This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault
You could just see the tech workers running into conference rooms and unplugging all the machines. So it wasn't your typical day at the office.
Unknown
It takes quite a lot for an IT guy to run as well. It's quite serious. Normally they're kind of slouching along, aren't they? Just loafing around. It's whoa, we've got a big problem here. Smashing Security, episode 116. Phishing, Stalking Debtors, Facebook Farce, and a Cyber Insurance Snag with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 116. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole. Well, we are joined today by a special guest. He's brand new to the show. It's Joe Carrigan. Is it Carrigan or Corrigan?
Joe Carrigan
Carrigan. With an A. Yeah.
Graham Cluley
Carrigan.
Carole Theriault
Welcome to the show, Joe.
Graham Cluley
I said it and then I wasn't sure. Nope, that's—
Joe Carrigan
You said it right the first time.
Graham Cluley
I have so much self-doubt. Joe, you are, because you probably need reminding, a senior security engineer with the Information Security Institute at Johns Hopkins University.
Joe Carrigan
Oh yeah, that's right.
Graham Cluley
Yeah.
Carole Theriault
And you're the co-host of the Hacking Humans podcast, part of the CyberWire network.
Joe Carrigan
Yes, with Dave Bittner. Dave, who has been a guest on this show.
Carole Theriault
He has.
Graham Cluley
I'll have to look back. I don't remember.
Carole Theriault
So is he not nervous that you might outperform him on the show?
Graham Cluley
He should be.
Joe Carrigan
I don't know if he's nervous or not.
Carole Theriault
We're going to find out on Twitter when he gets all riled up.
Graham Cluley
We'll rile him up for sure. So what do we got coming up, Carole?
Carole Theriault
Well, buckle up, listeners. We have a doozy this week. Cluley, you're investigating the novel ways a naughty app developer might track your whereabouts. Joe, you're sharing a Facebook snafu designed to fool even the tech savvy. And I've got a cautionary tale starring a malware victim and their cyber insurance policy. All this and oodles more coming up on Smashing Security. Don't move a muscle.
Graham Cluley
Now, fellows, word has reached us from China about what the police are doing over there. They have just arrested an app developer. Police in Nanjing, East China's Jiangsu Province, have arrested a 30-year-old man known only by the surname of Wu.
Carole Theriault
I kind of like that. Yeah, I'd love to have a name that was just two letters long. Everyone would remember it. Kind of cool.
Joe Carrigan
Carole Theriault is kind of hard to remember how to spell.
Carole Theriault
Yes, it's even hard for the French people.
Graham Cluley
Well, Mr. Wu, his full name is Mr. Wu, is a computer engineering graduate, and he created an app called App Detective. Bittner.
Carole Theriault
Oh my God, I would download that just on the name alone.
Joe Carrigan
What does it do?
Graham Cluley
Well, App Detective breaks into a smartphone's instant message database. So imagine you're using WhatsApp or something like that, or the local Chinese equivalent, and it grabs the user's location.
Joe Carrigan
Bittner.
Graham Cluley
So far, pretty creepy stuff, right?
Carole Theriault
Yeah, okay, I wasn't thinking that.
Graham Cluley
No, it's not the kind of app you would want to install, quite frankly.
Carole Theriault
Right.
Graham Cluley
So why have police arrested him? What have they said that he's doing with his app? Well, apparently he was selling this app to debt collectors who would track their target's whereabouts. And some 4,000 people have paid as little as 1 yuan, which is 15 cents, to get people's static location, or the extraordinarily high price of 10 yuan, which is about $1.50, to track their target's movements in real time.
Carole Theriault
Okay, okay, okay. So people that are downloading this are trying to keep track of what their wife or husband or their kid or—
Graham Cluley
Well, this is the thing that you would normally expect that, wouldn't you? And there are plenty of apps, of course, which are sold on the basis of, you know, 'Oh, keep a caring eye on your partner, right, on your children.' Reality is, are they cheating on you?
Joe Carrigan
Those are owned and operated by creeps.
Graham Cluley
Yes, exactly. Well, in this particular case, he was selling it, it seems, primarily to debt collectors and bounty hunters. So people who are trying to track somebody down, and it can be very difficult tracking someone down. I remember you, Carole, do you remember years ago when I did a little bit of tracking for you? Me and our buddy Stevie Butts, we were around our friend Petra's house, and you said that there was a man in the neighboring pub who you wanted to keep track of. I think it was a potential boyfriend or something. And Stevie and I hid. We disguised ourselves quite well.
Graham Cluley
You remember that?
Carole Theriault
You guys took Petra's towel, put it over your heads, and then looked through the pub window to see if he was there or not. And Petra and I were watching you from the attic window, killing ourselves.
Joe Carrigan
How did you see through the towel? Did you cut holes in the towel?
Graham Cluley
Our principle was, if you've ever read Hitchhiker's Guide to the Galaxy and the Bugblatter Beast of Trull, right, the beast is so dumb that it believes if it can't see you, you won't be able to see it. So we took the principle of putting a blanket over our heads. If we couldn't see, maybe they—
Carole Theriault
Absolutely no alcohol was involved in any of this at all, Joe, I assure you.
Joe Carrigan
I'm sure of that.
Graham Cluley
Yeah. If only it had been, that would've been more understandable. But yes, so I understand the difficulty of tracking someone and, you know, finding your quarry.
