An app leaking private conversations and intimate photographs is ignoring requests to fix the problem, hackers poison a security update sent to ASUS PCs, and how to protect your privacy in motel rooms.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Follow the show on Twitter at @SmashinSecurity, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- Mimecast: Grab your FREE Cybersecurity Awareness Training Kit from Mimecast, and share it throughout your company. Give your employees the information they need to make the best cybersecurity decisions.
- Get your free kit at smashingsecurity.com/mimecast
Links:
- Varmazis.gr - The hot sauce factory.
- This Spyware Data Leak Is So Bad We Can't Even Tell You About It — Motherboard.
- A family tracking app was leaking real-time location data — TechCrunch.
- Popular family tracking app exposed real-time location data onto the internet – no password required — Hot for Security.
- Hosting Provider Finally Takes Down Spyware Leak of Thousands of Photos and Phone Calls — Motherboard.
- security.txt | A proposed standard which allows websites to define security policies.
- Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers — Motherboard.
- Operation ShadowHammer — Kaspersky.
- Shadow Hammer APT MAC Check.
- ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk — Federal Trade Commission.
- ASUSFourceUpdater.exe is trying to do some mystery update, but it won't say what... — Reddit.
- Asus implements fix for malware attack — Reuters.
- ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups.
- Passion for life: Self-expansion and passionate love across the life span — Journal of Social and Personal Relationships.
- So THAT'S Why Hotel Sex Is So Much Better Than At Home — Huffington Post.
- South Korea arrests two for spy cameras that livestreamed 1,600 motel guests — Reuters.
- Zach King magic tricks — YouTube.
- Killed by Google - The Google Graveyard & Cemetery.
- Outline - Read & annotate without distractions.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
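The security.txt mechanism linked above, and recommended in the episode as the way to make sure researchers can actually reach you, as a worked example. This is added code, not code from the podcast or from securitytxt.org: it writes a file suitable for `/.well-known/security.txt` and then checks an existing one for the mistakes that make the file useless (no contact, expired, duplicate or unparsable Expires, unknown fields). The e-mail address and URLs in it are made-up placeholders, and for simplicity it accepts only the Z-suffixed ISO 8601 form for Expires.

```python
"""Minimal RFC 9116 security.txt generator and validator.

Added example, not from the podcast or securitytxt.org. Field names follow
RFC 9116; every address and URL below is a constructed placeholder.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = REQUIRED + ("Canonical", "Encryption", "Policy", "Preferred-Languages",
                    "Acknowledgments", "Hiring", "CSAF")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # only the UTC "Z" form is accepted here


def build_security_txt(contacts, canonical, policy=None, lifetime_days=180):
    """Return the text of a security.txt that expires lifetime_days from now."""
    expires = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    lines = ["# Where to report a security issue with this site"]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.strftime(TIME_FMT))
    lines.append(f"Canonical: {canonical}")
    if policy:
        lines.append(f"Policy: {policy}")
    return "\n".join(lines) + "\n"


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems, fields = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            problems.append(f"line {n}: not a 'Field: value' line")
            continue
        name, value = (s.strip() for s in line.split(":", 1))
        fields.setdefault(name, []).append(value)
        if name not in KNOWN:
            problems.append(f"line {n}: unknown field {name!r}")
        # A bare e-mail address is the most common mistake: Contact is a URI.
        if name == "Contact" and not value.startswith(CONTACT_SCHEMES):
            problems.append(f"line {n}: Contact must be a mailto:, tel: or https: URI")
    for req in REQUIRED:
        if req not in fields:
            problems.append(f"missing required field {req}")
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires {value!r} is not ISO 8601 (YYYY-MM-DDThh:mm:ssZ)")
            continue
        if when <= now:
            problems.append("security.txt has expired; researchers will ignore it")
        elif when > now + timedelta(days=366):
            problems.append("Expires more than a year away; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    sample = build_security_txt(
        ["mailto:security@example.com", "https://example.com/report"],  # placeholders
        "https://example.com/.well-known/security.txt",
        policy="https://example.com/security-policy",
    )
    print(sample)
    print("problems:", validate_security_txt(sample))
```

Re-run the validator from a cron job or CI check: the commonest failure mode is a file that was fine when published and has since silently expired.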
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
MARIA VARMAZIS. And they dubbed this malware, because you know it has to have a fancy name, Operation ShadowHammer.
CAROLE THERIAULT. That's alright! That's a lot better than most names where it's like BitZogVingDine428.
GRAHAM CLULEY. Hey, there was nothing wrong with BitZogVingDine418, Carole.
MARIA. I played the second version of that game back in the 80s, it was great.
GRAHAM. Smashing Security, Episode 121. Hijacked motel rooms, ASUS PCs and leaky apps with Carole Theriault and Graham Cluley. Hello, hello and welcome to Smashing Security, Episode 121. My name is Graham Cluley.
CAROLE. I'm Carole Theriault. And we're joined this week by returning guest fan favourite, Maria Varmazis. Hello, Maria.
MARIA. Yay, me. The crowds go wild. Hi, everyone.
Maria, has anything wonderful happened to you in the last week? Hot sauce.
Hot sauce.
MARIA. I was like, uh. That sounds a bit perverted, guys.
Well, I found out that my third or fourth cousins have launched a hot sauce line in Greece. It's called Varmazis Hot Sauce.
Yes. I can't buy it yet. I don't think they have a distributor yet in the States or at least outside of Europe.
GRAHAM. Maybe it's too dangerous to ship. Maybe it's like lithium batteries. You can't put it on an airplane. It might explode. It's that hot.
MARIA. I have actually had hot sauce explode in my luggage when I transport it from one place to another. It is a mess to clean up. I can verify.
CAROLE. That happened once to me with maple syrup. Oh, Canada.
Now, tell me, did you, I know you're a little artiste, Maria. Did they hit you up for the logo?
MARIA. Oh, no, no, no, no. My mom was literally Googling our last name and their website came up and we went, what? Who are these people?
And we did a thing where we talked to an uncle who talked to our grandmother back in the home village. And she verified that these are indeed distant relatives.
CAROLE. Yeah. A cousin two steps removed, got on a donkey and went down the mountain.
GRAHAM. It's not the Stone Age in Greece, Carole.
MARIA. Oh, no, no. Well, economically, it's not. Economically, it might be going back.
But it's an unusual last name. So when we saw that, we kind of went, we must be related to these people because there aren't that many of us. And it ends up we are.
So, yep. I'm looking forward to trying Varmazis hot sauce.
GRAHAM. Varmazis hot sauce sounds pretty cool to me. Not cool, Graham.
MARIA. And that's my pick of the week.
GRAHAM. Okay so what have we got coming up on this week's show? Carole?
Fuck, I don't know.
MARIA. I'm not talking about Facebook. Is what's happening this week.
GRAHAM. Now chaps. Have you ever suffered from a leak? Can be pretty embarrassing can't it?
Well, there are data leaks happening all the time, aren't they? And there's one happening right now, exposing a database of thousands of people's private, intimate photographs and conversations to the whole internet. Anyone can access it. No password required.
And normally you hear about a data leak after it's been closed or when it's getting fixed. But this one is a wee bit different.
Security researcher Cian Heaslip is the chap who found this exposed database on an internet server earlier this year, and he discovered two folders on this server with over 95,000 images and more than 25,000 audio recordings of phone calls. Well, the problem with this particular database is that every day more photos and more audio recordings are being added. The leak hasn't been, would you patch a leak? I don't know, but it hasn't been filled, right? Plugged. No, plugged. Exactly.
Anyway, right. So, well, you may be wondering, where is all this data coming from? Well, it's coming from an app, a stalkerware app that lets you spy on other people's phone activity. And it's primarily marketed towards parents wanting to keep an eye on their kids and what they might be doing online, which is understandable, although some people have ethical issues with that, obviously.
But it's safe to assume that the same app could be used to monitor anybody, right? Whether it was you looking after your kids or monitoring staff or keeping an eye on your spouse.
CAROLE. Right. So basically, people could be using this app for good reasons or to spy on their partner.
GRAHAM. Yeah, it may be that you don't trust your partner, for instance. Or you don't trust your dog not to eat. I don't think dogs normally have smartphones.
CAROLE. No, but the owner might, and they might have the house surveilled to make sure that he doesn't steal the treats. What are you talking about? What? You've lost me.
Do you not understand about people putting cams in their house to make sure their pets behave as they should?
GRAHAM. Yes. In this particular case, it's an app where you can steal photographs stored on the phone or you can steal the conversation.
MARIA. So unless your dog is taking photos with their phone.
GRAHAM. If you've got a pet which is taking selfies, then yes, I agree with your scenario.
CAROLE. I'm with you. I'm with you. Okay. It's clearly my fault.
GRAHAM. I didn't explain it well enough. Hopefully it's clear now.
Now, Cian Heaslip approached Motherboard, the technology website, with this story because they have been repeatedly trying to contact the vendor, the people who made this app, right, to alert them to the breach. But despite multiple attempts, they've received no response. Absolutely nada.
CAROLE. You know, I'd love to say that's so unusual, but it's not. It can often be difficult,
GRAHAM. Can't it? But this is something where the leak is continuing to happen. And with an established app, you would hope there would be an email address or a phone number or, you know, you could tweet them or something to say, hey, can we speak to you guys? And they've sort of hit this brick wall.
They say that they've tried to ethically disclose the vulnerability to get these private images secured, many of which will be intimate, of course. They've reached out to them through the official email address displayed on the site. No answer. They've used the Gmail address of the site's administrator, who appears to be the company's founder. No answer. They've left voicemails, no answer. They've looked up the whois information. They're not getting any response.
CAROLE. Yikes. This app is available from official stores?
GRAHAM. Well, here's the thing. They haven't named the app. I imagine it is available in the popular app stores, judging by the number of people who appear to be using it.
But they don't want to name the app because they are very worried that every arsehole on 4chan is then going to work out where the database is and take those photos and those recordings and start posting them on the internet.
CAROLE. Oh, they're at it already. Yeah. But presumably our researcher guy here, Cian, he is aware of the actual app name, right?
GRAHAM. Yes. Yes. They've been to the website. They've tried to contact them, but they're not getting any response.
CAROLE. Right. I guess. So what I'm getting at is why wouldn't you go to Apple or Google and take it down that way?
GRAHAM. Well, maybe you could. I mean, maybe if you were able to convince Apple or Google, they would remove it from the app store. It's pretty compelling evidence. Well, I think that's the natural progression of things.
I think, first of all, you try and contact the company and say, look, you need to fix this, because Apple themselves may say, well, look, what they're doing with the data may not be our responsibility. They may feel uncomfortable with that. They may be worried about getting into legal trouble themselves. But potentially that's something to do.
They've also tried to contact the web hosts and they name in the article who the web hosts are. It's a company called Codero. And they've approached them multiple times for help saying, look, you are actually hosting this content. And they're not getting any response from the web server hosts either.
What on earth? Even though Codero on its website says the difference with Codero isn't just that we answer the phone when you call day or night. But it's like, well, they're not even doing that. So maybe they don't care. Maybe they don't want to piss off a customer, but it's a bit of a problem.
MARIA. That level of radio silence almost to me sounds like it's coordinated. I don't know. If literally nobody's getting back to you at that level, it makes me start to wonder if they've been told not to.
GRAHAM. Well, it really begins to put the journalists and the security researcher in this difficult dilemma, doesn't it? Because do you protect the innocent users by getting them to stop using the app? Do you find a way to communicate this?
So unfortunately, the data itself doesn't have contact information of the people inside the database. But apparently, you would be able to identify the individuals. I don't know whether that's by distinguishing birthmarks or verbal tics or Tourette's or whatever it is.
But there would be ways of saying, oh, yes, I know that penis. And well, not me personally. I don't have a huge database of memory bank to work from. But maybe other people, Carole, maybe other people would.
CAROLE. I was waiting. I started laughing before you even said my name. I knew it was coming. I'm listening to your story carefully.
Yes, yes. It seems to me this is yet another reason why if you want to be a big app store provider, you have to be a gatekeeper.
GRAHAM. And can you really expect the likes of Apple and Google to put it on hold and put it in quarantine because they received a complaint with sound evidence until they get in touch and say, oh, what's going on with our app?
CAROLE. Well, you know what? If they were to freeze out the app for a while, wouldn't that also highlight to people there could be a problem with it and maybe send the bad guys in the direction of the database, though?
GRAHAM. There are already people on Twitter who claim to have worked out who it is from information, even the limited information which is available in that Motherboard article.
CAROLE. Okay, and coming back, this data that's up there, what kind of things is it going to be? It's audio, phone calls and pictures. Yeah, exactly. The kind of people have taken either, you know, with consent or without consent. Who knows? Who knows?
MARIA. Yeah, I could see this kind of software being used by, oh, I don't know, a really controlling, potentially abusive spouse or partner trying to spy on the person that they're trying to control. So I could see people who are already very vulnerable being further victimized by this leak.
CAROLE. Well, you know what? Actually, that's a really good point, Maria. I think then what you do is you get the cops involved. Get the cyber cops involved to take a listen at the data that's being collected and make a call.
GRAHAM. The thing that's been highlighted to me is that it can be really difficult to contact companies who are leaking data. And if you are a company, if you were found to be accidentally leaking data, how easy would it be for someone to tell you?
We've just seen a similar situation happening with an Australian iPhone app called Family Locator, which purports to help people stay informed about the location of the loved one. So they've got a database. 238,000 individuals were exposed for weeks on end, unsecured MongoDB database, no password required. Same old story.
TechCrunch wrote about this. They tried to get in touch with the makers of the app, React apps. They had no contact information on their website. Their Whois record was privacy protected.
MARIA. As they often are nowadays.
GRAHAM. So there was no way to get in touch with them. Online feedback forms weren't getting answered. Eventually, they went to Microsoft and said, look, you guys run the Azure cloud server platform, which this app is using. Can you get that shut down?
And they, in that case, were successful. So Microsoft actually shut it down. Well, there you go, bravo, Microsoft. Okay, good.
But Codero, the server hosts in this case, aren't responding. Who knows why?
So some advice for people. If you're a company, how easy would it be to get in touch with you if there's a security issue? Look at your Whois privacy protection. If you are a company or running an app, maybe it makes sense not to have privacy protection there so people can get your contact details.
If you've got an online form, you need to monitor that email address and answer it. Basically, don't be a douchebag. Make sure your email addresses don't bounce. Make sure that phone calls don't go unanswered.
And one thing you can do is there is a standard on the internet called the security.txt file.
MARIA. I think that was one of my picks of the week a while ago.
GRAHAM. So you can read all about it at securitytxt.org, but you basically create a subdirectory called .well-known, and inside it you put a file called security.txt containing information on how to contact you. My concern is only security-minded people are likely to do this in the first place. So these companies which don't care simply won't do that.
But it's all a huge mess, isn't it? If only people went back to the good old days of uploading their intimate private snaps to trusted services like Facebook, Maria?
CAROLE. I think that word should be banned for the episode.
GRAHAM. Sorry, yeah, I shouldn't use the F word. You're quite right. That's the F word.
Maria, what's your story for us this week?
MARIA. It's not Facebook. Yay! Oh, it's not the F word? Yay! Exactly.
Yeah. So, a story broke yesterday, which is Monday, on Motherboard via journalist Kim Zetter, that thousands, if not hundreds of thousands, of Asus-brand computers have been compromised with malware that was installed via Asus's official automatic software updater.
GRAHAM. Yeah, that's a big yikes yuck, isn't it?
MARIA. Yeah. So, there's still a bunch of estimates floating around about exactly how many machines have been infected because this story is only a little over a day old right now. But conservative estimates say that it's about half a million machines infected. But Kaspersky, who actually first found this malware, said it's actually closer to a million. So no small number of people have been affected by this.
So as I mentioned, Kaspersky, they discovered this back in January, and they dubbed this malware, because you know it has to have a fancy name, Operation ShadowHammer.
CAROLE. Hey! That's all right. That's a lot better than most names where it's like Bitzog Vingdine 428.
GRAHAM. Hey, there was nothing wrong with Bitzog Vingdine 418, Carole.
MARIA. I played the second version of that game back in the 80s. It was great.
GRAHAM. I kind of agree with you, Carole. I wish, you know, I loved it when there was a vulnerability called POODLE. Do you remember POODLE? Yeah, good old POODLE.
CAROLE. Or there was the Avril vibe, no threat, you know, they just named it after something memorable.
GRAHAM. Yeah, I know they're also macho aren't they? They're Marvel super villains.
MARIA. Operation ShadowHammer's not right, it's definitely very, you know, subdued. No, that's a name, you know, and that means it's serious business, guys.
So just diving into what they found a little bit, this malware flew under the radar for a couple months because not only was the malware itself hosted on the official Asus update servers, but it was also signed with two legitimate Asus certificates.
GRAHAM. Embarrassing.
MARIA. And not only that, to this day, those two certificates have not actually been revoked.
GRAHAM. For those people who aren't aware, software companies use digital certificates to say, yes, we really did write this code. Yes, we approve. If you have any uncertainty about this, let us reassure you, this is a legitimate program which you can safely run on your computer.
MARIA. It's not unheard of for certificates to be faked and they're not foolproof by any means. So this is not like a, oh, my God, this never should have happened.
GRAHAM. But, oh, my God, it never should have happened.
MARIA. It never should have happened. It's on their servers. It's signed with actual certificates that are from them. They weren't faked. And they're still legit as of right now during this recording.
GRAHAM. So they haven't revoked them. So somehow the hackers got in. They meddled with the update, which got pushed out to who knows how many, a large number of ASUS computers, and it was also signed with something that the hackers shouldn't have had access to.
Correct. Not that good news, is it?
CAROLE. Oh, I bet there's a lot of hair on fire in the ASUS offices at the moment. It is a wee mess.
GRAHAM. Oh, yeah. But I expect ASUS is handling this very well. I expect they're reassuring people that they've got all hands on deck, right?
MARIA. Oh, if they are, nobody knows. Because as far as we know, as of the time of this recording, they've yet to actually say anything publicly about this.
What? There was a story this morning through Reuters that there's been some sort of update to fix this issue on the client side. But there's been no communication from ASUS at all.
So people are tweeting at them. They're getting no response or they're being told, oh, just email our security team. And that's about it.
CAROLE. So this is another story of companies not responding. Yeah.
GRAHAM. And so this story's got some... In fairness, they're probably still trying to work out what happened. It doesn't matter. Just say, yeah, we heard
MARIA. about it. There's a fuck up. Just say, yes, we've heard this story. As soon as we have more to tell you, we'll get back to you. That would be sufficient.
GRAHAM. I think you'll find it's called a Facebook up, Carole. We'll have to bleep that.
MARIA. It's a Facebook up. It's a big Facebook up. A giant Facebook up, yes.
So what's a weird wrinkle about this malware is that apparently it was only designed to target around 600 machines. Specifically, the malware was looking for MAC addresses. Basically, the malware was looking for a MAC address, one of these 600, and if it found it, it would download a second payload.
So the weird thing is this looks like it's basically highly targeted malware. Whoever's doing this was casting an extremely wide net to find these extremely targeted machines.
So who did it? Was it some sort of nation state? Who knows, but people are speculating.
GRAHAM. You would naturally lean in that direction, wouldn't you? One might.
But to be clear, this MAC address, it's nothing to do with Apple Macs, is it? Because these are PCs which are getting infected. A MAC address is just an identifier for a particular piece of hardware, which is unique.
Correct.
MARIA. MAC addresses are hardware-based identifiers. Capital M, capital A, capital C.
And these ASUS machines are specifically running Windows. Linux users of the ASUS machines are not affected. It's Windows users, specifically.
GRAHAM. And it's not connected with MAC makeup or concealer or anything like that either. Gosh, I'm so in touch, aren't I?
So what they've done is they've basically installed a backdoor onto maybe up to a million computers. Who knows the exact number? And then it will work out, oh, is this one of the computers I'm interested in? And if it is one of those 600 or so, download something else, which is going to do who knows what.
MARIA. Who knows what right now. Yeah, I think we'll find that out over time.
Yeah, it's an interesting story because we've been hearing at least this year, 2019, is the year of the supply chain attack. I've read at least a handful of articles saying that.
And this is a very timely example of what that means of when basically an attacker is like, we're not even going to bother going after the user anymore through the normal phishing or trying to get them to download malware because their machines are so hardened at this point that, yeah, it could work, but it's getting a lot harder. So let's go in the back way. Let's go in a way that people are not going to expect through channels that people have been told to trust, like the manufacturer of your machine.
We've all been told you can trust these guys. So if they can figure out a way to compromise the manufacturer, they've got a clear in.
GRAHAM. And this seems to be a growing trend, doesn't it? The supply chain attacks, although they're hard to pull off, they're extremely effective.
Maybe the best recent example is the NotPetya ransomware, which was spread via a malicious update to a Ukrainian accounting software package, but then spread all around the world and hit really big companies and cost them in some cases hundreds of millions of dollars.
MARIA. Yeah, there was a Bloomberg story at the end of last year that purported that a whole bunch of firms like Amazon and Apple were compromised by a hardware-level supply chain attack. That's right. That all of those companies then furiously denied, said this is a completely false story. But Bloomberg's still standing by it. So who knows?
But they were saying that the servers that these companies were using were all compromised at the hardware level. I was curious myself when I was reading this story about how long this attack had been active, because the range that we've been given, at least in the Motherboard story, is from like June of last year to November of last year-ish.
And I did a little Googling, so I'm not going to pretend I researched this, but I found on the Reddit forums, the Reddit ASUS forums specifically, that users back in July were noticing some really weird behavior from their official ASUS updater. Specifically, a critical update was coming from ASUS via a system pop-up, so sort of normal-ish.
But the file that they were being told to download was called the ASUS Force Updater with a U in the word force.
Were you saying that in a Canadian accent? Force.
Yeah, just put that on repeat. It's a great sound.
It's force with a U put in it. And I'm a dumb American, but I don't think a U generally belongs in the word force. Even though I'm used to U's not being where they're supposed to be, apparently.
So yeah, that extra you set off a lot of red flags for people going, that looks weird. But then you read the comments. This is from nine months ago. People are going, well, I ran it through. I didn't execute this. I downloaded it and put it, I sent it to my AV. I checked the search. Everything's coming back clean. So I guess this is legit. But it's setting off a, I don't, my gut's telling me something's wrong.
GRAHAM. Oh my goodness. So Spider-Sense wins even when the digital certificate tells you, oh, yeah, this is really from ASUS.
CAROLE. And back then, did Asus say anything? Did they own up? Did they apologize?
MARIA. No, no. I mean, and I just want to be clear. I have no way of knowing if this is actually the malware in question. I'm going to be crystal clear. But the timeline, I'm willing to make a guess that this is probably related.
And I'm just thinking, like, the fact that they did all the checks, they went above and beyond what most people would do. I'm speculating. It's speculation. I'll put it out there. But the timing and also that little red flag makes me go, that's probably related.
It's just kind of heartbreaking to see people going, I'm doing all the things I'm supposed to be doing and more, and yet it's coming back as legit. And Kaspersky themselves and actually Symantec also backed this up. They were only recently able to detect this like two months ago.
So it was going past everybody's detection systems because nobody knew how to find the thing. So, yeah, interesting.
GRAHAM. If people are worried, though, that they may have been affected by it, if they've got ASUS computers, is there anything they can do?
Get a sledgehammer.
MARIA. You can go to Kaspersky's fancy website, shadowhammer.kaspersky.com, and they have a thing where you can input your MAC address. They'll actually walk you through how to find your MAC address, because I realized not everyone might know how to do that, and it'll tell you if you're one of the 600 machines that have been targeted. And/or they have a tool that you can download and run on your machine that will automatically clean up all the mess for you, that's digitally...
GRAHAM. ...signed by Kaspersky, that I'm sure...
MARIA. ...is totally trustworthy. So if you're feeling lucky, you could do that. But if you find out that you've been targeted, I would just nuke your machine from orbit, frankly. Just kidding.
GRAHAM. Presumably, all the major antivirus vendors are adding detection for this dodgy update to their database or have done already. I would assume so. I would hope so. So hopefully that will give people a warning as well.
MARIA. So your question, Carole, has ASUS acknowledged this? No, they have not. As we mentioned a little earlier, they haven't put any kind of public comment out, at least as the time of this recording. But apparently Reuters says there's a fix in place.
Has ASUS gotten in trouble for security issues in the past? Yes, they have. So in 2016, ASUS settled a lawsuit with the U.S. Federal Trade Commission, the FTC, where the FTC basically sued ASUS for lack of security practice regarding their routers. FTC said ASUS had not, quote, taken reasonable steps to secure the software on its routers.
So part of their agreement in the settlement with the FTC was that ASUS had to establish and maintain a comprehensive security program subject to independent audits for the next 20 years. So where were these auditors? We will see. I'm very curious to see how that comes up in the context of this.
So the story is still so fresh. It's still steaming new. It's a big steaming pile of story. So we're going to find out exactly how this all plays out.
GRAHAM. Now we interrupt our regular programming for a news update. What you've been listening to about the ShadowHammer attack and about the data leak at the mystery stalking app company was all recorded on Tuesday.
Since then there have been developments, and rather than issue this podcast as is without mentioning them, we thought we'd inject a little bit of me in here.
So firstly, ASUS has now responded to the ShadowHammer reports, links in the show notes, and has confirmed it has issued a fix in the form of an actual security update that you can download using its Live Update software tool. Yes, the irony of that isn't lost on any of us.
Presumably they've digitally signed it as well. Meanwhile, Motherboard and Cian Heaslip have finally succeeded in getting a response from Codero, the company which was hosting MobiiSpy's leaky server.
Yes, they are now confirming the name of the app as well. So that sensitive data is no longer accessible for the world to peruse without a password.
Right well let's return to our regular programming Carole what's your story for us this week?
CAROLE. Well, a lot of us are facing the end of the financial year this week. Many a boss is going apeshit, cracking the proverbial whip to force their underlings to finalize projects or close deals before the annual tax bell bing bong.
I've actually been in touch with several mates this week who seem at their wits end, pulling their hair out, trying to juggle all the responsibilities being foisted on them. The upshot, these peeps are desperate for a break.
I mean, I've been there. It's stressful, right?
Pulling my hair out. But don't you remember when we were working in the big corps?
Everyone was freaking out in March.
GRAHAM. Yeah, sell, sell, sell. Stop spending money.
Yeah, totally, totally.
MARIA. Or spend all that budget. Otherwise, you don't get it next year.
Yeah, buy donuts.
CAROLE. I always wanted to be in that team. Here's more money.
You have two weeks to spend it. Go nuts.
But if you look ahead just a few weeks, we can glimpse a ray of hope. Easter is just around the corner, which means holiday time for a lot of us.
Work pressures have eased because the financial year is over. Offices and schools close for a few days, at least in the EU and UK.
I don't know about the States, actually. Do you guys close around Easter?
MARIA. It depends on where you live. Some towns by towns, at least around here, some towns close more for Passover or holidays.
It really depends on where you live. It's kind of complicated.
CAROLE. So it's kind of time to take a breather and maybe book a hotel somewhere different, somewhere where you can soak up some rays or drink in some culture. Who knows?
Even maybe indulge in a little romance. Steady.
Let's talk about romance in hotels for a second. All right.
Segue!
GRAHAM. I'm up for this. Let's talk about it.
CAROLE. Amy Muise, she's from the psych department. Amy Muise?
M-U-I-S-E.
GRAHAM. I wasn't sure if she had asthma or whether she had her own data leak.
CAROLE. So Amy Muise from the psych department at York University suggests that the new adventures we seek out away from the home routines actually help make adventures in the bedroom a little more exciting.
MARIA. What podcast am I on again?
GRAHAM. I don't know, but I like it.
CAROLE. And I didn't know that, but in the shrink biz, the concept of this is called self-expansion.
MARIA. Of course it is.
CAROLE. Steady on. Now Muise maintains that couples may be more likely to experience this happening on vacation because trips often have that element built in.
You're in a new place. You're eating new foods.
You may be trying new activities. New positions.
MARIA. What is going on? I don't understand where are we going?
We were just talking about ASUS malware.
CAROLE. Aren't you glad I'm here? You guys should stop judging and just go with it, baby.
GRAHAM. Okay, so here we are. We're on holiday, we're in a hotel room and we're thinking, let's give a little bit.
CAROLE. And I guess, actually, motels. Are motels and hotels very different?
GRAHAM. Yes, they're. Well, there's a letter different.
Motels, you go to in a car. And hotels, you go to in a car.
Go through reception. You don't have to go through reception.
CAROLE. Oh, that's true, yes, that's what it is.
GRAHAM. Yes, you have your own door.
CAROLE. And they're often probably cheaper as well. And motels in many countries, such as South Korea, you can rent by the hour.
And I'm guessing that that hour is really being used for a bit of shut eye, more like a bit of slap and tickle. Keep talking, Carole.
So these two guys in South Korea thought they might make a buck or two by taking advantage of the seedier stuff that might go on behind a motel door. By spying on the guests.
Ew. As they were doing what they were doing in the motel room.
Who would actually want to do that? Really.
What do you mean? Spy on them?
Yes.
GRAHAM. Well. Isn't there enough of that kind of stuff on the internet anyway?
You don't have to make your own. With poor lighting and...
CAROLE. Well, maybe if you want a bit of the pizza. Amateurs. You want a bit of the money. You want a bit of the chingling. All right, okay. So the way they did this is they dressed... See, this is the other interesting thing that they chose motels over hotels because they dressed up as employees and installed hidden cameras in 42 rooms across 30 different motels.
Wow. So because you don't have to go through reception, right, you could just knock on the door and say, hey, maintenance.
Oh, I see. Right? Right. They apparently were able to record a whopping 1,600 guests doing whatever they were doing in those rooms.
Cameras were hidden in televisions, sockets, hairdryer holders. Do you know what the guys did with the footage? What do you think they did with it?
GRAHAM. I think they securely erased it. They recanted. They realized that they were very naughty people.
MARIA. Correct. They enjoyed it. Really? What? No. Oh. I was going to say blackmail probably.
CAROLE. See, that's what I thought too. This seems to me like perfect ransomware.
GRAHAM. They'll be selling it to someone.
CAROLE. Yeah. They broadcasted it live on the internet. Oh, fuck. That's terrible. It was the first case in South Korea. And the kicker, the kicker in all this, do you know how much these boys made by invading all these people's privacy? $10,000. Less. Less than, well, $6,000. 5,000 quid.
MARIA. Did that even cover the cost of their equipment at that point? And the uniforms?
CAROLE. Yeah. I worked it out. I worked it out, and it's 30p for each pair of butt cheeks. Oh, fucking...
GRAHAM. Hang on. Are you counting each butt cheek twice, or is that...
CAROLE. Oh, no. That's for a pair. I worded that very, very carefully. It's 30p for each pair of pumping cheeks.
MARIA. We're very precise here on Smashing Security. I just want everyone to know and appreciate the level of precision that goes into this. There's so much math.
CAROLE. So much math. So much math. So the good news here is that the two douchebags have been arrested. Graham, you're right. He's still wheezing. I know some unfortunate person said on Twitter that they loved his wheeze. Oh, my Lord. And I think now he just turned it on. He's like, yeah. It's just a button.
GRAHAM. Yeah. Everyone can have a fetish. It's all right if that's what they like.
CAROLE. The law in South Korea was apparently amended last November to toughen penalties for illegal filming and distributing images without consent. So punishments for the convicted include a five-year jail term or up to five years in jail or fines of up to 30 million won. That's about $30,000. So they could effectively, based on the money they brought home, find themselves 24,000 smackaroos out of pocket if the judge maxes out the financial punishment.
GRAHAM. They've got to get jail time as well, haven't they, surely? That's quite a terrible thing to do.
CAROLE. And the thing is, okay, so while it's great that they've arrested these guys and these guys are going to be facing their punishment, the problem is all those people whose personal privacy has been invaded, what do they get? They probably don't even know that they've been filmed.
GRAHAM. You know what they should get? They should get a free subscription to the webcam in their prison cells to watch those two as they're shuffling around under their duvets at night. That's entertaining. Well, it may know, but it's justice.
CAROLE. That doesn't sound very empathetic either, Graham.
GRAHAM. I was empathetic last week, not being empathetic this week, but done that.
CAROLE. So advice, okay, because the whole story here is that we all use hotels or motels or Airbnbs or whatever, stay at places other than home. And some of us might be concerned that they might be being spied on. And so there's a few things you can do. Okay. And these. All right. Okay. Let's hear your advice. Okay. All right. So number one, conduct a physical search of the room. You want to listen for a hiss or buzzing because shittier equipment emits this kind of low buzz hum sound. So you want to use your Britney's to search the room. Sorry. Britney's. Britney's. Cockney English. Britney Spears ears. Good.
GRAHAM. It could equally be the minibar or something like that, though, couldn't it? Just humming away.
CAROLE. Of course. I think if you find that it's the mini bar, you move on, don't you?
GRAHAM. I never move on from the mini bar. I've been there for a while. Toblerone.
CAROLE. Turn off all the lights and look for a glimmer of an LED light source. And apparently, this is a cute tip, use your phone's camera because it's better at catching light and detecting light than the human eye. So you can scan the room through your actual phone screen.
GRAHAM. But wouldn't they have covered up any LED on the camera? So it didn't go blink, blink, blink, You're on camera. You're being filmed.
CAROLE. Say, for example, there was a little device inside the fire alarm gizmo in the room. Okay, yes. And you might turn off the light and you might see two little LEDs blinking there. And you might go, that's weird. And you might go up and look closer. And one you see attached to a hidden device. And you go, aha. Now, this is one of my favorites. I've never actually been in a room where I thought the mirror might be two-way, but what do you do if you think it might be two-way? So you turn off all the lights and you put a flashlight directly onto the glass.
GRAHAM. Come on, Carole. What? You've been too paranoid here. This is too much to do.
CAROLE. People do it but do they? Yeah, I think if people are concerned about this thing, if people are sitting somewhere and they got their spidey sense going, this doesn't feel right, just on all these people in motel rooms, they might have helped them not expose their, you know, what's to you know who.
GRAHAM. So I've watched Dexter, right? The serial killer guy. You know, I've watched that show.
The TV show? Yeah, the TV show. Yes. Oh, not an actual one. No, no. And what he does is he sets up his little murder room and he puts the polythene up over all of the walls. All right. So he doesn't leave any blood traces anywhere, right? For the cops to find him and catch him.
If you're really that worried about a hotel room, and it's going to be so difficult to work out where these tiny devices might be, maybe you should just take some sheets of polythene with you and just polythene the whole room. And then you live inside the polythene thing. Couldn't you do that?
Can you say polythene one more time? Sorry. Polythene? Yeah, okay. Am I saying polythene incorrectly?
MARIA. No, I just enjoy it. What?
GRAHAM. I said it like a Canadian. It sounds funny to my ears for some reason. I don't know.
Oh, okay.
CAROLE. I'm going to carry on with my very good list.
GRAHAM. Oh, please do, please do. What else have you got?
CAROLE. You want to, obviously, a good one, keep off the Wi-Fi if you don't trust it or use a secure VPN, if you're going to do that. And note that many cameras are wired in. Pay special attention to sockets, fire alarms, anything with a plug, right?
You want to see, and if you look for wires that are going into weird places. The other good one is they often put these cameras to the action locations, right? Like the bed facing the bed or the shower or something like that.
So you want to look for out-of-place decorations. Like is there something facing the bed oddly? A pot plant, for example.
GRAHAM. Or only ever have sex up against the door of the hotel door, right? If you did it there where people aren't expecting it. I think that's what you're actually advocating is having sex in unusual places in the hotel room where you're not going to be videoed.
CAROLE. Actually, coming back to your suggestion, Graham. Maybe you could just get yourself a polythene almost like body bag with no air holes.
MARIA. Or just make a little tent. You should try it out first. Make sure it's all zipped up.
GRAHAM. Some people do do that, don't they? They zip themselves up in their luggage for fun. Where is this podcast going this time?
MARIA. We're not recommending that, folks.
CAROLE. So there's of course RF radio frequency detectors so you can scan a room and look for frequencies being emitted.
GRAHAM. Seriously, if you're this paranoid, just stay at home. You know, I'm never going to leave the house if I'm worried about all that. Back it up.
CAROLE. This story was about two guys who filmed 16,000 people across 30 hotels, motels in South Korea. It's bad. It happens. Yes. So if people are nervous about this and go, I don't know what to do, I am telling them things they can do.
GRAHAM. Right. And I'm saying just stay at home because if you're that worried, for goodness sake, you can't live your entire life in fear, Carole.
MARIA. Just throw a sheet over. Like, they can't see anything.
GRAHAM. Yes, excellent idea. So just do it under the duvet, right?
CAROLE. I do agree with Graham, though, that if you do get a spidey sense, you feel like you're being watched, yeah, just leave. You know, head for the door.
MARIA. Trust your gut is almost always the best advice.
CAROLE. Or just do something really incredibly dull and nothing else, like maybe just play a game of chess for hours or something.
GRAHAM. Now that I'd subscribe to. That I would want to watch.
CAROLE. So you've been spying on Graham then is what I'm... Oh yeah, I don't spend enough time with him doing this podcast.
GRAHAM. Hey, don't bash the bishop, all right? Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win.
Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, and much, much more. Grab it for yourself at smashingsecurity.com slash mimecast. And thanks to Mimecast for supporting the show.
And welcome back. Can you join us on our favourite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses to say what they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever you wish. It doesn't have to be security related necessarily.
Well, my Pick of the Week this week comes courtesy of our Reddit community. One of our listeners who goes by the user ID PaleSkinnySwede. What if it's descriptive? You think he's actually a vegetable.
He has nominated a pick of the week for us. And I checked it out. And I thought, oh, that's quite good. That's quite fun.
So he has recommended to us a chap on YouTube, 29-year-old Zach King, who is a personality on the video service, who makes short, digital, sleight-of-hand videos. Sort of magic-y, but there's a bit of editing and jiggery-pokery and crafty editing. And they're jolly clever. And kids will love them. And it will amuse you as well.
So I've put in a link in the show notes. He makes things disappear. He does tricks with perspective. And I thought, you know what? That's very good.
Well done you, sir, for making videos like that. They're like little Vine videos. They're like six, ten seconds. They're very cute and wonderful.
And I thought very creative and good for him. And so my recommendation, my very quick pick of the week this week is Zach King. And thank you, Pale Skinny Swede, for recommending it.
Yeah, rock on, brother. Yeah, it's good fun. Maria, what is your pick of the week?
MARIA. Well, as a fellow pale skinny Swede, I wanted to give my own recommendation. And it wasn't just the Varmazis's hot sauce, although that was sort of mine for this week.
God, advertise. We have to chart. Yeah, I know. They're going to be like, what? So much traffic to our site all of a sudden.
So my actual pick of the week is killedbygoogle.com, which is, as the name may suggest, a website that lists all the things that Google has killed. So not people who have been murdered by the Google street maps car or anything like that. Not that, although I'd be really interested if that is a thing. Please, somebody send it to me.
GRAHAM. Sergey Brin hasn't been sniping at people off the top of the Google building. Again, we're not suggesting there's been any actual deaths.
I'm sure that list exists somewhere on the dark web, though.
MARIA. It's the death of dreams. It's the death of dreams.
So if you want to be really mad about Google Reader with me, you can scroll down on this and then shake your fist. But yeah, once you get past Google Reader and let your rage subside a little bit, you can see all the other projects that they've killed over the time, many of which deserve to go, but some, yeah.
Yeah, I was gonna say some of them, it's sayonara, yeah. But it's an interesting trip through time if you go all the way back. The first one on the list is Google Deskbar, which I have fond memories of using, but yeah, it outlasted its purpose. But it's an interesting open source project, so you can actually contribute to it if they're missing something.
And it's just a simple but really good concept time waster. And I recommend it.
GRAHAM. Very cool. But it also sends an important message because they've killed almost 150 products. I mean, a huge number of them. I mean, the one we all care about, as you've already mentioned, is Google Reader, which was just spiteful that they got rid of that. And it was used by so many people.
CAROLE. What about Google Circles? Wasn't that amazing?
MARIA. What about Google Glass? Actually, a legitimate one that I'm not sure why they killed it was Google Flu Trends. That was really interesting. Yeah, that was – I'm not sure why they killed that one. But, yeah.
GRAHAM. But the important message here is if you rely on something from a company like Google, they have the ability, because you're not a paying customer, to just zap it anytime they want. And you may be up the creek without a paddle.
MARIA. I wasn't sure how to respond to that. Yes, yes, yes, yes, yes, you would be.
GRAHAM. So wise. Guru. Carole, what's your pick of the week?
CAROLE. Mine is not exciting, funny or quirky, but it's flipping useful, particularly for people like us who spend a ton of time reading online news articles. But one of the things that kind of annoys me when I'm reading these sites is that everyone first displays their news in a different way, different fonts, different sizes, different locations, is full of images, often ads, all the crap.
GRAHAM. Do you accept cookies and nastiness like that?
CAROLE. Different size fonts and all kinds of, it just drives me nuts. So outline.com is a resource for people that want to just get the news, right? So what I'd normally do is cut and paste the story into a reader, text editor to actually read it that way. That's how I would normally read a story so I could get around all that. But often a lot of extraneous information gets copied over as well. So outline.com takes all the trouble out of that. You don't have to cut and paste. You don't have to sign up. You do not have to download an app. You just go to a web page and you enter the URL for the article you're trying to read. And presto, a nice clean copy is presented to you.
GRAHAM. And it's very, I've used this a few times. It's very pretty. It's sort of clutter-free presentation of an article.
CAROLE. Yes, like Steve Jobs was there. No, remove that. Remove that. Unnecessary. And this is a free service, isn't it? It is a free service. Is it free? Well, I'm using it for free.
GRAHAM. Yeah, we're using it for free. But is there anything? Why are they? See, you've made me all cynical now. Why are they doing it?
CAROLE. I have not made you cynical.
MARIA. Yeah, you were pretty cynical to start. Let's be real. Come on.
CAROLE. Stop blaming everybody for your shortcuts.
MARIA. What's their angle? Follow the money. Yeah, I know, I know. I'm wondering that too, actually. Try it out.
CAROLE. It's a lovely website. All you're doing is cutting and pasting from articles you'd like to read.
GRAHAM. Yeah, and just the link, isn't it?
CAROLE. It's just the link. You can take out the trackers before you put the link in if you want to be absolutely 100% sure. And voila. Check it out. Outline.com. It's a good pick of the week. Don't listen to Graham.
GRAHAM. No, no, I've used it. I think it's quite handy and quite nice. All right. Well, that just about wraps it up for this week. Now, Maria, I'm sure lots of people would love to follow you online. What's the best way for folks to do that?
MARIA. You can follow me on Twitter at mvarmazis, or if you're on infosec.exchange, my handle there is at maria.
GRAHAM. Which is a Mastodon instance, isn't it?
MARIA. 'Tis, yes. Trying to get better at using that.
GRAHAM. Well, we're on Twitter as well. You can follow us on Twitter at SmashinSecurity. No G. Twitter wouldn't allow us to have a G. And we have an active community as well on Reddit. The quickest way to find us up there is to go to smashingsecurity.com/reddit
CAROLE. And huge thanks to this week's Smashing Security sponsor, Mimecast. It's support like this that helps us give you this show for free. And thank you to all our glorious listeners. If you like what you hear and you want to help us grow, tell some friends about the show or leave us a review. It really helps.
GRAHAM. Until next time, cheerio, bye bye, later, bye.
MARIA. Marvelous. Marvelous. Nicely done. Week in, week out.
-- TRANSCRIPT ENDS --