Erection, your honour! Lawyers find themselves behind bars after they make porn movies in an attempt to scam internet users, boffins in Israel detail a way to steal data from an air-gapped computer, and Instagram coughs up $30,000 after a researcher finds a simple way to hack into anybody's account.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Visit https://www.smashingsecurity.com/137 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Maria Varmazis.
Sponsored By:
- MetaCompliance: People are the key to minimizing your Cyber Security risk posture. MetaCompliance makes this easier by providing a single platform for Phishing, Cybersecurity training, Policy, Privacy and Incident management.
- Go to smashingsecurity.com/metacompliance. Promo code: SMASHING
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- CTRL-ALT-LED: Leaking Data from Air-Gapped Computers Via Keyboard LEDs — IEEE.
- Academics steal data from air-gapped systems via a keyboard's LEDs — ZDNet.
- How I Could Have Hacked Any Instagram Account — The Zero Hack.
- How any Instagram account could be hacked in less than 10 minutes — Hot for Security.
- Takeru Kobayashi - hotdog-eating world record holder — Wikipedia.
- Smashing Security 092: Hacky sack hack hack.
- Porn pirating lawyer jailed for five years — BBC News.
- Stiff penalty: Prenda Law copyright troll gets 14 years of hard time for blue view 'n sue scam — The Register.
- Prenda Law boss John Steele to miss 2020 Olympics... unless they show it in prison — The Register.
- InspiroBot.
- What football will look like in the future — (Maria says don't try to read it on your smartphone)
- The Life Of A Rock.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
ROBOT. When you press Caps Lock, your Caps Lock light comes on, and as does Num Lock or Scroll Lock. Why they even bother putting Scroll Lock on keyboards, I've got no idea. But anyway, basically it's like a disco going on in your house, isn't it? It's crazy. You must have so much fun there with your husband. Well, I don't need to know the details, Maria. Smashing Security, Episode 137: Porn Trolling Lawyers. Instahacking and Ctrl+Alt+LED with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 137. My name is Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Hello, Graham.
GRAHAM CLULEY. Welcome back from Canada. We missed you. I'm sure someone missed you anyway.
CAROLE THERIAULT. Well, yeah, it's, uh, it's great to be back. I'm jet-lagged as anything, so forgive any, uh—
GRAHAM CLULEY. Mind you, you were on the show, so it's not like anyone who listened to the show missed you.
CAROLE THERIAULT. No, they don't miss me at all. You in fact don't miss me. No one missed me.
GRAHAM CLULEY. I'll tell you who I have been missing.
CAROLE THERIAULT. Who have you been missing?
GRAHAM CLULEY. That lovely Maria Varmazis.
CAROLE THERIAULT. She's the best. Where is she?
GRAHAM CLULEY. When's she going to come back on the show? Wouldn't that be great?
CAROLE THERIAULT. She's going to come on.
GRAHAM CLULEY. Oh, she'd be wonderful, wouldn't she? If only she were. Hang on a minute. Who's that? Who's that on the interwebs?
CAROLE THERIAULT. Who's that knocking at our digital virtual door?
MARIA VARMAZIS. Who's that who forgot her mute button was on her mic this entire time and has been talking to the two of you wondering why you've been ignoring her.
GRAHAM CLULEY. Hi. Carole, keep on ignoring, keep on ignoring.
MARIA VARMAZIS. Oh, shit. Mine blinks at me when it's on mute, and even then I didn't notice that I was muted. So, hi.
CAROLE THERIAULT. Okay, this is great. So I'm jet-lagged, Maria's obviously insane. This is going to be a great show.
GRAHAM CLULEY. Well, I'll tell you what has changed is that now Smashing Security is on Patreon. Is it Patreon or Patreon?
CAROLE THERIAULT. Who cares? It's exciting.
GRAHAM CLULEY. It is exciting. If you want to support us, go and check us out on Patreon, and we'll talk a little bit more about that maybe at the end of the show.
CAROLE THERIAULT. The very end.
GRAHAM CLULEY. At the very, very end.
CAROLE THERIAULT. Just for those who really want to listen.
GRAHAM CLULEY. The real addicts.
CAROLE THERIAULT. Yeah, the real cool fans.
MARIA VARMAZIS. The patrons.
GRAHAM CLULEY. What else have we got coming up on the show this week?
CAROLE THERIAULT. Well, first, high five to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free. And on today's show, Graham looks to the keyboard for crazy malicious shenanigans. That's difficult to say. Maria waxes lyrical about a recent Insta snafu. And I see just what kind of judges Maria and Graham would make were they in charge of punishing scammers. All this and heaps more coming up on this episode of Smashing Security.
MARIA VARMAZIS. We're in the hot seat again with your segment? Again?
GRAHAM CLULEY. Okay, chaps, chaps, chaps. I want you to picture the scene, right? You are Tom Cruise.
CAROLE THERIAULT. No. No.
MARIA VARMAZIS. No.
GRAHAM CLULEY. Imagine the thing. What?
MARIA VARMAZIS. That's not much of a leap to get there.
CAROLE THERIAULT. Yeah, weirdo. Who stars in movies I don't like.
GRAHAM CLULEY. Well, okay, look—
MARIA VARMAZIS. He's about my height though, so—
GRAHAM CLULEY. Well, you're probably slightly taller than the real Tom Cruise. I think he comes in at about 4'9" or something.
CAROLE THERIAULT. He wears Cuban heels, I'm sure.
GRAHAM CLULEY. Not just Cuba under there. He's got Dominican Republic. He's got all kinds of stuff going on under his shoes. Anyway, Tom Cruise, or rather his Mission: Impossible alter ego, Ethan Hunt.
CAROLE THERIAULT. Say that carefully.
GRAHAM CLULEY. You, please. You are International Women of Mystery, and you like nothing better than to jump out of a plane at 35,000 feet extolling the virtues of L. Ron Hubbard while having a fish tank explode behind you.
CAROLE THERIAULT. Did you watch the highlights of the movie just to get all those scenes?
