Microsoft issues warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself off the internet after you murder your podcast co-host?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, who aren't joined by a special guest this week.
Visit https://www.smashingsecurity.com/131 to check out this episode’s show notes and episode links.
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Sponsored By:
- Recorded Future: For anyone who is baffled by threat intelligence, and the benefits that it can bring to your company, this is the book for you.
- "The Threat Intelligence Handbook" is an easy-to-read guide that will help you understand why threat intelligence is an essential part of every organisation's defence against the latest cyber attacks.
- Download it for free at smashingsecurity.com/intelligence
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
- Go to smashingsecurity.com/metacompliance Promo Code: SMASHING
Links:
- WannaCry ransomware hits systems worldwide — Graham Cluley.
- WannaCry - Who's to blame? — Smashing Security #021.
- Remote Desktop Services Remote Code Execution Vulnerability CVE-2019-0708 — Microsoft.
- A Reminder to Update Your Systems to Prevent a Worm — Microsoft.
- Microsoft practically begs Windows users to fix wormable BlueKeep flaw — Ars Technica.
- Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) — Errata Security.
- Intense scanning activity detected for BlueKeep RDP flaw — ZDNet.
- Greatest Love Of All (Official Music Video) - Whitney Houston — YouTube.
- DeleteMe.
- Deseat.me.
- Removing Content From Google.
- I want to know how to go about deleting everything about myself online — Reddit.
- Remove yourself from the internet, hide your identity, and erase your online presence — ZDNet.
- Chernobyl Trailer — YouTube.
- The 23-Year-Old Woman Who Pioneered Investigative Journalism — The Atlantic.
- Undercover in an Insane Asylum: How a 23-Year-Old Changed Journalism — YouTube.
- Nellie Bly — Wikipedia.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. That's not a bad idea, Carole. I think we could make a difference.
CAROLE THERIAULT. Well, better than Microsoft's outreach at only getting 2,000.
GRAHAM CLULEY. Oh, come on!
CAROLE THERIAULT. I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft at, you know, we have a lot of listeners.
GRAHAM CLULEY. I'm not sure it would be possible to actually work out who might be listening to us or not. Oh, phishing, hush hush.
CAROLE THERIAULT. It's about saving the world, Graham.
UNKNOWN. Smashing Security, episode 131, Zap Yourself from the Net and Patch Now Against BlueKeep with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 131. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And we are joined once again this week by—
CAROLE THERIAULT. By a ghost, very quiet ghost.
GRAHAM CLULEY. Because it's just you and me. Why is it just you and me again, Carole?
CAROLE THERIAULT. Because we're frackin' busy right now and it's InfoSec this week and we had to do talks.
GRAHAM CLULEY. Anyway, to make up for all that disappointment, I suppose we better explain what's coming up on the show this week. Yeah, let's crack on.
CAROLE THERIAULT. Thanks to this week's sponsors, Recorded Future and MetaCompliance. Their support helps us give you this show for free. Now get your note-taking devices out, folks. In this info-packed pod, Graham will be warning us of a new threat and telling us what we should do about it. Meanwhile, I'm gonna look into how realistically viable it is to erase a person's digital footprint. All this and more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Ahuga, ahuga, ahuga, warp, warp, alert, alert, alert, Carole. We are on a countdown to destruction.
CAROLE THERIAULT. Sorry, a countdown to destruction?
GRAHAM CLULEY. Is this a bit of fear and doubt we're, uh, well, but maybe not uncertainty. Um, something ghastly this way comes, I have to say, because do you remember a couple of years ago? Of course you do. You remember WannaCry, right?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Everyone listening to the show, you at home right now, there you, yes, you, you remember WannaCry as well, don't you? The ransomware which wreaked havoc around the world, bringing corporate networks to their knees, brought the National Health Service here in the UK to its artificial hips.
CAROLE THERIAULT. Oh yeah, it was a serious nightmare here in the UK.
GRAHAM CLULEY. Tremendous.
CAROLE THERIAULT. Because many hospitals and health services were just crippled. Yeah, awful.
GRAHAM CLULEY. That worm was able to spread so quickly because it exploited a critical vulnerability in Windows. And even though Microsoft had issued a security patch for that vulnerability almost 60 days beforehand, WannaCry still successfully struck. Many computers had not been properly protected against it. And, uh, well, we saw what happened. Now, now Microsoft is saying that it really, really wants you to patch your computers again.
