tell you.

Graham Cluley

Yeah, it's going to be a fluid list, isn't it? And of course, they also want to avoid the headline keep on coming out of, oh, the number's gone up again, you know, which is obviously going to be bad news for them.

Carole Theriault

Well, we don't even know how many users are impacted, right? I'm surprised they can't tell us how many different cards. I mean, they don't want to tell us.

Paul Ducklin

Well, you have to know when the malware started and when it was removed, don't you? And then you'd have to know whether it worked with this particular payment machine. And sometimes a payment machine will break and maybe you unplug one and you plug in another, or you've got two check-in desks with different machines and the malware works on one or not on the other. Golly, it can be tough.

Carole Theriault

I don't care. They could give us millions affected versus 100,000 affected.

Paul Ducklin

Take a guess how many people stay at 1,100 hotels with an average size of, say, 200 rooms in a two-month period?

Carole Theriault

Yeah.

Paul Ducklin

Assuming 90% occupancy.

Carole Theriault

They're doing good business.

Paul Ducklin

It's as easy as that. But I was hoping I could figure it out in my head while I was doing that and sound really informed.

Graham Cluley

Three months, I think. But yes, I mean— Three, sorry. Yes. Yeah. But yeah. And the timeline does change. If you go to the website, different hotels do have different dates where they believe that this was occurring, but it was largely between the end of September and the end of December when it was occurring. And I was impressed with Duck's story there of when there was believed to be some fraud on his card that they contacted him and said, look, we're not gonna talk about this, call the number on the back of your card. I thought that was great advice.

Paul Ducklin

And reminding you that it's actually fairly easy to go and find a website or a phone number or contact details, which is probably one of the strongest anti-phishing tips you can get, really.

Graham Cluley

And in this particular case, it was those firms again who've come to the rescue. It was the card providers for the hotels that alerted the hotel that there was a problem. And it seems to me that there is this worry and lack of internal threat detection. You know, it isn't the hotels noticing that something is awry with their systems. It's the people ultimately who are losing the cash who are going, whoa.

Paul Ducklin

Yeah, that's what they call it, CPP, common point of purchase.

Graham Cluley

Right.

Paul Ducklin

Yeah. They're going, hey, we're having fraud reported by people who've noticed, say, 1% of people notice within the first week because they're right on their statements. And then they notice that of the people who've reported it, a higher than average proportion have this commonality that they all shopped at this brand or they all stayed at that hotel or they all bought petrol at this kind of filling station. And from that, they can kind of zoom in.

Carole Theriault

Stay home, folks.

Graham Cluley

Well, yes, stay home, or I expect you will—

Carole Theriault

Get a tent.

Graham Cluley

Yeah, I was about to say, yes, get a tent, or otherwise just feel— you will feel that uncomfortable buttock clenching as you hand your credit card over at the hotel desk about what may be about to happen.

Paul Ducklin

Hmm.

Graham Cluley

Not quite sure I've gone there. Duck, save me from this. What have you got?

Paul Ducklin

I was interested, but not perhaps for the reasons that you might think, about two recent exposures of exploits. There was the recently patched Microsoft Word zero-day, the one where you pretend to send an RTF file but the web server says actually it's an HTA file and so it bypasses Word's protection. The jauntily named CVE-2017-0199 and the Easter announcement by the Shadow Brokers that most listeners will probably have heard of, saying, hey, we're dumping a whole load of zero days in Microsoft Windows. And what was interesting to me is that I have read a couple of responses to, in both those cases, of people going, wow, this probably isn't really much of a hassle for consumers and end users because automatic updates will save them. You know, the Word zero-day was patched really, really quickly, and the Shadow Brokers stuff, it's likely they only dumped that stuff because they realized, oh, darn, all the zero-days are useless now because Microsoft patched them a couple of months ago. So let's put the cat among the pigeons. And people saying, well, so end users will be fine because they'll already be up to date. They're unlikely to be two months out of date, but it's businesses. You know, a lot of companies still, they still like to think about patches for a couple of months.

Graham Cluley

Wow.