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. Excellent. Okay, good.
GRAHAM CLULEY. It's famous now. Getting my seatons ready.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. I'm sure Operation Clambake. I'm sure you may remember in the Mission: Impossible movie, even if you haven't seen it, the famous scene where he's trying to get some data off an air-gapped computer.
CAROLE THERIAULT. Oh, and he's dropped like a fish?
GRAHAM CLULEY. Yes, he's like sprawled out, isn't he? Exactly.
CAROLE THERIAULT. Copyright, copyright.
MARIA VARMAZIS. Oh shit. America.
GRAHAM CLULEY. Now anyway, you remember, right? He's trying to get the data off there, right? And in the movie there are lasers, probably, of pressure pads and temperature sensors, and the whole caboodle is dangled by wires and lowered from the ventilation shaft by Jean Reno. Very sexy Jean Reno, isn't he? If you like that sort of thing.
CAROLE THERIAULT. Bonjour, bonjour.
GRAHAM CLULEY. Swarthy Frenchman. And—
CAROLE THERIAULT. Oui.
GRAHAM CLULEY. He has just seconds to spare before the spod comes back in to deal with the computer. Anyway, but he manages to shove his USB stick into the computer, nab the data, and vrrrt, scarper. Huzzah, success. Now, these air-gapped computers are something which have caught the attention over the years of a bunch of researchers at the Ben-Gurion University of the Negev in Israel.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I've been looking up ways—
CAROLE THERIAULT. I've not heard of it before.
GRAHAM CLULEY. Have you not? They're quite big in the world of cybersecurity. Yeah. They really are. They do really funky research into crazy shit.
MARIA VARMAZIS. Yeah.
GRAHAM CLULEY. Including getting data off air-gapped computers. Now, on this particular occasion, the new research which they published—
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. Is all about trying to steal data, but doing it via the keyboard. So I want you to look at the keyboards in front of you, right? Now, if you've got an old-fashioned sort of PC keyboard, you know, the type with a number pad, you've probably got buttons with weird words on them like Print Screen, SysRq, and Scroll Lock. Has anyone ever used the Scroll Lock button?
MARIA VARMAZIS. Not in a long time.
GRAHAM CLULEY. Pause, break. On a regular-sized PC keyboard, you'll see some of that. And right up there in the top right next to it, you'll see 3 little lights quite often, which are the scroll lock, the num lock, and the caps lock.
CAROLE THERIAULT. Do you have one of these keyboards? 'Cause—
GRAHAM CLULEY. Oh, I'll have one somewhere in the office.
MARIA VARMAZIS. Yeah. I'm using one right now.
GRAHAM CLULEY. There you go.
MARIA VARMAZIS. Okay.
GRAHAM CLULEY. You're a big fan of the mechanical keyboard, aren't you?
MARIA VARMAZIS. I'm a dork for them. Yes, I am.
GRAHAM CLULEY. Yes. So yours has these lights and things, does it?
MARIA VARMAZIS. It does. And it also has rainbow LEDs underneath it that are constantly changing.
CAROLE THERIAULT. I love Maria so much.
MARIA VARMAZIS. So my husband and I in the same room have mechanical keyboards. So the two of us typing at the same time, it's this amazing cacophony. Anyway.
GRAHAM CLULEY. Saurian workhouse. There's just so much racket going on.
MARIA VARMAZIS. It's true. I love it. Murder, She Wrote.
GRAHAM CLULEY. So as you know, and for people who don't have this kind of keyboard—
CAROLE THERIAULT. Normal people.
GRAHAM CLULEY. Damn it. When you press Caps Lock, your Caps Lock light comes on, and so does Num Lock or Scroll Lock. Why they even bother putting Scroll Lock on keyboards, I've got no idea. But anyway, basically it's like a disco going on in your house, isn't it? It's crazy. You must have so much fun there with your husband. Well, I don't need to know the details, Maria.
CAROLE THERIAULT. Yeah, yeah, yeah. She has normally the life of a swamp rat, so when she sees a few lights on her keyboard, she goes insane.
MARIA VARMAZIS. Completely. You nailed it.
CAROLE THERIAULT. I'm sorry for Graham.
GRAHAM CLULEY. These Israeli researchers, they say that this is the way in which data could be stolen from a computer. What they're saying is this. If there was malware on the computer which could access data, but because it's air-gapped, because it's not connected to the internet or other networks, they don't have a way of sending that data which they want to steal back to the evil hacker overlord, there's no internet connection, what they can do is this. It can take data which it wants to exfiltrate, it can encode the data into 3-bit chunks. So every little byte of data, which normally is about like 8 bits or something, it makes it into chunks of 3 bits instead. So it'll be something like 000, right? If you imagine it in binary, or 001. 0, 1, 0, 1.
MARIA VARMAZIS. Because 0 and 1 are the— yeah.
GRAHAM CLULEY. Exactly. 0s are off and 1 means lit. So imagine those numbers being like the lights on your keyboard right now, Maria, right now in front of you. You maybe got Caps Lock on or something like that.
MARIA VARMAZIS. Yeah, mine goes through all those colors. It doesn't do this fancy stuff.
CAROLE THERIAULT. Right.
MARIA VARMAZIS. Okay. It's right now, it's like a purpley pink. So I don't think that's very helpful for Ben-Gurion research.
GRAHAM CLULEY. Okay. Okay. Maybe you've come up with a defense. I don't know.
MARIA VARMAZIS. Yes, I was going to suggest this.
GRAHAM CLULEY. But normally, on most people's keyboards, it would come up maybe like a green LED, and that means that that particular light is on, right? And if someone could see, or even better, record those lights flickering on and off as the malware tells each one of those lights to turn on or off to signify different characters.
MARIA VARMAZIS. It basically slowly spells it out for you.
GRAHAM CLULEY. Yeah, yeah, yeah.
CAROLE THERIAULT. Holy moly, you really wanna get on this machine, eh?