CAROLE THERIAULT. Okay. I have to ask a question. Sorry. I haven't used Microsoft products in a very long time. However, how come updates aren't automatic? How come updates aren't automated? Right?
GRAHAM CLULEY. Well, you're right. Many, many consumers may well have automated those updates, and that's fantastic. Some people sadly have not. And of course, in an enterprise environment, you don't necessarily want to have automatic updates because there have been occasions when Microsoft's updates have gone a little bit awry and caused more problems than they tried to fix. So it's understandable if you've got thousands and thousands of computers in your company, you don't want some, some dude in Microsoft to say, hey, let's push out a patch to all of those computers because you're going to get it in the neck as the IT administrator if your network goes down and you stop making money.
CAROLE THERIAULT. I'm not sure that's true.
GRAHAM CLULEY. So, well, you know, it's certainly— there's a lot of apprehension about automatic updates in many situations, in some environments. So what is happening right now is Microsoft is warning that it really wants people to patch their vulnerable computers again. In fact, it's issued two warnings in the last couple of weeks.
CAROLE THERIAULT. We don't even know what they're vulnerable to at the moment.
GRAHAM CLULEY. Well, let me explain. There is once more a critical vulnerability in older versions of Windows that could be exploited by a worm just like WannaCry managed. This flaw is being called BlueKeep, and it exploits what's known as a dangling pointer. You're so juvenile. A dangling pointer bug in Remote Desktop Services. And that—
CAROLE THERIAULT. I'm still giggling.
GRAHAM CLULEY. Yes. So this flaw was first spotted by the UK's NCSC, who are part of GCHQ, the intelligence gathering agency, and they informed Microsoft. And Microsoft did release a patch back on May the 14th.
CAROLE THERIAULT. However, so two weeks ago about, right?
GRAHAM CLULEY. Well, it's about three weeks ago now, by now, isn't it? I don't know, but it was like an old married couple.
CAROLE THERIAULT. It was a Saturday. It wasn't a Friday. It was a Saturday. It happened at 4 o'clock. Remember? Don't you remember? What's wrong with you? You don't remember anything.
GRAHAM CLULEY. You don't remember WannaCry is 2017 or 2016. It was 2017.
CAROLE THERIAULT. Oh, I'm sorry, listeners.
GRAHAM CLULEY. So Microsoft believes this vulnerability to be so serious that they've taken the unusual step of issuing patches for old versions of Windows they no longer officially support. So Windows 2003, Windows Vista, Windows XP. These are operating systems they said, "We are never ever going to release another security update for." They said, "You've really got to get off those operating systems." Well, they've done it to protect against BlueKeep.
CAROLE THERIAULT. Yeah, okay, fine, fine. I get that. But I think that maybe if Microsoft want to retire a product that they sold in good faith to people, maybe they should do a buyback scheme, right?
GRAHAM CLULEY. Well, but it's not a question of making it cheaper to buy the software. The problem is the computers which are possibly running these older operating systems aren't capable of running more up to date.
CAROLE THERIAULT. Well, that would be true, and certainly in things like the NHS, or certainly was in case of WannaCry. But do you think for home users who are also potentially exposed to this, that's still an issue?
GRAHAM CLULEY. There's still lots of people who don't want to change their operating system or don't want to update their computer if it's working just fine. I just last night, I was around my father-in-law's updating Microsoft Word for him, and he was terribly befuddled because something had changed its look. And, you know, it was just like, this isn't the same as it used to be. I want it to be the old way. Um, and he, he went through a lot of pain when he upgraded to Windows 10. He's just like, what is all this ghastliness?
CAROLE THERIAULT. And I will feel the same when I'm his age, when I'm presented with Apple 87 or whatever. I'm not far off. How dare you.
GRAHAM CLULEY. Well, last week Microsoft issued its second warning about BlueKeep, begging computer users to patch their systems. Reports have emerged that there are nearly 1 million computers directly connected to the internet which were vulnerable to this BlueKeep flaw.
CAROLE THERIAULT. Oh, it's so nice that they're able to tell that just by sniffing around on the internet and looking around.
GRAHAM CLULEY. Well, you can scan ports. Yeah, exactly. Yeah, exactly. Now, some of those are quite likely to be honeypots set up by researchers, but I doubt that they account for 923-odd thousand vulnerable computers. And the thing is, it doesn't mean that that many computers are the only ones you have to worry about because some of those computers will be inside organizations. So if that one gets compromised by WannaCry 2, or whatever we want to call it, exploiting BlueKeep, then the malware could spread further inside that organization as well. So you only need one vulnerable computer on your network.
