134: Sextortion, silicone face masks, and a DDoS doofus

Scammers steal millions by impersonating a French politician, we offer fashion tips for DDoS attackers, and hear how a small town fought a sextortionist preying on young women.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Jessica Barker.

Visit https://www.smashingsecurity.com/134 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Jessica Barker.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.


GRAHAM CLULEY. Jess, Carole, have you ever firebombed a building?


CAROLE THERIAULT. Oh, firebombed. I only heard cocktail. A Molotov cocktail. Okay, okay, okay, okay, okay. Yes. You've


GRAHAM. had cocktails at the bank of this one. So


CAROLE. first he tries to DDoS them. That doesn't work, and then he decides to firebomb the bank.


GRAHAM. He doesn't throw a Babycham at them. He throws a Molotov cocktail.

Smashing Security, Episode 134. Sextortion, Silicone Face Masks, and a DDoS Doofus. With Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 134. My name is Graham Cluley. And I'm Carole Theriault. Hello, Carole. Hello. Hi, and we are joined today by a returning guest. She's come back by popular demand. It's Jessica Barker from Cygenta. Hello, Jessica. The amazing Jessica Barker from Cygenta, I think you'll find. Yeah, that's,


JESSICA BARKER. I mean, that's in my contract. Come on, Greg. Exactly, Greg. You're supposed to say that. Hello, it's wonderful to be back.


GRAHAM. It's great to have you back as well. Now, without further ado, plenty to talk about this week, I believe, Carole. What's coming up on this week's show?


CAROLE. Well, first thing is to thank this week's sponsors, LastPass and Edgewise. Their support helps us give you this show for free. On today's show, Mr. Cluley, you share a wacky story about a DDoS attack in Belgium. Jessica Barker heads to the next door country, La Belle France, not to scoff a delicious croissant, but to showcase a political spear phish with a twist. And I yak up at all things cyberbullying and sextortion, sharing takeaways for victims, parents and teachers. All this and buckets more coming up on this episode of Smashing Security.


GRAHAM. Now, chaps, chaps, are you good at complaining?


CAROLE. You are. God, daily. Well, sometimes... That's the sound I hear out of his mouth most often. Ah, geez.


GRAHAM. Sometimes we all need to complain about something, don't we? If we're frustrated by poor customer service, for instance. Or friendships, yeah. If you've got a problem, it can be hard to get a company's attention. How do you get a company's attention when their customer service sucks? What do you do? Twitter. Twitter is a great way to do it. That's one of my preferred ways of doing it. I've never done that. I've never done


JESSICA. that yet. I hate doing it. I try to just keep it back for extreme circumstances, but it can be quite effective.


GRAHAM. Right. I find if you can't get a hold of the CEO on the phone or send in a snotty email... Do you often call the CEO? No. Or if you try picketing the head office, all those things can fail. But sending a tweet and atting them and they kind of go emergency, emergency. There's an angry Twitter user. And it's almost like you sort of get past all the automated phone systems. Do you not feel,


CAROLE. though, that those with many Twitter followers might find it easier to complain on Twitter than perhaps normal people? No,


GRAHAM. I'm sure if Stephen Fry or somebody like that would complain about a company, then maybe they do sort of put him higher up on the list. But I don't think it matters that much. I think normally these days, companies have got someone who's monitoring social media and one of their jobs is if someone's unhappy, you know, sound the alarm, extinguish them as quickly as possible by fixing the problem.


JESSICA. Yeah, I think they know that any tweet can go viral. How many, you know, however many followers you might have. So I agree, Graham. I think the best people responding on behalf of companies as well are the ones that can do it with a sense of humor. Yes, absolutely. Tesco Mobile. Very


GRAHAM. good at that. Oh, they're good, are they?


CAROLE. Oh, yeah. You've got an account with us.


GRAHAM. No, I'm kidding. I'm kidding. They laugh at people for having been customers. They'll never be sponsors. I'm kidding.


CAROLE. I'm jesting for God's sake. Now,


GRAHAM. okay, so there's different ways to complain to companies. What I hope you don't do is follow the example of a 35-year-old Belgian known only as Brecht S. Okay. Just the letter S. Now, back in 2014, he was rather upset with a branch of his bank, the Crelan Bank, in a suburb of the city of Roeselare. In Belgium. Yes, I've made it sound Scottish. I know, I'm not sure why. Now, his grumble with the bank account, that occurred after his parents divorced. He felt that his mother's bank account had somehow sustained a quite substantial loss, 300,000 euros. People


CAROLE. keep that in bank accounts? Just like that?


GRAHAM. Yes, some people do, yes. Do you


JESSICA. have yours under the mattress? Well, I don't have 300,000 euros lying around, actually.


GRAHAM. Anyway, somehow, maybe as a consequence of the divorce, I don't know what, but money had been moved out of an account. And he obviously had a bit of a grumble about this, and his mother was upset too. And the bank officials simply wouldn't meet with him to discuss the matter. They sort of washed their hands and said, we will not meet you to discuss it. Are you kidding


CAROLE. me? 300,000? They didn't care?