GRAHAM CLULEY. Carole, this is Israeli researchers. This is gonna be serious state-sponsored cybercrime, right? That's why they're being tasked to do this. Either they're investigating it to protect themselves, or they're investigating it 'cause they want to do this against other countries.
CAROLE THERIAULT. I just would like someone of that level of security to want to not use an old-style IBM computer.
MARIA VARMAZIS. What? Well, these are the guys that did the research about the fan. They did sort of something similar, data exfiltration with a fan, right?
GRAHAM CLULEY. That's right. They sped up and slowed down the fan, and then by the sound of the fan changing on computers, they were able to get data.
MARIA VARMAZIS. That's my favorite.
GRAHAM CLULEY. They've used radio waves in the past. They've used the PC speaker.
CAROLE THERIAULT. But did they release these exploits or did they just say, "We can do it"?
GRAHAM CLULEY. No, they've put together a research paper, which I'll link to in the show notes. And they called this technique, this is quite punny, this is a bit of a dad joke, Ctrl+Alt+LED. Rather than Del, rather than Ctrl+Del, you got LED, you see? Very clever. But the idea is—
CAROLE THERIAULT. I didn't need really an explanation.
MARIA VARMAZIS. Exactly.
CAROLE THERIAULT. Thanks, Graham.
MARIA VARMAZIS. The morons in the audience that need to be there.
GRAHAM CLULEY. No one needs to be in the room. You don't need to get Tom Cruise into the room to watch this, because what if a hacker was able to hack the CCTV camera?
CAROLE THERIAULT. There's a lot of what-ifs here.
GRAHAM CLULEY. Oh yes, of course there are. In the air-gapped room and record the LEDs when they're sending the information. So it's quite interesting. Now, before you start sticking gum over your keyboard or honey or whatever—
CAROLE THERIAULT. Yeah, that's exactly what I was about to do. Yeah, I was just pouring the treacle now, Graham.
MARIA VARMAZIS. The mitigation is electrical tape.
GRAHAM CLULEY. There are, yes. Well, there are some things that you should bear in mind. One is, how did the malware get on the air-gapped computer in the first place?
MARIA VARMAZIS. Ooh.
GRAHAM CLULEY. If it was air-gapped, you know, was it planted there by a cleaner or a rogue employee, or did they leave a USB stick in the car park and someone plugged that in? Or, you know, so this is always—
CAROLE THERIAULT. It's quite a huge barrier though, right?
GRAHAM CLULEY. It is a huge, I totally agree. And I always think this, whenever I see research from this particular group, you know, I think that's very clever, but how did you get the malware on to start beaming out the data via the keyboard or via the fan in the first place?
MARIA VARMAZIS. Well, that's where you go to their social engineering department and find out.
GRAHAM CLULEY. Do you know what?
MARIA VARMAZIS. Do you know what?
CAROLE THERIAULT. Actually, I bet they do some seriously great stuff, but if they want to have any press, they have to do crazy stuff like this in order to get journalists to pay attention because it's easy to explain, it's sensationalist. And then people like you, Graham, go, woo-woo, look what these guys can do.
MARIA VARMAZIS. You're part of the problem. Yeah.
CAROLE THERIAULT. And unfortunately, if you look a little deeper and you scratch the surface, this kind of threat, whilst it sounds really scary, is pretty hard to pull off.
GRAHAM CLULEY. I would certainly say to people, don't be afraid of this.
CAROLE THERIAULT. Good, I agree.
GRAHAM CLULEY. I think this is interesting technically, and it's cool from that point of view. But anyone who was able to plant the malware in the first place could potentially have stolen data from those computers at the same time, couldn't they?
CAROLE THERIAULT. Yeah, you should be about as afraid of this as a baby little Tom Cruise flying down from your ceiling, landing in your sitting room.
GRAHAM CLULEY. I actually find the idea of a tinier Tom Cruise scarier than the— The one you can see through.
MARIA VARMAZIS. Like a toddler-sized Tom Cruise.
GRAHAM CLULEY. Yes, that's a horrendous thought. Now there are some other things they said.
CAROLE THERIAULT. Jackie Stiles.
GRAHAM CLULEY. They said, well, what if there aren't any hackable CCTV cameras in the room? And they said, well—
CAROLE THERIAULT. What if?
GRAHAM CLULEY. Maybe there's a window. Maybe.
MARIA VARMAZIS. That air-gapped room has a window?
GRAHAM CLULEY. Maybe it doesn't open, but maybe it offers a lovely view of an attractive water feature, and you could use a long-range camera. Or they said—
CAROLE THERIAULT. Sounds like, what's that show, CSI? It's like, magnify, magnify.
GRAHAM CLULEY. Enhance. Or maybe, the researchers postulated, someone could enter the room wearing a video camera, or even their smartwatch could record the flickering LEDs. And the key thing, they say, is the quality of the camera, because CCTV cameras typically record at 30 frames per second, but your smartphone or your watch potentially could capture more frames per second, which means you can grab more data and more reliably.
CAROLE THERIAULT. Yeah, I just don't think I'm the right audience for this one.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. Like, fun, but whatever.
GRAHAM CLULEY. Anyway, so as you've probably guessed, there are some countermeasures if you are worried. Don't allow people into the room if they've got smartphones and smartwatches and cameras. Ban them from your secure room. Put some sticky tape over the LEDs or even disconnect them entirely.
MARIA VARMAZIS. Just put a little Post-it note over it.
GRAHAM CLULEY. Maybe put curtains over the windows.
MARIA VARMAZIS. Don't put your air-gapped shit in a room with a window might be the first thing.
GRAHAM CLULEY. Maria, from your mechanical keyboard, tell us what you've got for us this week.
MARIA VARMAZIS. My story comes by way of a security researcher and bug bounty hacker who found bugs in Facebook code. Because I have to talk about Facebook, right? I'm contractually obliged every time I come on the show. So this, this researcher's name is Laxman Muthiyah, and I hope I pronounce his name correctly. And he has found bugs in Facebook's code many times, and he's made some money from this. And this week he did it again, and he published the details of how he earned $30,000 from a bug bounty from Facebook for finding a way to hack any Instagram account.
