This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Maria Varmazis
Hi, everyone.
Carole Theriault
It's Carole Theriault here on our final show of 2020. Despite the year being an absolute shit show, we've had a great time, and we really owe it all to you guys. To you, our guests, our listeners, our sponsors, and of course, our Patreon community. You help us make the show reality, and we're grateful. And remember, every penny we get to our Patreon during the month of December 2020 will go directly to our local food bank. Without further ado, let's get this last show on the road.
Maria Varmazis
And are you familiar with Cameo? The website Cameo.
Graham Cluley
Word Up. Yeah, I remember that. The guy with the red codpiece. Yeah.
Maria Varmazis
No, I don't know what's going on. That's a very specific reference I don't get. But Cameo Now is an app. I think I broke somebody or somebody broke himself. I think it's Graham. Oh, are you okay?
Unknown
Smashing Security, Episode 209: Vengeful Ex-Staff, Bad Santas, and iOS App Nutrition Facts with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 209. My name's Graham Cluley.
Carole Theriault
Our last episode of the year. I'm Carole Theriault.
Graham Cluley
And we're joined this week by returning guest, it's Maria Varmazis. Hi!
Carole Theriault
Can you put a little more into that?
Graham Cluley
And ladies and gentlemen, we are joined by one of our most splendid special guests from yesteryear and yester episode. It is the one, the only, Maria Varmazis!
Unknown Guest
Thank you! Yes!
Maria Varmazis
Wow, what an intro.
Carole Theriault
Maria, how are you? Anything to tell us? Anything changed since last time you were on?
Maria Varmazis
I'm on this marvelous podcast called Sticky Pickles with my co-host Carole Theriault.
Carole Theriault
Oh wow, it's so great having both of you here. I feel I'm the glue. And, you know, I'm the meat of the sandwich, so to speak. Now, we have good news for our listeners because I spoke to Maria, and Maria is coming to our YouTube Live Christmas party on the 17th of December, our very last shindig of the year.
Graham Cluley
So the one complaint last time we did a YouTube livestream was from many people—
Carole Theriault
Sorry, we had a complaint?
Graham Cluley
Yes, we had many complaints from people who in the chat saying, where's Maria? When's Maria coming on? Is Maria going to be in the livestream?
Carole Theriault
Those aren't complaints, those are questions. We are now able to say this 17th December, you will see Maria. Here I will be. I'm going to be there.
Graham Cluley
So this is going to happen very soon after we actually release this very podcast to the world. So it will be at 3 p.m. Eastern time in the States, 8 p.m. in the UK, noon Pacific time. So Thursday, 17th of December, go to smashingsecurity.com/live as soon as you hear this. And either it'll be there for you to watch and you can join in live, if it's still happening, or you can click the reminder button and get a reminder when it does come on, or whatever. But go to smashingsecurity.com/live and join us for our Christmas party with the one and only Maria and some other special guests.
Carole Theriault
Yeah, we're kind of friends on demand.
Maria Varmazis
Yeah, it's not going to be just me though. I mean, it's going to be amazing other guests.
Carole Theriault
No, no, Graham and I will be there too. Oh good, okay. Otherwise this is me for an hour, which is really awkward. We'll do that as a Patreon special next year.
Maria Varmazis
Listen to me read a book.
Graham Cluley
Carole, what's coming up on the show this week?
Carole Theriault
Well, first, let's thank this week's sponsors, Kroll and LastPass. Their support helps us give you this show for free. Coming up today's show, Graham, what are you talking about?
Graham Cluley
Oh, I'm going to be telling you all about a chap at Cisco who got a little bit naughty.
Carole Theriault
Ooh, Maria.
Maria Varmazis
And I'm going to be doing something about something that's really nice. It's Santa virtually this year. Oh, yeah. And scams.
Carole Theriault
Oh yeah, that sounds nice. And I'm going to Apple land to talk about all things Apple. Plus we have a featured interview with Kroll Cyber Risk's Mari DeGrazia, who gives us the inside scoop on all things digital forensics. Fascinating stuff, chums, you'll see.
Graham Cluley
Cool.
Carole Theriault
All this and much more coming up on this episode of Smashing Security.
Graham Cluley
Now, chum, Miss Chums, have you ever been driven to revenge? Have you ever been tempted to wreak revenge?
Carole Theriault
Well, tempted and driven to are different things.
Graham Cluley
Oh, okay.
Maria Varmazis
Tempted. I don't have the cunning to actually pull it off.
Carole Theriault
I'm tempted every Tuesday around this time. No, I'm kidding. I'm kidding. I'm kidding.
Maria Varmazis
Sync the podcast.
Carole Theriault
No, I'm not a very vengeful person. People get on my nerves though, but—
Graham Cluley
Do they?