GRAHAM. Well, I think as far as they were concerned, it was quite a legitimate transaction.

Oh, I see. And so it wasn't their fault. But clearly, somewhere along the line, he was very unhappy. Brecht held them responsible.

Exactly. Now, you might think, as we are the Smashing Security Podcast, that he would launch a DDoS attack, a denial of service attack against the bank in response to this.

Yeah, maybe. If you thought that, you'd be right. I did a twist there. You weren't expecting that.

Yeah, it was a double twist. He's clever. So he actually launched this denial of service attack, which basically turned the online portal into porridge.

And he did that for many hours and multiple occasions, according to ZDNet. We can read more about the story. But of course, a DDoS attack uses other people's computers to bombard a website with traffic. So it won't necessarily mean that the authorities are able to easily identify who the actual mastermind of the attack was.


CAROLE. Yeah, because you have to detangle the whole obfuscation he might have put in place in order to hide himself.


GRAHAM. Yeah, he may have rented computers all around the world without the knowledge of their owners, different countries, all swamping a website with traffic.

So that's one thing he did. But the next method which he used to complain about the poor customer service, even better? Well, somewhat easier for the authorities to find out who was responsible. Because Brecht decided to throw a homemade Molotov cocktail at his local bank branch.


JESSICA. Escalated things a little bit there.


GRAHAM. Now, I don't know if I've read you. Jess, Carole, have you ever firebombed a building?


CAROLE. Oh, firebombed. I only heard cocktail. Molotov cocktail.


GRAHAM. You've had cocktails at the bank. So first he tries to DDoS them, that doesn't work, and then he decides to firebomb the bank.

He doesn't throw a Babycham at them, he throws a Molotov.


JESSICA. Showing your age a little bit. Cocktails have moved on a touch.


GRAHAM. Not where I live, but anyway, the thing is, if you've ever tried to firebomb a building, one of the first things you... You want to make that clear, do you? I'm making it really clear.


CAROLE. No, never, never, never.


GRAHAM. One of the first things you learn is it's a good idea to be a good distance from your target. Because otherwise, your cardigan or your eyebrows might get singed.

Well, it didn't get burnt. But what happens is when you're throwing a firebomb... I can't believe I'm giving advice on the podcast as to how to throw it.


CAROLE. Have you ever done this?


GRAHAM. No. So listeners do not take this as advice. I've barely even thrown a cricket ball, to be honest. But anyway, you need a good forceful chuck to lug the firebomb a decent distance because otherwise it's not going to go.


CAROLE. You can't say lug. Lugging is pulling. It's pulling from behind. You can't do that.


GRAHAM. No, like toss. So you're going to be tossing at the bank instead. That could upset them too. But the thing is that you've got to give it some welly, right? Because giving it some welly does increase the chance that something might fall out of your trousers.

And that is potential... Well, no, around the back of it. He lost his wallet. The back pocket of your jeans, something might pop out like a USB stick. And it was this USB thumb drive that the Belgian police found lying on the pavement and obviously contained information.


CAROLE. That's probably the problem with it. If he had had a bigger USB, he would have noticed that it had fallen out of his trousers.


GRAHAM. He wasn't going to bring a Seagate hard drive with him for all. Put that in his cargo pants.


JESSICA. I was just saying. You know, let's just go back to floppy disks.


GRAHAM. Anyway, it contained information which led police to his door. And what the Belgian cops discovered was not just that he'd been behind the DDoS attack against the bank, but also he'd been involved in other shady cyber criminal activity.


CAROLE. So it was all in the same USB, right. All kinds of evidence there.


GRAHAM. So he turned out to be a member of the elite Belgian chapter of, I imagine they're the smoothest, most delicious hackers in the Anonymous Collective. And he was also a member of the Cyber Crew hacking group that had previously launched an attack against FIFA in the run up to the 2014 World Cup.

Anyway, Brecht launched DDoS attacks not only against the bank, but also against a local pizza parlor.


CAROLE. It doesn't really compare to the firebombing. Just singing.


GRAHAM. I suppose not. You know, what if it was an American Hot or a pepperoni one or something with lots of peppers? I love American Hot. Then it could be pretty, yeah.

Now, Brecht has now been sentenced to 18 months in prison and ordered to pay €3,000 to the bank for the damage which he caused.


CAROLE. So it wasn't a very effective firebomb. Three grand. What, he broke the little pillar in the front?


GRAHAM. Well, and he also caused problems for the website, remember, too.


CAROLE. I think three grand is not very much money.


GRAHAM. Well, I don't know how effective his little cocktail was.


CAROLE. Yeah. I don't know. Basically, he threw a lit cigarette, it sounds like. A match.


GRAHAM. Anyway, he has been hit with an additional prison sentence of three years for the arson. I think we've got some lessons to learn here for everybody, right? First of all, don't firebomb banks. In fact, don't firebomb anybody. It's rather antisocial. Don't do it.

Don't launch DDoS attacks against banks either, Carole or Jessica, if you plan to do that. Don't do it. Even if you're grumpy, just tweet them instead.