CAROLE THERIAULT. Yeah, exactly. Take heed, folks. Take heed.
GRAHAM CLULEY. Right, right. So there's a real risk that we might see a big worm, and the bigger risk maybe is that it will actually take the worm itself to wake people up to the threat and get them to patch. When Microsoft first made its announcement about this problem and began alerting people.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. A scan was done of the internet, how many vulnerable computers, and they came up with, you know, almost a million. Then two days later, they did another scan, and what they found was good news. The number of vulnerable computers has gone down. To what? It had gone down by about 2,000.
CAROLE THERIAULT. Oh no.
GRAHAM CLULEY. So we are talking years and years and years if we just let nature take its course or until a worm comes out and then that maybe wake people up to it.
CAROLE THERIAULT. Maybe we need to put a challenge out to all our thousands and thousands and thousands of listeners to go out and tell one person who you don't think is very computer savvy, who uses Windows, to make sure they update. If we all do that, that would be a good thing.
GRAHAM CLULEY. That would be a good thing. So if you're at the bus stop, or if you're—
CAROLE THERIAULT. You see someone with a Dell, Dell, bashed up Dell laptop under their arm, tell them, "Oh, so how... Yeah, I hope you've been updating that."
GRAHAM CLULEY. "I see you're using Windows XP still. Now you need to keep up to date." That's not a bad idea, Carole. I think we could make all the difference.
CAROLE THERIAULT. It's better than Microsoft's outreach at only getting 2,000.
GRAHAM CLULEY. Oh, come on, Ned.
CAROLE THERIAULT. I wonder if we could beat Microsoft. I wonder if Smashing Security could beat Microsoft at, you know, we have a lot of listeners.
GRAHAM CLULEY. I'm not sure it would be possible to actually work out who might be doxing us or not.
CAROLE THERIAULT. It's about saving the world, Graham.
GRAHAM CLULEY. So at the time of recording, there's no sign of an actual malicious worm exploiting this vulnerability, but it's likely to only be a matter of time. And there have already been a number of researchers and white hats who have successfully created exploits demonstrating how the flaw could potentially be exploited by a worm. So it may only be a matter of time. So you've got to patch. If you're in an organization, you know how you could also test that RDP, Remote Desktop Protocol, is not exposed to the internet unless absolutely necessary. You know, just cut it off at the knees, if you want, and that way there'll be no future exploitation of that protocol either. That'd be good. This flaw, just to underline, it affects versions of Windows from Windows XP through Server 2008 R2. Windows 8 and Windows 10 aren't affected by this. But if you don't know how to patch, and I know it's sort of like, oh, you're telling us to patch, how are we going to do it? Here is my very simple guide. Okay.
CAROLE THERIAULT. Yeah, ready.
GRAHAM CLULEY. Right, I want you to go to Windows Control Panel.
CAROLE THERIAULT. Okay, I'm imagining I'm doing that if I had a Windows machine.
GRAHAM CLULEY. Okay, yes, don't do this if you've got a Mac. Yeah, well, it'd be hard, it'd be difficult to find that Control Panel. Or if you've got a PlayStation as well, again, not going to work. Or if you're listening on your Game Boy, again, not going to happen. So you're in Windows Control Panel, choose System and Security. And you will see an option there which says Windows Update. Click on that. Click on Windows Update and follow the instructions. Chances are, if you haven't updated against this flaw, there's probably bunches of other vulnerabilities and flaws you haven't patched up against as well.
CAROLE THERIAULT. Yeah, update 'em all, kids!
GRAHAM CLULEY. Update everything. If you can, turn on automatic updates, particularly if you're a home user. Inside business, I understand it's a more complicated decision. You can determine that for yourself, but you've got to keep your computer systems updated, not only for your own safety and to prevent you becoming infected by ransomware, but because of all the other people on the internet. Right? Let's do something for, let's do something for everyone, right? Let's, let's be loving. I believe that children are our future.
CAROLE THERIAULT. Right? Yeah, well, they actually are. It wasn't a very big jump of faith, that one, was it?
GRAHAM CLULEY. What, what? Teach them well?
CAROLE THERIAULT. No, children are the future. Yeah, good. Great. It's on the ball, that guy.
