Remember how the City of Baltimore was badly hit by ransomware earlier this year? Turns out that wasn't the end of their problems. Also, Carole takes a look at how smart speakers can be hacked to trick you into giving criminals your passwords or even credit card details. And we discuss the findings of the LastPass global password security report.
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, with a featured interview with Rachael Stockton from Logmein.
Visit https://www.smashingsecurity.com/151 to check out this episode’s show notes and episode links.
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Special Guest: Rachael Stockton.
Sponsored By:
- Code42: Code42 provides data loss protection for when employees quit. 60% of employees who quit their jobs admit to taking data. Your organization's data is more portable than ever and you have employees leaving every day. Most organizations rely on prevention, but there are simply too many ways for data to leave.
- To learn more about how to protect your company’s data from insider threats visit http://www.code42.com/smashing
- Immersive Labs: Immersive Labs provides the world's first fully interactive, on-demand, and gamified cyber skills platform.
- Try it for free at immersivelabs.com/lite/ and drive down your organisation’s cyber risk while reducing training costs.
- LastPass: LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
- But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
- Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Links:
- Support Smashing Security on Patreon — Now also includes free stickers!
- RobbinHood ransomware attack brings down parts of City of Baltimore's computer network — Tripwire.
- Some Baltimore City Services Still Shut Down Due To Ransomware Attack — YouTube.
- Baltimore government could have lost its website last week. And not because of hackers — Baltimore Brew.
- Baltimore transfers $6 million to pay for ransomware attack; city considers insurance against hacks — Baltimore Sun.
- Baltimore IT department uses ‘mind-boggling,' outdated data storage method, audit finds
- Councilman “mind-boggled” by Baltimore City IT department ineptitude — Ars Technica.
- The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up — Techdirt.
- "Backin Up" by The Gregory Brothers — YouTube.
- Smart Spies: Alexa and Google Home expose users to vishing and eavesdropping — Security Research Labs.
- Zoomquilt 2.
- Arkadia Zoomquilt.
- Historia Civilis — YouTube.
- 2019 Global Password Security Report — LastPass.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
ROBOT. Yes, you could have a Scottish voice, you know, saying, "Och, aye, it's your McGoogle device here requiring a firmware update." Smashing Security, Episode 151: Frankly, Sometimes Paying the Ransom Is a Good Idea, with Carole Theriault and Graham Cluley. Hello. Hello. And welcome to Smashing Security episode 151. My name is Graham Cluley.
CAROLE THERIAULT. And my name's Carole Theriault.
GRAHAM CLULEY. Hello, Carole.
CAROLE THERIAULT. Uh, hello. How are you?
GRAHAM CLULEY. Well, it's just you and me this week, isn't it?
CAROLE THERIAULT. I know. Listen to the echo.
GRAHAM CLULEY. Yeah, no guests this week, although—
CAROLE THERIAULT. Yeah, don't be sad. We've got some cool stuff.
GRAHAM CLULEY. So what cool stuff have we got coming up later?
CAROLE THERIAULT. Well, I had a chat with Rachael Stockton from LogMeIn, LastPass fame, and we're going to tag that on at the end of the show because she goes through the numbers of a recent report that they've pulled together. It is a whopper of a report, 42 or 50 pages or something, and we go through the highlights of that report. So you don't want to miss that.
GRAHAM CLULEY. Okay, you're not reading out the entire report, 42, 45 pages?
CAROLE THERIAULT. No, it's not like the Mueller investigation. No, we're not gonna— no, we've cherry-picked the cool things that we wanted to talk about, and of course the report is available for anyone who wants to read more.
GRAHAM CLULEY. Well, talking about goodies, a little birdie told me that we have updated our Patreon at patreon.com/smashingsecurity to offer some extra goodies to those people who support us at the $5 per month tier, the super duper bonus content tier where you get extra bickering between your hosts. So do you want to tell people what they're going to get now in addition to what they were already getting?
CAROLE THERIAULT. Well, we are going to throw in 3 high quality Smashing Security stickers.
UNKNOWN. What?
CAROLE THERIAULT. Yeah. No, I am not just one, not just one, not just for your laptop, not just for your laptop and your phone.
GRAHAM CLULEY. So you could stick these stickers on other people's laptops. You could basically become a hooligan.
CAROLE THERIAULT. You could become—
GRAHAM CLULEY. Smashing Security around.
CAROLE THERIAULT. Yeah, I don't— Well, actually I do recommend that because, you know, they're pretty nice stickers. We did design a logo and, you know, I'm still proud of it 3 years on.
GRAHAM CLULEY. So. All right. So, so, so if people sign up for that, they can get that. And thank you to everyone who has supported us so far.
CAROLE THERIAULT. Yeah, seriously, high five. I know we make this look like it's so much fun, but this is edited to within an inch of its life. We actually have a laugh track that we make use of because often Graham doesn't laugh at me and there's only one laugh, and I just— well, you laugh at me, you don't laugh with me.
GRAHAM CLULEY. Exactly, exactly. That's exactly how it works. What have we got coming up on the show this week?
CAROLE THERIAULT. Well, first, let's just say thank you to this week's sponsors: LastPass, Code42, and Immersive Labs. Their support helps us give you this show for free. Now, on today's show, Graham is doing a postmortem on the Baltimore City ransomware attack, and I've got a message for you Google Home and Alexa users out there, and it's pretty scary. Halloween's around the corner, so, uh, it's pretty fitting. All this and loads more coming up on this episode of Smashing Security. Buckle up, folks.
GRAHAM CLULEY. Now, chum chum, uh, cute, cute. Now I want to take you back in time. I want to take you back into, oh, through the ravages of time, way, way back to May 7th, 2019. Yes.
CAROLE THERIAULT. Oh, what, like 5 months ago?
GRAHAM CLULEY. Exactly, about 5 months ago.
CAROLE THERIAULT. Okay, okay. Let me see if I can get to the right headspace for that one.
GRAHAM CLULEY. Because way back then, the city of Baltimore in the United States of America, the government computer networks there were infected with some ransomware called RobbinHood. That's Robin with a double B.
CAROLE THERIAULT. Right, I remember that.
GRAHAM CLULEY. I don't know if there's an apostrophe as well, if it's really hip kind of ransomware. But anyway, yes, it infected them and they demanded that a ransom was paid for the safe recovery of encrypted files on the city's affected computers and servers.
CAROLE THERIAULT. Right. Okay. So basically typical ransomware attack, their files are locked up and the ransom guy's like, give me some money and I'll give you your files, maybe.
