
188: Dinner with Elon Musk and Kris Jenner


Who stopped Twitter's hackers from stealing more money? Why are Covid-19 researchers being told to ramp up their cybersecurity? How can you find out if your smartphone is infected with stalkerware? And who does Graham think he is turning down a celebrity dinner invite?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Lisa Forte.

Visit https://www.smashingsecurity.com/188 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Lisa Forte.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. Hi, before we kick off this doozy of a show, I just want to digitally high-five some of our amazing Patreon supporters. So huge thank you to Zach Daskill, Thom Turner, George Sarkov, Andy McClelland, David Bittner, Emil Tragberg Jensen, Xylar, David McConnell, Ragnar Carlson, Amanda. Thank you all. If you want to join our Patreon community, check us out at smashingsecurity.com/patreon. On with the show.


GRAHAM CLULEY. Do you remember the Winklevoss twins? They were the guys who were in the early days of Facebook. If you've ever seen that movie about Mark Zuckerberg, is it called The Social Network or something?


CAROLE THERIAULT. I have, but I don't remember them.


GRAHAM CLULEY. There's a couple of CGI twins. Well, one of them isn't CGI. Well, I suppose neither of them are CGI, but they've been added in. They've been made twins through computer. There's a couple of twins. They're very rich.


CAROLE THERIAULT. There is one pair of twins.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Not a couple of twins. That's 4 people.


GRAHAM CLULEY. That's correct.


LISA FORTE. Oh my God.


UNKNOWN. Smashing Security, episode 188. Dinner with Elon Musk and Kris Jenner with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 188. My name is Graham Cluley, and I'm Carole Theriault, and this week we are joined by returning guest, it's Lisa Forte, everybody. Yay!


LISA FORTE. She's back! She is back.


CAROLE THERIAULT. How you doing, Lisa?


LISA FORTE. I am just, yeah, I'm just all over everything. It's amazing. Yeah, no, I'm loving lockdown. It's great. It's been brilliant.


GRAHAM CLULEY. And you're still pumping out those rebooting videos, aren't you?


LISA FORTE. Yeah, yeah. And Graham, yours was a big, big hit.


CAROLE THERIAULT. People, you know, tell us about them.


LISA FORTE. So I decided to do something that was about interviewing people about interesting stories, and the concept was that we can all learn from different people. And anybody you meet in life, whether they're a sporting personality or whether they're Graham, you can—


CAROLE THERIAULT. Sorry, you interviewed Graham?


GRAHAM CLULEY. I am a sporting personality. Are you? Just for clarity. Yes, chess. Chess.


CAROLE THERIAULT. Is that a sport?


LISA FORTE. It's not a sport. Is it? I can imagine him stretching beforehand so he doesn't pull a muscle.


CAROLE THERIAULT. He has the strongest thumb and index finger in the world.


GRAHAM CLULEY. Okay, I think you'll find the Olympics Committee are seriously considering it to be a sport.


CAROLE THERIAULT. Well, when they do.


LISA FORTE. Yeah, exactly. When they do, come back, we'll do another episode.


CAROLE THERIAULT. Yeah, yeah. So, yeah.


LISA FORTE. Yeah, so the idea was you can learn something from everybody in the world, basically, you come into contact with. So I wanted to have something that would allow everyone to reboot and learn something new from people. And it's ended up being great because we've had mountain climbers, we've had pen testers, we've had Grahams, we've had— Chris had Maggie, and it's been brilliant and we've learned a lot and they've been really good episodes, and Graham's was hilarious, and as usual, I just spent the whole time laughing.


CAROLE THERIAULT. So, oh, there you have one fan, Graham.


GRAHAM CLULEY. Yeah, that's good. Carole, what have we got coming up on the show this week?


CAROLE THERIAULT. Uh, first, thanks to this week's sponsor, LastPass. Its support helps us give you this show for free. Now, coming up on today's show, Graham delves into the recent Twitter hack and tells us what happened. Lisa tells us of Russian agents trying to attack COVID vaccine testing labs, and I give you the latest on stalkerware, and bossware. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, it cannot have failed to escape anybody's notice because it's been headlines all over the web and all over the TV news about the enormous Twitter hack.


LISA FORTE. Yes.


CAROLE THERIAULT. Well, I don't know if everyone read the deets, so I still think it might be interesting for you to cover it.


GRAHAM CLULEY. Well, I'm sure some people were a little bit disappointed we didn't cover it last week, but it actually happened after we recorded last week's episode.


LISA FORTE. It's really inconsiderate of Twitter, can I just say, to not take Smashing Security's recording schedule into consideration when having a break. I'm just going to point that out.


CAROLE THERIAULT. They're outrageous.


GRAHAM CLULEY. So what happened was lots of Twitter accounts began to post a rather peculiar message. For instance, Kanye West. He tweeted that, "I am giving back to my fans. All bitcoin sent to my address below will be sent back doubled. I'm only gonna do this for a maximum of $10 million, and you've got 30 minutes to do it." So basically, he and other celebrities were saying, "Send us your bitcoin, and we'll send you back double." Yeah, okay.


CAROLE THERIAULT. First, Kanye West. Isn't he going a bit bozo crazy right now?


LISA FORTE. That's the future president of the United States you're talking about, Carole.


CAROLE THERIAULT. I know.


LISA FORTE. President West, that's who you're talking about.


GRAHAM CLULEY. I, you know what? I feel a little bit uncomfortable about all the teasing that's going on Kanye West right now. I am not a doctor, and I know that's going to shock a lot of people, but it seems to me from my amateur position, by the things that he's doing and things that he's saying, that this is a guy who's somewhat troubled. And because of his platform, he's out there acting a little bizarrely, shall we say, and the media are sort of jumping on it and making fun of him.


CAROLE THERIAULT. I'm, well, I'm not sure. He seems to go off his meds every time he has a new album to promote. Well, because that's how he gets to go crazy.


LISA FORTE. And he's been held hostage by the Kardashian family, so, you know, we have to, we have to feel a bit sorry for him.


GRAHAM CLULEY. Yeah, I know, but how are we gonna feel if he, dare I say, if he tops himself, right? That all the media have been having a go at him and making fun of him, whereas really what he needs is some help from his family to sort him out and to take away the video cameras and his social media accounts for a while.


CAROLE THERIAULT. Yeah, imagine someone doing that to you, how easy that would be.


GRAHAM CLULEY. Well, they wouldn't need to do it to me, would they? Because I'm on this Oh, I see.


CAROLE THERIAULT. Now, another thing, you said lots of Twitter accounts were hacked. Yes. Wasn't it just a handful?


GRAHAM CLULEY. Well, it looks like 130 different accounts were targeted, and the hackers managed to reset passwords of 45, according to Twitter.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. But some of these accounts were really high profile. Right. So, some chap called Joe Biden.


CAROLE THERIAULT. Never heard of him.


GRAHAM CLULEY. Barack Obama. Who? Bill Gates, Jeff Bezos, our favourite on the podcast, Elon Musk. Kim Kardashian, of course, is Ye's— You have to call Kanye West Ye now, I believe. Kanye's wife. Mike Bloomberg. And companies as well. Apple, Coinbase, Binance, which is a cryptocurrency exchange. Uber.


CAROLE THERIAULT. Binance, surely.


GRAHAM CLULEY. Well, rather than Binance, I don't know.


CAROLE THERIAULT. I would say Binance.


LISA FORTE. I would say Binance.


GRAHAM CLULEY. Yeah.


