This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
See if you can spot it. I put it.
Graham Cluley
Okay, let's have a look. So, dear customer, traffic lights, carrying out essential work in the water supply network.
Carole Theriault
How will this affect you?
Graham Cluley
What should you do? What should you do? Don't have to do anything, it says, just, you know, don't worry about it. Thom Wysocki is a twat.
Carole Theriault
Anything else?
Graham Cluley
But hang on, hang on a minute.
Carole Theriault
So, and it's in bold.
Unknown
Smashing Security, Episode 81. Smashing Security Episode 81: Hacker No Hoppers, Wessex Water Has a Word, and We Win an Award with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 81. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Carole, we don't have a guest this week, but I think there's something important we need to talk about.
Carole Theriault
This is a very exciting episode. 81! 81! Who knew that 81 would be our most exciting episode to date?
Graham Cluley
Not the number 81 that's exciting, it's what happened last night, what we got up to. Yes. Well, you tell everybody. Oh my goodness, we were having the most wonderful time at the Cybersecurity Blogger Awards in London, weren't we?
Carole Theriault
Well, I don't know if I'd describe it that way, but it was certainly a great evening.
Graham Cluley
We were up for the Best Security Podcast in the Galaxy Award.
Carole Theriault
Yes, in the galaxy. That was the key bit that we really were excited about, and we won!
Graham Cluley
We won! Hey!
Carole Theriault
We won, we won. Thanks to everyone who voted for us, who supported us, who said online, vote for them, everything. We love you. Love you.
Graham Cluley
Well, yeah, I mean, they did their bit, let's face it. But frankly, without us producing the podcast—
Carole Theriault
Hey, hey, hey, guess what?
Graham Cluley
What?
Carole Theriault
Would we have over a million downloads if it weren't for our listeners? I don't care how fast you can download and get your little automated download button to refresh and download again.
Graham Cluley
It's not Fox Crow. It's not Putin who's downloading our podcast.
Carole Theriault
That's what I'm saying. It's actual listeners.
Graham Cluley
Fantastic. And thanks as well to our special guests who've come on over the last 18 months. Bumped into a few of them last night. We were there with Mikko. I won't speak to you, Graham. And Dux. Graham, stop grinning. It looks very off-putting. And John Hawes.
Carole Theriault
Hello.
Graham Cluley
And John Leyden.
Carole Theriault
Good evening, everyone. We actually have a physical award. You can look on Twitter. You can see me smooching it.
Graham Cluley
Yeah, you have the physical award, Carole. You have the trophy.
Carole Theriault
Oh, but wait. Hey, there was a problem. Sorry. Whoa. Back up. Back it up. There was.
Graham Cluley
Back it up.
Carole Theriault
Back it up. Here's the problem, guys. This is one of the things that happened. So they're doing the shortlist of the awards and they show it up on screen. And as I turn to look at the screen, I hear them call the show not Smashing Security, but Smashing Graham Cluley. Do you remember that?
Graham Cluley
Back it up. Yeah, I remember that. What was wrong with that?
Carole Theriault
Well, what do you mean what's wrong with that? Am I freaking furniture? You don't think I add any value? Am I just here to, you know, I mean, just for you to have a foil?
Graham Cluley
Oh, it was wonderful.
Carole Theriault
Holy moly. It was wonderful.
Graham Cluley
It was up there on screen, Smashing Graham Cluley.
Carole Theriault
Yeah, but other than that, the organizers did an amazing job.
Graham Cluley
And then we won. And so they invited the Smashing Graham Cluley team to come up.
Carole Theriault
So embarrassing. I refused to get up. She had to drag me by the arm. This episode of Smashing Security is sponsored by LastPass. LastPass Enterprise makes password security effortless for your organization. LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and applications. But LastPass isn't just for enterprises. It's an equally great solution for business teams, families, and single users. Go to smashingsecurity.com/lastpass to see why LastPass is the trusted enterprise password manager of over 33,000 businesses.
Graham Cluley
And welcome back. Well, everything these days has got a computer inside it, hasn't it? Some little—
Carole Theriault
I don't have a computer inside me. Well, just saying.