GRAHAM CLULEY. Exactly. And of course we've seen many cities, particularly in the United States, being hit by ransomware over the course of the year. And some of the cities have paid up and some of them haven't. Some of them have just claimed on their insurance and recovered. Well, in this particular case, the bad guys demanded around about $70,000 in cryptocurrency. But the Baltimore mayor, a guy who goes by the name of Bernard C. Young, he likes to be called Jack. I don't understand that. But anyway, I don't know what that's about. But anyway, he refused to pay. He said, no, no, we're not going to pay.
CAROLE THERIAULT. Ransomware blocks users from their files and demands payment to unblock them. But Mayor Young says the city won't be blackmailed.
GRAHAM CLULEY. No, I will not pay a ransom to anybody.
CAROLE THERIAULT. All city workers are at work today whether they can do their jobs or not. Mayor Young also has an alternative in mind.
GRAHAM CLULEY. If we are in this for, um, longer than we anticipate, I'll be asking city employees who really can't do their work because of, um, the computer systems, would they be willing to go out and help us clean up the city? Well, two weeks later, their computer systems were still down.
CAROLE THERIAULT. All right, so what's going on during these two weeks?
GRAHAM CLULEY. Oh, yeah, well, all kinds of problems. Their phone lines, their IP phone lines, they were down. Their online bill payments were affected. People couldn't even buy and sell their houses. Even surveillance cameras run by the police around the city were affected.
CAROLE THERIAULT. Ooh, okay. So basically they were just offline effectively. They were knocked offline. Would that be fair?
GRAHAM CLULEY. They were basically knocked offline. And I'm sure they actually took down some of their own systems while they were trying to recover. So they kept in place the absolute emergency systems. They seem to manage to keep those up and running.
CAROLE THERIAULT. Well, like 911.
GRAHAM CLULEY. Yeah, exactly.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. But more or less everything else was disrupted by this. And the thousands of workers who work for the city there, they started using their own laptops, their own personal email addresses, like, oh, I'll just email from Yahoo. Others were using old-fashioned pen and paper.
CAROLE THERIAULT. Yeah, but there's a lot of things going on in a city, right? There's all kinds of counseling going on and there's police work and there's traffic problems.
GRAHAM CLULEY. Oh, yes.
CAROLE THERIAULT. And so I can understand why users—
GRAHAM CLULEY. Passports. You need to go out and buy things for meetings. Yeah, all kinds of nonsense.
CAROLE THERIAULT. But I can understand why government employees would feel responsible for trying to stay online and fix these problems. And I can see why they would go and use their own personal email addresses and all that, which is, you know, a huge security risk in itself. You know, we can go into that as well.
GRAHAM CLULEY. And I'm not going to be actually talking about that potential issue in this case, because I think in dire situations, sometimes you have to try and work out what the best thing is to do to get the best outcome. But anyway, in a news conference, the company's chief security boss, right?
CAROLE THERIAULT. Right.
GRAHAM CLULEY. Chief cybersecurity, information security guy. A guy called— you'll like this— his name is Frank Johnson.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. I know you're very keen on the name Frank.
CAROLE THERIAULT. I am.
GRAHAM CLULEY. Yeah, it's a great name, isn't it? Anyway, he explained just how hard it is to keep ahead of the cybercriminals.
CAROLE THERIAULT. In a news conference this morning, the city's chief information officer said it was unclear when the computer network would get back in use. Federal investigators asked the city to stay tight-lipped about details of the hack.
GRAHAM CLULEY. Unfortunately, there's a race between bad actors in the cybersecurity industry. Just once they know how to mitigate and keep bad things out, the bad guys go one step ahead of them and we're in this vicious race. Now, what made things worse and more difficult in this particular case is, like I said, the mayor said he's not going to pay up, right? But Baltimore didn't have any insurance against cyberattacks.
CAROLE THERIAULT. I wonder how, that's a really good point. I wonder how many government entities or state-run or city-run municipalities actually have insurance.
GRAHAM CLULEY. Well, I don't know.
CAROLE THERIAULT. I'm sure it's on the up. I'm sure it's a big moneymaker now for the insurance industry, certainly. Though they do have big heavy payouts, I suppose.
GRAHAM CLULEY. I think more and more organizations do have some form of cyber insurance these days, simply because ransomware and other attacks are becoming more common. In this particular case, they didn't have it. And so it seemed that it was quite likely it's gonna cost the city much more than $70,000 that the hackers were demanding to restore their data from backups and get systems safely back up and running again. But at least they had backups. At least they were able to recover eventually.
CAROLE THERIAULT. That's not really the point of backups though. That shouldn't cost 70 grand to get it back up and running again. I can imagine most organizations that would be probably true, but—
GRAHAM CLULEY. There's different costs, aren't there? So, I mean, there's both the actual expense of restoring the backup, but there's also the expense of the downtime and the work which didn't happen.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And giving people overtime to come in, rebuild servers and things like that.
CAROLE THERIAULT. So, yeah, yeah, that's fair.
GRAHAM CLULEY. That's fair.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. And it wasn't as though they hadn't thought about insurance. In fact, Frank, our hero Frank, the info security chief, he had warned back in 2018 for the need for Baltimore to get cyber insurance on the budget, but the city had decided not to go for it. And they also didn't include other things which were recommended, like expanding staff security training to maybe protect them against threats from like ransomware, prevent users from clicking on things or dodgy links, and other improvements to the IT infrastructure that are being called for. So they hadn't done that. And Frank had been pushing for that.
CAROLE THERIAULT. That's interesting because wasn't it in Trump's budget? That was one of the only areas that had got an increase in funding was the cybersecurity arm.
GRAHAM CLULEY. Oh, really?
CAROLE THERIAULT. Yeah. So that's interesting that cities, municipalities didn't get a big chunk of change to help them fix their systems.
GRAHAM CLULEY. Yeah. Russia, if you're listening, we've increased our cybersecurity spending, I guess was the message he was giving out there. Now, the good news is that not all of the city systems were actually run on its own computers. And so some escaped the attack. For instance, Baltimore's main website was actually hosted on Amazon Web Services.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. So it's in the cloud, basically.
CAROLE THERIAULT. Like lots of companies do.
GRAHAM CLULEY. Yeah. And it was run by a contractor, although, oh, about a week after the ransomware attack, the website nearly disappeared, but not because of hackers. It nearly disappeared because the contractors who were running Baltimore's main website hadn't been paid and the contract had expired. Oh, so Baltimore had failed to be paying them. So the website was very nearly lost.
CAROLE THERIAULT. So Baltimore are in a bit of a pickle. They're not operating at full capacity here. If they make a mistake, they're making.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Okay.
GRAHAM CLULEY. They're having a few problems. Yeah. A little bit of a headache, but I'm sure Frank's got it all covered. Right. I'm sure Frank's all right. So now all these unexpected costs, like recovering from a ransomware attack, they've gotta be paid somehow, haven't they? You don't just find money down the back of the sofa.