LISA FORTE. And I'm not just saying that 'cause I agree with Carole.


GRAHAM CLULEY. You say Binance, I say tomato. Anyway, the thing— Oh, I see, because bitcoin, you think Binance. Probably.


CAROLE THERIAULT. No, Binance.


GRAHAM CLULEY. Oh, you think Binance. But it's not bytecoin, is it? All of this is probably gonna get edited out. Why?


CAROLE THERIAULT. Because Lisa and I were right? Is that why it's getting edited out?


LISA FORTE. It's gripping stuff. The listeners just can't get enough of this.


GRAHAM CLULEY. Now, these of course are all verified accounts. And so when people see them begin to post messages, they have a little bit more credibility because you imagine that some chap like Bill Gates or Jeff Bezos or Elon Musk probably has two-factor authentication in place, probably isn't reusing passwords, has probably been fairly smart about things.


CAROLE THERIAULT. Can you just remind us what a verified account is? Because just to understand exactly what it is, because I know my account, for example, is not verified, but I think yours both are.


GRAHAM CLULEY. Mine is verified because I'm a sporting personality. Reality. I have a little tick next to my name saying, "Yes, this is the real Graham Cluley." And you got that by doing what? Well, you do have to jump through some hoops.


CAROLE THERIAULT. Right. So they basically verify you're you and you're—


GRAHAM CLULEY. Yes, exactly.


CAROLE THERIAULT. And then you get this little tick that means you can trust me. Okay.


GRAHAM CLULEY. That's the idea. You can trust me. Because of course there have been problems in the past where fake Elon Musks, for instance, have been granted on Twitter.


CAROLE THERIAULT. Yes, you've covered them often.


LISA FORTE. Yeah.


GRAHAM CLULEY. And they've posted messages quite often scams similar to this, but these were the real accounts which were saying this, and they all sort of said it simultaneously. And my first thought, I think it happened around about 11 o'clock at night, or close to midnight on the particular day when it occurred. And my initial thought was, they must all be using the same third-party app. They're probably using something like Hootsuite or something like that. Maybe that's got a vulnerability and the hackers have exploited that to post messages in all of these legitimate accounts.


LISA FORTE. That would make sense, yeah. But I also think it's— if it comes from multiple verified accounts, it sort of looks like all of these famous people are part of some new kind of campaign to raise money or something, right? Because they're all— Yeah, well, it kind of looks like, oh well, everyone who's sort of anyone is saying, you know, about this, about this money transfer. It kind of looks a bit more legit. Whereas if you start having nobodies posting the same text as well, it starts to add some questions to it. Right.


GRAHAM CLULEY. It could look like a whole load of celebrities have joined up together in some campaign. You remember when Gal Gadot did that video of her singing Imagine with a number of celebrities?


LISA FORTE. How can you forget?


CAROLE THERIAULT. I have no idea what you're even talking about.


LISA FORTE. You don't want to Google it, to be honest. Nope. Not interested at all. I wouldn't.


GRAHAM CLULEY. Okay. But anyway, so it looks like it's another— maybe they're doing it for the greater good of the world because we're all in lockdown and they're going to spread their wealth around, and Jeff Bezos frankly can afford it.


LISA FORTE. To be fair, was that not the biggest red flag ever when Jeff Bezos offers to send money to people and he's laying off his poor Amazon slaves that are working in a sweat factory somewhere and then he's giving money away? That should have been the biggest red flag ever.


CAROLE THERIAULT. And the message that I saw that was posted from these accounts certainly looked a bit amateurish, to say the least.


GRAHAM CLULEY. Well, yeah.


CAROLE THERIAULT. You felt you could fall for that?


GRAHAM CLULEY. Well, no, I'm a naturally cynical, questioning sort of person, because I work in cybersecurity.


CAROLE THERIAULT. Oh, sure, sure.


LISA FORTE. He's an Olympic athlete as well. They're a different breed.


CAROLE THERIAULT. I know, he keeps talking about his sporting character.


GRAHAM CLULEY. Anyway, chums, Twitter obviously realised that these were scams. And what they did for a while was they blocked tweets from every verified account on Twitter to try and stop—


CAROLE THERIAULT. Oh my god, did you cry?


GRAHAM CLULEY. I could retweet— But I couldn't tweet.


CAROLE THERIAULT. Oh, you could retweet. You could add a comment?


GRAHAM CLULEY. I could add my comments.


CAROLE THERIAULT. So were you just grabbing random tweets just to say, "Hi everyone, I'm fine." I could use the Smashing Security Twitter account because that isn't verified. Oh, so at least you had a way to communicate with your fans.


GRAHAM CLULEY. Yeah, exactly.


LISA FORTE. Graham is alive and well. Don't worry.


CAROLE THERIAULT. Yeah, I'm here, guys. I'm here.


LISA FORTE. Updates in the next 10 minutes.


CAROLE THERIAULT. Just going for a sandwich.


GRAHAM CLULEY. Is this the reason why this podcast exists? Just to take the piss out of me. Is that why?


LISA FORTE. Wait, is that not why it is? That's what I thought I was coming on to this podcast for.


CAROLE THERIAULT. I don't pick her taint, man, surely.


GRAHAM CLULEY. Anyway, it turns out that it wasn't a third-party app. Hackers had basically breached Twitter's own systems. And they'd gained access to a sort of backend tool, an internal tool, which Twitter have for managing accounts. Now, whether they'd done that with the assistance of a Twitter employee, or whether they'd managed to phish the credentials from that Twitter employee, is a little bit vague at this moment. But with that, they had the power to access anybody's Twitter account at all. By the way, there's one name which is missing from that list of celebrity Twitter users, which is perhaps surprising, which is of course Donald Trump. His account wasn't compromised. It didn't post anything about him giving away bitcoin.


CAROLE THERIAULT. So I read that, but what was the reason?


GRAHAM CLULEY. I think that it's possible that Twitter have got extra security specifically on Donald Trump's account. And that they don't allow their regular support people to do all the admin and management of that account like they would be able to on anyone else's. If you remember a couple of years ago, someone at Twitter—


CAROLE THERIAULT. Yeah, yeah, someone at Twitter had attacked his Twitter, had covfefe'd it.


GRAHAM CLULEY. That's right. Someone at Twitter went rogue and actually deleted Donald Trump's account for a while. And obviously that got noticed and it was reinstated. But I think at that point—


CAROLE THERIAULT. He hardly uses it. I'm not sure why he would have noticed.


LISA FORTE. But don't you also think though that if you attack his account, maybe there are going to be some CIA people who are going to come after me with a vengeance in a way that, to be honest, Kim Kardashian probably doesn't have that same manpower.


GRAHAM CLULEY. Oh, I bet the Kardashians could send around unmarked cars.


LISA FORTE. I'm not saying you want to mess with the Kardashians. I think that would be ill-advised. But I'm just saying, of the two, I would mess with Kim Kardashian before the President of the United States. Really?


CAROLE THERIAULT. You're going to be down on the floor in no time.


LISA FORTE. I'm more worried about the mum. I think, you know, that's who you've got to watch out for.


GRAHAM CLULEY. Which one? Uh, Kris Jenner, is that right? Is that—


LISA FORTE. Yes, Kris Jenner. Yeah, that's where, that's where the threat lies in the Kardashian family for sure.


CAROLE THERIAULT. Interesting. See, I know nothing about this world.


GRAHAM CLULEY. I don't know anything about the Kardashians.