CAROLE THERIAULT. You think they could add a zero to that if he found a way to hack any Instagram account? I mean, how many Instagram users are there? Millions and billions and millions and millions worth a lot of money.
MARIA VARMAZIS. Yeah, a lot of people, their whole business is Instagram based.
CAROLE THERIAULT. Pasty.
MARIA VARMAZIS. So yeah, I think he should have gotten a lot more than that.
GRAHAM CLULEY. But to be honest, if he turned to criminals, he could have sold that probably for more, couldn't he? Or rent it out to others who might have tried to abuse it.
CAROLE THERIAULT. Facebook are hurting right now though. They just got fined something like a few billion, didn't they?
GRAHAM CLULEY. Oh yeah, they got fined about a weekend's income.
CAROLE THERIAULT. I know.
MARIA VARMAZIS. Yeah, I know. Zuck sneezes and he loses more money than that. So yeah, I mean, I'm pretty sure his napkin is made of $30,000 bills. So, um, uh, so Laxman's method to hack Instagram was actually almost beautiful in how simply it worked. I, I, that's why I really love this story. So he basically used Instagram's password reset method to hack Instagram. So for context, for folks who may not know about how Instagram works, it's owned by Facebook, firstly, because again, have to talk about Facebook and you love—
CAROLE THERIAULT. Sucks.
MARIA VARMAZIS. I pardon out of context. That sounded quite dirty. So unlike Facebook, which was a web browser thing originally, Instagram is meant to be mobile first. It's really a mobile smartphone app. So everything about it is supposed to be easy to use on the phone, optimized for phone use. So that goes for password resets. So if you lose your password, you tell Instagram, oopsie daisy, I made a mistake, need my new password. And then Instagram verifies that you're the person who lost their password and they send you, a smartphone user, a 6-digit recovery code straight to your phone number. Easy as possible. So you don't have to click any clumsy email password reset links or codes you have to type into some form somewhere on some website. You just get a 6-digit code and you just verify yourself easily.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. Doxing sucks. High five for that.
MARIA VARMAZIS. Yeah, super easy. That actually may have predated Zuckerberg. That may have been before Instagram was bought by Facebook.
GRAHAM CLULEY. Okay.
MARIA VARMAZIS. So, yeah, anyway, so if you wanted to attack an Instagram, one that has like millions and millions of followers, like, I don't know, Kim Kardashian, worth a whole lot of money, in theory, all you really need are those 6 digits to get in.
CAROLE THERIAULT. Yeah.
MARIA VARMAZIS. So Laxman figured, okay, so the path in is just a random 6-digit combination, and how many of those can there possibly be? If I guess them all, I can eventually get the right one. And for those of you crunching the numbers in your head, because it's a quick little math problem, any guesses on how many possible combinations there are?
GRAHAM CLULEY. If it's decimal, then it's—
CAROLE THERIAULT. I would have thought—
MARIA VARMAZIS. 0 through 9.
GRAHAM CLULEY. 0, yeah, 0 to 999999. Yeah.
MARIA VARMAZIS. Saving you the trouble in calculating factorials.
GRAHAM CLULEY. A million.
MARIA VARMAZIS. It's a million. It's a million. Yeah, it's a million. So you've got a million possible different 6-digit combinations. So if you—
CAROLE THERIAULT. That's a lot smaller than I thought.
MARIA VARMAZIS. Yeah, it's— but there are some mitigating factors here. The main problem that Laxman has to overcome here is you have to try up to a million different number combos before hitting the right one and getting access. So that's the problem. So as you pointed out, a million is not as many as you think. And also, I'm sure some of our savvy listeners are thinking there's got to be some limitations in place here before Instagram would allow people to just try a million combinations, right? Yeah. So wouldn't Facebook have some kind of failsafe in place to prevent someone from, I don't know, spamming their servers with all those guesses? And yes, indeed they did. So in fact, they already had something in place called rate limiting. So the faster you try to guess number combinations— so if you're trying to spam their servers with like a million guesses, they're going to put the kibosh on you really quick. So Laxman found out after some experimenting that he could safely attempt about 200 guesses from one IP address before Facebook blocks his IP from making any more attempts. So you've got about 200 guesses. And wouldn't Facebook also put a timer in place to expire the code so you can't keep trying to get in in perpetuity? And yes, it's a 10-minute timer. So.
GRAHAM CLULEY. Both of which steps are quite sensible, you know, because you don't want some automated script starting at 0 and working its way up to 999. So putting a block in place, very sensible. Sounds like they've done well so far.
MARIA VARMAZIS. Indeed. These are all good things. If they hadn't had those fail-safes in place, this would be a very different story. We would be laughing. And also Instagram would have been hacked years ago. So yes. So the TL;DR is you get 200 guesses for that precious recovery code from one IP address in 10 minutes. And if you don't get the code in those 200 guesses, you're done. Yes.
CAROLE THERIAULT. It's a pretty easy script to write, right? Right.
GRAHAM CLULEY. Yeah. Yeah.
MARIA VARMAZIS. So you either hope you get it in 200 guesses, or what if you had more than one IP address available to you? No, that can't—
CAROLE THERIAULT. no one has that, Maria.
MARIA VARMAZIS. What if you, I don't know, spent all of $150 to spin up some cloud accounts on AWS or Google and create, oh, I don't know, 5,000 IP addresses and had all those 5,000 IPs, or bots really, guessing their 200 guesses at the same time. Surely one of them will find the golden ticket within their 10-minute allotment. Ding, ding, ding. Wow.
GRAHAM CLULEY. So it's not that he had 5,000 computers in his back bedroom.
MARIA VARMAZIS. No, in his basement, no.
GRAHAM CLULEY. These are basically virtual machines which are running on some sort of cloud service like Google or Amazon. Correct. And they've all got different IP addresses.