GRAHAM CLULEY. Anyway, there you go. BlueKeep, protect yourself. And I hope by the time the next podcast comes out, we don't have to say, oh dear, we all got hit by that BlueKeep worm. Worm?
CAROLE THERIAULT. You sound D-R-U-N-K.
GRAHAM CLULEY. Drunk? Yeah. Drunk like Pelosi. What story have you got for us, this week, Carole?
CAROLE THERIAULT. Well, Graham, do you remember The Fugitive with Dr. Richard Kimble, who was accused of a crime he didn't commit?
GRAHAM CLULEY. Ah, so there was a TV show, wasn't there, in the 1960s?
CAROLE THERIAULT. Yeah, there was a movie as well.
GRAHAM CLULEY. A movie starring John, uh, Harrison Ford.
CAROLE THERIAULT. Harrison Ford.
GRAHAM CLULEY. Harrison Ford. Yes, yes.
CAROLE THERIAULT. Now I want you to imagine that you're in a similar scenario, okay? Inspired by the IMDb storyline, I decided to write one just for you.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So an occasionally entertaining cybersecurity pundit and podcaster, Graham, has found out that his podcast co-host Carole has been murdered ferociously in her own studio. It looks like someone strangled her with her Sony MDR headphones. The local Thames Valley Police Force locate you and accuse you of murdering me. You start thinking of all the rubbish emails and communiqués you've sent over the last 20 years of knowing me.
GRAHAM CLULEY. I've never even met her. I podcast remotely. We're not in the same room. It couldn't possibly be me.
CAROLE THERIAULT. I know, but think of all the stuff sent to me over the years and even sent about me.
GRAHAM CLULEY. All the stuff we edit out from the show because—
CAROLE THERIAULT. The many, many missives that could be misconstrued. I mean, someone, if they got their hands on it, might say that there's, you know, these missives show rather a lot of opportunity and motive. Just saying. Just saying.
GRAHAM CLULEY. I'm being framed. I'm being framed.
CAROLE THERIAULT. You, Mr. Graham, you need to scrub your digital footprint clean of any incriminating evidence. And the idea, you think, is to make it as hard as possible for the cops to associate you with anything related to my unfortunate and very devastating demise, right? But where to start, right? Where do we look? So I, uh, I thought we'd have just a little powwow on this. I have a few suggestions. I thought we could pro and con the suggestions, and you could obviously come up with your own.
GRAHAM CLULEY. Yeah, I thought I could change my name to Steve Gibson from the Security Now podcast. That may be a sense of just try and divert the police onto another security podcaster.
CAROLE THERIAULT. Yes. Okay, well, that's interesting because there are services out there where what they try to do is to delete your online profile. So one of them is called DeleteMe and one is called Deseat.me. These are just two I looked at. So you can see it as in lie, like D-E-S-E-A-T, like remove you from the seat.
GRAHAM CLULEY. Oh, okay. Yes.
CAROLE THERIAULT. It's really interesting. On one of them, it seems the way it works is it scrubs your email looking for onboarding emails with certain services, online services. So for example, if you'd used it to sign up to Facebook, it would find that original email and then provide you a way to get your information off of it.
GRAHAM CLULEY. Okay. All right.
CAROLE THERIAULT. And these are important. The reason I'm talking about this is it's important, for example, maybe kids are now graduating and they had a bit of a wild time in college.
GRAHAM CLULEY. Wild time.
CAROLE THERIAULT. And, you know, they need to get a job and they're like, yeah, no, maybe the whole photocopying my butt thing isn't going to go down too well, right, with my new job. So how do you get rid of that stuff, right? Similar situation to you, the murderer.
GRAHAM CLULEY. How do you wipe clean the photocopier?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. After you've taken a— Yes.
CAROLE THERIAULT. That's very good, Graham. I'm impressed. I'm impressed. You would have a smaller digital footprint if you used maybe some of these services. But A, you've got to trust that they're going to do the right thing by all the data that they have access to, right? You're giving them access to your email to scour that.
GRAHAM CLULEY. Well, exactly. I'm now going to have an account with them. The police can go to them. Right. So what have you been doing for Mr. Cluedo?
CAROLE THERIAULT. Yeah, exactly. Because he's wanted for murder.
GRAHAM CLULEY. Murder.
CAROLE THERIAULT. Yeah. And it will make it harder for your podcast fans to actually find your stuff online, right? Well, that's the worst thing. Yes.