LISA FORTE. Graham's saying I don't know anything, but Graham seems to know the name of the mum. I mean, I think we should ask some questions here. I think we should divert the whole rest of the show to figure out why Graham is so obsessed with the Kardashians. That's what the listeners want.


GRAHAM CLULEY. Anyway! Anyway, back to the plot. We know that the hackers had access to Twitter's backend.


CAROLE THERIAULT. So to speak.


GRAHAM CLULEY. Oh my god.


CAROLE THERIAULT. I know.


GRAHAM CLULEY. 36 hours or so before the cryptocurrency scam. We know that because they posted screen captures of the admin tool on the Computer Underground. So they had access for a while beforehand. And then some hackers, we don't know if it's the same ones, did the cryptocurrency scam. It may have been different groups of hackers who had access to that system, right? Which is interesting. So my argument is this could have been worse. The good news is it got sorted out fairly quickly and some money was stolen. It's estimated something like $100,000 was sent by people.


CAROLE THERIAULT. Seriously?


GRAHAM CLULEY. Yes. Yes. Believing that they were going to get more in return.


CAROLE THERIAULT. Oh, wow. That's the—


GRAHAM CLULEY. Yeah, that's, that's what it appears happened. So I think it could have been even worse though, because maybe even more money would have been transferred to the bad guy's pockets if some of the cryptocurrency exchange hadn't been quicker on their feet.


CAROLE THERIAULT. I would argue it's a pretty big deal 'cause it makes it look like Twitter is not on top of things. Granted, they dealt with it quickly, which is good, but why did it happen in the first place?


GRAHAM CLULEY. Well, yes, huge questions as to what on earth happened there. Mm-hmm. And there's the social engineering element, the exploitation maybe of internal staff, whether with their knowledge or without their knowledge. I think that's a big question for everyone. Now, I wonder as well how much working from home comes into this, because isn't Twitter continuing to say to its staff, "You can carry on working at home"?


LISA FORTE. Yeah, yeah, it is.


CAROLE THERIAULT. Ooh, interesting.


GRAHAM CLULEY. And I wonder as a consequence whether security has actually dropped a little and there may be less oversight as to what employees may be up to. I don't know. Anyway, listen, I would argue that things could have been even worse, right? Coinbase, they are the largest US-based bitcoin and cryptocurrency exchange. They indeed had their own Twitter account hacked. And they posted one of these messages as well. They say they prevented over 1,100 of their customers from sending money to the scammers. They stopped $280,000 worth of money going through.


CAROLE THERIAULT. I am shocked. Can I just ask, were the messages on all of the accounts that were taken over, was the message the same across the board?


GRAHAM CLULEY. There were small differences, but the general gist of it was this.


CAROLE THERIAULT. It was pretty weak then. Did you not think? For me anyway, I was just like, okay, scam, scam, scam, scam, scam.


GRAHAM CLULEY. Maybe for you, Crow, but you are—


CAROLE THERIAULT. I know I'm not as sensitive as you.


GRAHAM CLULEY. Well, no, no.


CAROLE THERIAULT. Right? You understand how people feel.


GRAHAM CLULEY. I don't, what?


CAROLE THERIAULT. You could see how people would fall for this.


GRAHAM CLULEY. I can see how some people might, yeah, because some people look up to the figure of Elon Musk and others and may be desperate and may have a few bitcoin in their wallet and think, well, this is probably legit because it comes from a verified account.


CAROLE THERIAULT. You keep talking about Elon Musk. Do you have a little crush on him? A bromance with Elon?


GRAHAM CLULEY. No.


CAROLE THERIAULT. Are you sure?


GRAHAM CLULEY. Yes. Let's move on. So—


CAROLE THERIAULT. See, some people have fantasies about things that they don't rationally like, Graham. No, it's okay.


LISA FORTE. Is his dream dinner party, in fact, Elon Musk and Kris Jenner?


CAROLE THERIAULT. Oh, I think this is it.


LISA FORTE. We figured it out, Carole.


CAROLE THERIAULT. You try and get an invite. There's no way I'll be allowed.


LISA FORTE. Okay, I'll report back.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. According to Coinbase's CISO, only 14 of their users were able to send any bitcoin. And they lost about $3,000 and then they blocked it. And other cryptocurrency exchanges like Gemini, which is run by the— do you remember the Winklevoss twins? They were the guys who were in the early days of Facebook. If you've ever seen that movie about Mark Zuckerberg, is it called The Social Network or something?


CAROLE THERIAULT. I have, but I don't remember them.


GRAHAM CLULEY. There's a couple of CGI twins. Well, one of them isn't CGI. Well, I suppose neither of them are CGI, but they've been added in. They've been made twins through computer. There's a couple of twins. They're very rich.


CAROLE THERIAULT. They've risen to the moon. One pair of twins.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. Not a couple of twins. That's 4 people.


GRAHAM CLULEY. That's correct.


LISA FORTE. Oh my god.


GRAHAM CLULEY. Anyway.


LISA FORTE. Just trying to clarify.


GRAHAM CLULEY. They run a cryptocurrency exchange called Gemini. Oh, that's why it's called Gemini.


CAROLE THERIAULT. Oh my god.


GRAHAM CLULEY. They're so clever.


LISA FORTE. Big revelations this episode.


GRAHAM CLULEY. They're so clever. That's for sure. There's also a cryptocurrency exchange called Kraken, which I guess is run by sea monsters. And of course, the previously mentioned Binance.


CAROLE THERIAULT. Binance.


GRAHAM CLULEY. And they did, oh, as in finance maybe?


LISA FORTE. Yes. Yes, there we go.


GRAHAM CLULEY. Why didn't you say that?


CAROLE THERIAULT. Well, you'd figure it out at some point. You're a pretty smart guy.


GRAHAM CLULEY. Anyway, they did the same, but they don't have as many users. And so they didn't stop anything like the same amount. So what I thought was interesting about this is we talk about cryptocurrency being lawless, you know, it's like there's no rules and there's no regulations and it's democratized money. Or currency and the rest of it. But the fact that so many people use the same services to handle their cryptocurrency wallets and to move bitcoin around means actually that there are protections which can be put in place by the cryptocurrency exchange themselves if they see a, a really high-profile incident like this one occurring.


CAROLE THERIAULT. So basically, if you use Binance, you are safer than if you just do it solo, is what you're saying.


GRAHAM CLULEY. Or, or indeed Coinbase, which had—


CAROLE THERIAULT. Yeah, 'cause no one's gonna stop you if you wanna send $10 million to Elon Musk's supposed account.


GRAHAM CLULEY. No, but if lots of other people are doing it the same and it gets spotted, then maybe it'd be picked up. So that's one way in which I think things can be worse. The other thing is, this was used for a cryptocurrency scam, right? But the bad guys also had access to other information from those people's accounts. They were able to access private direct messages, contacts, physical location history.


CAROLE THERIAULT. Of people like Barack Obama and Joe Biden. Which is extremely— but not Trump. So interesting.


GRAHAM CLULEY. So Twitter says that private data was downloaded for only 8 accounts. And it says, it won't tell us which ones, and it says none of them were verified. But obviously the potential was there for blackmail, sextortion, who knows, influence. You can imagine how state-sponsored hackers may want access to that kind of information.


CAROLE THERIAULT. So they won't tell us who the account holders are? Do you think they've told the account holders, hey dudes, your stuff's gone, dude-ice?