Graham Cluley
You'd be surprised, Carole, what they put computers in these days. But the thing is, everything is connected to the internet, and many internet of things devices are poorly secured. You only have to remember how the Mirai botnet back in 2016 disrupted major websites and online services to realize the impact that thousands or even millions of compromised IoT devices can cause.
Carole Theriault
I don't think we have to go back that far. I mean, every week there seems to be a new IoT device that's been hacked.
Graham Cluley
That's true. We do see lots and lots of them, and we've seen plenty of IoT botnets as well since Mirai, but Mirai was huge. We're seeing more and more of those. And what's happening is that internet-enabled CCTV cameras are being hijacked, routers, anything else which has some processing power is either vulnerable to exploitation, it seems, through weak default passwords or simple security holes.
Carole Theriault
Yeah, that's true.
Graham Cluley
Now, there is a botnet out there called Owari.
Carole Theriault
Owari.
Graham Cluley
It works in a fairly similar way to Mirai. So the puppet master, there he is eating his pizza in his back bedroom. He is using a command and control server to tell all of those hijacked devices around the world what to do and where to launch their next attack. And like Mirai, Owari is able to brute force guess passwords to gain access to your router, for instance, and take advantage of default login credentials on devices.
Carole Theriault
So by brute force guess passwords, you mean so it's just hammering a password field with loads and loads of different passwords to see if they can find one that actually works.
Graham Cluley
Yeah. And often they will actually have a dictionary, as it were, of commonly used passwords, which they will try, or they may have a database of passwords which are used on particular IoT devices. So the lesson for us all, okay, here's the lesson, here's the science bit, is that everyone should ensure that they're not using the default password on their IoT devices, not choosing dumb passwords, which a hacker or a hacker's worm might find it very easy to crack. Otherwise you become a part of a botnet. So it's a very simple lesson, isn't it?
Carole Theriault
Well, anyone who's listened to this show ever will know that passwords are key to security.
Graham Cluley
Well, I think there's someone who doesn't listen to our show, Carole.
Carole Theriault
No, in the entire world?
Graham Cluley
I know it's hard to— have they not heard we're award-winning? Well, that person is whoever is the mastermind behind the Owari botnet. Okay, that botnet which is going around exploiting weak passwords. He hasn't learned anything from his own victims. There is a researcher at New Sky Security, his name is Ankit Anupam, and he has published some research into the Owari botnet. And he has discovered that the botnet's command and control server was secured, in inverted quotes, with the username root and the password of root.
Carole Theriault
What, so you're saying, is he saying username colon, and then I could enter in root, and at the password field I could enter in root and I'd have full access to his command and control center?
Graham Cluley
Yeah, which means you're now in charge. Ah! In the words of Alanis Morissette.
Carole Theriault
Ah, the famous Canadian.
Graham Cluley
It's like rain on your wedding day. It's the username root with the password the same.
Carole Theriault
No, no, no, no, you sang last week. We're not doing this every week.
Graham Cluley
Okay, we're not doing that again. It's a bit of a blunder, isn't it? And of course, this means that it's now out of action, thank goodness. But it just goes to show that you can be criminally minded, you can mastermind some huge botnet and then do something that stupid. Now, antivirus veteran Vesselin Vladimirov Bontchev. Ah, yes, we know him.
Carole Theriault
A famous, very famous in our circles.
Graham Cluley
He is a master of the withering put-down, and he has described Owari's mastermind as not just stupid for using weak credentials, but also creatively stupid because he says it is so hard to accidentally set up a MySQL database such as the one being used on this command and control server. So hard and difficult to set it up so that it would be openly accessible to the whole world that he's just taken stupidity to a whole new level.
Carole Theriault
It's a bit of a— it's almost Darwin Award level, isn't it?
Graham Cluley
It is.
Carole Theriault
Or it's arrogance. It's arrogant.
Graham Cluley
Maybe they just—
Carole Theriault
I know you're pretty arrogant. What do you think? Do you think you use good passwords or do you just use Graham Cluley?