Carole Theriault
Nice segue.
Graham Cluley
But this, this app, it appears no towels were required, debt collectors just could simply trick their target into installing the app.
Joe Carrigan
Okay, now that's the crux of my question. How does a debt collector trick someone they want to collect a debt from into installing this app?
Carole Theriault
Yeah, this.
Graham Cluley
How naive are you, Joe?
Joe Carrigan
Am I reading ahead?
Graham Cluley
It's so simple to do something like that. I mean, I think it's really up to the purchaser how they choose to want to do it, but if you were to offer someone something like I don't know, 100 Sexy Wallpapers app or something like that, or free ringtones.
Joe Carrigan
Yes, free ringtones. That's the hook that always catches me.
Graham Cluley
Then some people would install it. But I agree with you, you know, you would—
Carole Theriault
But how do you weed out the people that you want to collect debt from versus the ones that are just—
Graham Cluley
Well, you would send a link, wouldn't you? You would send a link to the specific people.
Joe Carrigan
Yeah, you have their email addresses presumably, right? Yeah.
Carole Theriault
Okay, so I have a list of people that are in debt, an email address. I then try and hook them in with a little fishy email saying, hey, hey, get this app, it's really cool.
Joe Carrigan
You phish them and they install this malicious app, and then bang, you know where they are.
Carole Theriault
So the idea is that people that go into debt really just want to track people? Oh no, no, they're, they're—
Graham Cluley
No, no, it's them being tracked by the people they owe money to, or at least the debt collectors who are going to collect it. So the heavies are going to come around. All they need to know is where you are at a particular time, and then Moose and Rocco show up.
Carole Theriault
Gotcha.
Graham Cluley
Yeah, it helps them do this. And apparently the app was quite good at its job. It was capable of determining people's location with a margin of error of about 20 meters. And in all, the app is said to have made about $60,000, which, you know, it's quite a lot of money when you consider that they were charging as little as 15 cents per go. There was a lot of activity going on here. Now, one thought I had was, well, hang on, why does the app need to crack an instant messaging app rather than just grabbing your location itself? And I think I've come up with a theory on that, which is normally when you install an app on a modern phone, and I imagine most of the people being targeted here were running Androids, the operating system is going to pop up and say, "Ooh, this app requires—" Location information. GPS, you know. And you would think, "Well, why do I need that for my free ringtones and my sexy wallpaper?" And Joe would say, "No, I don't want to install that software." Right?
Joe Carrigan
That's too many permissions for free ringtones and sexy wallpapers.
Graham Cluley
But if the app manages to actually instead crack your phone to grab the information from your instant messaging app, if it's able to query that, maybe through a vulnerability, or maybe because you're running an old version of Android which doesn't have good enough security, then that might be a more effective way to do it. I don't know, but that's my theory as to why they're doing it that way. Yeah, yeah, it seems plausible to me. It's certainly plausible.
Joe Carrigan
I would, I would agree it's plausible.
Graham Cluley
Now, he has been prosecuted now, Mr. Wu, for allegedly writing the apps and stealing personal information. And two other frequent users of the app have been nabbed and are awaiting prosecution. But all of this got me thinking, what other novel ways might there be of tracking people? After all, you've got to trick someone into loading the app onto your smartphone. And it was at this point that one of our devoted Smashing Security listeners, Sarah Gatsky, she tweeted me and she pointed me towards a thread on Twitter about a brand new pair of shoes. Now, do you guys remember Back to the Future 2? With Michael J. Fox. Not the original! Back to the Future 2, which has a pair of self-lacing shoes in it. He wears these Nikes which sort of do themselves up because he goes into the future.
Joe Carrigan
I do remember seeing that. I think that's the only Back to the Future I haven't seen. I've seen 1 and 3, but I don't think I've seen 2.
Carole Theriault
I remember this, definitely remember this, because I thought that why not just use Velcro, basically?
Graham Cluley
Because they don't do it automatically, Carole. That was the whole thing. Well, did you know that a few years later Nike actually produced a limited run of shoes like them. They sort of copied the design. Marketing geniuses. And in combination with Michael J. Fox's foundation, which fights Parkinson's and so forth, they auctioned off a few hundred of these for a vast amount of money, and they raised a lot of money for charity, which is obviously fantastic. Well, the third generation of these self-lacing sneakers called the Nike Adapt BB has just been released. Okay. And these shoes— you're wondering where I'm going with this.
Carole Theriault
Oh, they're not smart shoes, are they?
Graham Cluley
Well, these shoes, they will only set you back $350.
Joe Carrigan
Which is not bad, right, for self-lacing shoes. I would expect that to be a lot higher.
Carole Theriault
You wouldn't have to bend over, right?
Joe Carrigan
That would help me so much. I could breathe while tying my shoes.
Graham Cluley
They remember how tight you like your shoes. They pair over Bluetooth. They receive software updates. We'll link to the tweet where someone has actually put up a screenshot of their phone— of, sorry, of their shoes updating the software on your shoes being charged wirelessly on a USB-C charging mat while receiving a software update.
Carole Theriault
What's the point? What's the point?
Joe Carrigan
What is the point? Well, the future is stupid.
Graham Cluley
Yes, that's exactly— yes. All kinds of questions spring to mind here, right? Would you be allowed to take these on a plane?