CAROLE. She can because Cygenta look after ethical hacking. So she could do that.


GRAHAM. Okay, but with permission. Probably with the agreement of the bank. With a contract.


CAROLE. Exactly.


GRAHAM. But if you do find yourself in the position of firebombing a bank, don't take with you a USB stick which contains identifying information and details of all your other cybercrime exploits. Or at least, I don't know, wear a tight pair of jeans or something so it doesn't fall out of you. Tights. You could wear tights. No pockets in tights. Leggings, yoga pants.


CAROLE. Actually, you know what? Pockets in tights would be quite handy when I was 25, I tell you.


GRAHAM. Aren't they just trousers? Aren't you just describing trousers?


CAROLE. You go to clubs, you go dancing, you don't want to be holding on to your freaking handbag or anything like that, right? Just wear trousers. Why not? Because we have a choice, Graham.


GRAHAM. Thanks for your advice. Lucky you. Anyway, so there you are, some helpful fashion advice from Smashing Security as well as some other advice.


JESSICA. Very good top tips.


GRAHAM. Excellent. Now, Jessica, what's your story for us this week?


JESSICA. Well, it begins in late 2015 and lasts for a couple of years and we are moving to France. Ooh la la. In this story, the French defense minister, Jean-Yves Le Drian.


GRAHAM. That sounds a bit like Jean-Yves the Drain Pipe or something like that. Is that how it translates?


JESSICA. I mean, we'd have to ask the French listeners. If you were dyslexic, maybe. So, Monsieur Le Drian was impersonated as part of a scam in which wealthy individuals were contacted under the guise of a request for financial help for journalists apparently being held hostage in the Middle East.


GRAHAM. So journalists had allegedly, or maybe they had been, they'd been kidnapped in the Middle East. Someone is trying to raise money to get them released. And so they're going to rich people like Jean-Yves Le Drian, the French defense minister?


JESSICA. So sorry. They weren't going to him. They were posing as him and going to friends of France, wealthy individuals who, you know, had an affinity for the French state and asking them if they would pay the ransom money. And, you know, quite a clever backstory saying, you know, we can't pay the ransom because it's not French policy. We're the government, of course. We must keep our hands clean. But you, monsieur, do your bit for the country and for these poor individuals.


CAROLE. Viva France! Oui, oui, madame.


GRAHAM. Carole, can I say, for someone who's French-Canadian, your French accent is not as good as mine.


CAROLE. Yes, you're absolutely right there. I think I'm much more convincing.


GRAHAM. You are, you are. You're so good at accents. Carry on, Jessica. I'm riveted.


JESSICA. So, this obviously, it sounds classic spear phishing, doesn't it? Well, actually, this story has a dash of Mission Impossible to it, and then we start to get the full picture. So I'm going to talk through it. The scam started with a call pretending to be from one of Monsieur Le Drian's close circle to the wealthy individual being targeted. And this individual was contacted and, you know, the advisor, apparent advisor for Monsieur Le Drian said, we want to set up a video call with the French minister who needs to speak to you.


GRAHAM. Holy moly.


JESSICA. Yeah. So then the criminals used Skype video calls and a custom-made silicone mask which looked a bit like Monsieur Le Drian.


GRAHAM. No way.


JESSICA. They had a set which looked like his office, you know, complete with French flag.


GRAHAM. Don't knock on the desk too hard. It's just made of MDF. Oh, this is just awesome.


JESSICA. And then basically they lit this set quite badly. They had someone there with a silicone mask.


CAROLE. Like a B-rated film. He comes out of the shadows.


JESSICA. A poor, you know, dodgy connection, dodgy Wi-Fi connection. So the video calls didn't last that long. But with the target and said, basically, you know, we need your help to pay the ransom to free these people.


CAROLE. And we promise to give you a tax break.


JESSICA. Yes, and we will forever be, you know, grateful. Ingratiated and grateful and indebted to you, Mr. Millionaire. Yeah, and you'll have done your thing for France. You'd be feeling quite patriotic, wouldn't you? With a mask. I love it. Yeah, there with the mask. The mock set. So a lot of people didn't pay up. But as with all of these scams, you know, particularly when you're targeting wealthy people, it only takes a few to become victims. And suddenly the criminals have made quite a bit of money. And they actually made an estimated 80 million euros.


GRAHAM. What? That's more than my annual salary by a factor of a little bit. It's more than I've got under the mattress, let's put it like that. 80 million euros. Yeah, so 70 million quid.


CAROLE. So that would pay for the set and the Skype account? If the whole thing was made of solid platinum? My goodness. So this


JESSICA. All started in 2015, though? 2015, and it ran for a couple of years. And then they thought they'd caught the guy behind it. It was thought to be the work of a convicted French-Israeli con artist called Gilbert Chikli. And he is currently in jail in Paris, facing charges of organised fraud and usurping an identity.

But earlier this year, with Chikli safely behind bars, the con started again. So it's now thought that there is a whole gang out there. Well, at least two. Yeah, yes. Someone to run the camera and someone in the house.