Graham Cluley
Arrogant?
Carole Theriault
Well, you certainly love that a podcast was falsely called Smashing Graham Cluley.
Graham Cluley
I felt a little bit awkward about that, to be honest.
Carole Theriault
Did you?
Graham Cluley
Did you? Just a little bit.
Carole Theriault
Yeah.
Graham Cluley
But yeah, you don't want to upset that. I mean, I remember I was at an antivirus conference once with Vess.
Carole Theriault
With Vess? Yeah, that's what he's called. My bud bud Vess Vess.
Graham Cluley
He's called it. Yeah, my bud bud Vess Vess.
Carole Theriault
You have a special fist pump that you got to do?
Graham Cluley
Vess on security. I remember once he was, he listened to someone's talk and he stood up afterwards and he began to tell them all the mistakes that they'd made in their talk. And it was at the point where he said 17thly. I thought maybe he's going a little bit too far. Vess has a— he told me once a traditional Bulgarian saying about how you can smell a donkey with scabies from 7 hills away. I don't know if that gets a lot of use in Bulgaria. He was using it in context of an antivirus product he doesn't like, but it's an odd one, isn't it? Anyway, what have we learned from this? We've learned that people are stupid. At least people do stupid things sometimes, including the cybercriminals as well. And you know what? Huzzah for that! Huzzah for stupid cybercriminals. Let's clink our glasses together again for the best security podcast.
Carole Theriault
You know, speaking of clinking glasses, yesterday in celebration, when I got home, I had a single malt whiskey, a Laphroaig for whiskey lovers out there.
Graham Cluley
Oh.
Carole Theriault
And then I spilt it onto my MacBook keyboard. So not only a waste of a very expensive whiskey—I don't know, maybe a tablespoon or two.
Graham Cluley
Yeah. Did you lick it up?
Carole Theriault
Well, right now the keyboard doesn't work very well. However, I have been able to put in a second keyboard, so I've got a USB keyboard, so I'm able to—I've been bypassing the original one, hoping it dries out.
Graham Cluley
All right.
Carole Theriault
Good thing I don't have water in my whiskey. That's all I can say. Hopefully alcohol dries faster than water.
Graham Cluley
Well, thank you once again for my cranberry juice. I think I bought you an orange juice. Oh yeah, John Leyden bought me a cranberry juice. Bless him.
Carole Theriault
I don't know if you know this story, but before I even met you, I used to work in this technology company and I was responsible for documentation and online help and that sort of stuff.
Graham Cluley
Yeah.
Carole Theriault
And one day I was lining up this Easter egg for the developer, basically writing a help guide, and he was going to review the help guide that I had written. And inside the help guide I wrote down "Carole is cool, Ronnie is not." Ronnie being the name of the developer, right? And I put this at the very top page of the online help. I just wanted to see if he was actually going to read it.
Graham Cluley
Quite polite by your standards, I have to say.
Carole Theriault
Oh, I know. I was a lot younger. I was a lot younger then. Hi Ronnie, by the way, if you're out there. Anyway, so Ronnie somehow missed my silly edit and approved the work. Somehow I totally forgot about it. And somehow it didn't get spotted for 5 years. It turns out it's very rare for someone to visit the introduction page of a help guide.
Graham Cluley
I see. So hang on. So this actually shipped with a product, this help file?
Carole Theriault
This shipped with a product for 5 years with no one noticing it until someone, I guess, started at page 1 and noticed it and wrote into us and we were able to remove it.
Graham Cluley
Did you blame it on, you know, pouring whiskey over your keyboard or something? No, no.
Carole Theriault
I don't think I drank whiskey back then. I didn't need to. Now, I was lucky that this joke wasn't very rude, as you say, or very obvious, right? I probably would have been fired, or at least received a bollocking and a telling off room, had it been spotted right away.
Graham Cluley
If you'd used a word like bollocks, then I think you wouldn't be in that spot of bother, yes.