Maria Varmazis
I daydream about it. It sounds nice.
Graham Cluley
Yeah, it sometimes can leave you in a rather sticky situation when revenge goes wrong, doesn't it? But I'm going to tell you about a chap called Sudhish Kasaba Ramesh. And he was working at Cisco, which is of course the giant technology firm. And he was working there from midway through 2016 up until April 2018, where he departed the company.
Carole Theriault
Okay, so he spent how many years there?
Graham Cluley
He was there for almost two years.
Maria Varmazis
Almost two, yeah.
Graham Cluley
Five months after he left the company's employment, he decided to log into their systems. Specifically, some Cisco systems which were hosted on an Amazon AWS server. One of those cloud buckets, those blobs of computing which are doing all kinds of clever things up there in the cloud.
Carole Theriault
Do we know where he is?
Graham Cluley
In America.
Carole Theriault
Oh, he's in the States somewhere.
Graham Cluley
He's in the States. Yes. Yes.
Maria Varmazis
But he is no longer under their employ. So—
Graham Cluley
He's no longer working for them. But this was 5 months after he left. Let me just repeat that. This was 5 months after he left their employment.
Maria Varmazis
So he was able to do it, not just he thought about it. He actually did it.
Graham Cluley
Yeah, he did it. He logged in.
Carole Theriault
Graham, has it never happened to you that a client has left the gates open after you're no longer working for them anymore?
Graham Cluley
Oh, I'm sure they have. I'm sure.
Carole Theriault
Correct answer, because you've never checked, because that would be a bad thing.
Graham Cluley
Well, it would be, yes. Exactly. I'm sure there have been companies I've worked for who haven't changed the credentials.
Carole Theriault
And you're working for technology and security firms.
Graham Cluley
Well, in some cases, yes.
Carole Theriault
Yeah, so I'm just saying I'm not surprised that—
Graham Cluley
It's not just when I was working down Kentucky Fried Chicken to earn some extra bob. You know, it wasn't just that. Yeah, all kinds of things.
Carole Theriault
Okay, but this was Cisco, you're right. So Cisco is a big dog. Okay, so 5 months after this guy's finished employed, he manages to log in.
Graham Cluley
Yeah, he logs in.
Maria Varmazis
Someone forgot to do something. Yeah.
Graham Cluley
Someone has forgotten something.
Carole Theriault
Is he just having a nose, you think? Or are you done?
Graham Cluley
Oh no, no, no. He's not just nosing around. He's not just having a curious to see if the company's still doing well in his absence. No, no, he's not doing that. What he does is he logs in to their, you know, oh, I wonder how Cisco are doing without me. No, no, it wasn't that scenario.
Maria Varmazis
Have they managed without me? Am I missed? Oh, yes.
Graham Cluley
I must admit, I have done that with some clients.
Maria Varmazis
Yeah, yeah, yeah, yeah, we've all done it, that's why.
Graham Cluley
I wonder how they're doing now I've left.
Maria Varmazis
Up shit creek.
Carole Theriault
Sudhish is up to something else, you're saying.
Graham Cluley
Yes, so Sudhish Ramesh, he logs in to this AWS server and he deletes 456 virtual machines.
Maria Varmazis
Oh boy.
Graham Cluley
Which were being used by Cisco to power its Webex video conferencing service.
Carole Theriault
Oh, for God's sakes. What, he's trying to bring Cisco to its knees through its Webex?
Graham Cluley
As though Webex doesn't bring the entire world to its knees on a regular basis whenever you try and log into it and use it and try and have a video chat. Yeah, the video conferences have— you must have used it. Have you guys used Webex video meetings?
Maria Varmazis
Yes, yes. Pre-pandemic, yes.
Carole Theriault
It's been absorbed by things like Zoom.
Graham Cluley
So Zoom really has sort of caught everyone's imagination now, hasn't it? But Webex was, I mean, it's still obviously going strong and it's used by some organizations.
Maria Varmazis
It's the more corporate one.
Graham Cluley
So as a consequence of Ramesh deleting all these virtual machines, as a result of this, over 16,000 Webex Teams accounts were shut down for up to two weeks. Imagine the impact on productivity. That's right, productivity must have gone through the roof.
Maria Varmazis
Yes.
Graham Cluley
Because people—
Maria Varmazis
Well, we can't have a meeting. Oh darn.
Graham Cluley
We'll have to do some work instead rather than practice around.
Maria Varmazis
Maybe I'll send an email.
Graham Cluley
You're on mute. You're on mute. Rather than having all those kind of, can you hear me, Austria? Rather than all of those kind of situations.
Maria Varmazis
When were you on my last call? Jeez.
Carole Theriault
Can you hear me over there?