GRAHAM CLULEY. They say they have been in contact and they're working with them on that. I believe some of these accounts may have been accounts which just had one or two letters in their name. So some people literally have a one-character name, which is apparently very common.


CAROLE THERIAULT. Like ZSK?


GRAHAM CLULEY. Well, we'll have to ask Zoe whether she—


CAROLE THERIAULT. Zoe, I hope you're okay.


LISA FORTE. Whether she was taken from us.


GRAHAM CLULEY. We love you, Zoe. But the thing is, that actually makes me think again that these weren't that serious hackers, because there's so much which could have been done, but all they did was this rather lame cryptocurrency scam and try and pinch a few accounts.


LISA FORTE. And I think also it does kind of, A, call into question the platform's ability to secure everything, but also it's a bit concerning given the timing and the US elections that are coming up. How competent are these platforms in dealing with things that could be problematic for democracy, right?


CAROLE THERIAULT. Crap.


LISA FORTE. Okay, that's that question answered. Great discussion there.


CAROLE THERIAULT. Anytime.


GRAHAM CLULEY. Lisa, what do you have for us this week?


LISA FORTE. Okay, so I have a question for you, Graham. Have you ever been accused of stealing the formula for a life and economy-saving vaccine?


GRAHAM CLULEY. It's a fair cop. I have to put my hands up. No, of course not.


LISA FORTE. Well, the poor Russians have been.


GRAHAM CLULEY. Oh, bless them.


LISA FORTE. So the Cozy Bears, aka APT29, well, there's a joint advisory that came out on the 16th from the NCSC, the NSA, that said that Russian-sponsored attackers are going after labs that are working on the vaccine, but also labs that are working on figuring out how this virus works. And spear phishing is their attack of choice, which is interesting because it's also social engineering, as Graham mentioned in the Twitter one. So basically, they're pretty certain at this stage that the Russian intelligence services are involved in this.


CAROLE THERIAULT. Does the spear phisher have to know a lot, a lot, a lot about biology and virology?


LISA FORTE. If you think about social engineering, that's kind of my area. Yeah, the staff that work in these labs are likely to be stressed, working long hours, wanting to win this race for the vaccine. There's probably lots of governmental pressure being put on them to sort of get it done. Also, we know that security tends to hamper innovation and slow things down, so chances are there might be some bypassing going on. And also, the media have been sort of focusing in on these labs and probably providing quite a lot of OSINT, maybe names, identities, things like that.


CAROLE THERIAULT. Good point.


LISA FORTE. That's more identifiable for these people. So I think in some ways, like, the high-profile nature of the work they're doing has probably lent itself to this.


GRAHAM CLULEY. If I wanted to target a scientist who was working on this kind of research, I might send them an email, forge the address to appear as though it comes from a rival lab or something, and say, "Hey, have you seen this new research which says if you inject yourself with bleach, it cures the virus?" Right? Now, if someone receives that, they either believe it and think, "Crikey, you know, maybe he was on to something," or they think, it's a joke. Either way, you open it because it comes from a fellow nerd wearing a white coat, and bam, the PDF or the Word document infects your computer with malware.


CAROLE THERIAULT. I think, I think, I think that's outrageous. No, no, no.


GRAHAM CLULEY. That's an outrageous characterization. But you could do something like that, which doesn't even have to appear completely official. It could just be sort of chit-chat, right?


CAROLE THERIAULT. I totally understand. So the spear phishing bit means either they got infected through clicking a link, which means they weren't secure, or they fell for something and handed over information. Am I right?


LISA FORTE. Yeah, exactly. They passed over the information that they were working on thinking it was someone in the US or in France or somewhere, right?


CAROLE THERIAULT. I'm just thinking if someone came to me like that and was pretending to be a cybersecurity expert, for instance, and started, you know, giving me a load of words and I was reading it and I'd go— I could tell pretty quickly their level of knowledge from the email.


LISA FORTE. But if it's the Russians, why wouldn't they go to their own scientists and say, could you write a plausible email for me to send to these people?


CAROLE THERIAULT. So they obviously had to have a lot of knowledge, you know, in order to be able to pull this off. So that's why state-sponsored makes it very—


LISA FORTE. Well, Russia Today has a different take on it, and I like Russia Today. I like to kind of vary my sources a little bit because they give you a bit more entertainment. So they claim that this whole thing makes no sense whatsoever, and their main defense that they put forward in the article is that they said that in this world, to attribute any kind of computer hackers to any country is impossible. And thankfully, they have agreed to forgive us for this mistake we have made.


CAROLE THERIAULT. So we're very fortunate.


LISA FORTE. Okay.


GRAHAM CLULEY. Well, I'm sure the Salisbury tourist board will be really pleased that we're back in their good books.


LISA FORTE. Yeah, I mean, I agree, because they got a lot of tourism from that, so they wouldn't want that to stop. The cathedral is just spectacular.


GRAHAM CLULEY. It is. Yeah, go twice.


LISA FORTE. So one of the journalists that interviewed one of the UK-Russian diplomats decided to push things a little bit further and asked him whether he'd watched the BBC show on the Salisbury poisonings, because I mean— Why wouldn't you take that shot at this point in time? You just would do it, wouldn't you? And his response was epic. He said that he'd seen some episodes, but he wasn't hooked because the show was so dull. But I love that their main defense was that you can't attribute it to us. It wasn't like, oh, we're all in this together. You know, like it's a joint worldwide effort. Nothing like that. It was like, you don't know it was us. That was the defense.


CAROLE THERIAULT. Fascinating.


LISA FORTE. Yeah. So it's kind of interesting. And I think the problem we have here is that the vaccine is IP, it's R&D, right? It's really, really valuable. And I think from us as citizens, we look at it as a responsibility to save the lives of all these people, to save the economy. But on a sort of higher-up level, a state level, whoever gets it first gets a huge amount of international leverage. And I think our sort of moral attitude to it actually doesn't apply when you're looking at it at that high level because it's sort of a military advantage almost, right? Because you now control the crucial thing that everybody needs to get their economy started.


CAROLE THERIAULT. I understand that from a senior leverage point, but also, like, we have a pandemic on our hands right now, right? So anything that can encourage any country to come up with it— like, would you care if it was UK or any country that came up with it as an— as a citizen, as an individual?


GRAHAM CLULEY. Oh, I, I don't think I would, but I certainly agree with Lisa that it will be used as a bargaining chip and as leverage.


CAROLE THERIAULT. Sure, sure, sure, sure. But would you, would you think it's not immoral if you were sabotaging someone else's chances when people are dying?


LISA FORTE. Well, to be fair, the accusation is not that they're sabotaging it, it's that they're trying to steal the research that's already been done.


CAROLE THERIAULT. Um, yeah, okay, that's fair. And then they're going to maybe get out first would be the idea there, right?


LISA FORTE. And I guess that the states must be doing that, the UK must be doing it because it's, it's, it's so valuable. And I think like Graham said, you know, imagine if you got it. Imagine if Graham found the vaccine. Let's just live in that world for a second.


CAROLE THERIAULT. In a sandwich.


LISA FORTE. He single-handedly, in the podcast Pleasure Palace, created— this sounds so strange— created the vaccine for coronavirus. Graham has so much leverage now. He can go out and say, you know what, unless you all subscribe to Smashing Security, no vaccine for you. What would you do?


CAROLE THERIAULT. Um, I would leave the show.


GRAHAM CLULEY. That's what I would do.


CAROLE THERIAULT. You'd have a position, Lisa. You'd come in. You'd come in.