MARIA VARMAZIS. Correct. So he actually has a wonderful 2-minute video proof of concept of this, which is, I thought, a really fun watch. He used only 1,000 IPs that he bought from Amazon's EC2, and from those 1,000 IPs that he bought, they sent out 200,000 requests to Facebook servers in an attempt to get a right guess on the recovery code. And that's only 20% of the total possible number combos, but he still got it. And it's a 2-minute video that shows how pretty elegantly simple this is. It's a wonderful little brute force attack. And super fun to watch, but that was enough for Facebook to go, "You know what? You nailed it." Because $150 is not a lot for a hacker to spend to, I don't know, try and hack Kim Kardashian's Instagram account.
GRAHAM CLULEY. And the other thing I read about this case was that you also found that if there were concurrent attempts to guess the number, Instagram sort of got its knickers in a twist regarding how many attempts there had been. So if you had different computers attempting at the same time, it kind of lost count. And so there was a bigger number of attacks which were possible to get to that number more quickly within the 10 minutes.
MARIA VARMAZIS. There you go. This was beautiful, I thought. Just a really fun little exploit that he found. And Facebook has already patched it. So for anyone who's like buying EC2 instances right now, you're already too late. But yeah, it's $30,000 for that. I think that was a really neat discovery.
CAROLE THERIAULT. I wish he'd got more money. Yeah, same.
MARIA VARMAZIS. Yep. I'm going to be interested to see how companies start hardening their defenses against these virtual account attacks. So if he used AWS to spin up all these different instances, are companies prepared for something like that where you've got 5,000 different IPs coming at you at the same time? Or is that just gonna look like normal web traffic for you? I don't know. It'll be interesting.
CAROLE THERIAULT. Also, what makes it kind of elegant is it's pretty old school brute force, right? That's why these guys should really have had some fail safes. So it's kind of embarrassing, isn't it, Sucks?
GRAHAM CLULEY. It is embarrassing, but they also have to be careful in their defenses because if they were to block people from attempting to access the account because they'd noticed lots of different computers were trying to break in, then potentially there's a denial of service which people could do as well to lock the genuine user out of the account.
MARIA VARMAZIS. Yeah, there you go.
GRAHAM CLULEY. Just to be a bloody nuisance. What if?
MARIA VARMAZIS. It could happen. I mean, we'll be talking about it next time on Smashing Security.
CAROLE THERIAULT. Yeah, I love, I'm loving the FUD, loving the FUD. Okay.
GRAHAM CLULEY. So Facebook has hardened Instagram as a result, so this kind of attack can't be done in future. But the other piece of advice we'd probably give to Instagram users is do enable two-step verification onto your accounts. Oh, yes, absolutely. Because that's a much more common way in which your accounts will get hacked is because your password has been reused or you get phished or something like that.
CAROLE THERIAULT. And never enter your code in front of a window because— You never know! You never know!
GRAHAM CLULEY. I am looking up at my ceiling right now in case Tom Cruise is dangling down.
CAROLE THERIAULT. The baby one?
MARIA VARMAZIS. Pitsy-whipsy little one. Little baby Tom Cruise. Hi, everybody! Wow. It's like I'm there. It's amazing.
GRAHAM CLULEY. Oh, Carole, tell us what your story is this week.
CAROLE THERIAULT. Okay, so way back in August 2018, a year ago, episode 93, I introduced you to John Steele and Paul Hansmeier.
GRAHAM CLULEY. I remember it well.
CAROLE THERIAULT. Of course you don't remember them. So I'm going to be reminding you on this show. So these are two Chicago lawyer dudes with the morality and legal ethics akin to a pile of turds. Literally.
GRAHAM CLULEY. I think you could have just said they were lawyers. I think that would have covered— that was just tautology. Say that.
CAROLE THERIAULT. This sneaky legal duo got caught making dirty money, and just last week, they have now faced the consequences for their actions. And I thought, as a game, I'll remind you of what these two dirtbags did, give you a little insight into the legal case, and you two, and all you listeners out there, why don't you take a stab in the dark at the punishment the judge doled out. Okay, and we'll see if you're right or not, right? So John Steele and Paul Hansmeier. So back in 2010, these boys ran a Chicago-based law firm, and by their subsequent actions, I'm gonna guess they were just in it for the money. Like, if $1,000 were a hot dog, John and Paul would easily beat the world hot dog eating champion, the Japanese Takeru Kobayashi, who I've watched a video of recently and it's impressive.
GRAHAM CLULEY. Sorry, I think I've just woken up in a parallel universe. What are you talking— what, what?
CAROLE THERIAULT. Okay, okay, the world hot dog eating champion. He is known for eating 60 hot dogs in a single sitting. And his trick, in case you're interested, clearly, was to dunk the whole hot dog and bun into water before sucking it down his pie hole.
MARIA VARMAZIS. So he's lubricating it well before— okay, got it. Yeah, lube is usually the trick.
GRAHAM CLULEY. So that's what they call hot dogging. I've always wondered.
MARIA VARMAZIS. All right, we've gone off the rails.
CAROLE THERIAULT. Uh, yeah, we have. I have. I just wanted to get that in. It's a bad crowbar. Sorry. Okay, so here is how these guys made millions and millions. So they first, they created the honey. They hire porn stars and film some porn. And then they copyright the material.
GRAHAM CLULEY. So these were lawyers making the porn?
CAROLE THERIAULT. These two lawyers, yeah, two Deutsche Bank lawyers. Yeah. Okay. Okay, then they create the honey trap. They populate popular content sharing websites.
GRAHAM CLULEY. Hang on. Erection, Your Honour. Oh, yo.
CAROLE THERIAULT. So then they create the honey trap. They create the honey trap, populate popular content sharing websites like Pirate Bay with said porn vids.
MARIA VARMAZIS. There's no porn on Pirate Bay.
GRAHAM CLULEY. Trust me, I've looked. There definitely isn't.