Maria Varmazis
Gotta shout louder so they can hear you over the line. This is the way.
Graham Cluley
So I'm just doing that because Carole and I used to work with somebody who did exactly that on the international conference call.
Carole Theriault
And it was 5 AM, we'd have to be called into the office to do that.
Graham Cluley
He would shout as loud as that to get through to the other countries. Anyway, and so 16,000 accounts were shut down for up to two weeks. Cisco spent roughly $1.4 million restoring the damage and paying people to restore it, which is a bit odd, isn't it?
Carole Theriault
But why wouldn't they just restore them? Don't you have to just press go back to yesterday?
Maria Varmazis
Just press Ctrl+Z.
Graham Cluley
I mean, what's the issue?
Unknown
Drag it out of the trash.
Carole Theriault
They would have backups, surely.
Graham Cluley
Well, you would think so, wouldn't you? And they also had to pay over $1 million to customers in refunds.
Carole Theriault
'Cause they're hosting all these Webex for other companies.
Graham Cluley
Well, yes. People would've had contracts and they would've had to say, oh, terribly sorry, you haven't been able to use it for two weeks. We're gonna have to—
Maria Varmazis
Those webinars that people were not able to host.
Graham Cluley
Oh yes, well that's right. Yeah, not just internal inside your company, but ones you would have been giving to customers.
Carole Theriault
Oh my God, the product marketing manager is going insane.
Maria Varmazis
Yeah, I'm just thinking from the marketing team, oh, there goes a whole calendar.
Carole Theriault
Frank, we've got a problem, we gotta change the landing pages.
Graham Cluley
So who's at fault?
Maria Varmazis
Real, too real.
Graham Cluley
Who's at fault? Who's at fault?
Maria Varmazis
The guy who did it.
Graham Cluley
Yeah, ultimately him. Yeah.
Maria Varmazis
Yeah, I mean, yeah, it's a bit like leaving your car unlocked, right?
Carole Theriault
So if I left my car unlocked and then someone stole something from inside my car, which has happened to me, whose fault is it, right? Ultimately, it's the person who stole the thing from my car because it is parked in my drive, but they're opportunists. And you'd say, well, lock your doors, dumbass.
Graham Cluley
Yeah. So Cisco should have locked their doors, dumbass, shouldn't they?
Maria Varmazis
He had the kind of, I'm guessing, pretty high-level privileges to do that much damage that easily. I mean, nobody locked his account down. Not even a little bit? I mean, geez, 5 months later. I mean, I can understand if it was the day after he left, but 5 months later.
Graham Cluley
My guess is that when someone like Ramesh left employment at the company, they may well have revoked his access to Active Directory and his ability to log into his email or something like that. But I wonder whether access to that AWS server was something which was available to many people in the IT department and maybe they were sharing credentials.
Maria Varmazis
Oh, shared creds. Yep.
Graham Cluley
And I think that's probably what was happening. And it's hard to work out if you do share credentials inside an IT team, who might know those login credentials. And it's a pain to change them because that's gonna affect lots of other people and lots of other services.
Carole Theriault
Well, not if you use a really good password manager. Well, it simplifies it a lot, right? Because you can change it at the admin level for everybody.
Graham Cluley
Yeah, I suppose so. But if you also have services which might be logging into these systems and it may be it's grabbing the password from somewhere.
Maria Varmazis
It's gonna break everything.
Graham Cluley
The real mistake here is sharing passwords, right? Is that there are teams of people where the password will be known to a variety of people and they'll log in, they'll be doing administration and all kinds of different maintenance and other work on a particular system. And the thing is that they don't have individual passwords, so you can't just revoke that person's password.
Carole Theriault
It's great advice. We share passwords.
Graham Cluley
What passwords are we sharing?
Carole Theriault
Yes, we share passwords to run this podcast.
Graham Cluley
You and me?
Carole Theriault
Yes.
Maria Varmazis
You're not Cisco though.
Carole Theriault
No, I know we're not Cisco, but I'm saying we know better and we do it because the workaround to do it any other way is too complicated, just ridiculously too complicated.
Graham Cluley
And can I assure you, Carole, that if one of us were to leave Smashing Security to set up a podcast about, I don't know, pickly predicaments or something, if that took off and they weren't interested in Smashing Security anymore, then I would change the pass— or whoever remained would change the password of those accounts so that you or whoever had left would no longer be able to access them.
Carole Theriault
Really?
Maria Varmazis
So Graham, does this mean you're joining our podcast now? Is that what I'm understanding? That's what it sounds like to me.
Graham Cluley
So there's clearly some negligence on the part of Cisco. They should have changed the login credentials, right? Just like you'd expect when people leave a company to hand in their badge or give in any keys which they have to unlock doors. But shared credentials, bad, bad, bad ideas.