Paul Ducklin

Yeah. I'm thinking, wow, haven't we long passed that line where you're actually saving your business more harm by delaying the patch than just doing it right away? And if there's a problem, well, then have a system that lets you roll back.

Carole Theriault

You know, people are really nervous though, about putting stuff on live systems. You know, I mean, if a system, a live, big live system for a big company goes down, it can have huge impact on revenues, everything.

Paul Ducklin

But you do see that, well, we're not going to roll it out at all. And you imagine, well, you know, if you surely for 80% of your users, maybe you have 2 or 3 hours where they can't use Microsoft Word. Is that likely to be a greater risk to your business, given that there's probably a workaround and it probably won't be catastrophic? Is that actually worse for your business than being the low-hanging fruit that the crooks are now looking for because they know they're on borrowed time and they know about the exploit because it's all revealed?

Graham Cluley

Yes. And this exploit wasn't just being used in targeted attacks, was it? I mean, we were seeing examples where malware was being spammed out pretending to come from your company's printer, for instance, claiming, oh, we've done the scan, you know, a fairly ordinary disguise, which we see time and time again. But it was using this fairly new, it'd been around for a few months, fairly new vulnerability and exploit in order to infect people's computers. Wasn't just being used in targeted attacks. So there were many business users who could have been put at risk.

Paul Ducklin

I'm surprised that people still have so much anxiety about the risk of patching compared to the risk of not patching. I know that sometimes problems can happen, but certainly in my life on Mac and Windows and on my phone— I've got a Windows phone and an iPhone— I, for about the last 3 years, I just decided, right, I'm going to live my life that as soon as I know a patch is available, the instant I know, within seconds of getting Apple's email, I'll be the first guy to go and get it. And I pride myself on getting it within minutes. And I've never had any trouble doing that. Now I know that I'm looking after my own computer and I'm not part of some kind of giant IT regimen like you get at some companies.

Graham Cluley

Yeah.

Paul Ducklin

But I've always felt much safer as a result, and I've never had anything but really tiny problems where once or twice I've done a big Mac, like a major league Mac, not a point upgrade on my Mac, or upgrade on my Mac, and I found some ancient software I've been using no longer works properly because it wasn't designed for the latest version. And then when I look at it, I think, you know, I should probably go and throw that software away and find something new because that hasn't had a patch for 7 years. You know, who am I kidding by saying the patch broke my system? It didn't. It actually was the impetus for me to go and bring myself more up to date.

Graham Cluley

Okay, so I think the advice from us three, all together now, 1, 2, 3, the word beginning with P is patch.

Carole Theriault

Patch.

Paul Ducklin

Patch. Patch early, patch often. You know, it makes sense.

Graham Cluley

Fantastic. Carole, tell us what's been tickling you this week.

Carole Theriault

So this happened last week. We all know Alexa, right? This is— well, Google also have an Alexa. It's called Google Home. And it's that always listening, ready to give you snippets of information if you say, OK Google, right? Now, do you have one of these, any of you? An Alexa or Google in your house?

Paul Ducklin

Yes. Oh, yes. I want some surveillance device running 100% of the time in my house, listening and reacting to what I say. I think that's a brilliant idea.

Graham Cluley

I'd love it to be— yes, I'd love it to be run as well by some large— some of the world's largest advertising companies. Yes, what a terrific idea. Let's have that.

Paul Ducklin

And the nice thing about this surveillance, instead of waiting for, you know, the intelligence services to sneak into my flat and put it there, I'm going to buy it and take it home and turn it on and pay for the electricity to run it and the network bandwidth that makes it work. I think that's the best idea in the world. I just wish it had video.

Graham Cluley

It will, it will.

Carole Theriault

It kind of does already. You guys are actually having, you know, all your tablets and your phones you were talking about earlier basically have similar features to this. But there is one feature of the Google Home and Alexa that your phones don't have, and that's that it's not voice-specific in terms of when it reacts.

Paul Ducklin

So that means anyone can say, "Okay, Google." So you can spy on your friends as well, right?