Carole Theriault
Does it need batteries?
Graham Cluley
Oh yes, it needs batteries. They're not like a pair of AA batteries, Carole. They're rechargeable. A few double Ds around the ankle.
Joe Carrigan
Sellotape them to the side. Here's another issue I have with this. These batteries are on presumably a very mobile part of your body, probably the part of your body that endures the most G-force during the course of a day. How safe are those batteries?
Carole Theriault
Yeah. Loving lithium there. Right.
Graham Cluley
These— apparently the BB stands for basketball. So you can imagine it would be quite a rough sort of, you know, it's not a gentle stroll, is it? Right.
Joe Carrigan
No, it's a lot of sudden stops and starts.
Graham Cluley
They have got a battery inside them, a microcontroller, an accelerometer, a gyroscope, a temperature sensor, a motor, lights. They've got little lights at the side.
Carole Theriault
Can they stop you if something dangerous comes across your path? Does it alert you if there's any damage on the skin? Alert! Alert!
Graham Cluley
Small chafing of leather. I think the idea is that they monitor the temperature so that they can loosen over time in case you get sweaty.
Carole Theriault
They can't do that automatic braking.
Joe Carrigan
They don't have fans that cool your feet off?
Graham Cluley
Now, now you are thinking, and I assumed the same.
Carole Theriault
This is fucking ridiculous.
Graham Cluley
And these sneakers would be tracking your location and your activity and counting steps. Well, apparently they aren't yet, but it sounds like it'd be an easy thing to add via a firmware update or adding new features to the app. But it's kind of inevitable that they will do at some point, won't they? Or the next version will.
Joe Carrigan
Right. And you don't even have to update the firmware on the shoes. You just have to update the app. Because the shoes probably don't have a GPS receiver in them. But the phone does. Right.
Graham Cluley
Yeah. And so it's being all collected. Now, you have to wonder what will in the future shoe manufacturers be planning to do with all that data? And I'm thinking if you're finding it hard to get someone to install the app with the ringtones and the sexy wallpaper, send them a pair of sneakers. And your average person.
Carole Theriault
Or tell them they will get them. $350. Just send them willy-nilly. What kind of businessman are you?
Joe Carrigan
Okay, so let's look at the business model here for a second. I'm a collector, collections person, right? So I have to spend $350 for a pair of shoes. So that means that I have to have a bill collected or a bill to collect that's worth— going to profit me at least $350, right?
Graham Cluley
You'll get the shoes back when you collect. You rip them off his feet and say, "Oi, they're mine." Anyway, and in the future, the sneakers will be cheaper as well. This is the future of sneakers, right? Already you don't need to put fuel in them, do you? They're all sort of—
Joe Carrigan
Well, you do have to charge them.
Graham Cluley
You do have to charge them. Yes, you have to charge them every fortnight, apparently.
Joe Carrigan
That's pretty good for a pair of shoes. I would imagine that— I would have thought more than that.
Graham Cluley
But it's not just for debt collection, right? It's not just for tracking people. In the future, shoe manufacturers will know where you're going. They'll know if you stop for donuts. They know if you're exercising. They will be able to monetize that data. Yes, but it's going to be happening more and more.
Carole Theriault
Okay, great story.
Graham Cluley
And if you've got— if you're dumb enough to spend $350 on sneakers, you've got other money to burn, probably, which big companies are going to be able to exploit, aren't they? I've just given you a vision of the future. You can call me Nostradamus if you wish.
Carole Theriault
That's the first word that came to mind.
Graham Cluley
I am seeing an image of the future and where things are going. All right, so Joe, have you got a story for us? Of course. Not right now.
Joe Carrigan
Huzzah! So imagine that you are minding your own business, sitting at home, and someone sends you a URL that says something like, "Hey, take a look at this on Facebook."
Graham Cluley
And of course, by the way, there's an app.
Carole Theriault
Okay, I would be "Haha, I don't have Facebook." But imagine if I did. Lucky you.
Graham Cluley
So you can actually go to your app to tighten the left or right shoe.
Joe Carrigan
I gotta tell you, I have used Facebook less and less. The only reason I keep it around is to communicate with family.
Graham Cluley
Or you can press a button on the side of the shoe.
Joe Carrigan
But ever since I stopped just getting on there on a regular basis, I find myself living a much happier life.
Carole Theriault
Listen, people out there, listen to Joe. Get off it.
Graham Cluley
Yeah, no Facebook February, right? That's what we believe in. Give it a try, try and stop for a month.
Joe Carrigan
Right, so you're astute. You look at the URL and it does indeed point to Facebook. It says facebook.com and it has some other stuff after it. And you say, "Okay, I'll look at this" and bam, you very quickly lose control of your own Facebook account. How would this have happened?
Graham Cluley
So this isn't phishing, isn't taking you to a login page or—
Joe Carrigan
It is phishing. It's a phishing email that they're sending you, or a phishing message or something, but it is going to a Facebook page. So what has happened is there is a researcher, Sam Ouda— I hope I'm saying that right. It's a hacker alias, I guess. The O is a zero. And he found a vulnerable endpoint on Facebook at the URL facebook.com/comet/dialog_do_not_use.
Carole Theriault
That's the kind of thing I would do in one of my files.
Graham Cluley
It's like a button which says "do not press."