CAROLE THERIAULT. I do.
GRAHAM CLULEY. Do you?
CAROLE THERIAULT. Yeah. Well, you know, my husband lies there a lot, so yeah, I do. Money falls out of his pockets. It's my daily coffee. Yeah.
GRAHAM CLULEY. Well, in Baltimore's case, they transferred $6 million, whoa, from a fund which they had to improve parks and public facilities to cover the recovery from the ransomware attack and hardening the security. That's obviously a lot more than the $70,000 that the extortionists wanted.
CAROLE THERIAULT. Okay, but I don't know if that's very fair because even had they paid the 70 grand and got all their files back, they would probably still have transferred money from the park and public facilities to cover hardening costs.
GRAHAM CLULEY. Yes. To better secure.
CAROLE THERIAULT. So I don't think it's fair.
GRAHAM CLULEY. I think probably they probably did need to do that. That, that's true.
CAROLE THERIAULT. So it might've been 5 million instead of 6.
GRAHAM CLULEY. But let me dig a little bit deeper into this story because this is what I caught in the Baltimore Sun. And this is what has brought me back to this story from earlier this year. It's a story about the city's IT department. You see, the city set up a council committee wanting to know how well the IT department was performing. If it was reaching its goals in modernizing the infrastructure, you know, following concerns raised by the ransomware attack.
CAROLE THERIAULT. Uh-huh. Okay.
GRAHAM CLULEY. And so they asked for all kinds of data and performance metrics.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. And the IT department said, uh, computer says no. Can't deliver that.
CAROLE THERIAULT. Why? Because they weren't collecting any information? They didn't have logs?
GRAHAM CLULEY. Oh no, they were collecting data. It's just that they weren't backing it up. What had been happening was they'd been storing the data on their local hard drives. They never backed up their data to a server or to the cloud.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. So it turned out that this wasn't the only data which was regularly being just saved to their local hard drives rather than to the cloud or rather than to an external hard drive. They basically didn't appear to have very much in the way of any kind of backup infrastructure.
CAROLE THERIAULT. And this is since the attack.
GRAHAM CLULEY. So this has been, this has been going on since the ransomware attack and was occurring at the time of the ransomware attack as well. So when the mayor said, "We're certainly not going to pay the guys who've extorted us," and when Frank Johnson was appearing in front of the media as the security chief, talking about how the bad guys keep on getting better and, you know, it's a constant battle. Well, maybe one of the things which they should have considered was, do we actually have any backups?
CAROLE THERIAULT. The IT guys must have known this was the case.
GRAHAM CLULEY. Well, they must have known. And why wasn't it fixed? Or why was he unable to convince the people who held the purse strings that it would be quite a good idea to do offsite backups of some fashion?
UNKNOWN. Crazy.
GRAHAM CLULEY. So they said to Frank, your buddy Frank, they said, you know, you were on the front line during the ransomware attack. You lobbied for cybersecurity insurance. You know, you did all these things, but why wasn't this data being backed up? Now, all he was able to do was send a statement in saying, you know, he promised that this would be improved, but he was currently on extended leave and was unlikely to return. So basically they kicked out Frank.
CAROLE THERIAULT. Well, we don't know that. Maybe Frank is sick.
GRAHAM CLULEY. Well, he apparently lost the confidence of the city.
CAROLE THERIAULT. So basically you're saying to me, Jack—
GRAHAM CLULEY. Mayor Jack—
CAROLE THERIAULT. Mayor Jack threw cyber Frank under the proverbial bus.
GRAHAM CLULEY. If the buses had been running at the time, yes.
CAROLE THERIAULT. Had the buses been running?
GRAHAM CLULEY. Maybe they weren't. Maybe the schedule was bad.
CAROLE THERIAULT. Maybe the schedule was all bad, which is why he got run over.
GRAHAM CLULEY. And some in the media have been pointing out that before becoming Baltimore's Cyber Frank. Poor old Frank. What was his previous job? Well, he was a VP of sales at Intel and had no IT operations experience.
CAROLE THERIAULT. Oh, so it feels a bit like a scratch your back. Yeah, you can have this job, buddy. Come on in, Frank.
GRAHAM CLULEY. No worries. Hey, you're good with computers. You shuttle them. Maybe you can look after them for us.
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. It's a pretty sorry story. And I think it's all very well saying to the ransomware guys, look, we're not going to pay up, but if you don't have any backups, if you haven't got a backup infrastructure in place, maybe that's not the right decision to make. Now, Ars Technica, they asked Baltimore for information about how patching was going, uh, whether there were any disaster recovery plans which existed, right?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. All the basic Security 101 questions, right?
GRAHAM CLULEY. But, uh, they haven't been able to get a response because apparently the documents don't exist. Because they were lost in the ransomware attack and weren't backed up.
CAROLE THERIAULT. This is not just like one screw-up from one individual. This seems like a kind of consolidated mass of screw-ups.
GRAHAM CLULEY. In all, it's believed the attack will have cost at least $18.2 million. Well, and much as I hate the idea of paying the ransomware baddies, maybe it might have made sense to have spent some of that money getting the data back and then securing the systems.
CAROLE THERIAULT. I mean, the way politics are going now, it wouldn't be a surprise that, you know, there's actually a money trail that follows through here on who actually capitalized on this huge payment.
GRAHAM CLULEY. Oh, you mean where the $18.2 million ends up?
CAROLE THERIAULT. Where did that go?
GRAHAM CLULEY. You're so cynical, Carole.
CAROLE THERIAULT. Oh, you just should do more homework.
GRAHAM CLULEY. Just everything's a conspiracy.
CAROLE THERIAULT. I can't help it. I'm asking the question no one wants to ask.
GRAHAM CLULEY. You're probably thinking, think it's Nessie, don't you? Or the Sasquatch.
CAROLE THERIAULT. I just— yeah, no, it's just, it's just a shocking story, actually. It's a— I think listeners will be shocked as well. You kind of expect a city to operate at a higher level of security.
GRAHAM CLULEY. Just have a bloody backup. That's all we're asking for, Baltimore.
CAROLE THERIAULT. No, please, all we're asking for—
GRAHAM CLULEY. back it up, back it up, back it up, and encrypt your data. So Carole, what have you got for us this week?
CAROLE THERIAULT. Okay, I know I bang on all the time about home assistants, right? Just a few episodes ago, I talked about the latest whacktastic always-on listening gadgets.
GRAHAM CLULEY. Whacktastic?
CAROLE THERIAULT. You remember that Ring that both had a microphone, a speaker in it? I mean, please.
GRAHAM CLULEY. Oh yeah.
CAROLE THERIAULT. Anyway, many people poo-poo my views on these home assistants. You know, who cares what they hear? You know, these assistants are so convenient.