MARIA VARMAZIS. There's like a separate checky box you gotta check for that.
CAROLE THERIAULT. And then they set the trap, right? They wait for people to come and download them, and then they go after them for copyright infringement. Why? So, for money. So in other words, they donned their legal robes and went after the guys that downloaded the sexy stuff, with the only intent to extort cash out of them. It's insane.
MARIA VARMAZIS. That's so many extra steps for extortion. Oh my God.
CAROLE THERIAULT. Okay, so they make this porn available. Let's say, Graham, you download the porn, right, from Pirate Bay or wherever. I go to the courts and I say, look, we have seen some, um, hacking going on on our systems from this IP address.
GRAHAM CLULEY. We would like to contact the ISPs and get their personal information so that we can go after— So the lawyers went to the court and said that, well, presumably they claimed that they had clients. They didn't say it was them.
CAROLE THERIAULT. So yes, who are their plaintiffs? Of course. Oh, well, don't worry. They took care of that. They just created 8 shell companies. So they had very colorful names like Sunlust Studios and Hard Drive Productions. And their jobs were to act as the porn plaintiffs in the legal case against the porn downloaders. Why? Right?
GRAHAM CLULEY. Okay. So just to be completely clear. There are lawyers who've also set up companies who the lawyers are claiming to represent. So they've set up companies which are posing as porn companies. The porn ends up on Pirate Bay because the lawyers have uploaded it. Right. And then the lawyers send, they go to the court saying, our clients, the porn companies, who don't really, they've been hacked by people from this IP address. So they do that to find out who owns the IP address. And then they don't actually hit them with hacking claims. They hit them with 'You've downloaded porn from Pirate Bay, and it belongs to us.' Exactly.
CAROLE THERIAULT. Oh, just— I know. That's such trolly behaviour.
MARIA VARMAZIS. I mean, it's so much extra work. There's so many easier ways to do something like this.
GRAHAM CLULEY. Yeah, but would it be as much fun? If you're a lawyer, this is actually quite an erection, Your Honour. Right? You can— it's a lot of fun to be had here getting work—
MARIA VARMAZIS. Like, that's called a hobby. Don't— I mean, why? You don't get paid to do porn, guys.
CAROLE THERIAULT. That's not how it works.
GRAHAM CLULEY. They didn't also work in washing machine repair or anything like that, did they?
MARIA VARMAZIS. Because were they pool boys, pizza delivery?
GRAHAM CLULEY. You can combine— you can combine these different careers.
MARIA VARMAZIS. So much extra work. I just— it's like I'm lazy and this is offensive to me. I'm not being lazy.
CAROLE THERIAULT. Like, come on, it's too much work. Okay, so they of course never want to go to court because if they go to court, they might have to reveal that they're actually behind some of these shenanigans, right? Right? So the idea is to scare folks into paying into a settlement, and if they don't have to pay the— you know, they don't have any public humiliation. I have written here in my notes, pubic humiliation, and/or court hassle. So from 2010 to 2013, they netted $6 million in copyright settlements. That's the fuck out. That's why it was maybe worth the work, Maria. Oh, come on.
MARIA VARMAZIS. Yeah, but after you pay like the, the union fees and the studio costs like that, there's no way shooting a porn is that cheap.
GRAHAM CLULEY. I don't know, from what I've seen, says the voice of experience.
CAROLE THERIAULT. Their comeuppance came in 2016 when Paul Hansmeier and John Steele were arrested by the FBI. And the FBI, I think, twigged on because they were harassing the ISPs with all kinds of, you know, requests for information. And they were charged with 18 counts of running a multi-million dollar extortion scheme, right? So fast forward to today. Yes, they've both been sentenced. And are you guys ready to play the game? Okay, because Paul and John got different sentences. They are not the same. Why? Um, well, let's start with Paul Hansmeier. He was sentenced in June by Judge Joan Ericksen. They were both judged by the same judge. Hansmeier initially refused to cooperate, but in August accepted a plea deal, guilty, but he reserved the right to withdraw the plea if he was successful in dismissing the complaint. Can you do that? Apparently. So I'm guilty, but I'm also running this concurrent plan to get this all thrown out of court. So if I do— I'm betting his bets. Okay, all right, exactly. Genius. Now the judge said it is almost incalculable how much your abuse of trust has harmed the administration of justice. And of course they're not happy. They're probably very pissy because they use the courts in a lot of their schemings.
GRAHAM CLULEY. Yeah, wasted lots of time.
CAROLE THERIAULT. Yeah, and kind of fooled and duped. Get a hobby. So what do you think he got in prison?
GRAHAM CLULEY. So what sentence? Uh, so what, $6 million? Uh, he got 5 years.
CAROLE THERIAULT. 14 years in prison. Oh, 2 years of supervised release, and he has to pay the victims $1.5 million restitution. That is hefty. Now, John Steele sentenced Tuesday last week by the same judge. John Steele pled guilty in 2017 to money laundering, same da da da da. He cooperated from the get-go with authorities and he did not have any caveats to withdraw his plea, which was a bit cheeky from the other guy, to be honest.
MARIA VARMAZIS. An asshole move. Yeah.
GRAHAM CLULEY. So, okay, so one of them's got 14 years and this guy who's helped, he is going to get 5 years.
CAROLE THERIAULT. Yes. He got 2 years— two 5-year sentences, but they're to run concurrently, not consecutively. So he's basically just in jail for 5 years. Oh, yeah. Cool. Okay. So it seems as though it pays to play ball with the courts, because that's 9 years less than Paul Hansmeier. Right? Like, Graham, your son is not even that old yet. And I bet you don't even remember life before him. 9 years is a long, long time.
GRAHAM CLULEY. Right? Well, I mean, I think it's a general rule of life though, isn't it? Is that when the authorities have got you, you just say, you put your hands up and you say it's a fair cop.
CAROLE THERIAULT. So basically, if we get caught at something, I hope you're not doing anything illegal, you're basically gonna dob me in.