Carole Theriault
But meet poor Thom Wysocki. He's an employee of Wessex Water. This is a British water utility firm. Wessex Water wanted to warn residents of upcoming disruptions to roads, right, due to essential works that would be carried out in a few weeks' time in Chippenham. This is a pretty Cotswold town. So they sent an actual postal letter out to the residents there. Do you read these kind of letters when you get these, actually, Graham?
Graham Cluley
Letters, you mean?
Carole Theriault
Yeah, like letters from, I don't know, the council, or I don't know, business letters.
Graham Cluley
No, no, no, no, no.
Carole Theriault
See, I don't either. I hate it. I hate it as much as voicemail, actually. They could sit there for weeks if I lived on my own, but luckily I married someone who likes to keep on top of that kind of stuff. Anyway, so if my better half had received this disruption notice, he would have spotted the huge snafu in it. I probably never would have opened it. See if you can spot it. I've put it, I've put it.
Graham Cluley
Okay, let's have a look. So, dear customer, traffic lights, carrying out essential work in the water supply network. How will this affect you?
Carole Theriault
How will this affect you?
Graham Cluley
What should you do?
Carole Theriault
What should you do?
Graham Cluley
Don't have to do anything, it says, just, you know, don't worry about it. Thom Wysocki is a twat.
Carole Theriault
Anything else?
Graham Cluley
But what? Hang on, wait a minute. So they—
Carole Theriault
And it's in bold.
Graham Cluley
This is not hard to spot, actually. It's about halfway down the letter, and it says that one of their employees is a twat.
Carole Theriault
Well, it doesn't say it's an employee at this stage, right? It just says Thom Wysocki is a twat. So of course, people who received this letter, right, went on to Twitter and other social media to go, who is Thom and why is he a twat?
Graham Cluley
And this has been signed by someone called Stuart Stone of Wessex Water.
Carole Theriault
That's right. Well, it turns out Thom Wysocki is also an employee or works with Wessex Water.
Graham Cluley
Are they friends? Do they get on? Yes.
Carole Theriault
Well, wouldn't you love to know? Anyway, so of course loads of people tweeted out to Wessex Water to kind of warn them of— I mean, how did someone miss this? I have no idea. Even, I mean, these letters have to be manually folded and put into an envelope and it's written in boldface type. People wrote into Wessex Water and they replied with a very corporate response, which I find almost funny in itself. It says, we're deeply sorry for the inappropriate language and any offense caused by this letter. We are currently investigating how this has happened.
Graham Cluley
But they're not actually denying that Thom Wysocki is a twat though, are they?
Carole Theriault
Exactly. And that's what I want to know. That's what we all want to know. Is Thom a twat? Was Thom being a twat at that particular time but normally is not a twat?
Graham Cluley
Do we have to censor the word? Yes. Oh, crikey.
Carole Theriault
Whilst very tangentially related to cybersecurity, not at all, basically it's mailshot related, but I think it's a very important reminder to us all to just take a break and proofread stuff before you send it out.
Graham Cluley
Well, I know that that's great advice. And I remember covering the story recently about the spreadsheet which was sent out with the hidden pivot table, including information. So you have to be careful when you have a piece of information which maybe you're sending out, even if it is being printed out, that you may be sharing more than you intended. Obviously, the Thom Wysocki thing is— and his twatiness— is something which they really wanted to keep within the company rather than send out to all of their customers, judging by their embarrassment and apology.
Carole Theriault
Yeah, I don't think this was their marketing campaign.
Graham Cluley
Do you remember that girl Claire Swire? There was a thing with her about 15 years ago on the internet where someone—
Carole Theriault
Was I born then?
Graham Cluley
Someone—
Carole Theriault
I was probably still in college.
Graham Cluley
Someone forwarded email about her and her bedtime activities. Let's not go into it anyway. You can look it up on the internet. The thing is that this—
Carole Theriault
What are you doing?
Graham Cluley
This— What are you—
Carole Theriault
Why are you waffling?
Graham Cluley
Because it's far too rude.