GRAHAM CLULEY. You mean these smart speaker things? Yeah. That's what you're talking about.
UNKNOWN. Yeah.
CAROLE THERIAULT. That's what they're called, home assistants. I'm sure you know that.
GRAHAM CLULEY. I just call them dinguses.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. I think that's the best name for them, dingus.
CAROLE THERIAULT. Do you? Okay. Well, you just do that mental translation every time I say the word. So people telling me all the time how cool they are, blah, blah, blah. And I, you know, or they say, yeah, I know, I know they do collect information or they're not great, but they keep using them, right? They leave them plugged in all the time.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So this story is for the guys out there that have these devices in their houses. And are choosing not to secure them. The deniers, I'm going to call them.
GRAHAM CLULEY. And I bet lots of our listeners, even though they are obviously the finest, most smartest listeners and probably considering becoming patrons of us, I bet a large percentage of them do have these smart speakers in their homes.
CAROLE THERIAULT. Oh, sure. There are loads of people that I would say are security aware with these in their houses that I know.
GRAHAM CLULEY. Yeah. Yeah.
CAROLE THERIAULT. People that have been on this show as guests.
GRAHAM CLULEY. Right. So folks should listen up to this. What are you gonna reveal about them?
CAROLE THERIAULT. So this is reported by Ars Technica. So some German researchers are raising the alarm of third-party malicious eavesdropping and phishing apps. How's that for a mouthful? On Amazon and Google Home Assistant. So the down low is this.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. It turns out that people with shady aims or, you know, digital internet hackers or attackers could have been recording the things you say near your Google or Amazon device, all without your knowledge, and even dupe you into giving away your username and password.
GRAHAM CLULEY. I am shocked. Are you suggesting that if we bring an internet-connected device into our homes which has an always-on microphone, that somehow that might actually snoop upon us? And it may be bad for security. This is, this is going to make headlines.
CAROLE THERIAULT. Yep. Not bored of that joke yet. Not bored at all.
UNKNOWN. Okay.
CAROLE THERIAULT. But this is what's interesting about this. This is not people employed by Amazon or Google that are hearing snippets of your conversation.
GRAHAM CLULEY. Right. Because that has happened before.
CAROLE THERIAULT. Exactly. We've read about that in the press, right? We've talked about it in our show. This is about third-party apps. These are apps that are called, on the Amazon device, they're called the skills apps. And on Google Home, it's called actions, right? So these are the apps that work with those home devices and assistants. And not all those apps, it turns out, do what they say on the tin. So researchers at Germany's security research labs developed a handful of apps for Amazon and Google Home Assistant.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. All of these apps passed the initial vetting services from Google and Amazon. These are services that are always telling you how trustworthy and how great they are.
GRAHAM CLULEY. Yeah. Rigorous checks. Yes.
CAROLE THERIAULT. Rigorous.
GRAHAM CLULEY. Yeah, that's right.
CAROLE THERIAULT. Rigorous, rigorous checks. Rigorous checks. So one of these apps posed as a random number generator because that's what you want on your Alexa and Google device.
GRAHAM CLULEY. I can't think of a random number. Alexa, can you help me?
UNKNOWN. Okay.
CAROLE THERIAULT. Yes. And 7 of these apps were basically horoscope-based.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So this is how the researchers were able to show that attackers could be using this method to steal information. Okay. So, so you decide you want to be, you want to use this My Lucky Horoscope. That's the name of the app. And you sign up and say, fantastic. And you have this app, right? So you wake up in the morning and you might go over to your device.
GRAHAM CLULEY. Should I even get out of bed? I'm thinking.
CAROLE THERIAULT. No, of course you don't have to get out of bed.
GRAHAM CLULEY. No, but I'm wondering if my horoscope even says it's worth it. It may just say don't even weather today, Graham?
CAROLE THERIAULT. Exactly. So you wake up, right? You open your eyes and you go, yo, yo, Alexa, you know, or Google, ask my lucky horoscope to give me today's horoscope.
GRAHAM CLULEY. All right, yes.
CAROLE THERIAULT. And it will say, what's your sign? Probably. And you'd say, what are you? I don't even know what you are.
GRAHAM CLULEY. I'm actually— no, I'm Aries. I'm Aries, the ram.
CAROLE THERIAULT. That explains so much. Now, the home assistant starts reading out the horoscope and the user is satisfied with the task and goes off to do other things, right? You might go call the kids or fight or love the spouse or burst into songs or start talking to yourself in your case, whatever. And the researchers saw that the app only appears to have completed its task. In actual fact, it stuck around for a while listening. Not only could it listen to the things you were saying, but it could also send the transcript of that information directly to the attacker. Now the phishing apps, when the user requested a horoscope reading, for example, it would respond with an error message like, "This service is not available in your country," or something like that. And then the app creators added on, tacked on at the end of that message, 1 minute of silence. That's something that should not be possible according to the researchers. And they go on to show how it could be exploited, that extra time. So for example, an attacker could include a message like, "Your device needs an update. Please confirm this action with your Amazon or Google password." Ah, so that isn't a legitimate notification of an update.
GRAHAM CLULEY. That is the bad one provided by the malicious app.
CAROLE THERIAULT. That's right. So you're sitting there and I don't know, I think, you know, 1 in 4 people apparently in the UK and the US have one of these devices in their houses, right? So how many people, if you suddenly heard in the proper voice, please confirm your, you know, your Amazon password because to update your device, I think a lot of people would go, yeah, sure, here's my password.
GRAHAM CLULEY. Well, absolutely. And the fact that it is using the Amazon or the Google Home voice means that people, I mean, it's a little bit like your computer putting up a fake message saying, you know, there's an update to Adobe Flash or something. But it's going to be so much more convincing because you're not used to having fake updates. And so you would— so the idea is that you would then, what, you say your password?
CAROLE THERIAULT. You'd go, "Ah, Jesus Christ, oh, where'd I put my password? Okay, hold on." Password 123. And go read it out.
GRAHAM CLULEY. Hunter 2.
CAROLE THERIAULT. Yeah, I was gonna say C-A-T. And then of course, if you don't have any multifactor authentication on your Amazon or Google account and they ask you just to verify your full email address, your guess, you might be entering Scroogeville, right?
GRAHAM CLULEY. This isn't good.
CAROLE THERIAULT. Let's just tie this all together here. The researchers were able to show that the apps with malicious intent got past the initial vetting process, right? Ran on legitimate devices and sent private audio to the researcher who was purporting to be an attacker. Now, Fabian Bräunlein, he's a senior security consultant at SRLabs, told Ars Technica, we now show that not only the manufacturers, but also hackers can abuse those voice assistants to intrude on someone's privacy.