GRAHAM CLULEY. For you.
CAROLE THERIAULT. Yeah. Your ego would really take a hit there. Now, okay. Now, would you ask Google to remove any personal information from its many, many services? Because there are webpages that allow you to do this.
GRAHAM CLULEY. Well, I have previously logged into Google and yeah, asked it to delete information and not track information. And I've been through their account settings in the past, yes. Right, right.
CAROLE THERIAULT. But that's different.
GRAHAM CLULEY. Are you talking about the actual search results? Because sometimes when you do a search result, it says some of the search results have been hidden.
CAROLE THERIAULT. For example, you may have information on Blogspot from days of yore. You might have information on YouTube videos. You might have left crazy comments somewhere.
GRAHAM CLULEY. Oh, yes. Yes, definitely.
CAROLE THERIAULT. Saying, God, Carole, this is a stupid video. So there's lots of places you might be and you may want to get that scrubbed. So I'll put the link inside the show notes if anyone's interested in doing something like that.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And there's also a link there if you want Google to remove some old cached data. Again, I don't think there's any guarantee that it will do this, but it's a way of you to be able maybe to mitigate and limit the amount of information about you.
GRAHAM CLULEY. So if I understand you correctly, what you are saying is if you don't want to use services like Deseat.me or DeleteMe, you can at least get Google, it kind of promises, or it's, it's offering to delete some of the records it stores about you to do the cleanup. And that's for free, I imagine.
CAROLE THERIAULT. I'm just giving you a few little options here on how you can reduce it so you can try and trust a third party to do it with you and for you by using services or paying for services. You can also go look at Google. Google is a bit of a monster on the web, right? They're the ones that hold the most amount of information about most of us, you know, because you want to basically— you don't want the cops to get you, right?
GRAHAM CLULEY. It's very good that you're mentioning all this and give me these tips, Carole, before the actual murder takes place. It's very handy. I'm sure plenty of our listeners are appreciating.
CAROLE THERIAULT. You know what, all our listeners, if something happens to me, they're going to know who to point the finger at, Mr. Cleverley.
GRAHAM CLULEY. Well, I imagine that all of this advice only applies if you're the murder victim, right? Not if anyone else. I don't want to give anyone else any ideas regarding murdering anybody else. Not that I want you murdered either, Carole, but maybe.
CAROLE THERIAULT. I'm not telling anyone how to murder anyone other than—
GRAHAM CLULEY. No, but you're sort of telling them how to cover their tracks. Interesting. Interesting. No, carry on.
CAROLE THERIAULT. Now, another idea is removing everything that might be stored on the cloud, right? And keep everything local. So a lot of people, you know, the real big privacy experts would say everything should be on a removable hard disk, right? And all backups should be on hard copy only, like on a USB key or whatever. Do you have any thoughts on that?
GRAHAM CLULEY. Well, I have both local backups and online backups because I like to have backups in different places. As long as they're sort of encrypted and secure, I don't mind that too much.
CAROLE THERIAULT. Yeah, that suggests though that you're more concerned about not losing data that you have as opposed to safeguarding your data from prying eyes.
GRAHAM CLULEY. No, I don't think so because all of those backups are encrypted and I sort of hold the master key for them.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So other people shouldn't be able to access them, although I'm using cloud-based services in some cases for those backups. It's not as though I believe they would be easy for others to peruse.
CAROLE THERIAULT. But like, there is a pitfall, right? If you get too obsessed with erasing your entire footprint on the web because you're flirting, A, you're flirting a bit with privacy burnout where you just can't care anymore. You know, it's like my nephew was over yesterday and he was playing Wii and he was doing some kind of sword fighting thing and he was really into it. And as soon as we kind of yanked the handset out of his hand, he literally just collapsed on the ground. He was so focused. He was just like, he literally got burnout, like literally just was like, oh, he just collapsed and didn't move for about 15 minutes. So I'm wondering if people are going to, you know, you run into that kind of danger if you really start looking at trying to make everything private. And the other problem with it is it actually might have a counter effect of employers or dates, future dates, finding it strange that they can't, you know, find any information about you online.
GRAHAM CLULEY. Yes, maybe you've come here under an assumed name. Maybe your name isn't Graham Cluley. Maybe your name is Emily Buckwater or something. And yeah, that would be— it does seem rather a nuclear option to me.