GRAHAM CLULEY. Copyright infringement, Mission: Impossible music. Yes, exactly.
CAROLE THERIAULT. That's what this is telling me, because you're gonna throw me, your buddy, under the bus for, and you're gonna cooperate, and you're gonna lie to save your own butt.
GRAHAM CLULEY. Which one of us, well, it will save my butt, but which one of us will cooperate first? That's the thing. We've got to get in first, Carole.
MARIA VARMAZIS. Yeah.
CAROLE THERIAULT. Who's more loyal, Graham, I wonder? Hmm. Interesting. Hmm. Hey, Graham. Yes. There are people out there with companies a little bit bigger than ours, and one of the issues that they face is visibility and oversight. And when it comes to cybersecurity, that is super important. So listeners, listen up. If you do not have a password manager in your organization, please check out LastPass. LastPass Enterprise. They offer centralized admin oversight and control, shared access, and automated user management. All this stuff makes your life easier. Plus, you can even use LastPass's single sign-on to protect all your cloud apps and give seamless access to employees. Check it out at Smashing Security— no, at— check it out at lastpass.com. .com/smashing. Let me try that again, folks. Check it out at lastpass.com/smashing. Perfect. Do you want to make it more conversational?
GRAHAM CLULEY. I don't know.
CAROLE THERIAULT. I think that sounded great. We also are sponsored by MetaCompliance. Now, MetaCompliance— let's reduce cybersecurity risk by providing a platform for training.
GRAHAM CLULEY. Yeah, they do online training. They've gamified it. It's animated e-learning, teaches you and your staff all about the risks of phishing and other threats which may impact them inside business. And best thing, it's not boring. No, not boring at all. You learn everything. GDPR, malware, data security, password safety. You can grab it all and save yourself a ton of cash because you're a Smashing Security listener. Go to smashingsecurity.com/PassPass.
CAROLE THERIAULT. On with the show.
GRAHAM CLULEY. And welcome back. And you join us on our favorite part of the show, the part of the show that we like to call Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Now, my pick of the week this week is not security-related, but I do remember many years ago working for a security firm where in the sales department, they had inspirational posters on the wall encouraging them to sell more.
CAROLE THERIAULT. What, in the bathroom, like pee carefully?
GRAHAM CLULEY. No, no, no, no, no, no. You don't have to be inspired to urinate in a straight line. I'm talking about to sell more or to be a happier person. And I always found these rather ridiculous and comical, but it would say things like, you know, the first step of the journey is, I don't know, who knows. But anyway, I found a website called Inspirobot.me. And what this does is it comes up with inspirational phrases. Here's a couple which I just grabbed off the website. Ignore the connection between your virility and gravity. Never let anyone tell you that you're not fondling yourself. Damn straight.
CAROLE THERIAULT. Do you know, Graham, I have a friend who actually got paid to write books that do this. Oh, really? And yes, so her job was to kind of collect them around the, you know, wherever she could find them and put them into this book. It was like an early job. She was 20.
GRAHAM CLULEY. Did she have this one? No one is telling you to obsess about your mother's medication.
CAROLE THERIAULT. See, she could have written that one. She told me she made up loads of them because no one cared and no one read them. Well— So she made up loads, so they could be hers.
GRAHAM CLULEY. She should go to inspirobot.me because it has an artificial intelligence dedicated to generating unlimited amounts of unique inspirational ridiculous quotes for the endless enrichment of pointless human existence. That's how it sells itself. Beautiful. Wow. There's even a mindfulness mode where it'll play music in the background and display images from nature and cityscapes and things like that, and read out to you in a robotic voice the inspirational quote.
CAROLE THERIAULT. This is one for Nimity. She likes those. She likes a little mindfulness. Yes.
GRAHAM CLULEY. Anyway, so that is my pick of the week.
CAROLE THERIAULT. I think that sounds fun.
GRAHAM CLULEY. It tickled me. It tickled me just where I needed to be tickled this afternoon.
CAROLE THERIAULT. Oh, please don't be doing that right now. Can you just wait 10 minutes? We're almost, we're almost done.
GRAHAM CLULEY. I might need some WD-40 in a moment. There's a bit of squeaking coming. Oh, Maria, what's your pick of the week?
MARIA VARMAZIS. Well, may I ask, could I do like a punt of the week, like an anti-pick of the week before I do my pick of the week? Yes, because I just— somebody added me, my, my work email, they added me to a privacy email newsletter without asking me first if I wanted to opt into this. And that is like the douchiest thing I can imagine for a privacy newsletter. So that is my anti-pick of the week. Don't do that.
CAROLE THERIAULT. And it has to do with security. Yes, it's a privacy and security newsletter.
MARIA VARMAZIS. They added like an email that I only use for like a very specific work purpose. There's no way I would have used this email myself for like a real thing.
GRAHAM CLULEY. And it didn't do double opt-in. It didn't ask you to confirm.
MARIA VARMAZIS. It was nothing. It just showed up in my inbox, started spamming me one day, and I was like, how dare you, sir? It was very annoying. And yes, don't do that. Shame them. Shame them. Maybe I will name and shame maybe on Twitter. How about that? Okay. All right. So for my actual pick of the week, my pick is what Wikipedia calls a serialized speculative fiction multimedia narrative. It is called What Football Will Look Like in the Future. And you don't have to have any interest in American football at all or any knowledge of it. Yes, because I don't either, really, aside from what I've absorbed by osmosis being a Yankee. And that link that is in the show notes, you do not want to read it on mobile. You need to be on a desktop or a laptop. So anyone who's reading show notes on mobile—
GRAHAM CLULEY. I've just gone there on my desktop. It's a pretty— it's exploding my screen.
MARIA VARMAZIS. Okay, don't give away too much. It's, it's very, um, you don't have to have any interest in any kind of sport because I don't. It's a very captivating read. I don't want to give away what it's about. It will take you— it's a long read. And I will just say it was a contender for a Hugo Award for best graphic story last year, and a Hugo is like a very, very—
CAROLE THERIAULT. yeah, yeah, big deal.