LISA FORTE. Don't drag me into this. He's gone rogue.


GRAHAM CLULEY. Carole, what have you got for us this week?


CAROLE THERIAULT. So there were tons of articles this week about stalkerware. And this is due to an announcement that was made last week by Google. So drumroll, please. The giant search engine has decided that it is no longer going to allow ads for stalkerware apps and software. Well, like, gee, Google, I couldn't believe that. Like, they took their freaking time. How long has stalkerware been around? Like a decade at least.


GRAHAM CLULEY. Yeah, years and years, and openly advertised and promoted.


CAROLE THERIAULT. I wonder how much money, ad money, they made over the last 10 years to facilitate the promotion of these digital stalking tools.


LISA FORTE. Seriously, I reckon that's why they left it as long as they did.


CAROLE THERIAULT. Yeah, making a ton of cash. So, okay, for those that don't know, let me just back up a bit. So what is stalkerware? What do these apps do? First, it's kind of grown in scope. I've decided there's 3 different categories, okay? But you guys may think of other ones. Number 1, you'd have the relationship issue, like the quote, I don't trust my partner, so I'm gonna track their movements by installing something on their phone so I can take screenshots, log their activity, you know, follow where they go, et cetera, et cetera. Then you've got like legit crazy stalkers, those, you know, those who won't take no for an answer. When you tell them to go away, they don't, and they think you just need more time to reconsider. And these, you know, this is a big spectrum of yuck of how far they can go. And then you've got this new one, which is what some people are calling bossware. And this is because of COVID, people are working at home now. And some bosses aren't very happy with that because they can't keep an eye on their workers, like, how do I know you actually worked your full 8 hours that I'm paying you for?


GRAHAM CLULEY. Oh, yeah, I think you talked about this in a past episode, didn't you?


CAROLE THERIAULT. I did, exactly. And what some of these apps can do is take a pic, for example, every 15 seconds from your— or record every phone conversation or log every employee information through something like Slack or through any of these kind of DM tools.


GRAHAM CLULEY. Yeah, horrendous.


CAROLE THERIAULT. Can you think of any others that would be in those large groups, or does that kind of cover it, as far as you guys think?


GRAHAM CLULEY. I think fundamentally it's about snooping on someone without their permission and authorization, isn't it? And sometimes you'll have a relationship with them already, or other times you might want to have a relationship with them. Either way, it's a bit creepy.


CAROLE THERIAULT. But you kind of often need access to their phone, like physical access to their phone. So, you know, you may want to get on Elon Musk's phone, Graham, and have access to all this stuff, but you'd need to be able to hang out with them or get your hands on this phone to install said software.


LISA FORTE. I think it's a bit like if Graham was at his dinner party with Elon Musk and what was her name? Kris Jenner. Kardashian?


CAROLE THERIAULT. Kris Jenner.


LISA FORTE. Kris Jenner. And he takes Kris Jenner's phone when she goes to powder her nose and he installs spyware, stalkerware, sorry, onto the phone and then he can read all of Kris Jenner's messages.


GRAHAM CLULEY. Those will be interesting.


LISA FORTE. It might actually be very interesting, yes.


CAROLE THERIAULT. So, so we have these groups, right? We have these groups of people. And one of the big things with these stalkerware apps is that the victim or the owner of the phone often does not know this software is on there.


LISA FORTE. Right.


CAROLE THERIAULT. And, and the way that some apps get around it and to allow your partner, say, for example, to convince you to put it on your phone is that these apps have what they call a dual purpose. So it might look like an anti-theft application or a child safety app. But it has the secret purpose of tracking and recording and logging all the stuff you do.


GRAHAM CLULEY. This is what I remember about this stalker. I remember a company who I'm not gonna name because they don't deserve the publicity, who had a rather flashy advert, American-style advert, containing these people who claimed to be—


CAROLE THERIAULT. He's your mouse!


GRAHAM CLULEY. Hey, hey! No, they claimed to be genuine customers of this stalkerware and say, I was worried about my wife's safety and this stalkerware, although they didn't say stalkerware, it helped me work out where she was when she had a dangerous car crash and I was able to save her life because I installed it. But reading between the lines, you knew it was all about possessive people and jealous partners wanting to keep track of people. But it was often sold on the basis of look after your family or keep an eye on what your child is doing.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And this is one of the problems with what Google is proposing is that although they're saying we won't allow ads which allow you to stalk, it's fine if they're promoted as something which allows you to keep tabs on someone else for another reason.


LISA FORTE. So on Twitter, I saw today that Jake Moore was talking about attribution of attacks, right? In general, with cyber attacks and all these things, attribution can be very, very hard. And he was talking about how, you know, can we ever really truly know with certainty? But with this, in most situations, you actually are in a privileged, privileged in inverted commas, situation because you actually probably do know who it is, because it's likely to be your partner who's stalking you on Twitter.


CAROLE THERIAULT. No, no, totally. And I think, I suspect when you do search, uh, for these kind of tools, if this is what you want, you would find a ton of articles that tell you, oh, here, use this tool, use this tool, it says it's anti-theft, but, or anti-safety, or more safety.


LISA FORTE. But actually, but I think also it's not just necessarily this intrusive, because I had a bit of an incident and the, the gentleman involved, um, found an app that although didn't go onto my phone and track, you know, what I was doing on my phone, it did track every single thing I liked or did, or when I logged on and did anything on Twitter. And it reported back everything I was doing as an account he was sort of— I guess it was sort of monitoring, but—


CAROLE THERIAULT. Or like intense following and, and sending the information over, right?


LISA FORTE. And although it wasn't anything that was private because I was on Twitter, it was still kind of like, I think, like the gateway drug to stalkerware, right? Because it's kind of— it's just one step removed from putting something actually on my phone.


CAROLE THERIAULT. Well, it's really interesting because there was a poll done in February as to how many— this was done in America, right? So what percentage of Americans do you feel would admit to using this kind of an app, like using a kind of subversive app on a partner's or ex-partner's device? What percentage do you think?


GRAHAM CLULEY. 5? No, it'd be less than that.


LISA FORTE. I'm gonna go higher.


GRAHAM CLULEY. I'm gonna go, yeah, I'll say 5%.


LISA FORTE. I'm gonna say, oh, it's difficult. I'm gonna go 20. Really?


CAROLE THERIAULT. Right, so you think 1 in 5 people have done it?


LISA FORTE. Yeah.


GRAHAM CLULEY. And admit to it?


CAROLE THERIAULT. Okay, well, you're wrong. It's 1 in 10, but it's right between you two. So 1 in 10, and I was shocked with 1 in 10.


GRAHAM CLULEY. And those are just the ones who admit to it.


CAROLE THERIAULT. Who admit to actually doing it, not thinking about doing it, not like dreaming, oh, that would be— I would really love that, but actually effectively doing it and admitting it.


GRAHAM CLULEY. That's really disturbing. Not only that they're doing it, but that they feel comfortable enough. They feel almost like society is endorsing that kind of appalling behavior that they feel comfortable saying, oh yeah, I do that. You know, it's like what everyone does, isn't it?


CAROLE THERIAULT. I mean, that number, isn't that— it means that one person in your social distancing circle may have spied on their partner or their ex. It blows my mind. Now the other thing in the same poll was that men were twice as likely to use these types of apps than women.


LISA FORTE. Oh my God, is that because of like female intuition? We just kind of know.