GRAHAM CLULEY. Yeah, because I think we were all focused on what Google and Amazon might do with this. But this has really opened it up to every Thom, Dick, and Hildegard, hasn't it?
CAROLE THERIAULT. Well, it did, but the doors have also closed shut slightly because the researchers at Germany's Security Research Labs privately reported these results of the research to Amazon and Google before they told us and the rest of the world about their findings. These malicious phishing and eavesdropping apps are no longer available, right, for the Google and Amazon Home Assistants. And both companies say they are changing their approval process to prevent skills and actions from having similar capabilities in the future. But that's just the tip of the iceberg, right?
GRAHAM CLULEY. Well, yeah, 'cause they've zapped the ones produced by these researchers, but there may be other ones which might be able to sneak past Amazon and Google's vetting.
CAROLE THERIAULT. Exactly, 'cause the way they kind of did it was quite clever. The app would get initial approval from Google or Amazon vetting services. Then the researchers would change the function calls, intents. So in other words, stop and start could do other things than just stopping or starting. They could be programmed with new functions that could cause the apps to listen or log. And I'm no developer. You'd think someone might come up with something during the hardening process and go, hey, could someone just change that function? On any app and it could screw up our entire device?
GRAHAM CLULEY. Mm-hmm.
CAROLE THERIAULT. What do you think?
GRAHAM CLULEY. I think this is quite a problem because a lot of these apps are going to be driven by the third-party servers. And it's not like you can just provide a piece of code and say to Amazon and Google, check that out and see what it's capable of doing. Because I imagine some of this could be driven by external data being chucked into it. It's not very good. I wonder if— so if the Amazon or Google device have a system message, maybe they should say it in a different accent to the messages which are played by apps. So you can't—
CAROLE THERIAULT. it doesn't have to be a different accent, it could be a different voice entirely.
GRAHAM CLULEY. Yes, you could have a Scottish voice, you know, saying, "Och, aye, it's your McGoogle device here requiring a firmware update." And then you would know. Because normally it's, I don't know, I can do a Canadian accent. I could do any accent, to be honest. The world is my lobster. But, but, you know, but I'm wondering, it feels like there needs to be a clearer differentiation between is this a message from the third party written by who knows what and what they're up to.
CAROLE THERIAULT. I think you're actually, I think that's a really good idea. I didn't think of that.
GRAHAM CLULEY. Thank you very much.
CAROLE THERIAULT. The accent thing's all yours. But I do think having a differentiation of voices between the, this is Amazon and Google speaking versus this is an app speaking would be, you know, you could have, you know, you could have two different voices that make it very clear. You can choose those voices. And at the moment there's only one, I think, that come out of the systems. 'Cause they're not, you know, these are cheap devices, right? They are basically flogging these for as cheap as they possibly can to get them in as many households as they can. And they've succeeded.
GRAHAM CLULEY. Can you buy different voices for these smart devices?
CAROLE THERIAULT. No, I don't think so.
GRAHAM CLULEY. You can't get like, you know, Peter Falk as Columbo or something?
CAROLE THERIAULT. I don't know. I don't know. Should have done more research.
GRAHAM CLULEY. I know. I know.
CAROLE THERIAULT. Okay. So advice for you deniers out there, right? For all you people that say, yeah, yeah, great crawl. Okay. These are things you can do, right? So you can limit links to external devices and personal accounts, right? You don't want to have everything tied into your little Google or Amazon device. Right? You wanna use two-factor authentication, especially on the account that is tied to your device. So if you have a Google Home Assistant, you wanna make darn sure, extra, extra darn sure that your Google accounts have two-factor authentication, which they should already have anyway. You want to manage your recordings. So remember how you were talking about how you went looking on your Google account and you found these actual audio recordings from your family? I wonder how long it's gonna be before, you know, a researcher can show that they can be scooped up, all those old recordings that are lying around in the account. So you, like, you wanna make sure you delete old recordings from your Alexa or from your Google Home device.
GRAHAM CLULEY. And another thing is Amazon and Google are never going to genuinely ask you for your password via your smart speaker, right? They're not gonna ask you shout out your credit card number, I would imagine. So no, not your password.
CAROLE THERIAULT. Please don't. Even if they do, do not do that. Now, this is a really cool idea. Would love to hear from people that actually use these devices to see if this is actually a convenient idea or not. But both of these devices have a mute button. And when it is muted, it is not— it won't respond to you. It won't respond to voice commands, but it also will not be listening. What you do is you can enable your mic when you need to use it and then turn off the mic when you're not using it. And I know it's a bit of a pain, but it's a small price to pay for the additional privacy, I think, until these things get stabilized and legislated properly.
GRAHAM CLULEY. I think a lot of people would find that a pain though, don't they? A lot of people have these in the kitchen.
CAROLE THERIAULT. Yeah, they're elbow deep in washing up and they just really need to hear Billy Idol or something.
GRAHAM CLULEY. And also, do you trust the mute button?
CAROLE THERIAULT. Well, no. Are you asking me?
GRAHAM CLULEY. I wonder whether there would be a market for like, you know how you have like cozies for teapots to keep them warm, whether you could have a cozy for your smart assistant.
CAROLE THERIAULT. A Faraday bag.
GRAHAM CLULEY. Right. And then it can't see you, can't hear you. Be wonderful, wouldn't it? Put in the cupboard box.
CAROLE THERIAULT. Yeah, no, yeah. Listen, you know what I would do? I would just unplug it and give the little bugger a bath, right? But definitely unplug it first though, otherwise, you know, you're gonna get electrocuted and I'm gonna get in trouble for that. But seriously, to my mind, these things are like gremlins, but in reverse. You remember gremlins before they got wet? They were all cute and fuzzy wuzzy. And then you give them a bath and whammo, they turn into this evil, slimy, gross monster thing that ruins your life.
GRAHAM CLULEY. Don't feed them after midnight.
CAROLE THERIAULT. And the water, right?
GRAHAM CLULEY. Oh, and the water thing. Yeah, no, yeah, that's yes.
CAROLE THERIAULT. Right, so this is the opposite, right? This is Home Assistants are gremlins in reverse. They go all passive and lovely once their electronics are unplugged and given a big old soak.
GRAHAM CLULEY. Watch out for those gizmos.
CAROLE THERIAULT. But unplug. Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on? Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps. All without needing the user to log in at every single hurdle. Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing. You don't need to say the forward slash. Ah.
GRAHAM CLULEY. So you've got an IT security team, but you want to turn them into security superstars? How can you best provide each employee with the opportunity to upskill themselves? Immersive Labs provides a cloud-based system. It's available 24 hours a day, whenever is convenient for them to learn. It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations. It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there. Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersivelabs.com/lite.