Carole Theriault
This episode of Smashing Security is sponsored by LastPass. LastPass simplifies password management for companies of every size, but it isn't just for enterprises. It's equally a great solution for business teams, families, and single users. Learn more at smashingsecurity.com/lastpass. And welcome back.
Graham Cluley
Can you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book they've read, a TV show, a movie, a record, an app, a website, a podcast. Actually, oh, hang on.
Carole Theriault
A broom.
Graham Cluley
Hang on, hang on. We had a complaint.
Carole Theriault
Did we?
Graham Cluley
Well, we had a 4 out of 5 review. Oh. Where somebody said that they would have given me 5 stars. Sorry, given us 5 stars.
Carole Theriault
Oh my God.
Graham Cluley
If I enunciated properly. Apparently when I say—
Carole Theriault
So I got 4 stars because of your enunciation difficulties.
Graham Cluley
So apparently when I say a TV show, a movie, a record, an app, a website, they thought I was saying an Apple website.
Carole Theriault
Oh.
Graham Cluley
And they've written this in their review. So they'd like me to start saying TV show, a movie, a record, a website, app. I don't know, podcast, whatever. Anyway, they want me to put the words in a different order. The important thing though, Carole, is that your pick of the week does not have to be security-related necessarily.
Carole Theriault
Well, mine is not this week, Graham, and definitely not, shouldn't be.
Graham Cluley
Now, my pick of the week is an app. Now, for many years I've used a great little app called SimpleNote, which is multi-platform and it syncs notes. So if you're making notes, so if I'm at a meeting and I'm having to make a few notes or something, I just chuck it into SimpleNote and it would get automatically synced up with my phone. Phone and, you know, whatever other computers, my laptop. A great way of just putting little notes to yourself. It could— my wife sends me out to go and buy some food at the supermarket, I'll chuck it into the app, right? Works really well, nice design, lovely, lovely, lovely, completely free. However, there's one little tiny little bit of grit in the gears, which is that although it encrypts notes during syncing, it doesn't encrypt them on the servers. And although this was being run by Automattic, who run WordPress.com, and I think they know what they're doing, it always left me a little bit uncomfortable. They are upfront about this and they say, look, you shouldn't really use it for sensitive information, but I was also a little bit nervous that, you know, maybe I'd just through habit put something sensitive in there rather than my shopping list. So I went looking for an alternative, and the alternative I've chosen is an app which looks very much like SimpleNote, but it's called Standard Notes. And it's also available for Windows, Mac, iOS, Android, and Linux, just like SimpleNote. It's really simple and easy to use, has cross-platform sync, just works. And the standard version is free. Now, if you want some additional features, such as extensions you can plug in, and particularly if you're a programmer, you might want to do that, then you can pay an annual subscription of a little bit of cash.
Graham Cluley
You can even self-host it if you want to. So if you're really paranoid and want all this encrypted data on your own servers.
Carole Theriault
Okay, so let me, let me get this straight. You're saying you used to use this app called SimpleNote. But you didn't like the whole lack of encryption during server rest time. Can I ask a question? Why don't you just use Notes provided by Apple? Well, because it cross-syncs. I know it's not cross-platform, but you don't use a lot of different platforms, as far as I know.
Graham Cluley
That's right. In the past, I've never had a great experience with iCloud. I've often found it syncing a little bit wonky.
Carole Theriault
So therefore you've moved to Standard Notes.
Graham Cluley
Maybe it's improved, but I've been uncomfortable with that. And of course, something like SimpleNote and Standard Notes, they both go much further than just the pure Apple platform. Therefore I'm using Standard Notes. So if you did want to sync it with other devices as well— so I remember, for instance, way back when, when we both worked at Sophos, for instance, Carole, I would use SimpleNote to sync up with my Windows computer at work as well. So my notes were going through multiple devices.
Carole Theriault
Okay.
Graham Cluley
Anyway, I find it really handy, and the fact that this is a more secure version really appeals to me. So that is why Standard Notes is my pick of the week. Completely open source.
Carole Theriault
I said the whole thing in 30 seconds.
Graham Cluley
Wonderful. Good. I think that's a good pick of the week.