CAROLE THERIAULT. I was thinking— this sounds rather sexist, and I don't mean that— but I, I was thinking that men might be more likely to be working in tech or be more comfortable with grabbing a phone and doing all that kind of stuff, just because there's more men in tech than there are women still. But yeah, interesting. But jealousy, you know, goes— but we know everyone gets jealous at some time. This is how you handle it, gentlemen and ladies.


LISA FORTE. Yes, gentlemen.


CAROLE THERIAULT. Okay, so just a bit of advice here. So let's say you were thinking, hmm, I think I may have something on my device, right? So for example, I read one story of someone, so, you know, she's living with her husband, but he's acting really weird around her and he keeps going to the loo for like long times and then coming out super angry. And it was because he'd installed one of these spyware apps on her phone, and when he went to the loo, he was reading all her messages.


LISA FORTE. Oh my God, that makes me mad.


CAROLE THERIAULT. He wouldn't say what was going on. So he'd come out of the loo all furious and he was like, why is your poop making you so angry?


GRAHAM CLULEY. Constipation. Exactly.


CAROLE THERIAULT. Diarrhea, constipation. Okay, so let's say you're thinking, hmm, something's a bit off. I wanna make sure that I don't have any of this stuff on my phone, okay? So things you can look for. One is a huge surge in data usage, right?


GRAHAM CLULEY. Oh, okay, yes.


CAROLE THERIAULT. Or a battery drain, because obviously your phone has to process lots more information. Good point. And so there are these, certainly on iPhone, you can kind of see this is my normal usage and you can kind of track it over time. And if you see a spike and you have no reason for that spike.


GRAHAM CLULEY. Carole, there's a global pandemic going on. We're all in lockdown. Our data usage.


CAROLE THERIAULT. We have a lot of time to look at it. We have now a good 6 months of behavior that we can look at. Don't worry, that's not the only one though. There's also inexplicable charges. Some stalkerware actually cross-charge the victim at premium rates to send the messages to the other phone.


LISA FORTE. Interesting.


CAROLE THERIAULT. You'll suddenly get this bill going, "Why is my bill suddenly 80 quid?" as opposed to 30, and that may be the reason.


GRAHAM CLULEY. In a way, that's quite a good thing. Maybe all stalking software should be obliged to do that because the device on which it's installed is the person being spied upon. So as part of their awareness, you go and look at the bill and it says, yes, you are running the stalking app or the tracking app.


CAROLE THERIAULT. Yeah, and also the other thing is just weird behavior that happens on your phone, like sudden pop-ups, or you see apps that you don't remember installing, even if they look harmless. They could have a dual purpose as we talked about before. Just a few things to note, Android devices as opposed to Apple devices are more susceptible because they're based on open source and have a very diverse ecosystem as opposed to the homogeneous system that you see at Apple. So for example, you'll have several versions of Android operating systems available all simultaneously and all of them have different features inside them and it makes security updates difficult. Are you suggesting that Android users are more likely to be stalked? No, no, I think it's more— it's easier to hide this kind of stalkerware on the devices than it is on Apple devices. And that's because of Apple's, you know, development and app submission process. It doesn't mean that it's impossible to get in there.


GRAHAM CLULEY. Okay.


CAROLE THERIAULT. But it's a little bit more difficult to get through.


GRAHAM CLULEY. Imagine I was your jealous partner, Carole, and I wanted to stalk you. Should you be suspicious if I suddenly say, "Hey, hey, here's an Android phone. Why don't you put away your iPhone? Have this sexy new Android phone. Carry that around with you all the time." But also, information has to be used, right?


LISA FORTE. There's no point gathering intelligence and just going, "Oh, that's interesting," and then that's it. That's just a waste of time. So I think very much you will see that— let's assume that it's your partner, just for the purposes of this conversation. You will see your partner's behavior change, and you will probably see them turn the conversation into topics that maybe you have researched or discussed with somebody else. And I think there is also the opportunity— although I think probably the best thing to do is to, you know, reformat your phone and maybe have some counseling and some conversations.


CAROLE THERIAULT. Yeah, yeah.


LISA FORTE. But you can also test it, because in intelligence they used to teach us that, you know, once you know that someone's looking at you or watching you or monitoring you, you can actually poison the well to confirm that. So for example, you could start talking about your foot fetishes, or you start searching for like miniature poodles and how do I buy them fast, and like how many can I buy— what if he gets you one? How many can I buy in one go? And I don't know, something really bizarre that they just wouldn't pick up on. And if they suddenly start bringing up that you don't have room for a dog— this is a hint to my partner who has said this to me—


CAROLE THERIAULT. Interesting. Then, um, Lisa, you are a fountain of information.


LISA FORTE. Yes, I'm a devious Italian woman and this is my forte, literally.


CAROLE THERIAULT. So things you can do, okay? Lock your bloody device and don't tell anyone else how to get in. Use two-factor, and not just lock your device, but set your lock to reset not in half an hour, right? Or 20 minutes, and then you leave your phone lying.


GRAHAM CLULEY. Oh, like auto-locking?


CAROLE THERIAULT. Yeah, like auto-lock your phone. Mine's set for like 1 minute, because I tend to use my phone and then not use my phone for long periods of time, and I'd have no notifications, so it's not complicated. But it can be someone you live with. So if you are concerned that someone in your home may be tracking your devices, you need to think about your phone plan to make sure it's not a shared one as opposed to an individual one, because that complicates everything, especially from a legal standpoint, because how can you make sure you knew about what, and they have access to all your logs, and they can make changes and configuration changes because it's a shared plan.


LISA FORTE. Can I ask, then, you know, on Apple devices you can have a family Apple ID.


CAROLE THERIAULT. Yeah, that's interesting.


LISA FORTE. How does that link into this?


CAROLE THERIAULT. I don't know. That's a really good question. Any listener that knows, please tell us, because that's a great question. And also you have that on Amazon too, right? You have it with a lot of apps now, family apps, right? Yeah. And it's a difficult one for people to say no to in a family because you obviously maybe save, uh, on cash, right? So there's a kind of financial incentive for someone to bring that. Now, one of the big problems here is it is very difficult to detect many stalkerware apps without a, you know, stalkerware scan or an antivirus scan that's, you know, specifically designed for stalkerware. But for iOS, so I did just a bit of research. So on iOS, it is harder to get in, but an app that was recommended is called Certo. The phone has to be plugged into a computer to do this, and then Certo can scan your phone backup on your computer. And it does it for a price, a small fee, a yearly price.


GRAHAM CLULEY. So you have to pay for that, yeah?


CAROLE THERIAULT. Yeah, you gotta pay for that. Now, there's also reputable antivirus scanners that do it. So McAfee do it, Avira do it, and they allow you to scan specifically for stalkerware.


GRAHAM CLULEY. Mm-hmm.


CAROLE THERIAULT. And for Android, there are a number of little apps out there that can help, but one that I know of is from a new startup called Traced, and I actually know the guys who created this and developed the tool. It's a free tool, but I have not tried it 'cause I'm not an Android user, so it's only for Android. Um, but people seem to think it's pretty cool, so you can check that out. I'll put links for all these in the show notes.


GRAHAM CLULEY. It's really horrific, isn't it? Because when you begin to suspect that someone might be spying on you, you're not sure, and you're not, you're not certain whether you're imagining it.


CAROLE THERIAULT. Oh, of course they're going to say no, right?