CAROLE THERIAULT. But I think for the rest of us, maybe a smarter approach is not to panic about all the data that's out there on you, but focus on what— just focus on the important stuff, like stuff that's personally identifiable. And lock that down as much as possible. And like, every user obviously has to decide for themselves what information they're comfortable sharing and what information they want to keep private.
GRAHAM CLULEY. So if, for instance, Google had a search record that I'd been searching the web for details of, you know, how to strangle someone with a microphone cord or something like that. So those are the sort of things to remove rather than, you know, what time does Waitrose supermarket shut tonight?
CAROLE THERIAULT. Or I'd like to make a fish pie tonight, give me a recipe. The thing is, is I don't know, I think there should, you know, we should all try and retain some measure of privacy because if we don't, we're strangling the life out of our individual right to have it. So now there's a few things. So here's just a few little things we can do. So EU subjects, anyone who lives in the EU, can use GDPR to get companies to delete previously collated identifiable info. It's not easy, but for some services where you've shared a lot of information, it may be very worthwhile.
GRAHAM CLULEY. Well, I guess you can try and— if you did have something which was potentially a little bit embarrassing, one thing you could do is try and lose it in the noise, couldn't you?
CAROLE THERIAULT. Yes, like needle in the haystack approach, right?
GRAHAM CLULEY. But if there are websites which are saying something nasty about you, then maybe you want lots of web pages which are saying something nice about you, and then people are less likely to stumble across the one which has something unpleasant.
CAROLE THERIAULT. Mm-hmm.
GRAHAM CLULEY. So do some good, people, and get people to write about it, and maybe people will forget those mistakes you've made in the past, such as that unfortunate microphone murder.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And you know what we could do? We could actually distill it to the big ones. So I've made a list of 5 big things I would do. The best result for the least amount of effort according to me. Let's see if you agree with it, right? So first, delete messages, pics, tweets, comments, emails that you no longer want or basically make you look bad, right, Graham? Lock down apps and profiles as much as possible. So if they ask for, you know, I need to know your location at all times, and you're thinking, why? You're just a chess app. You can turn that off.
GRAHAM CLULEY. Right. And look at your privacy settings is basically what you're saying as well. So if you're on social media, make sure that you're not sharing it with the entire world, but just sharing it with the people on the social network that you want to share your personal information with. Yeah.
CAROLE THERIAULT. And some people would say, why share anything personal on social media at all? Like, why don't you just go, oh, look, it's pretty outside today, right? You don't have to. You want to use different passwords for every account. Obviously, use a two-factor I use a reputable password manager. I find it useful. I think you do too, Graham. We talk about it a lot. Use multifactor authentication. So 2FA, it's also known as. Very good. And then the things you can consider is encrypt your data like Graham does. Use a VPN, which helps obfuscate your traffic and what you're looking at. And most importantly, don't kill anyone, especially not your co-host.
GRAHAM CLULEY. I think maybe that should have been number 1, Carole. Yeah. Rather than hitting away at the—
CAROLE THERIAULT. I wanna end on something powerful. Powerful.
GRAHAM CLULEY. Okay. So if you only remember one thing, Graham—
CAROLE THERIAULT. Yeah, don't kill me. Quote, "Most business security breaches are the result of one thing: sloppy password practices. Effective enterprise password management is a must to ensure that your employees are properly protecting their accounts." Unquote. That's my co-host Graham Cluley. This is what he says on the LastPass enterprise page. And most of you know how much I hate to admit when he's right, but he is. Sloppy passwords are a huge contributor to security breaches within an organization. The way to manage that is get a password manager, and the one we recommend is LastPass Enterprise. Check it out at lastpass.com/smashingsecurity. We also are sponsored by MetaCompliance.
GRAHAM CLULEY. Now, MetaCompliance reduce cybersecurity risk by providing a platform for training. Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business.
CAROLE THERIAULT. And best thing, it's not boring.
GRAHAM CLULEY. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/metacompliance.
CAROLE THERIAULT. On with the show.
GRAHAM CLULEY. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be after last week's debacle.
GRAHAM CLULEY. Well, mine has a tangential security connection.
CAROLE THERIAULT. Do you mean tangential?
GRAHAM CLULEY. Oh, I don't know.
CAROLE THERIAULT. Oh, it's all right.
GRAHAM CLULEY. Did I say tangential?
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Exactly what happens if you go to the tanning salon without your underpants.
CAROLE THERIAULT. Oh dear.