Are they still impersonating the same minister? Yeah, impersonating the same minister. Because


GRAHAM. They don't want to get a new mask made, right? Exactly. And they're on the set. 3D printers are expensive. They're thrifty.


JESSICA. And they've only made 80 million. Exactly. So they need to recoup a bit more. They've got a few bills to pay, obviously.


CAROLE. It kind of seems like the takeaways of this are, hey, there's a lot of money to be made here, guys.


JESSICA. Go make your sets. It goes to show, you know, the attackers are always evolving, unfortunately. And just when we think, you know, we've all been familiar with CEO fraud for a while, impersonation of people over email and those being quite convincing and using some of the same tactics that the criminals used in this, you know, trying to prey on people's good nature, trying to make them feel like they're donating to a worthy cause, a time pressure.

So the importance of being aware of how those tactics are used, but also the fact that just when we get used to one method, the attackers are always going to be trying others, and just because you see something, because, you know, they seem to be there on video, doesn't mean it's true.


CAROLE. The thing is though with the soon to be probably ubiquitous deep fakes this type of targeted attack where you have a video, you know, for someone like that is pretty celeb-y and is often on camera, that must be quite easy to kind of maybe grab their face.


GRAHAM. And fire a dodgy Skype connection. Yes, with bad lighting and homemade furniture.


JESSICA. And they've already been warmed up with the call, so...


GRAHAM. Yeah, yeah, yeah. Hey, can I raise a possible conspiracy theory here?


CAROLE. Oh, always.


GRAHAM. What kind of salary does the French defence minister, Jean-Yves Le Drian, actually make?


CAROLE. Can I do a guess before anyone Googles? I'll do a guess. I'll bet on paper it'd probably be like 150,000 euros.


GRAHAM. I don't know. But yeah, the thing is, it's a lot less than 80 million euros, isn't it? So I wonder whether...


CAROLE. You think he was in on it the same time?


GRAHAM. I'm just saying... You're saying he went down to the homemade office, turned the lights down. It is a possibility. There's no mask at all. I think it's something which the police should just not immediately rule out that maybe he saw criminals pretending to be him and how much money they could make, maybe he might have been tempted.


CAROLE. Well, let's just see if he has a chateau. With the French version of moat around it.


JESSICA. Maybe underneath that fake mask, you know.


CAROLE. Who was really there? Who's wearing the mask?


GRAHAM. Oh, definitely deliciously good. Get the popcorn. It's been a crazy show so far, hasn't it? It's bonkers. Carole, what have you got for us this week?


CAROLE. I am going to the land of cyberbullying and stalking. I know it's not a place we want to hang out. It's not a fun place, but I think it's an important subject. And the reason I chose this topic is based on a long form Wired article penned by Stephanie Clifford. I pulled together some interesting takeaways from that article.

So my story starts in 2012 in a small wooden town in New Hampshire. Live free or die. That's what they have in their license plates there, I think. It's a town called Belmont. Now, Belmont has less than 8,000 people. The biggest employer in town is the local supermarket. And they have this teeny tiny police force with a lone detective.


GRAHAM. Is he a teeny tiny lone detective as well?


CAROLE. It's a female actually.


GRAHAM. I didn't say anything about sex. I'm just talking about their height.


CAROLE. You said he. Now, crime in Belmont normally tended towards things like opioids, thefts, burglaries, things you'd see in small towns. But suddenly our detective, Rachel Moulton, became aware that a cyber stalker was hounding teens for nude pics. And then when he didn't get his way, he would take over the victim's Facebook accounts.

So here's how it kind of went down. This girl, 16 year old girl, she's new to the town, new to the school, and she hasn't yet established a gaggle of buddies or joined any teams yet, right? So when she gets a Facebook request from a guy called Seth Williams, she clicks accept.

And typical stalking ensues over the next few weeks, right? He flatters her, asks her lots of questions, acts like he wants to get to know her, likes what he hears, et cetera, et cetera. And when their online relationship seems pretty stable, he asks for some photos of her body. And she hesitates for a while, but he persists. Come on, come on, come on, come on.

So she finally sends him a photo that she thought of as fun. And this is of her behind in jeans with plastered handprints from, you know, I guess she was painting her room and she put her hands in the paint and put them on her butt. And then send him that kind of thing, right? She's never met this guy.


GRAHAM. It's just a picture of her


CAROLE. Jeans at the moment, right? With some... Well, yeah, a fun picture of her rear in jeans. Okay, yeah. With some handprints. Right, so, but surprise, surprise, this does not appease him. Seth wants more, right? And after days or weeks or hours of cajoling, she ends up sending a picture in her pants, or sorry, undies for our North American audience, and eventually sends one over bare butt, right? Yeah. This is, of course, where he doesn't relent again, demands a full nude. And she says, no, that's where I draw the line. And this is where nasty things ensue.

So he replies, no picture, no Facebook. Now, he'd hacked her Facebook and her email and changed the passwords. And she begged him to return the accounts. He refused.