Carole Theriault
Yeah, I just use Notes and I love it. So just saying.
Graham Cluley
All right, well, attacking on those that like to keep life simple. Okay. Carole, we don't have a guest this week. So what's your pick of the week?
Carole Theriault
I have a documentary as my pick of the week. It is called Evil Genius. It has just come out on Netflix. This is a story based on an actual bank robbery that took place in Pennsylvania in the summer of 2003. Now the gist is this: bank robber turns out to actually be a local pizza delivery guy named Brian Wells, gets caught, and tells authorities to be careful because he has a bomb strapped to his neck. So Evil Genius is effectively the story of the famous collar bomb heist. It's full of lies and manipulation. There's madness, there's gruesomeness. It's great. There's 4 parts. I actually stayed up till 2 AM to finish it in one sitting. It twists and turns like a fish out of water. It's like Blue Velvet or Twin Peaks. I think you're gonna love it, Graham. And it also makes you a bit uncomfortable. For example, inside the show, one of the key players is incarcerated, and the producer offers them some legal advice, right? And for some reason, this has all been— there's no privacy. We are able to get all that information, and it's shown to us. So it's like a video meeting with a lawyer and you're getting that private info and you're like, how did they get that? How are they allowed to show that? So there's all these kind of weird moments. How did the producers actually get— and it kind of makes sense at the end. But it's well worth the watch for 4 shows. Excellent.
Graham Cluley
So in a nutshell, this guy, Thom Wysocki, decides to— Brian Wells, getting them mixed up. Anyway, he decides to rob a bank and he has a bomb around his neck, or at least he claims to have a bomb around his neck.
Carole Theriault
Yes.
Graham Cluley
And dots, dots, dots.
Carole Theriault
I'm leaving, yes, I'm leaving a lot of dot, dot, dots out. So if you're not following it, just go watch it. But listen, it gets even more interesting. As I was watching the show, I was like, I know this story. And I'd heard it on one of my other favorite podcasts other than Smashing Security, called Casefile. I think I've talked about it on the show before. And it takes a completely different perspective on this same case. So go listen to episode 81, Brian Wells, of the Casefile podcast.
Graham Cluley
Do you want us to, do you want us to watch this clip as well?
Carole Theriault
Yeah, if you just click on the first YouTube clip there.
Graham Cluley
Okay. So there's a clip of the show. I'm going to click on it right now and see what it— Oh, for goodness sake.
Carole Theriault
Happy happy days. I got you with World Again. It's a 2 out of 2 for me. I would say, if you like documentaries and you like things that twist and turn and like, what's going on? This is one for you. And it's 4 episodes. You can do it in a night if you plan it carefully.
Graham Cluley
Sounds good.
Carole Theriault
Yeah, you'll like it. You'll like it.
Graham Cluley
Okay.
Carole Theriault
I promise.
Graham Cluley
Fantastic. Well, on that literal bombshell.
Carole Theriault
I like what you did there.
Graham Cluley
That just about wraps it up. If you like the show, please follow us on Twitter.
Carole Theriault
If you like the show, we like you too.
Graham Cluley
Ah, well, we do, don't we? Because we've just— did you hear? We've just won. Yes, we're on Twitter @SmashingSecurity. No G, Twitter wouldn't allow us to have a G. You can buy t-shirts and mugs and stickers at smashingsecurity.com/store. If you like the show, rate it on Apple Podcasts. It really does help new listeners discover us, doesn't it, Carole? It certainly does. Thanks to everyone who's written a review already, and if you haven't, please think about it. Until next time, cheerio, bye-bye, bye everyone! Mewtwo.
Carole Theriault
Mewtwo.
Graham Cluley
Mewtwo.
Carole Theriault
Yay!
EPISODE DESCRIPTION:
The mastermind behind the Owari botnet doesn't seem to have learnt anything from his victims, and someone at Wessex Water forgets to remove an embarrassing sentence from a letter sent to customers...
All this and much much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who recorded a shorter podcast than normal this week as they were far too busy recovering from receiving the best security podcast award!
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the award-winning episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.