GRAHAM CLULEY. Anyway, my pick of the week this week is a TV show which I've been binging on. And it's not a barrel of laughs.
CAROLE THERIAULT. I thought you'd been all busy, busy. You keep saying how busy you are.
GRAHAM CLULEY. Well, I managed to slip in, I've managed to slip in 4 hours of TV watching. I've still got 1 episode to go of Chernobyl.
CAROLE THERIAULT. Oh, I've been hearing about this everywhere. What are you watching it on?
GRAHAM CLULEY. Well, it is available on HBO in the United States and Sky Atlantic over here in the UK. And we don't have Sky. But, uh, Mrs. Cluley wanted to watch the final season of Game of Thrones. And so we found an online service where we paid some money and it hasn't quite expired yet. So I had a poke around, see what else they had to offer us. Now Game of Thrones is over and they had Chernobyl. I thought, oh, everyone's talking about that. I'll go and see it. Oh my goodness.
CAROLE THERIAULT. Is it good?
GRAHAM CLULEY. It is chilling. It does, of course, dramatize the true story of the Chernobyl nuclear accident.
CAROLE THERIAULT. Fun.
GRAHAM CLULEY. And well, no, it turns out, Carole, not so much fun. And yeah, yeah, there's some occasional bit of little gallows humor. It is tremendously well done.
CAROLE THERIAULT. I heard that. I heard it shot so beautifully.
GRAHAM CLULEY. It is incredibly filmed and it is just absolutely gripping. It has the actual accident itself, has its aftermath, the cleanup, and of course the cover-up.
CAROLE THERIAULT. Yep. So you're jumping on the Chernobyl bandwagon along with every other journalist out there.
GRAHAM CLULEY. Is that right? Well, there you go. That's what I've done. If you haven't had a chance to watch it, go and watch it. If it's not on your streaming service, hopefully it will be someday and you'll get a chance to watch it because it was quite interesting. The security— do you remember the security link, Carole? The security link?
CAROLE THERIAULT. What? Tangentially?
GRAHAM CLULEY. Tangentially was because there was, of course, a Chernobyl virus.
CAROLE THERIAULT. —back in the day. Oh, that's very tangential.
GRAHAM CLULEY. Which triggered on the date. And I suppose it was a failure of their industrial control system as well, was it not? But no, I imagine many people listening— I mean, I'm of an age where I remember the Chernobyl accident, and I imagine you do too, Carole, but there will be listeners who were too young to remember it. But it really comes across in this program just how much more serious it could have been. I mean, it was horrendously serious.
CAROLE THERIAULT. Thank you for bringing so many really lighthearted and interesting topics to the show.
GRAHAM CLULEY. That's what we do. That's what we do on the show, Carole. Sometimes it's, sometimes it's a giggle, sometimes it's smutty, and sometimes it's deadly serious. Welcome to the world of Smashing Security. So let's hear from you what your pick of the week is.
CAROLE THERIAULT. Well, until this morning when I sent you the video that I have featuring on my pick of the week, had you heard of Nellie Bly?
GRAHAM CLULEY. No, I'd never heard of Nellie Bly. Okay, that's very cool.
CAROLE THERIAULT. Because, and then, you know, she was an American journalist from, you know, the Victorian times. There's no real reason that she might make it into your school books, particularly those when you were at school, I'm sure featured many, many men of historical note, as opposed to women.
GRAHAM CLULEY. It's true. I'm sure they did. Queen Elizabeth, Queen Victoria.
CAROLE THERIAULT. Yes. Well, they had to be queens to get mentioned. Boadicea. Yeah.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Now, I had never really read a lot about her or watched any documentaries on her before. So when I saw this little Atlantic article show up in my feed this week, I checked it. Now, just for those who don't know, Nellie Bly is the name of one of the first daredevil gotcha female journalists, and her shtick was to go undercover and do quote unquote stunt reportage. So where you never really identify yourself as a reporter, but then later on do a gotcha and expose the company or the person, explaining all your experiences with not holding anything back.
GRAHAM CLULEY. Right, so she's like an undercover investigative journalist getting the scoop.