He harassed her by text. She'd block his number. He'd use a new number. She'd block that one and so on. This went on for months and months. Oh, my goodness. Yeah. You know, he'd be like, take your clothes off, get fucking naked on camera. I'm going to have fun fucking with you this summer. So he's sending her all these horrible texts. Right.

And while this teen didn't end up sending any identifiably naked picture, using her Facebook account, he messaged all her friends at her new school where she wasn't yet really established. And of course, friends became jumpy and their parents did too, right? Prohibiting their friends from hanging out with her. And she says this time, I never felt so alone in my life, which I can totally understand based on the story. It's ghastly. Yeah.

But you can also see other parents going, oh, God, you know, she must, you know, she must be up to something. You know, when there's smoke, there's fire. You can imagine that kind of attitude happening. Just wanting to keep your kids safe. And you just feel sorry for this one.

Back to our detective. 41-year-old Rachel Moulton. She starts getting reports from numerous local girls naming online bully Seth Williams. And so she ends up figuring out that all the victims at one point or another attended the local high school. And it seems all of them felt basically socially unstable.

And weirdly, our bully Seth sends nude pics of other victims to victims he is trying to get nude pics from. So our girl here was being sent pictures from other girls he was harassing and basically sextorting pictures out of. And because it's such a small town, our girl recognized some of the girls. And our detective did too. And she was able to identify and cold call these other kids because they hadn't said a word to anyone about this. Not their parents, not a teacher, not a trusted adult.


GRAHAM. It feels to me like that's a bit of a mistake by the extortionist doing that because of course it gives them the ability to sort of band together and think I'm not the only one who's suffering at the hands of this toe rag.


JESSICA. You wonder, like, was he showing off? What was he, what was he, why was he doing that? Yeah.


CAROLE. He must have been, because he had these girls cowering, right? And the thing was, according to the detective, family life is not always easy for those whose parents actually knew about it, you know.

Detective Moulton said girls would come into the station with parents and she sometimes would have to send the parents out of the room because she says, quote, some of the parents were blaming the girls and were really hard on them. That's terrible. Yeah.

And anyway, so fast forward the story here a little bit. Our detective rolls up her sleeves, right, and starts digging hard and getting to the bottom of this. Moulton learned that Seth had been able to text from four or five different numbers using a service like TextFree. A VoIP service allows users to text without subscribing to a cell plan.

Now, Detective Moulton sent out subpoenas and the developer TextFree sent back information that included the Apple identifier for Seth's phone. And with that, she could subpoena Apple for the phone's registration and billing information. So a little aside here, I'm actually kind of impressed that a detective, a single detective on her own in a town of 7,000 plus is able to do this. Yeah, she sounds amazing as well. Right. It's pretty commendable, I think. Sounds awesome. Yeah.

So the results that Moulton got back from Apple were a little confusing, but she landed on a name, Ryan Vallee. I don't know if I'm saying this right. V-A-L-L-E. And he was a 19-year-old graduate from the very same high school.

The girls who had been victimized by this guy were really suffering, right? One began sleeping in the same bed as her mom. And we're talking teens here. Several feared that this guy, Seth, would attack them. One cried herself to sleep. Another routinely called her mom at work, sobbing, terrified about being alone at home. And they battled depression, anxiety, nausea, etc.

Now, our detective knows who she thinks it is. But she knows there's a mountain of paperwork and bureaucratic processes and limitations to local laws. She presumably


GRAHAM. Isn't in a position to tell these victims, I think it's this guy. She can't do that, can she? Is she? Well, I would. So


CAROLE. She decides to get the feds involved because, of course, nationwide, they have a better legal framework for dealing with cyberstalking and these types of crime, much more than the small town she has or even her state. But she's also aware that when she gets them involved, they're going to need a really strong case. And that could take years.

Detective Moulton decides to tell a few of the troubled girls that Vallee, the former classmate, was a suspect in the hope that it might ease their fears. Quote, they had a sense of this being a huge brute of a person, Moulton said. And when they found out who it was, some of them were like, really? Yeah, no, apparently he was one of these kind of people that kind of disappeared in the classroom.

Like they would say, this is the person in your class. Like who? Which guy? Like they didn't remember him.

Anyway, investigators eventually identified 23 stalked victims and suspect there are way more. So this all started in 2012, remember. This is now 2017, five years after the first attack was reported. And they were able at that point to sentence him to eight years in prison, which was the high end of the federal sentencing guidelines at the time. Good.


JESSICA. Wow. Yeah. I mean, that detective did amazing work. And this is another weird


CAROLE. Thing, right? So this happens. The guy goes to the slammer for eight years for basically terrorizing 23 girls, right? Young girls. So you'd kind of expect there'd be some kind of whoops and cheers in the town of Belmont.

But the kids didn't want to talk about it. The parents don't want to talk about it. And when Wired contacted teachers, some of them were like, yeah, I don't really know anything about this. It's like the shame and the embarrassment associated. People just want to bury it.

But the problem with that is that new generations aren't learning how to get around that. Not that they have to go into details of this exact incident, but it should be on the curriculum now that, hey, these things happen and you'll read about this. It's a way of


GRAHAM. Fighting back and someone can be caught and they can be put away for doing this sort of thing.