Carole Theriault

Yeah, no, but say your friend comes over. Say I went over to your house and you had a Google Home device. I could say, "Okay, Google, tell me about Paul Ducklin." And it could go to the Wikipedia page and tell me everything about you, because I'm sure you have your own page that you keep up to date, right?

Paul Ducklin

And I can go, "Okay, Google, format Carole Theriault's hard drive, hahaha." Like, what could possibly go wrong?

Carole Theriault

Okay, well, let me tell you what could go wrong. So Whopper makers Burger King are kind of known for their creative ads, right? And they—

Graham Cluley

Really?

Carole Theriault

Yeah, they are. They have had quite a few creative ads in the past, yeah. Now last week they put out this ad that was only 15 seconds long. And the concept was that the guy on screen who was behind a big Burger King desk thing or whatever, counter, was saying, "I obviously can't tell you all the wonderful ingredients that are in the Whopper." And he says, "Okay Google, what is the Whopper burger?" I'll tell you what, Carole, stop right there.

Graham Cluley

We'll listen to that ad right now.

Carole Theriault

Perfect.

Paul Ducklin

You're watching a 15-second Burger King ad, which is unfortunately not enough time to explain all the fresh ingredients in the Whopper sandwich. But I got an idea.

Carole Theriault

OK Google, what is the Whopper burger? OK, so now what happens is that Google Home device, if you have one in your house, is activated by the ad's OK Google statement, right? And then it starts describing whatever is on Wikipedia because that's how Google Home works. So kind of cool, although we know from old Amazon Alexa times when someone actually ordered, what was it, dollhouses. That was what we talked about. We know this can be very annoying, but I don't know, from an ad perspective, I think it's kind of interesting, right? 15 seconds and you actually then get the continuation of the ad happening thanks to Google. Now, of course, Wikipedia, as we know, is editable by everybody.

Paul Ducklin

Yes, that may have been a little bit of a blunder to rely on the Wikipedia. You know, if you're going to have a surprise ending, then at least have one of three that you can choose from. That's my advice.

Graham Cluley

Do you think this— I mean, I'm going to hear in a minute from Carole as to what people actually put on the Wikipedia. I'm guessing that's what happened, right? People edited the Wikipedia.

Carole Theriault

Yes, they edited the ingredients of the burger.

Graham Cluley

But do you think— I mean, shock us in a minute as to what they said. Do you think— this is Burger King— do you think Burger King knew that people would do that and maybe they would get more coverage as a result?

Carole Theriault

Well, that's the thing, because Burger King have had quite a few kind of interesting avant-garde ad styles before. So I think they did know. I'm going to— I mean, I have no proof of this, right? This is just a gut feeling. But I think they did know because, look, their social conversation has gone up 300% according to the Register. Picture, right? With people putting in words. I'm going to do it now. Are you ready? These are the kind of things people put in: 100% medium-sized child, rat and toenail clippings.

Paul Ducklin

What's a rat clipping?

Carole Theriault

What's a rat clipping?

Paul Ducklin

I've never heard of that. I probably wouldn't eat one knowingly. I know what toenail clippings are. According to Wikipedia, the Whopper is a burger consisting of a flame-grilled patty made with 100% medium-sized child with no preservatives or fillers, topped with sliced tomatoes, onions, lettuce, cyanide, pickles, ketchup, and mayonnaise served on a sesame seed bun.

Carole Theriault

So yeah.

Graham Cluley

So anyway, is this an improvement upon the regular Burger King recipe? Nothing wrong with Whoppers. Yeah, I'm not some, I don't eat, I've eaten Whoppers.

Paul Ducklin

You just eat them once in a while and they don't do you no harm, man. That's my theory. Now, what I missed in this is that everyone is so predictable. Oh yes, they contain, you know, and then rude words and stuff. I would have changed the wiki— well, no, I wouldn't. I mean, one might have changed the Wikipedia article so that the first thing it said was, "okay, smart TV." If you remember those, that would be great. And it would certainly focus the mind on whether you really want these auto-stimulatable surveillance devices in your own home at your own expense. That's my theory.