CAROLE THERIAULT. She did something— okay, so what she's best known for was her first big stunt, or what I know to be her first big stunt. So it was in 1887, she got herself committed to the women's asylum in New York City. So it's called Blackwell Island, and she spent 10 days there as a psychotic patient, faking psychosis. And the point was to collect stories and facts and then expose them all in her column. My goodness. And, you know, she had to trust. Like, she just went up to, I think it was the editor of The World, Mr. Pulitzer, and she basically kind of said, okay, he offered her this. He said, we can't get in. We're all guys. We can't get in there. Can you? And so she did. But she had to trust that they would pull her out 10 days on because she said there was no way you could get out of there had they not sprung her out.
GRAHAM CLULEY. That's the terrifying thing, isn't it? Totally. I mean, 100%. If you throw yourself— I don't know if you've ever done this, Carole, if you've ever put yourself into a mental asylum.
CAROLE THERIAULT. And joining this podcast, Graham, is a similar analogy. And then of course, you try—
GRAHAM CLULEY. if you're trying to get out afterwards and you're trying to convince them that you're sane, well, that is what a mad person would do, isn't it?
CAROLE THERIAULT. Yeah. And it's an unbelievable story, and it's led to many, many more stunts, right? And it's kind of all touched upon in this gorgeous 12-minute video, right? The film director Penny Lane uses animation and documentary-style reenactments, and that they're mostly drawn from primary sources, including Bly's own writing and published interviews, and basically tries to tell the story of this fearless Victorian newspaperwoman. So check it out. It's beautifully scripted and animated, I think.
GRAHAM CLULEY. What did you think, Clue? I really enjoyed it. And I liked that the animation part of it was sort of made out of newspaper headlines. They actually sort of made the landscape. And like you said, there was this asylum story, but there was also a story of how she set the world record for going around, circumnavigating the world, you know, on train and steamboat. And she did it in about 72 days.
CAROLE THERIAULT. Yeah, she wanted to beat Jules Verne's Around the World in 80 Days concept.
GRAHAM CLULEY. Yeah. She met him en route when she was in France. And I also got a little tidbit because I was quite fascinated by this.
CAROLE THERIAULT. I thought you would like it. Little video.
GRAHAM CLULEY. I was. And I was reading up about her on Wikipedia and I found out that she married when she was in her early 30s. She married some 73-year-old uber businessman, and of course, he popped his clogs just a few years later, and she inherited quite a lot. She was quite a woman. Well, and this was also the days before the suffragette movement as well. I mean, she went all around the world. She only took one dress with her and a couple of pairs of underpants. Oh, and you know what?
CAROLE THERIAULT. She was annoyed that people focused on that. And so was I watching this video. But everyone kept talking about her outfit, the fact that she only— she didn't have a humongous trunk. Yeah. Honestly.
GRAHAM CLULEY. Well, if she'd had a humongous trunk in Victorian times, Carole, she'd have been the elephant woman. Boom, boom. Okay. Oh, whoa. Well, that just about wraps it up for this show. Carole, if you want to follow us on Twitter, you're already following us on Twitter, but if you at home want to follow us on Twitter, we are at Smashing Security, no G. Twitter wouldn't allow us to have a G. And we're also on Reddit. You can continue the discussion with us up there. There at smashingsecurity.com/reddit.
CAROLE THERIAULT. And shout out to our sponsors, Recorded Future and MetaCompliance. Their support helps us give you this show for free. So check out their offers, please. And high five to you listeners as well.
GRAHAM CLULEY. We're so glad you listen to us week in, week out. Until next time, cheerio, bye-bye. Bye. Have you got your pop screen on? I have a problem.
CAROLE THERIAULT. What's your problem? The A on my keyboard 30 seconds ago decided to stop working. Any advice? It's going to make taking notes a real pain. Only the letter A?
GRAHAM CLULEY. Have you dropped some coffee on it?
CAROLE THERIAULT. What have you done? No, no, no, nothing. Just the letter A.
GRAHAM CLULEY. It's just not responding at all.
CAROLE THERIAULT. Look, I'll write you a message in the little Sting machine. Yeah, go on then. Okay, I'm pressing a lot of A's.
GRAHAM CLULEY. I'm not seeing anything show up. Oh, look. Okay, I'm looking. You've written—
CAROLE THERIAULT. I'm pressing A, A, B, B, A, A, B, B.
GRAHAM CLULEY. The B's are coming through, but no A's.
CAROLE THERIAULT. Yep. Anyway, fun times, even with cap lock. So the key's dead. So I need a new keyboard. So that's fine.
GRAHAM CLULEY. So welcome everybody to the latest episode of Smashing Security.
-- TRANSCRIPT ENDS --