JESSICA. Yeah, and you should talk about this. You shouldn't hide it. You shouldn't try and, you shouldn't feel ashamed or feel like you're to blame.


CAROLE. I have to go on my soapbox just for one sec on this one, right? We have been reading a lot of a sharp increase in the last few years in teen depression, anxiety, suicide, and this is especially amongst girls. Apparently it's up nearly 100% since the early years of 2000, this century.

And this is all based on a book I read last year. I think it was my pick of the week, The Coddling of the American Mind. So social media and device dependency are considered main attributors.

This is how cyberstalkers are able to worm their way into your life. But how do you limit a teenage girl from her social media or her phone? It must be about as fun as commuting into London during rush hour, which I did yesterday.

Five and a half hours it took on return trip, thank you very much. Anyway, so takeaways. These are things I took away from this, now to see what you guys think.

When the bully is giving his victim all this attention at the beginning, asking all the questions, things like what's your favorite color or ice cream or depending on how old you are, he's actually curating and collecting information for the account takeover and that's a real psychological annoyance for a young girl who may be feeling out of sorts and needs a friend, right? Because suddenly what you want is someone to listen to you and ask you questions. And really, you're answering your security questions that will allow them to take over your Facebook or whatever, Instagram or whatever account you have.

And also, the stalkers seem to ease them into feeling comfortable or making the victims think it's okay in stages. So, for example, Graham, if you send pics of your moves one day to someone and nothing bad happened, you might be more comfortable the next day to send a picture of your hairy butt or something.


GRAHAM. Hello, what? Can we leave my body out of this?


CAROLE. Well, I'm just saying, you know, it's not a case of in for a penny, in for a pound, but lots of people kind of go, oh, I already did that, it's not so bad. So you kind of use that kind of mental breakdown of your wall.


JESSICA. It's like classic grooming, isn't it? Just like a bit at a time, slowly eroding what someone's comfortable or not comfortable with.


CAROLE. And my other big one was like, don't assume parents handle this very well, especially if their daughters have been duped into compromising themselves by sending pictures to an idiot that's going to then drag their name through the dirt online. And thinking about this, when I was reading this article, I am not sure my own dad would have handled this very well at all.


GRAHAM. No, but let's be honest. If you're a teenager, you don't often want to talk to your parents about anything, right? I think, I don't think it's necessarily that they would handle this specifically badly. And I think many parents actually would have the best intentions.

It's simply that you can't communicate anymore, or it's simply too embarrassing to talk with your parents who are just like, oh, they're so uncool about these things because they're too personal. It's almost like you need a school counselor or someone like that who you can turn to and talk about with these things. Because sometimes I think it's just simply too close to discuss it with your parents.


CAROLE. Totally. And I think that's a really important thing. You know, my personal advice on all this is, if you ever get to any crossroad on any decision, right, all you got to ask yourself is, is this good for me? That's the question. The honest answer is no, then, you know, don't follow the Nike motto of just do it. Just trust yourself and absolutely do not do it. Walk away. That's my big takeaway.


JESSICA. But I think we also, we need to talk about this stuff so much more because even adults feel ashamed when they're caught up in a sextortion or they sometimes feel ashamed when they're caught up in this kind of sextortion scam. And I've done awareness raising for companies where I've kind of said, one thing I'm going to talk about is sextortion. They say, oh, we'd rather you didn't bring that up, actually. And I kind of like, why are we uncomfortable talking about this? Because if we continue to be uncomfortable, then people are going to keep hiding it, keep feeling ashamed, and then the criminals are winning.


CAROLE. A hundred percent. And if we can't get our act together to talk about these things openly, honestly and transparently, how do we expect a freaking 16-year-old girl to come forward and go, yeah, let me explain everything that happened to me, all the mistakes I made, and let's tell everybody about them? And yeah, here's my name. Like it's just, it's too much. It's too much.


GRAHAM. I think it's natural to feel uncomfortable. I feel slightly uncomfortable right now because Carole was talking about my hairy butt. We all feel uncomfortable.


CAROLE. I have some links on all things cyberbullying, some great links. There's actually games for kids and all kinds of resources. Check them out at the Smashing Security web page. Sorry. I know it wasn't a hilarious one this week, but, you know, important. Very important. Yeah.


GRAHAM. Have you finished? Is it safe for me to come out now? No. Keep your trousers on. So, Carole, imagine a hacker has gained access to one of the computers inside your organisation. Dun, dun, dun. And, of course, they're going to take advantage of any flat networks and ineffective security controls to try and move laterally towards their intended targets, which is going to be all that juicy data your company collects. Gotcha. Yeah. Right. Now, traditional solutions, they often find it difficult to reliably distinguish between legitimate software accessing that data and unapproved applications. Yeah. Okay. Yeah. Yeah. Yeah. Right. And that's where our sponsor comes in this week. Edgewise is the industry's first zero trust segmentation platform. Okay. It has a simple to use interface, which lets you stop data breaches by allowing only verified software to communicate within your cloud or data center. Clever. Yeah, really smart. In a nutshell, Edgewise's data-centric approach makes micro-segmentation simpler and more secure. Okay, I want to learn more. Well, that's easy. All you have to do is go to edgewise.net and request a trial of their one-click micro-segmentation. Oh, awesome. Boom.