LISA FORTE. And it's, and it's worse when it gets physical as well, because I had a situation a few years ago, uh, when I was still in the case, um, where somebody was stalked, like properly stalking me. They were taking photos of me in Sainsbury's, for instance, and then sending them.


GRAHAM CLULEY. Oh my goodness.


LISA FORTE. And then they started leaving a yogurt pot outside my front door every morning with a little, uh, present bow on it, every single morning. And it was— it got really horrific. And even though nothing happened and no threat against my life was made and nothing like that, um, it still really ruins your day. You know, it sounds like a stupid thing to say, but, you know, yogurt suddenly becomes threatening. It's true though, worried about everything instead of enjoying your life. So it's not just about physical safety, it's just that unbalanced feeling you get when someone, you know, is doing that to you.


CAROLE THERIAULT. Yeah, you're totally right. It can be super scary, and it can totally change your outlook on life, and tools that facilitate it should not be allowed to be sold. Okay, so there's the kind of the lowdown on stalkerware at this stage. There's also, remember, there's bossware, stalkerware. It's going to grow more and more. There are a few apps to help you, but basically prevention is the best. So lock your phone, use two-factor authentication, and have good passwords, and use biometrics. That's another good way to go around it, although I don't, but there you go.


GRAHAM CLULEY. Ringing endorsement there for biometrics.


CAROLE THERIAULT. I know, I know.


LISA FORTE. We like to practice what we preach on this show. Very much so.


CAROLE THERIAULT. Well, at least I'm honest. I say what I do. Use a password manager. Just do it. These aren't my words. These are the words of Brian X. Chen, the lead consumer technology writer at The New York Times. It's time that everybody uses a password manager, both at home and at work. Get this, LastPass from LogMeIn for businesses, secure vault with centralized secure access, single sign-on, and simplifies remote management of all these accounts. And guess what, you home users out there, you can get LastPass free. For more info, go to smashingsecurity.com/lastpass.


GRAHAM CLULEY. And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.


LISA FORTE. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Woo! Musical. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.


CAROLE THERIAULT. I really hope it's not.


GRAHAM CLULEY. Well, my pick of the week this week is not security related. I wonder whether you saw an extraordinary program which occurred last Sunday on Fox News on Sunday. It's a program called Fox News Sunday, which they broadcast on Sundays on Fox News.


LISA FORTE. Can't miss it.


GRAHAM CLULEY. What, are you working for Fox? And it is hosted by a chap called Chris Wallace, and he did an interview with a gentleman called Donald J. Trump.


LISA FORTE. No!


GRAHAM CLULEY. And it was quite a fascinating thing to watch, not only because it was, of course, an interview done by Fox News, which historically has been a bit of a supporter of Donald Trump, but the issue came up of Donald Trump's cognitive test. And this is— you may have seen him on the news where he's saying that Joe Biden needs to take the same test because Donald Trump says that he absolutely aced it, and he says it's not an easy test, not an easy test at all. Now, I thought, wouldn't it be fun to put ourselves and maybe our listeners to the test and see if they can also pass this test, which is normally, I think, done for people who have Alzheimer's or the beginning of Alzheimer's, to see if they have a problem or not. So, you know, it's a good test for all of us probably to take. So I am going to put some links in the show notes, and maybe Carole and Lisa, you would like to click on the link to the test right now, but you will be asked, for instance, whether you can name animals. So you'll see an animal, there'll be one which is normally found in Africa and it's yellow and has big teeth.


LISA FORTE. Yes.


GRAHAM CLULEY. And so you'll be asked, what kind of animal is that? Or here's another one which has a great big spiky horn on its nose. What could that be? Is it a cat? No, it's not a cat. You failed. Right? And so—


CAROLE THERIAULT. What does this clock say?


GRAHAM CLULEY. Oh yes. Can you draw a clock which says 10 past 11? Now, Chris Wallace, who was interviewing the president, said, just so you know, Mr. President, I've also done the test and it wasn't that hard. And Donald said, well, the first questions were easy, but they suddenly got very hard towards the end. The last 5 questions, he said, I bet you couldn't answer them like I did. I aced it, and I bet Joe Biden couldn't answer them.


LISA FORTE. Was he referring to the test where you have to put a list of 3 numbers in order? Was that the point it got hard? Because that's where it got hard for me. I was like, 7, 4, 2, what do I do? I don't know.


GRAHAM CLULEY. So there was part of the test where you had to count down from 100, taking away 7 each time. So if we started with— Okay, Carole. 100, take away 7. Mhm.


CAROLE THERIAULT. Oh, I have to say it out loud?


GRAHAM CLULEY. Oh, you're just playing for time now.


CAROLE THERIAULT. Okay, 93.


GRAHAM CLULEY. Very good. Take away 7 again.


LISA FORTE. 80, 86.


GRAHAM CLULEY. Take away 7 again.


CAROLE THERIAULT. 79.


GRAHAM CLULEY. Okay, you are awesome. You're doing really well.


LISA FORTE. You can be President of the United States officially.


CAROLE THERIAULT. No, thank you.


GRAHAM CLULEY. Those were the easier questions. We're going to get onto the ones which Donald Trump claimed were really, really hard.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Lisa, what month is it?


LISA FORTE. Oh god.


CAROLE THERIAULT. March.


LISA FORTE. It's still March. It's still March.


CAROLE THERIAULT. Oh no.


GRAHAM CLULEY. Where are you? What place are you living in? What country are you living in?


LISA FORTE. I live in the UK, unfortunately.


GRAHAM CLULEY. And what is the year?


LISA FORTE. Oh, the year is still 2019, I think. So I think we're fine.


GRAHAM CLULEY. Okay, so you're not doing so well. So I think Donald Trump was correct to say that those final questions in the test were really hard.


LISA FORTE. Donald, if you're listening, which you're probably not, yeah, you're right. They're really tough.


CAROLE THERIAULT. Silver lining, at least he knows those things. Because I was getting very concerned that even that was beyond his grasp. So, you know.


GRAHAM CLULEY. Good that he knows those things. He may still be living in the 1950s, but yes, he does know what year it is. But a little bit alarming that he should think that would be something which would trip up the average person.


CAROLE THERIAULT. Are you really alarmed by anything he says? Really, really?


GRAHAM CLULEY. I am alarmed by everything he says, yes. But I'm more alarmed as to what's going to be happening by the end of the year.


LISA FORTE. I think the Sarah Cooper summary of the interview was actually better than the actual interview, in fact.


GRAHAM CLULEY. Oh, what did she do?


LISA FORTE. He was talking about how he aced the test. And she did a colouring in of this outside the lines of this drawing. And he said how hard it— She was saying how hard it was and she aced it. And it's brilliant. They've never seen anything like it, I think was the phrase.


CAROLE THERIAULT. The best ever.


LISA FORTE. Yeah.


GRAHAM CLULEY. We will link in the show notes. Fantastic. Lisa, what is your pick of the week?


LISA FORTE. Continuing on from the fact that I only pick kind of dark things. So, I watched a programme on Netflix, which is called Don't F**k With Cats. It's a story of cyber tech people who use their OSINT powers for good to hunt down this man who basically started making videos of him killing kittens and uploading them to YouTube. Um, and this transforms into a hunt which, with, um, like literally unbelievable twists. You— it's just unbelievable. Um, and I won't tell you this sort of the storyline because it gets completely crazy, but essentially they end up working with police from around the world in this, this international manhunt for this guy. Um, and it's on Netflix and it's, it's really well done. But I think the, the reason I chose it was because I think I'm a big believer that as cybersecurity professionals, we obviously can make money from our skills and our knowledge for sure, but we also have the power to do immense good in the world and to help people and to, you know, help people who are victims of domestic violence hide themselves, or, you know, gather OSINT on people who may be missing. Um, and I think it just goes to show that we should, uh, also use our powers for, for good as well as, you know, to line our own pockets and to make the world a better place.