Joe Carrigan
Yeah, don't press, exactly. What is the first thing that a hacker does when you tell him or her not to use something?
Carole Theriault
What happens when you do that to a 2-year-old?
Joe Carrigan
Same thing. Anybody. Do not use. This looks interesting. Samo Uda did some investigating and found a cross-site request forgery attack. An attacker could craft URLs, start with this do not use URL and allow an attacker to do some stuff they shouldn't otherwise be able to do. Like they could make a post on a user's timeline. They could delete a user's profile picture, or they could actually trick a user into totally deleting their account. Oh, wow. Oh, let's do more of that, please. There you go, Carole. This is your mission in life now, right?
Graham Cluley
Yeah.
Joe Carrigan
And finally, the one thing that allows the account takeover is they could change the user's email address. And that's the key of taking over the account, because if you've changed the email address, now you click on a link that says, oh, silly me, I forgot my password. Send me an email to reset it. And you get the email and then you go in, you can reset the password. And once you have access and once you've logged into the Facebook account, you can log the user out of all their other locations and you have control of the account.
Carole Theriault
Okay, so tell me, unless someone had the same usernames on other accounts, what is the joy of having access to a Facebook account? You know, what does an attacker get out of it?
Joe Carrigan
I guess if they're just doing it for the lols, they can mess somebody's life up. They could impersonate somebody.
Carole Theriault
Yeah, it's the social engineering stuff, isn't it?
Joe Carrigan
Yeah, imagine that you're on Facebook and you start getting Facebook messages from someone you trust and someone you know that's their account and you verify it's their account, and you know they're not using a spoofed account, which is another way that social engineering can take place on Facebook. But just imagine the difficulty of losing your Facebook account. How would you go back and restructure your Facebook account and reconnect with all your friends and then tell everybody that other Facebook account has been compromised? It would be just a nightmare for the individual user. It's horrendous.
Graham Cluley
And imagine, for instance, you could have a jealous stalker or something like that, or an ex-partner who wanted to read your messages and so they want to break into the account. Or maybe you are the administrator on a Facebook page, and so cracking that personal account then gives you access to a company or an organization's Facebook presence, and you could cause all kinds of problems.
Joe Carrigan
Yes, you could. There's a very good use case for this vulnerability.
Graham Cluley
Oh, I don't want to give anyone ideas. Too late.
Joe Carrigan
It actually is too late because Samo Uda informed Facebook about this bug on January 26th of this year. And by the 31st, only 5 days later, Facebook had fixed the bug and they issued on February 12th a bug bounty to Samo Uda in the amount of $25,000. Blow me away, that sounds almost reasonable, guys.
Graham Cluley
I wonder how they write the check for Mr. Samo Zero Uda.
Joe Carrigan
I don't know how they do that. I imagine that they actually have his real name and they probably put him through a non-disclosure agreement stuff.
Graham Cluley
Yeah, I mean, it seems like a pretty tragic error for them to make, leaving this thing with the— was their fix simply to rename it from "dialogue do not use" to "dialogue no really really do not use"?
Joe Carrigan
I would imagine that Facebook actually did fix it. Probably just took it down. They probably just turned that machine off.
Graham Cluley
But how many other things like this might be lurking out there? Well, you never know.
Joe Carrigan
There is absolutely no such thing as a perfectly secure system. That's something we tell people over and over and over again. The key of this vulnerability is that it was found on the Facebook network. So it would have appeared like a legitimate Facebook link. It would have worked and there would have been nothing that Facebook would have had cognizance about unless they were tracking the usage of the do not use address. Right? Yeah. So, but I would like to say kudos to Sam Uda for finding and reporting this bug. And kudos to Facebook. There's something you don't hear every day, right?
Graham Cluley
They'll be really happy to know that they've had some good news from us. They think, finally.
Carole Theriault
Wasn't it the UK government that called them digital gangsters last week? So yeah, they're going to be really touched. They're probably having tears of joy right now listening to your story, Joe.
Joe Carrigan
Kudos to Facebook for handling this so quickly and for paying a substantial bug bounty. Yeah. You know, one of my jobs here is to disclose vulnerabilities that we find, and 9 times out of 10, I disclose a vulnerability to a company and I never hear anything back from them. Nothing.
Carole Theriault
So, well, you know, a tiny silver lining on an otherwise big, dark, crazy cloud of Facebook. Yeah, exactly.
Joe Carrigan
But it is fixed, so you can't do this anymore. Well, not with that URL.
Graham Cluley
I wonder how he found it. I mean, yeah, it's a star, isn't it?
Joe Carrigan
Poking around. Yeah.
Carole Theriault
Crawl, crawl, crawl.
Graham Cluley
How are you able to poke around Facebook to that extent to find a URL like that? That suggests to me that maybe they haven't locked down some things. Or maybe it's an ex-employee.
Carole Theriault
Crawl through. Knows his way around. Could be an ex-employee. The gardens.
Graham Cluley
He probably planted it. Could be a current employee. Oh, the conspiracy theory. You're just—
Carole Theriault
What are you, Alex Jones? There is a similarity.
Graham Cluley
If you saw both of us sat behind a desk turning purple in anger. Oh, Carole, don't get me all riled up. What have you got for us?