CAROLE THERIAULT. Okay, so it turns out that we are all bad people. Well, not all of us. Most of us though, because 60% of employees who quit their jobs admit to taking data. Yeah, that's why Code42 provides data loss protection for when employees quit. It can help you detect insider threats, investigate file activity, and respond before damage is done. A really cool aspect is that at any time Code42 can tell you what data lives where, when it leaves, where it goes, and who has access to it. To learn more about how you can protect your company from insider threats, visit code42.com/smashing. Patreon.com/smashingsecurity.
UNKNOWN. Now on with the show.
GRAHAM CLULEY. And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GRAHAM CLULEY. Anybody? Anybody? Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week, Kroll.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Is not security related. You'll be pleased to hear.
CAROLE THERIAULT. Thrilled.
GRAHAM CLULEY. It is. Well, I found a few different websites which were quite curious. And you recently have become something of the artist, haven't you? You've been texting me images of some of the amazing painting that you have been doing.
CAROLE THERIAULT. Um, I would only call it amazing from the, uh, uh, you know, for someone who's never put up a paintbrush before. It's early days, dude. It's early days.
GRAHAM CLULEY. I am genuinely impressed by what you've been doing. So I have gone to a website, and our listeners can as well, called zoomquilt2.com.
CAROLE THERIAULT. Okay, I'm going there right now.
GRAHAM CLULEY. Okay, now it's a little bit odd.
CAROLE THERIAULT. Two, like number two?
GRAHAM CLULEY. Yeah, the number two. Zoomquilt2.com, all one word. HTTPS, of course, we only point you to those kind of sites. And this is a webpage where you are zooming in on an image, a rather creepy, freaky, sort of spooky, peculiar image.
CAROLE THERIAULT. But you never stop zooming in.
GRAHAM CLULEY. But you never stop because the more you go in, the more the picture changes and the more you begin to see. And then you begin to see it and it's all different kinds of art forms and, oh, I'm in a cinema. Oh no, I'm entering the mouth of some kind of monster. Oh, it's actually really— it's so fast. Well, you can slow it down, Crow. With your mouse, you can even go into reverse as well. You've got a speed control.
CAROLE THERIAULT. Oh, I see that.
UNKNOWN. Yeah.
CAROLE THERIAULT. I thought that was like getting to the end to see if there was an end, but there isn't. You're right.
GRAHAM CLULEY. Right. And now it does ultimately loop around as well.
CAROLE THERIAULT. You've watched it that long?
GRAHAM CLULEY. Oh yes. Yes. And there's some others as well. There's the original ZoomQuilt2, not with a 2, ZoomQuilt as well, which does something like this.
CAROLE THERIAULT. Okay, going to look at that one. Yeah, I don't love this. This kind of makes me— oh, it says, oh, don't go to zoomquilt. Oh, hang on.
GRAHAM CLULEY. Have I got the name right?
CAROLE THERIAULT. Whoa, back out, back out.
GRAHAM CLULEY. Oh no, no, no. The original one is zoomquilt.org. Don't go to zoomquilt.com, whatever you do. Zoomquilt.org is the original one.
CAROLE THERIAULT. You're right.
GRAHAM CLULEY. There's a nice one called Arkadia with a K dot XYZ. That's quite a nice one. You might like that one more actually. Go to Arkadia.
CAROLE THERIAULT. This is basically like looking into my husband's belly button. Exactly.
GRAHAM CLULEY. Yeah. But you're never—
CAROLE THERIAULT. This is what I imagine what would happen if I suddenly got sucked in there. This is where— this is what would happen. Yeah.
GRAHAM CLULEY. Anyway, so—
CAROLE THERIAULT. He doesn't listen. Doesn't matter.
GRAHAM CLULEY. I don't know quite— I don't quite know how they did this. So I'm quite intrigued as to how on earth they did this. Like I said, they do ultimately loop round. But I think, you know, I was just thinking about your artist's brief. It's jolly clever. It's jolly clever. And I thought, oh yes, well, you know, if you were to have a screensaver or something like that, or something up on your TV rather than just watching people playing snooker, then maybe you'd want to put up something like this. Arkadia.xyz. Arkadia with a K as the third person.
CAROLE THERIAULT. You know what? Go to the show notes and get the link.
GRAHAM CLULEY. Go to the show notes. You'll find them all up there. That's a little less trippy. But I imagine this is a little bit like what it's— if you were to take LSD, I imagine it's something a bit like this.
CAROLE THERIAULT. Oh, really?
GRAHAM CLULEY. I don't know. I've only just started drinking normal tea.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. I probably will never discover, but I imagine this is the kind of— any opinions, Crowl?
CAROLE THERIAULT. Nope. No, pass. I'm passing on that one.
GRAHAM CLULEY. Yeah, yeah. Okay. Okay. All right. So, yes. So there you are. Zoom Quilt and Arkadia.xyz is my pick of the week. Crowl, what's your pick of the week?
CAROLE THERIAULT. Well, I am going to talk about a YouTube channel. Oh yes, called Historia Syphilis.
GRAHAM CLULEY. Syphilis.
CAROLE THERIAULT. Syphilis.
GRAHAM CLULEY. There was a lot of it around in the past.
CAROLE THERIAULT. Links in the show notes. This is for people like me who know sweet FA about Roman and pre-Roman history. Um, Caesar, do you know anything about Roman elections? Do you know anything about Seneca?
GRAHAM CLULEY. Most of what I know probably comes from either Asterix books or watching I, Claudius on TV back in the 1970s, which was—
CAROLE THERIAULT. Right. So I read all of the Asterix books. I was a diehard fan. I would still say that I knew nothing about the constitution of the Spartans.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. All right. Okay.
GRAHAM CLULEY. Yes.
CAROLE THERIAULT. This is like, this is very educational, but it's done in a super cute way. So the video is almost like a board game. And talking about different people are represented with little blocks, and they kind of dance around the screen as the person gives the lecture on whatever— Caesar in Gaul, the revolt, right? Or Cicero, his year, 63 BCE. So there's all these kind of really interesting little history windows that, you know, they run about 20 minutes a pop.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And you can learn a lot, and they've done it in a very cute, refreshing way. And he speaks very precisely and slowly and says every single word clearly, which I think is great because it must make it useful on a much wider, more broader audience, right? People with, you know, that might have more difficulty with English could totally follow this as well.
GRAHAM CLULEY. I have watched one of, or some of one of these, and he does have a rather unusual vocal delivery, doesn't he?
CAROLE THERIAULT. Okay, but let me tell you what I learned. Okay, so in Sparta, unlike other places where if a man died, his son would get all his wealth and fortune, but here the women, the wives, got the money.
GRAHAM CLULEY. Okay, sounds reasonable.