MARIA VARMAZIS. So for just as a point of how much this draws people in, I sent it to my husband last night. Yeah. And he, an hour later, he was still reading it, and an hour after that he was still reading it. And then when we went to bed, he started asking me questions about it. Like, it got him really thinking about, like, life in the universe and stuff. So it's best to go into it knowing nothing about it, and you really want to set some time aside to give it proper attention. And I— this came out actually two years ago. Yeah, it's awesome. It's actually two years old, uh, but I, I've never shared it with, uh, our listeners. So I said, okay, in the show notes.
CAROLE THERIAULT. Yes, we'll make it big and obvious for people.
GRAHAM CLULEY. And the show notes— even some podcast apps don't support show notes properly, so if you can't find something, you can click on there, go to smashingsecurity.com and all the links are clickable from in there as well for this episode.
MARIA VARMAZIS. Yeah, you can search what football will look like in the future, or it's also called 17,776. It's a year. 17,776. Sorry. Imagine 15,000 years from now, basically. And that's sort of a spoiler. So— How curious. Yes. You both have been sucked into it, I can tell.
CAROLE THERIAULT. That's why I'm not talking. I'm totally—
GRAHAM CLULEY. I'm already in. Oh, it's my favorite part of the show, Carole. Okay, well, we'll skip your Pick of the Week then, in the interest of time.
CAROLE THERIAULT. You don't wanna miss my Pick of the Week. Okay, tell us about it. Tell us about it. Okay. Because what would be the most boring thing in the world to be? Like anything in the world? Anything that exists. Quantity surveyor? Yeah, or a rock, right? I mean, a rock's pretty. You don't move, you don't communicate, you don't grow. You get kicked around a bit, maybe. Well, my pick of the week changed my mind about rocks. It's a little video I saw on Damn, That's Interesting subreddit. And I've put the link in here, so take a look. Right. It's posted by a user Tetrapolis. This. It's kind of just a little vignette, a little anime vignette, silent movie.
MARIA VARMAZIS. There's no sound. Silent movie. Yeah. Rock Experience. Okay, the life of a rock.
GRAHAM CLULEY. Yeah, just watch a bit of it. Okay, it looks cute.
CAROLE THERIAULT. It's more than cute. It's quite sweet and it's really interesting, and it kind of has a bit of historical element to it. I think it'd be great for kids too. It's very peaceful and takes a few minutes, and it just changes how you might see rocks. Oh, see, trees last week and now— Yep. Going back to basics. Going back to basics. Well, that just about wraps it up for this week.
GRAHAM CLULEY. Thank you, Maria, for joining us as well. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
MARIA VARMAZIS. Uh, on the Twitters, I'm @mvarmazis and on mastodon's infosec.exchange, I'm @maria. Either one is great.
GRAHAM CLULEY. Cool. And you can join us on Twitter at Smashing Security, no G, Twitter wouldn't allow us to have a G. And you can join our community on Reddit as well. Just look for Smashing Security up there.
CAROLE THERIAULT. Huge thank you to this week's sponsors, LastPass and MetaCompliance. Their support helps us give you this show for free, so be sure to check out their offers. And as always, big love to you all, you listeners out there, and welcome to our new Patreon subscribers. Stay tuned after the show for more information on our Patreon launch. Check out smashingsecurity.com for past episodes, sponsorship details, info, and how to get in touch with us.
GRAHAM CLULEY. Until next time, cheerio, bye-bye. Bye. Bye. Maria, say something like, hey, so you guys are on Patreon now. Spontaneously.
MARIA VARMAZIS. Oh, oh, so y'all are on Patreon now then.
CAROLE THERIAULT. What's the answer? To that. Yeah, we are. We've just dipped our toes into the Patreon world.
GRAHAM CLULEY. The thing is, there were people who said they wanted to support the show, and we were like, well, just tell your friends, you know, get them to listen to it. And some people said, no, Graham, I really want to give you money. They said— they didn't mention Kroll. They said, we really want to give you a small amount of money. I'm joking, Kroll. Of course they wouldn't. Of course. But they wanted to— No, no, no, it's just— I just have jet lag, you know. So what we're doing is that we've got two tiers on Patreon, $2 a month, which basically means that you love us very, very, very much. But if you want to be a really schmancy fancy pantsy supporter of the show, you can give us $5 a month, which means you get everything for the $2 tier plus early release episodes when possible. And behind-the-scenes bonus content.
CAROLE THERIAULT. Now, the point behind all this is basically I would like to do a lot more on podcasts, but in order to do that, we need to fund it. Rather than, you know, doing other things to make money, we could make money here in this thing that we really love. So we're trying it out. We'll see what happens.
GRAHAM CLULEY. I think it's important to underline that the podcast remains free for everyone. That's not changing. You can still listen to us for free. You don't have to support us on Patreon. We just love that you're listening, actually, to be honest. But if you, if you can afford it and if you want to support us, go to patreon.com/smashingsecurity. And thanks to those people who've already supported us up there, even, even before we announced it on the podcast. That's pretty impressive, isn't it?
CAROLE THERIAULT. It's awesome.
GRAHAM CLULEY. Wow. So thanks to Angela, Cheyenne, David, Dimitri, Jonathan, Macaulay, Marcus, Pete, Richard, Ruben, Ruben Scotia Thomas and Thomas, who've already supported us. We really appreciate it. Thank you so much. Mwah! Oh my goodness. That's not for you, Grim. I don't think we can promise that to everyone who supports us.
MARIA VARMAZIS. There's only one David in that list. That's surprising. I thought we had a lot of Davids.
GRAHAM CLULEY. Come on, Davids. Yeah. Yeah, Davids, you know who you are.
MARIA VARMAZIS. The whole league of Davids. It's really, they need to activate.
GRAHAM CLULEY. No, no Marias either, actually. Before she begins to point the finger.
-- TRANSCRIPT ENDS --