Carole Theriault
Please, God. Let me take you guys back to the crazy summer of 2017. So this was the year that Trump was inaugurated, began befriending Kim Jong-un, and this podcast, Smashing Security, was just still a little wee baby. And during that summer of 2017, many a company faced the wrath of the NotPetya malware. Now, we all know that NotPetya was this mass-spreading worm that used versions of the NSA's EternalBlue SMB exploit. Now, NotPetya successfully made huge companies buckle to their knees. Global ad giant WPP was taken offline. FedEx was badly hit. Shipping goliath Maersk was crippled. And Wired had this article giving the inside scoop in the company. So listen to this quote: within half an hour, Maersk employees were running down the hallways yelling to their colleagues to turn off computers and disconnect them from Maersk's network before the malicious software could infect them, as it dawned on them that every minute could mean dozens or hundreds more corrupted PCs. You can just see the tech workers running into conference rooms and unplugging all the machines. So it wasn't your typical day at the office.
Graham Cluley
It takes quite a lot for an IT guy to run as well. It's quite serious. Normally they're kind of slouching along, aren't they? Just loafing around. But it's like, whoa, they're running. We've got a big problem here.
Carole Theriault
They even said staffers were hurtling themselves over locked keycard gates, which had been paralyzed by the still mysterious malware. You should really read this article. It's fantastic. Another global giant that was hit was Fortune 500 company Mondelez. Do you know who they are, Graham? Joe, don't look.
Graham Cluley
Don't read ahead. I have read ahead.
Carole Theriault
Well, you should know Mondelez. They are an Illinois-based company, and they employ around 100,000 employees worldwide. They are the mom and dad to Kraft Foods, Oreo cookies, and Cadbury's.
Graham Cluley
So they're a big—
Joe Carrigan
Yeah, they're big. So do they own Nabisco then?
Graham Cluley
What's Nabisco?
Joe Carrigan
It's short for National Biscuit Company. Nabisco.
Carole Theriault
Oh, really? I didn't know that. So they were hit by NotPetya, and they say they lost 1,700 servers and 24,000 laptops as a result of the malware.
Joe Carrigan
Oh my gosh.
Carole Theriault
So in its annual— in Mondelez's annual report, which they filed with the SEC in 2017, they stated that the net revenue loss amounted to $100 million. They also said that it had incremental expenses of $84 million.
Joe Carrigan
So that's $100 million in lost revenue and then $84 million in recovery.
Graham Cluley
And it would have been so much less if those IT guys had just shifted their asses a bit faster. That's what— did they put that in the report?
Joe Carrigan
Well, those were the guys at MAERSK that were running around. Oh, you're right.
Carole Theriault
But I'm sure they— I'm sure Mondelez were doing exactly the same thing.
Graham Cluley
No, they weren't. They were stuffing themselves with Oreo cookies and Cadbury chocolate bars. They were popcorn and sweeties.
Carole Theriault
Exactly. Can you imagine? Kraft Dinner.
Joe Carrigan
Don't even put Oreo cookies in front of me.
Carole Theriault
You love them? I love them so much. So basically, Mondelez say they're almost $200 million out of pocket, right? And this is only 1% of their turnover for the year, by the way.
Joe Carrigan
But that's 1% of their revenue. Pretty substantial.
Carole Theriault
So now before you say poor, poor Mondelez, you should know that they had cyber insurance with a company called Zurich Insurance. Oh, thank heavens for that.
Joe Carrigan
I'm sure that they took care of everything.
Carole Theriault
Exactly, Joe. They're so smart, right?
Joe Carrigan
They're a good insurance company, and insurance companies always pay out whenever you have an incident for which you have insured yourself.
Carole Theriault
Exactly. Just in case someone nips past your approved and reviewed defenses, you can insure yourself to recoup any losses. Great, makes perfect sense. So if you go to the Zurich Insurance website, it says enhance your cyber resilience with Zurich security and privacy coverage. Yes, let's do it.
Graham Cluley
Yes.
Carole Theriault
And the marketing blurb touts first-party coverage includes digital asset replacement, expense coverage, business income loss and dependent business income loss coverage, cyber extortion threat and reward payment coverage. Basically, we'll pay for everything. Just give us some money, right?
Graham Cluley
I'm signing up right now.
Joe Carrigan
I'm signing up. The entire $200 million that Mondelez lost is coming back to them thanks to their policy with Zurich. Exactly.
Graham Cluley
Sounds worth it to me.
Carole Theriault
I'm glad this story ends this way. You have to imagine it wouldn't have been cheap, right? It wouldn't have been chump change that they would have asked for to protect Mondelez, right?
Joe Carrigan
It's a big company, correct? That policy could not have been inexpensive.
Graham Cluley
I'm signing up.
Carole Theriault
Perhaps no surprise to you both that the Kraft food company, Mondelez, put together an insurance claim. And filed the paperwork and waited for payday. Ka-ching! And they waited. And they waited. And they waited.
Graham Cluley
Well, sometimes it can take a while. You know, it's just the wheels are in motion. It'll come in soon. It'll arrive soon. The check's in the post.
Carole Theriault
Well, in January this year, instead of getting a check, Mondelēz got the news that Zurich Insurance weren't going to honor the payment. What? They were refusing to foot the bill, and I was like, really?
Graham Cluley
How shocking. An insurance company not prepared to pay up.