CAROLE THERIAULT. And you think that sounds reasonable because today that's what normally would happen, except men died super young because they were all in battle, right? Right. So they die young, wife gets all the money, then she marries again, guy dies again, she gets all the money, she passes on that money to her children. Equally to the— say she has a daughter and a son, for example.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. And then that daughter starts off with quite a nice little package, and she marries and gets the money, and she marries, gets money. So apparently women were not allowed to vote, weren't allowed to do anything political or make any decisions.
GRAHAM CLULEY. They were loaded.
UNKNOWN. But they were loaded.
CAROLE THERIAULT. They were more loaded than the two kings. What? They were like Spartan heiresses or something like that. Anyway, places like Rome were really scared of these women, right? They were really, really rich, but they weren't very powerful because they weren't able to vote and they weren't able to get in and make decisions and policy.
GRAHAM CLULEY. But sure, but if they had lots of money, couldn't they tell other people how to vote?
CAROLE THERIAULT. So watch the show, watch the show. Anyway, I think it's great. I think he's done his homework. I think he's done it in a very controlled fashion, and it's a refreshing but educational take. So check out Historia Civilis. I will— not syphilis, not syphilis, folks. Starts with a C.
GRAHAM CLULEY. I'll put a link in the show notes for everybody and check it out. Well, that just about wraps it up for this week. You can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can also continue the discussion with us on Reddit. You can join us up there. Just search for the subreddit, the Smashing Security subreddit.
CAROLE THERIAULT. Again, to this week's Smashing Security sponsors, Code42, LastPass, and Immersive Labs. Their amazing support helps us give you this show for free. And thank you, wonderful listeners and supporters.
GRAHAM CLULEY. But don't hit pause just yet.
CAROLE THERIAULT. No, Rachael's coming. Rachael's coming. Exciting time. After the music, we are going to hear from Rachael Stockton, who's talking about a brand new report from LastPass. You can check out this report at smashingsecurity.com/lastpassreport, and we'll bring you right to it. Okay, take a listen.
UNKNOWN. Something weird is happening.
CAROLE THERIAULT. One sec.
UNKNOWN. Something weird is happening. I hope I'm not being thrown out. Everything's frozen. Hold on. Yeah, you still hear me?
CAROLE THERIAULT. Yep.
UNKNOWN. Okay, we're good.
CAROLE THERIAULT. Sorry. That's great. That's actually a cute beginning.
UNKNOWN. Great. Oh, great. Everything's frozen. Can you still hear me?
CAROLE THERIAULT. Great.
UNKNOWN. Let's do this.
CAROLE THERIAULT. As you can hear, the delightful and insightful Rachael Stockton of LogMeIn, the company behind LastPass, is with us for another special interview. Thank you so, so much for making the time to chat with us. Between us, it's a bit more fun than one of the meetings, right?
UNKNOWN. Don't even get me started. I'm totally going to send you this meme, and I want you to put this up by this discussion. But yes, it is, it is 100% more fun.
CAROLE THERIAULT. Now, you guys just put out some research, and I was hoping to get your kind of special insight on it because you obviously, you have the inside scoop.
UNKNOWN. Yeah, definitely. By using data from over 47,000 organizations, we've been able to really understand different trends that we're seeing, password management, different trends that we're seeing when it comes to multifactor authentication, and how these really differ from businesses who are smaller, let's say less than 1,000 employees, $10 million and higher, so bigger businesses. So yeah, it's very cool to be able to use what people are doing to be able to help others learn.
CAROLE THERIAULT. And use you do. This is a beefcake of a report coming in at a whopping 42 pages. This must have taken some time to compile.
UNKNOWN. I'll tell you, our machine learning team was incredible on this, and it's really helped us gain a lot of insights.
CAROLE THERIAULT. Oh, that's kind of cool. Now, in the introduction, you guys write, quote, we want to help IT and security professionals understand the greatest obstacles employees face when it comes to passwords. So I thought this was a good place to start.
UNKNOWN. They're very similar to what we've seen actually year over year, which is the number of passwords that are expected and how hard it is to remember all of those. That has not really changed too much over time, and I think that is one of the biggest challenges that employees face. We have seen some very interesting things this year though, in a difference between um, small businesses and, and larger businesses in the number of passwords and some of the things and negative things that come from that, like password reuse.
CAROLE THERIAULT. I'm guessing that password reuse is one of the biggest, um, problems that you're still facing in password world.
UNKNOWN. Yeah, it definitely is on a personal, you know, for personal users, but in the businesses too. And you can't forget there's a lot of overlap between personal and business passwords.
CAROLE THERIAULT. And now of course people have way more, uh, sites to pay attention to than ever before, right? There's a lot more user logins that they have to dig out, and why not use the same password all the time? Because it's easier to remember.
UNKNOWN. Definitely. So what we found when we looked at businesses today, people in small businesses have on average 85 passwords that they need to remember. And so think about just all of those little systems. And we found that small businesses— and this not that small, organizations 1,000 employees and below, they reuse about 10 to 14 passwords. Really? And yes, and so, you know, that's what, like 15% of all their passwords are reused. But here's the interesting thing, larger organizations greater than 1,000, they have decreased the number of passwords that employees need to use down to 25. And with that, about 4 of them are reused.
CAROLE THERIAULT. I'm going to guess why that is.
UNKNOWN. Okay, okay, ready? Hold on.
CAROLE THERIAULT. Drum roll. I'm going to guess that's because big companies, enterprises can afford consolidated enterprise solutions where maybe you can have a single sign-on to all the options within that service.
UNKNOWN. You are 100% right.
CAROLE THERIAULT. Boom.
UNKNOWN. Boom. Totally. Yes, I believe so too. I mean, we found that about 50% of organizations are using SSO, but the vast majority of those are larger organizations. And what's interesting, and I think we've talked about this before, is this doors and windows concept. Yeah. You know, single sign-on is exactly what that is. I mean, everybody listening understands that. It's one place for all your employees to be able to access the applications that you care most about. And while that sounds super easy, there's an incredible amount of integration that has to go on to have that be seamless. And that is an incredible amount of work for IT. So that ability has to be very easy, but that does take away the number of passwords that somebody needs to remember.
CAROLE THERIAULT. And this kind of explains why small businesses are sitting ducks when it comes to things like ransomware or social engineering attacks, because they have too many accounts to remember. They're, of course, reusing passwords and they're not all using password managers.
UNKNOWN. It's true. And remember what we talked about last time? Even your listeners came back and agreed. The general IT manager in a small-medium business, their back is up against the wall. They have so many things to do. So figuring out how to solve these problems in a world that's changing very quickly is hard. And the risk is huge. You mentioned ransomware and things like that. The latest Verizon data breach report, 43% of all attacks are on SMBs. And I believe it was in CISA, and CISA is the month, 60% of those SMBs that get attacked go out of business. So this is serious stuff.