CAROLE. Hey, Graham. Yes. There are people out there with companies a little bit bigger than ours. And one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass Enterprise. They offer centralized admin oversight and control shared access and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at Smashing Security. No. Check it out at LastPass.com forward slash Smashing. Let me try that again, folks. Check it out at LastPass.com forward slash Smashing.


GRAHAM. Perfect. Do you want to make it more conversational?


CAROLE. I don't know. I think that sounded great.


GRAHAM. And welcome back. Can you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week? Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily. Better not be. And my pick of the week this week is not security related. It is actually a book. I always say it could be a funny story, a book that they've read, a TV show, a movie, a record, etc. You don't read. But I have actually bought a book. Oh, okay, you've bought one. Now, let me tell you. Let me tell you about this book. Yes, exactly. I bought it. For the shelf. Now, a book, Carole. This is something which comes back. It's lots of pages. Can you hear those? There you are. Yes.


CAROLE. Oh, it's like a good 20 in there. So


GRAHAM. It's hardback, this. This book is called Dreyer's English, or maybe Dreyer's English, I'm not sure. An Utterly Correct Guide to Clarity and Style. And it is written by the copy chief at Random House called Benjamin Dreyer.

And I'm quite enjoying it because sometimes I'll be in the middle of writing an article and I'm sort of thinking, oh, am I using that word correctly? Is that American? Well, it comes in different editions. I chose to buy the English version because obviously the American edition contains lots and lots of mistakes. But the English version is absolutely fine.

I heard about this book in a fun interview, which I heard Benjamin Dreyer give, with a hero of ours, I think, a podcast hero, Preet Bharara. On the Stay Tuned with Preet podcast, a good fun podcast. Go and listen to that.

That was my pick of the week. Oh, was it? Oh, there you go. Excellent. And although it is obviously discussing how to write better and I have to be very careful what I say now, don't I? Is it write better or write better?

Well, I have a question.


CAROLE. Can you check something for me?


GRAHAM. Okay, of course. I've got the book right here. Because


CAROLE. You used to get really pissy with me. We used to have a big fight with the word whilst.


GRAHAM. Yes, what's wrong with whilst?


CAROLE. Right, you'd always put it into all your articles and I was just like, what are you, middle ages? Come on, right? And you'd get all, no, no, no, it's proper English. So can you just check it up in your Bible?


GRAHAM. I'm going to look up whilst, and it'll be right at the back of the index here, and it's not in here. So that book's rubbish. So forget that book. It's not even there.


JESSICA. It's such an old timey word that it doesn't even make it.


GRAHAM. There's nothing wrong with the word whilst at all.


CAROLE. Okay, Jessica, I think we've made our point. Excellent pick of the week. I'm right, you're wrong. Jessica, what's your pick of the week?


JESSICA. Well, my pick of the week is a documentary miniseries that I watched on Netflix. I've actually watched it twice, which I don't often watch films or TV programmes more than once. I usually get bored the second time.

But this documentary miniseries is full of so much stuff that, yeah, I feel like I could watch it a hundred times, and it is called The Defiant Ones. Oh, I haven't watched that, I don't know that. I highly recommend it, hence it being my pick of the week.

It covers the careers of Jimmy Iovine and Dr. Dre. And in doing so it explores musical history over the last four or so decades, and it has interviews of people like Bruce Springsteen, Snoop Dogg, Eminem, Stevie Nicks, Patti Smith. Everyone who's anyone from rock or hip-hop is interviewed and, you know, footage of them in the studio, at concerts. The list goes on. It's amazing.

And it is so outstandingly well directed. Outstandingly well, is that... You'll have to look. I'll go and have a look. You carry on talking, I'm looking. I don't feel I used those words. I think it's fine. You used an adverb and an adjective there. I think it's perfect. Oh, thank you.

Well, it is supremely directed by Allen Hughes, who apparently I read when I was looking this up earlier. Apparently he is working on a TV series documentary about Tupac. That's coming next from him.

Are you a bit of a Tupac fan? I'm a little bit of a hip hop fan. Oh, that's interesting. So that is what drew me to The Defiant Ones.

And I didn't know much about Jimmy Iovine, I have to be honest. But I found him a really inspiring figure. And so I was drawn in by the hip hop angle. And then it brought you way wider, right? Yeah.

And I would recommend it to, you know, if you're interested in hip hop, then it's a given you're going to like this. If you're interested in rock, then it really covers that and the intersection between rock and hip hop. But it's also, it's just a pleasure to watch, partly because of how it's edited. It's really fun. But it's also so inspiring that if you're interested in innovation or entrepreneurship, you want to think about the world a little bit differently, then this is the kind of thing that just makes you feel ready to take on the world. So put down that Tony Robbins book and check this out.