Carole Theriault
Well, the policy apparently clearly states that, quote, "all risks of physical loss or damage, as well as physical loss or damage to electronic data, programs, software," yada, yada, yada, "we cover." So how are they wiggling out of paying Mondelēz? And it's because they're saying it was an act of war. So you might remember February last year, both the UK and the US government blamed Russia for the malicious NotPetya cyberattack. Experts believe that about 2,000 NotPetya attacks were launched, mainly aimed at Ukraine. Ukraine, as we know, has been locked in a simmering conflict with Russia since Moscow annexed Crimea in 2014.
Graham Cluley
So yeah, well, it just seems to me that maybe Mondelēz need to sue the US and UK governments for concluding that it was Russia, because if they hadn't done that, they would have got their payout. And maybe Mondelēz needs to threaten the US and UK governments with a bombardment of Oreo cookies.
Carole Theriault
You're shooting my story, that's my big—
Graham Cluley
I'm getting there. Oh, sorry, sorry, great minds.
Carole Theriault
Very great minds. That never happened.
Graham Cluley
Joe, have you got any theories?
Carole Theriault
Right, yeah. To their sweet tooth. So Moscow, of course, is denying being behind the attack and calls the claims Russophobic. But an assessment from the National Cybersecurity Centre in the UK clearly states that Russian military was almost certainly, and I'm quoting here, "almost certainly responsible for the NotPetya cyberattack of June 2017." So it seems that companies can be collateral damage when governments publicly blame other countries for hacks. So now I'll insert what you just said, Graham, earlier.
Graham Cluley
What's the point? What's the point of governments publicly blaming other countries for hacks anyway? Because they never actually act, they never actually do anything afterwards. I mean, sometimes they might have a few sanctions or kick out a few diplomats or something, but it seems like they're doing more harm to the economy by blaming other countries. If this— I wonder how many other times this is happening.
Carole Theriault
Well, you know, in this case, don't you think the US would want to take the heat off itself because the malware used an NSA bit of code? So it really wanted to kind of say, "Oh, you see, it wasn't our fault. It was stolen from us, used by the Russians. They're really, really great at hacking and stuff."
Joe Carrigan
That was my thought, is that there hasn't been a clear definition of what constitutes an act of war based on a cyber attack. There's no clear boundary across the planet as to what that is.
Carole Theriault
Exactly. And it poses a bit of a pickle, right? Because now who's going to win? Is the insurance company going to be able to get out of this and think of the other clients it's been able to sell its insurance to?
Graham Cluley
It is kind of about time the insurance companies came out properly and positively from one of these things, because so often they're paying out, aren't they? And for them to suffer another— that would be really rough on them. So I'm glad that for once they're getting the benefit of the doubt.
Joe Carrigan
Something similar happened on 9/11 when all those people were killed in the World Trade Center and in the flight that crashed in Pennsylvania. Insurance companies said, "Well, this is an act of war. We're not gonna pay out." And the backlash was so severe that they just decided, "Okay, we're gonna pay out." Right.
Carole Theriault
Well, that's good news for Mondelēz because they are seemingly a bit pissed at this response from their insurers, who they've been paying for this exact reason. And they've decided to roll up their sleeves and fight for payday. Good. They're suing Zurich Insurance in Illinois courts for $100 million in damages. Only $100 million?
Graham Cluley
Only $100 million. I know. Presumably Zurich Insurance is itself insured against getting sued.
Carole Theriault
There is a lot of that. And that's one of the big problems in the whole chain, because insurers have backers that insure them against losses and then those insurers have backers. So there's this huge chain of money. And the problem— one of the problems they're seeing in the industry is that backers are going to demand more collateral. So anyway, it's going to be very, very expensive. And there's going to be a lot of little loopholes to watch out for. So the moral of the story is to take heed, listeners, when it comes to cyber insurance. It's not a tried and tested field yet. No one should think they're safe as houses just because they're paying a monthly fee that's extortionate. Do not assume they're going to honor the deal because we don't have a lot of precedent, a lot of time with this yet. So until there's a proper clarification on terminology, as you said, Joe, right? The terminology used by cyber insurers and the people they're trying to insure, it might be more cost effective for some firms out there to keep their own private pot of in-case-shit-hits-the-fan money.
Joe Carrigan
Right. So in other words, you're advising people to be cyber preppers.
Carole Theriault
Yeah, I don't know. I just think it's early days. Imagine getting the Mondelēz account, right? That is a huge win.
Joe Carrigan
How Mondelēz can do this is they can stop shipping Oreos and Cadbury bars to Russia until they get their $200 million. Hold them ransom.
Carole Theriault
I don't care how big of an insurance company you are. That is a huge win for a company. And you think they, of course, would get paid out because they're the ones, they're the crème de la crème. They're at the top, you know, the top tier of customer.
Graham Cluley
Sorry, Carole. Carry on.
Carole Theriault
And but the problem in insurance is the big guys have much bigger payouts. So everyone loses, it seems, in insurance. The little guy loses because they can't get any attention. The big guy loses because the payouts are too big.
Joe Carrigan
Right. I wonder, I wonder how this has affected Zurich's ability to sell their insurance.
Graham Cluley
I was fascinated.
Carole Theriault
Let's see how many listeners talk about it.
Graham Cluley
Go, guys. Right. Exactly. Everyone, they're all listening to this right now. Now they know.