CAROLE THERIAULT. Yeah, you just don't have the resiliency to bounce back if you get hit by something like a piece of ransomware, for example. You just don't have those reserves if it's as a smaller business. Okay, so they have all these passwords, um, they don't have the same IT resources, and they don't have the same budget. What advice do you have for small businesses, IT guys, and companies that want to be more resilient against against these threats?
UNKNOWN. I think one of the biggest things to really think about are what are behaviors that you can enforce? And if you're going to invest in something, ensure that you know how you could be able to fully roll it out. When we look at the windows and doors, the passwords with SSO that you're going to centralize with SSO, and then the passwords that you don't have as much control over, those applications that people either bring in or just really on top of priority for you to integrate. Looking for a solution that's easy to use, but does both of those because there's no point in really just doing one or the other when you can do both. But it has to be easy and it has to be able to be rolled out successfully.
CAROLE THERIAULT. If you can have your cake and eat it, why not, right?
UNKNOWN. You definitely can. But here's the other thing. It does not have to be done all at the same time.
CAROLE THERIAULT. Right.
UNKNOWN. You know, you can sort of take it piece by piece or bite by bite in your metaphor.
CAROLE THERIAULT. So let me get back to the report for a second. It's not all doom and gloom in this report, is it? Your findings show that multifactor authentication use is on the rise. I read up 12 percentage points over last year.
UNKNOWN. So about 57% of the organizations who are using LastPass are using multifactor authentication, and that's great. That increase is important because the fact is, whether it's a password manager or single sign-on, when somebody gets access to either one of those, they have the keys to the kingdom. And so best practice is always to protect with multifactor authentication. But even bringing that back to the small-medium business I mean, that's a place still where, you know, less than a third of organizations are protecting their business with multifactor authentication. And I think that could be a very, very quick win for some of the listeners out here. I remember talking to some customers recently at an event that we held, and one of the things that they were challenged by with multifactor authentication was still like getting it by the users. Always comes up. Back to that. And I do think that, you know, if you've looked at solutions a year ago, that a lot of things have changed. There's a lot of different things out there that'll enable biometrics, simple ease of use, and so it might even be time to reevaluate.
CAROLE THERIAULT. Why do you think this— there's a steep rise in the use of multifactor authentication now? Regulations and things like the Privacy Act and GDPR and the constraints that that's putting on some businesses? Do you think that's kind of forcing the hand of some companies that might otherwise be turning a blind eye to the cybersecurity risk?
UNKNOWN. It's interesting. You have like government and regulations pushing down, but you also have multifactor authentication taking more of a natural place in a consumer's life. So, there's even more of bringing that to work and, you know, now you authenticate to applications like you authenticate into your phone every day. So I think that it's actually both. And who knows, who knows what will be, you know, 5 years from now, 10 years from now when it comes to gaining access and proving you are who you are.
CAROLE THERIAULT. That's why I love working in this industry so much, really. Um, just a pivot, but I just love how fast it moves. Like both the, you know, the, both the good side and then the bad side tries to keep up and the good side gets ahead and it's just, you know, there's a little bit of excitement. There, isn't there?
UNKNOWN. Oh yeah. I mean, this is real. I mean, what we do, what your listeners do, what my company does and the other tech companies do, I mean, we really are trying to make a difference and protect organizations and protect economics. And, you know, this is real stuff. This is a real risk.
CAROLE THERIAULT. Now, one thing I found in your report I wanted to ask you about just before we go is that you broke down the use of multifactor authentication by country. So, the leader of the pack, the top performer, was Denmark, and still Denmark couldn't boast more than 50% of businesses using multifactor authentication. So, there's still a long road ahead, don't you think?
UNKNOWN. Yeah, I definitely think. And even if you look down the top 5, I think, let me even look, 8, they're non-American. They're Denmark, Netherlands, Switzerland, which I think goes right back to your point about regulations. And I mean, GDPR had a huge impact on these countries and the US as well. But I think we really see that here. And yes, it not being over 50% is very interesting. And it does say there's still a lot of work to do to understand why not. And then both ways, how to make it easier to implement, more cost-effective to implement, and make sure people understand why they have to.
CAROLE THERIAULT. Okay, and finally, and finally, I know you have to go, but what are the kind of 3 top takeaways you'd have for any IT guy or gal out there who needs to get a better handle on their cybersecurity and, you know, get their guys educated?
UNKNOWN. You know, you need to make a plan. Like I said, you have to take this bit by bit, particularly if you're in a smaller company. Um, so, you know, you have to look broadly, do some learning, um, but then make a plan. And so with that, you know, I think first steps there really are thinking about what's that lowest common, you know, what's that lowest hanging fruit. And I think one of the first things you can look at is what are the things that you can be protecting more with multifactor authentication of your systems, what are they, and, you know, find that. And then I think the second piece is how do you close those doors and windows. With multifactor authentication, you kind of put like this huge lid on everything, but there's so much work you need to do behind the scenes. So those are the three that I would look at. Make a plan, look at multifactor authentication, and then look at how you're going to be sort of consolidating access to simplify for your employees.
CAROLE THERIAULT. Thank you so, so much for making the time to come on the show once again. We love having you on. Listeners, if you have any thoughts on what Rachael and I have discussed today, do tweet us and tell us your thoughts or ask your questions.
UNKNOWN. This—
CAROLE THERIAULT. I was gonna do a CyberWire sign-off. It must be—
UNKNOWN. Do you feel— I feel like total multiple personalities sometimes.
CAROLE THERIAULT. Yep.
GRAHAM CLULEY. Yep. Yep.
CAROLE THERIAULT. Thank you, Rachael, so much.
UNKNOWN. Thank you so much.
GRAHAM CLULEY. Nice work, Carole. Very interesting hearing that.
CAROLE THERIAULT. Don't sound impressed. What? You always sound so impressed, like, oh, Carole, you did a good job there.
GRAHAM CLULEY. Wow. I don't think I always sound impressed, Carole. I don't think you can say that.
CAROLE THERIAULT. You don't always sound impressive. That's what I'm going to say.
GRAHAM CLULEY. So remind me again where I can download this report from.
CAROLE THERIAULT. You can get it from smashingsecurity.com/lastpassreport. Boom.
GRAHAM CLULEY. Lovely. Until next time, cheerio. Bye-bye.
UNKNOWN. Bye.
CAROLE THERIAULT. Don't be a stranger. Find us on Patreon.
GRAHAM CLULEY. Speak next week.
CAROLE THERIAULT. Week. Okay. What?
GRAHAM CLULEY. Okay.