GRAHAM. Definitely, yes, Tony Robbins, exactly. Well, see, I don't really know anything about hip-hop, but I'd be quite interested in still watching... Hip-hop? What's wrong with that? Is that how you say it?

Hey, I'm actually quite hip, Carole, just so you know. Do they interview wiki-wiki-wa-wa-wiki-wa-wa Will Smith in this?


JESSICA. No, not Will Smith. will.i.am does feature.


CAROLE. I don't think will.i.am, the stupidest name ever. Was it Small I Big A.M. or something stupid? And stupidest


GRAHAM. Spectacle wearer as well. Yeah, he's a... I can't really put up with that sort of nonsense.


JESSICA. Well, don't let that put you off. John Lennon does also feature, I know you're a Beatles fan.


GRAHAM. Oh, okay, now you're talking. That's it. Cool. Yeah, yeah, give it a whirl. Good of him to make an appearance. Yeah, how did they interview him? You know, they must have just... They dug him up.

Okay, please, right. Okay, so, and it's called The Defiant Ones, and that's on Netflix.


JESSICA. The Defiant Ones, yeah, check it out.


GRAHAM. Awesome. Carole, what's your pick of the week?


CAROLE. You guys have to do something. Right. You have to go to a website called mynoise.net. Mynoise.net. Now, mynoise.net is my pick of the week. It is a collection of noisescapes. How's that for a modern word?

So this is basically that people, more and more of us are working from home, but it seems as though there's research that suggests that when we have a noisy environment, like a cafe background or office sounds or just something white noisy, it helps us be more productive and we can work longer with more focus. So this is a site created by an audio processing guru named Stéphane Pigeon.

Stephen the Pigeon. Exactly. I'm sure that's how you pronounce it.

There is an app as well. But I've used things like Distant Thunder. That's my favourite. My least favourite is Gregorian chants. That is definitely not my bag at all.

I've just found one. I've started listening


GRAHAM. To one. It's called Examination Time. It says, it can be hard to focus in an exam hall full of students when you're used to studying in silence. Prepare now so you can have the sound of an examination hall.


CAROLE. Yeah. But there's loads of research that suggests that having mimicking the same environment makes you perform much better because you don't have to then take all the stress of the new environment in.


JESSICA. Well, here's an interesting one if we're thinking of mimicking an environment. Oblivion. Embrace that darkness.


CAROLE. I think it's an amazing site. So you can get it off Apple Music or Spotify or Deezer, Google Music, Amazon Music, all of them. And, or you can just check it out probably with your home assistants as well by barking an order at it.

MyNoise.net. That's my pick of the week.


GRAHAM. OK, well, excellent. Well, we chose a book. We chose a documentary and we chose a noise, I suppose, is what you came up with.

Noisescapes.


CAROLE. Noisescapes. Mine's the coolest.


GRAHAM. I wasn't going to say that. And that just about wraps it up for this week. Jessica, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that and find out more about what you're up to?


JESSICA. Well, check out our website, cygenta.co.uk, and you can go and have a look at our blogs from there. And then also follow me on Twitter at Dr Jessica Barker.


GRAHAM. Super duper. And you can also follow us on Twitter at SmashinSecurity. No G. Twitter wouldn't allow us to have a G. And we've got a Reddit community as well. Just look for Smashing Security up on Reddit.


CAROLE. And thanks once again to this week's Smashing Security sponsors, LastPass and Edgewise. Their support helps us give you this show for free, so be sure to check out their offers. And fist bumps to all you listeners out there. If you don't know it, you rock. Check out smashingsecurity.com for past episodes, sponsorship details and info on how to get in touch with us.


GRAHAM. Until next time, cheerio. Bye-bye.


CAROLE. Bye. Bye. I like that. Sounds a bit sexy.

Ask me where I was yesterday.


GRAHAM. Where were you?


CAROLE. I was at the NCSC, the National Cyber Security Centre in London. In London? Oh, the London, not the Cheltenham donut. Yeah. Pretty


JESSICA. Cool. Oh, very good. How was that?


CAROLE. I can't really say.


GRAHAM. What were you doing there? What were you doing there? I can't really say. Who were you there to meet?


CAROLE. Graham, I can't say. But I can tell you one thing. They are looking for speakers for their upcoming Cyber Threat 2019 event. And it's in London in November. Now, I didn't attend last year, but I heard it from very good sources that it's pretty cutting edge and pretty cool. So if you're a researcher with a cool discovery or you've suffered a breach and you want to share how much fun that was for you, maybe you should check out the website. I'll put it in the show notes.


GRAHAM. Cool. Yeah. Boom. Graham, I don't know if it's your bag. A bit too advanced. A bit too technical for you, I think.

A bit too technical. You're all right with the groom in your bottom. It was just a mental image which came up, which wasn't very pleasant. Can I just apologize now? We can now, but it's the end of the show now. I'm sorry your butt's not her suit.


CAROLE. Okay. What do you want me to say? Done.

-- TRANSCRIPT ENDS --