Carole Theriault
Well, there's lots of good links in the show notes about this if you're interested. I'll keep an eye on the story and get Graham to tweet about it as appropriate.
Graham Cluley
Well, cool story, Carole Theriault. Really interesting. Thank you very much. Recorded Future provides deep, detailed insight into emerging threats by automatically collecting and analyzing billions of data points from the web. Every security team can benefit from that kind of threat intelligence. Grab yourself a copy of Recorded Future's free handbook, which explains why threat intelligence is an essential part of every organization's defense against the latest cyberattacks. Go and get it at smashingsecurity.com/intelligence. And thanks to Recorded Future for supporting the show.
Carole Theriault
Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me because it's so long, so complex, and so unique I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you because they take security seriously and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashing. I'm on the show. And welcome back.
Joe Carrigan
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. Doesn't have to be security related necessarily.
Carole Theriault
Can sometimes be though, maybe.
Graham Cluley
Yeah, maybe. Doesn't have to be.
Joe Carrigan
Do you have a security related Pick of the Week?
Graham Cluley
I might. Okay. Well, my Pick of the Week is a little bit curious. My Pick of the Week is a website called— well, it does something rather startling. If you go to thispersondoesnotexist.com, every time you visit it, it will show you a picture of a random person. You just refresh the page, thispersondoesnotexist.com, tick, tick, tick, keep on refreshing, and you'll see different people popping up. And what's amazing about this is that these people don't exist. They're entirely computer-generated.
Carole Theriault
Well, this one looks like he's computer-generated. He's got a weird ear.
Graham Cluley
Well, occasionally you get someone who looks a little bit odd with a weird ear or, you know, an extra eye or something. But the majority of them are really surprisingly convincing. And you can imagine them being on the About Us page for some tech startup, there's the head of engineering, that guy's clearly working in IT support, oh, he's a VP. So, this page has been created by a software engineer called Philip Wang, and he developed the site thispersondoesnotexist.com using an artificial intelligence algorithm called StyleGAN, which was developed by the dudes at NVIDIA. It's quite startling how realistic some of these images are. So I've been reading about this, right?
Carole Theriault
And there's a few hacks on how you can tell, apparently. I'm just trying to— and I haven't done them myself, so I was just going through the pictures while you were talking, so I didn't listen to anything you said.
Joe Carrigan
Yeah, tell me, because I'm looking at this site right now, and if these people don't exist, this is terrifyingly real.
Carole Theriault
So one of the ways apparently is looking for wrinkles both on the top of the face and the bottom of the face being kind of similarly aged. Aged, like in terms of someone being 18 and someone being 45 might have a different set of look, right? Color, skin tone as well. So they kind of bleed into each other. But occasionally, if you look at the very top and the very bottom, you'll say, oh, that's not the same person.
Graham Cluley
Yeah, but this might be true of some of them, but a lot of—
Carole Theriault
On Reddit, certainly, they were all like, of course, of course, very easy. It's very easy. I'm not sure it's that easy.
Graham Cluley
I'm looking at one at the moment. They're really rather hot. You know, it's like, I really rather wish they did. No, it's just ding dong, you know, they're quite attractive. Really? Yes. I'm looking at quite attractive ones. Where are you looking?
Joe Carrigan
Because I'm looking at all average looking people.
Graham Cluley
Oh no, I've got, well, you know, I don't know how picky you are, but some of them are oh yeah, you look quite nice.
Joe Carrigan
None of these men is Graham Cluley handsome.
Graham Cluley
Now, now, thank God. Now, you might be thinking, so it's a curious web page, and I think it has some interesting implications as well, because first of all—
Carole Theriault
Scary as heck, come with Joe.
Graham Cluley
Well, right. And I was also thinking, following our discussion in last week's episode, Carole, about catfishing and extortion scams, one of the pieces of advice you gave people is you should reverse image search the images that people give you, because what a scammer might do is find an image of someone on the internet, pretend that they are that person. Well, if you used a site like this, to generate the image, you're not gonna get any hits on that Google search. You aren't gonna get any hits at all, are you? Right.
Carole Theriault
And I wonder, I guess you would never have the same fake face doing different expressions. Of course you could.
Graham Cluley
Yeah, they may have to play around a little bit more. I think that's probably the way in which things are going, but it is.
Joe Carrigan
Right, if I could generate multiple pictures of the same person that doesn't exist, that would be great for that social engineering attack.
Graham Cluley
Yeah. So anyway, fascinating website, equally terrifying. Terrifying times, fascinating website. Right. But yeah, go and check it out for yourself. thispersondoesnotexist.com. And we'll put some links in the show notes. Joe, what's your pick of the week?
Joe Carrigan
Do you rugby, Graham?
Graham Cluley
Is that the place in Yorkshire? Is that—
Carole Theriault
That's the one. That's the sport where people get cauliflower ears.
Graham Cluley
Yes. Physical sport. Physical sport. Rugby Union. Yeah. I don't really believe in physical sports. I view them as games. Oh, I view chess as a sport. I think these other things are just for kids, really.
Joe Carrigan
Okay. Well, maybe this isn't going to be a great pick of the week for you then, Graham. Carole, do you rugby? I'm going to be very enthusiastic.
Carole Theriault
Tell me everything, Joe.
Graham Cluley
She's a very sturdy winger. She'd do well. What?
Joe Carrigan
What, you used a term?