CAROLE THERIAULT. Smashing Security in a nutshell.


LISA FORTE. Yeah, it's the same thing.


CAROLE THERIAULT. Just because we have fun, we share lots of good info.


LISA FORTE. Yeah, and you don't kill kittens, so no added benefit.


GRAHAM CLULEY. This sounds, it sounds really interesting. I've never heard of this.


CAROLE THERIAULT. Are you serious? No, I refuse to watch it because of the cat bit.


LISA FORTE. They don't show the cats. They're very, very— no, they don't show it. They're very good about obviously making it suitable for not seeing the cats. Um, but, but it's really interesting how they dissect the videos to a point where they're identifying, oh, what's that vacuum cleaner? What's that plug? Can we pinpoint him somewhere in the world? Um, to try and figure out where this guy is and who he is. And I think, you know, it really goes to show that we have a lot of power and a lot of skills and a lot of manpower to help the police and help people who really need us.


CAROLE THERIAULT. It is dark though. I've heard that. I've been— I know it's supposed to be great, but it's dark.


LISA FORTE. I reckon it's going to be about as uplifting as Chernobyl was. I don't think it's going to be much better.


GRAHAM CLULEY. Oh, Chernobyl was great. Carole, could you watch this before me and just tell me if it's all right?


CAROLE THERIAULT. No, no.


LISA FORTE. It's all right. I've watched it. It's awesome. Be brave, Graham, be brave. What would Kris Jenner do?


CAROLE THERIAULT. Yeah, what would Elon Musk do? He wouldn't be afraid.


LISA FORTE. Yeah, he wouldn't be afraid.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. So we, especially after Lisa's pick of the week, need a little hope in these yucky days. And there's nothing like a well-written, well-orchestrated, well-sung song to gee me up. Right? And one of my longtime favorite songs was written by the great Leonard Cohen.


GRAHAM CLULEY. Ah.


CAROLE THERIAULT. And it's a song that I used to love and then got poisoned by a number of horrible versions of Hallelujah.


GRAHAM CLULEY. Yes.


CAROLE THERIAULT. In 2015, that's how old this article is, there were already 60 versions of Leonard Cohen's Hallelujah, made by mildly famous people and some very famous people. I'm going to name some because some of them are quite surprising. You've got, uh, you've got, uh, the very sexy Michael Bolton. You have similar hair to him now, don't you, Graham?


GRAHAM CLULEY. I do at the moment, yes.


CAROLE THERIAULT. Right, without the haircuts. Bon Jovi, you probably have hair like him as well. Yes, right. His hair is always, was always long. What about Il Divo? They're one of your favorites. They did it. Yeah, in 2008, they did it. So lots of people did. Now, a lot of them are quite bad. There's a few very good ones, which I'm going to share with you, right? So that if people want to go watch them, they can. One of them is the Jeff Buckley version. I think that's 1994. That's a very good one. And there's, there's one from Regina Spektor, which is excellent. And I'm a big fan of her.


GRAHAM CLULEY. She's always cool, isn't she?


CAROLE THERIAULT. She's very cool.


GRAHAM CLULEY. The Jeff Buckley one, it's been overplayed for me. Like, it doesn't—


CAROLE THERIAULT. It doesn't mean it's a bad song.


GRAHAM CLULEY. No, well, it's not a bad song.


LISA FORTE. It's not all about you.


GRAHAM CLULEY. I love Leonard Cohen, but there's— there are some songs which are played so much.


CAROLE THERIAULT. I know, but you know what? I have a new version, and this has been recorded by friend of the show Michael Hucks. Oh, he's in a band who, uh, and they, you know, kind of go around and do lots of work in the States. And, uh, they found this guy, and they— he sung the song, and they were just like, oh my God, we have to record you. And they did. And it's being shared all over Facebook. But we also have— I got a special link on YouTube for our listeners. So I've also got permission to play it. So we will have it play out. And you'll see if it's a great version. And if you want to hear the whole thing, you can go to the YouTube link and enjoy. And if you don't like it because it's been overplayed, ignore me.


LISA FORTE. I love how your Pick of the Weeks are always so cheerful, Carole.


CAROLE THERIAULT. Not always. Well, I try.


LISA FORTE. They are usually quite cheerful. And mine really dark and Graham's are always very complicated.


CAROLE THERIAULT. It's my responsibility to wind up the show.


GRAHAM CLULEY. Very cool. And on that musical cultural note, we have just about wrapped it up for this week. Lisa, I'm sure lots of our listeners would love to follow you in a non-stalky kind of way on social media. What is the best, decent, respectable way for folks to...


LISA FORTE. Twitter @LisaForteUK.


LISA FORTE. I'm also on LinkedIn, although don't use that as much, and sort of on Instagram as well with the same handle, Lisa Forte UK.


GRAHAM CLULEY. Very cool. And you can follow us on Twitter @SmashinSecurity, no G, Twitter doesn't allow us to have a G. And you can join us in our subreddit and catch up with all that's going on with Smashing Security there. And don't forget, if you want to be sure never to miss another episode, subscribe in your favorite podcast app. Please do. You can do that in an app such as Apple Podcasts, Spotify, or Pocket Casts.


CAROLE THERIAULT. And big heartfelt thanks from all of us for listening, for supporting us, for sharing our work. Also, high five to this week's Smashing Security sponsor, LastPass. Its support helps us give you this show for free. Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.


GRAHAM CLULEY. Until next time, cheerio. Bye-bye.


CAROLE THERIAULT. Bye.


LISA FORTE. Ciao ciao!


CAROLE THERIAULT. So, presenting a pretty awesome cover of Hallelujah, written by Leonard Cohen, performed by Sean Brown and Jeremy Dunham, and produced by MIM Media. Link to the YouTube video in the show notes. Enjoy. Well, I heard there was a secret code David played and it pleased the Lord, but you don't really care for music, do you? Well, it goes like this: the fourth, the fifth, the minor fall and the major lift, the baffled king composing Hallelujah, hallelujah, hallelujah, hallelujah, hallelujah. When your faith was strong but you needed proof, you saw her bathing on the roof. Her beauty in the moonlight overthrew you, and she tied you to her kitchen. And she broke your throne and she cut your hair. And from your lips she drew the hallelujah. Hallelujah.


GRAHAM CLULEY. Hallelujah.


CAROLE THERIAULT. Hallelujah. Hallelujah. Well, there was a time when you, you let me know what's really going on below. But now you never show that to me, do ya? And remember when, well, I moved in you and the holy dove was moving too. And every breath we drew, Hallelujah, hallelujah, hallelujah, hallelujah, hallelujah. Maybe there's a God above, but all that I ever learned from love was how to shoot somebody who'd outdrew you. And it's not a cry that you, you hear at night and it's not somebody who's seen the light. It's a cold in need, it's a broken.


GRAHAM CLULEY. Hallelujah.


CAROLE THERIAULT. Hallelujah. Hallelujah. Hallelujah. Hallelujah, hallelujah, hallelujah, hallelujah, hallelujah. Hallelujah, hallelujah.

-- TRANSCRIPT ENDS --