Carole Theriault

I think people have these for the whole convenience purpose. I mean, that's the only reason I can think that they think this is worthwhile, to be able to go, "Oh, okay Google, what's the weather?" "Okay Alexa, put toilet paper on my shopping list."

Graham Cluley

Do we know? Were they impressed?

Carole Theriault

Google were not very happy that obviously their pages are being used in this way. So they don't really want, from what I've read in the articles I've seen, Google are not really happy with the whole ad industry taking advantage of their toys.

Paul Ducklin

Because Google don't do a lot of ads, do they? It's not really a thing for them.

Carole Theriault

You know, and the other thing that they noticed was that the person at Burger King had actually gone into the Wikipedia page before the ad went live to change the list of ingredients to be much more enticing.

Graham Cluley

More succulent.

Carole Theriault

Than previously. Yeah, more succulent, fresh, and— Exactly. Exactly. So yeah, so they were slapped on the wrist for that. And I think it's a good warning to companies out there to make sure that you shouldn't be shamelessly promoting anything on your Wikipedia page.

Paul Ducklin

I guess that's what this reminds us, that when you have something anyone can edit, anyone can edit it. Who would have thought? And when you have something that can recognize any voice, then it may take commands from someone you did not expect.

Carole Theriault

Exactly. And the thing that's interesting, Graham, I mean, okay, you may say this is successful because we're all talking about it. But I forevermore now will think of a Whopper with rat and toenail clippings. Right? That's how successful they have been at this marketing campaign. That is now cemented in my brain.

Paul Ducklin

The rat's one thing, but the toenail clippings do turn the stomach somewhat, don't they? Golly me.

Graham Cluley

I don't know if you've seen rat's toenails.

Paul Ducklin

I don't know.

Graham Cluley

They are quite grubby, aren't they?

Paul Ducklin

I'm just thinking tinea city. Oh dear.

Graham Cluley

Okay, listen guys, I've just got one message for listeners at home. I hope they're not listening on their earphones, but they're playing this through their speakers. Okay Google, subscribe to Smashing Security.

Carole Theriault

That is just so gross.

Paul Ducklin

Yeah, and now you're going to have to put in the explanation about how it doesn't have a G and all that, right? That would be a test.

Graham Cluley

It does. The podcast has a G, it's the Twitter account.

Paul Ducklin

Isn't it funny that we can understand that and make that leap of faith, but I don't think that these surveillance devices are quite at that level of voice recognition yet.

Graham Cluley

Well, folks, that just about wraps it up for this week. Thank you, Carole. Thank you, Duck, for joining us once again. Appreciate having you here. You can subscribe to us on iTunes. You can leave reviews if you like. We're also on Overcast and TuneIn, Stitcher, and Google Play Music. And you can even play us through your Amazon Echo. I know some people do that. Be very careful with it. Thanks for tuning in.

Paul Ducklin

That's very convincing, Graham. Hey, all Echo owners, wouldn't you love to listen to our podcast? You silly people.

Graham Cluley

Hey, maybe they'll sponsor us one day. Amazon, we don't want to slag them off too much, do we?

Paul Ducklin

Graham Cluley.

Graham Cluley

It might be quite nice to have one just to play around with, to mess around with.

Paul Ducklin

Yeah, because then if you forget something, it can tell you what you said.

Carole Theriault

And a big shout out to Recorded Future, our sponsors this week. You can sign up to their cyber daily newsletter and get their latest insights at recordedfuture.com/intel.

Graham Cluley

Thanks for tuning in. If you enjoyed the show, tell your friends and let us know what you think. You can go to our website at www.smashingsecurity.com smashingsecurity.com and you'll find an email contact form and a link to our Twitter as well. And until next time, toodloo.

Carole Theriault

Yeah, stay safe out there, guys.

EPISODE DESCRIPTION:

Hotel malware has been stealing guests' payment card details... again, should businesses really delay rolling out vulnerability patches, and Burger King's Whopper TV ad campaign tries to take advantage of viewers' Google Home devices with predictable results.

All this and more is discussed by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Paul Ducklin.

Show notes:

Follow the show on Twitter at @SmashinSecurity, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Special Guest: Paul Ducklin.