Carole Theriault
Yes, a sturdy word. Yeah. You been on the running machine today, Graham Cluley? No.
Graham Cluley
I will do after this. Carry on, carry on. Take that bit out. I know you will have anyway, Carole Theriault.
Joe Carrigan
So I got into rugby about 10 years ago when I was just flipping through the channels and I happened to see Ireland's team playing in the Six Nations tournament. And I kind of fell in love with the sport and I've been watching it, or trying to watch it, ever since. My interest grew, but I really wanted to see the Guinness Pro14 teams play rugby, which I couldn't do until this year. Thanks to ESPN here in the United States, they have a product called ESPN+. Now normally I wouldn't consider paying for a premium service like this. I'm not so into sports that I would pay for ESPN+, but what you can get with ESPN+ is you can watch almost all the matches from the Guinness Pro14 here in the US. And also you can see the nascent, here in the US again, Major League Rugby. It costs about $50 a year and I've been enjoying it.
Carole Theriault
Yeah, if you're a rugby fan, this is the bomb.
Graham Cluley
It's pretty great value, isn't it? And for our other American listeners, we should explain that rugby is like American football, but without all the namby-pamby padding and helmets and all that stuff.
Joe Carrigan
It's nonstop action. In an American football game, you'll get 11 minutes of action out of 60 minutes of play. And in a rugby game, they're 80 minutes long and you'll probably get 60 minutes of action out of it.
Carole Theriault
You guys have a lot of violent stuff though. Don't you guys have that Ultimate Fighting or something?
Joe Carrigan
Cage fighting? Yeah, we do.
Carole Theriault
And there's people that pay money for that. Gladiators.
Graham Cluley
Feeding Christians to the lions. Oh, that wasn't the Americans, was it? That was some other people. I think $50, if you're into rugby, that's a fantastic deal really, isn't it? $50 for the entire year.
Joe Carrigan
It used to be a lot more money for that. And there were things like Rugby Pass, which you couldn't get in the US, that are $150 a year for watching rugby. But here you can get a lot of rugby for $50.
Graham Cluley
You don't have to do any craftiness setting up a VPN or anything to pretend you're in another country. This is actually being served out to the United States right now.
Joe Carrigan
And when this app initially rolled out, they had some issues with authentication expiring rapidly. So every time I started up the app, I'd have to log in again. But now they've got that fixed and they've got some of the kinks worked out and it works pretty well.
Carole Theriault
This is the second time someone's talked sport on our show.
Graham Cluley
I think the first was John Laydon. I do mention chess a lot, Carole. It is a sport. What's your pick of the week, Carole?
Carole Theriault
So my pick of the week on this bleak February afternoon is funny. We needed a bit of sunshine. So it is a tiny bit computer-related. So sue me, Cluley. So this is the fun work of Trevor Moore. He's a musical comedian who cut his teeth at Saturday Night Live. And it's a little bit as if Flight of the Conchords got wooed by Weird Al Yankovic, and they had a love child, and that child is called Trevor Moore. So my pick of the week is his song and video called "My Computer Just Became Self-Aware." Now, I've only heard one other cyber-based song, and that was Kaspersky's "Packing the K" rap song.
Graham Cluley
Anyway, let's take a little quick listen to "My Computer Just Became Self-Aware." "Feeling sad and depressed, so I packed me a hit and then computer said, 'Dude, do you have more of that shit?' My computer just became self-aware and now it's fucked up on drugs and it is out on a tear. It's talking crazy and is updating its own software and it wants more, so humanity had better beware. My laptop is talking and this doesn't make sense. The first case of legit artificial intelligence. I guess the scientist guys are working on AI. Never gave cocaine or Monster Energy a try. How are you talking?"
Carole Theriault
Funny, right? You can listen to the whole thing on YouTube. Happy February.
Graham Cluley
There you go. Fantastic. Well, thank you, Carole, and thank you, Joe, as well for joining us on the show for your first time. I hope you won't be a stranger and you'll come back again. If people want to follow you online, which I'm sure they will, what's the best way for folks to do that, Joe?
Joe Carrigan
They can follow me on Twitter @JTCarrigan.
Graham Cluley
C-A-R-R-I-G-A-N. Awesome. And you can follow us on Twitter @SmashinSecurity, smashin' security, no G, Twitter won't allow us to have a G, and you can join in the discussion on Reddit as well. Just go to smashingsecurity.com/reddit where we are having a thriving little community chatting about everything on the show.
Carole Theriault
And please slap your hands together for this week's sponsors, LastPass and Recorded Future. Their support helps us give you this show for free. And high fives to all of you, our wonderful dear listeners. And before you do anything else, go check us out on Castbox. They are a podcast service that supports some brilliant shows, including Smashing Security. How brilliant is that?
Graham Cluley
Yeah, it's a great app for listening to all of your podcasts. Go and check it out and subscribe to us and you'll never miss another show. Until next time, cheerio, bye-bye, later skaters, see ya. Well, there we go. There we go. I'm going to hit stop recording. Don't close your bra—
EPISODE DESCRIPTION:
How would you track someone who owed you money? What was the colossal flaw Facebook left on its website for anyone to exploit and hijack accounts? And what excuse are insurance companies giving for not paying victims of the NotPetya malware millions of dollars?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Joe Carrigan of the Information Security Institute at Johns Hopkins University.