Maria Varmazis
Especially for something that business crucial, like the keys to the kingdom. I mean, it's one thing to say, you know, here's the marketing login for our, I don't know, something really unimportant, but your admin credentials for your entire WebEx product?
Unknown
Ugh.
Carole Theriault
So did Cisco call Sudhish in when they figured out what happened and say, look, we obviously dismissed you in a bad way, and offered him a nice severance package and a hug? And a donut.
Graham Cluley
I haven't been able to get to the bottom exactly what his beef was with Cisco and what made him do this. Some months later, it's not really an act of passion, is it?
Maria Varmazis
He was stewing on this.
Graham Cluley
Unless your passion takes 5 months to stir. You know, you can be angry with a company, but you're not angry necessarily with its customers, and you're not probably angry with most of your former colleagues. So remain professional. Don't take it out on them because—
Maria Varmazis
But what if you are though? What if you do hate all your former colleagues? Is it justified then? Maybe just a little?
Graham Cluley
This case reminded me a little of the case of Terry Childs. Do you remember Terry Childs? He was a former network administrator at the city of San Francisco about 10 or 15 years ago.
Maria Varmazis
I remember his name.
Graham Cluley
Right.
Maria Varmazis
Well, yes, I actually remember. I remember this.
Graham Cluley
He infamously locked up the city's entire network for days back in 2008, resetting all the admin passwords so that only he knew them and he refused to reveal them to anybody. And the excuse he gave, and you know, he was arrested and things and for about a week and a half, nothing was happening because he said, no, I'm not going to tell you the password. You can't log in. And he claimed he wasn't going to tell the bosses or the managers the passwords because he was concerned that they would indiscriminately share those credentials with third-party contractors. And so he didn't like that people were being careless with passwords.
Maria Varmazis
So he was like, I'll show you, show you the vault. You cannot break it.
Graham Cluley
And ultimately, oh my gosh, ultimately the mayor of San Francisco had to personally go and chat with him to get the password because he was considered the only trustworthy person.
Maria Varmazis
Yeah, that doesn't sound just like a typical, quote, rogue employee. Yeah. I think there's some mental stuff going on there because that's his baby or something. That goes beyond.
Carole Theriault
I know, but I wonder how much it actually hurt their bottom dollar. What percentage did it actually hurt Cisco? 0.1%? 0.001%.
Maria Varmazis
Yeah, $1 million fine is nothing for a company like Cisco. It's just absolutely, you know, change.
Graham Cluley
What are you saying, Carole? Are you saying— so this is—
Carole Theriault
I'm saying it's a very heavy sentence.
Graham Cluley
Well, you need to tell people don't do this, right?
Carole Theriault
There's different ways to say that. I'm not saying that he shouldn't be punished. I'm just thinking 2 years in the clink and a $15,000 fine, that's more than, you know—
Graham Cluley
Well, ruined the tone of the fun podcast. Okay, sitting with that one.
Maria Varmazis
For a moment. Okay. All right. Story took a dark, dark turn at the end. Woo!
Graham Cluley
Maria, what do you got for us this week?
Maria Varmazis
Santa Claus?
Carole Theriault
It's that time of year.
Maria Varmazis
Yeah, I wish I had my sleigh bells here. So did you know that Zoom Santa is a thing?
Graham Cluley
Zoom Santa?
Maria Varmazis
So it's not Santa just going really fast. Right.
Graham Cluley
Santa on speed.
Maria Varmazis
Mm, it's virtual Santa visits are a thing this year. So since little kiddos can't go sit on Santa's lap at a mall or wherever, a lot of actors who portray Santa are allowing little kids to visit them virtually for some amount of money. The Santa will pop up on a parent's screen and they'll talk to the kids and everybody's happy. So it's exploded in popularity this year because everybody's stuck at home and people want to give their little ones a bit of Santa magic. Even the famous Macy's in New York, they have this huge Santa Land that they do every year, and they even— that has gone completely virtual. I've been actually very impressed with how people have gotten creative. There's an app called Portable North Pole where Santa will call your kid via the app on Christmas Eve. Oh, it doesn't sound scary to me at all. Websites like Kringle Mingle, which I just love because of its name. And are you familiar with Cameo, the website?
Graham Cluley
Yeah, Word Up. Yeah, I remember that. The guy with the red codpiece.
Maria Varmazis
Yeah. No, I don't know what that is.
Carole Theriault
Early '90s. That's an early '90s joke.
Maria Varmazis
That's a very specific reference I don't get. But Cameo now is an app. I think I broke somebody or somebody broke himself. I think it's Graham. Oh, are you okay?
Graham Cluley
Can we invite him to the Christmas party livestream, Carole?
Carole Theriault
Go ahead.
Maria Varmazis
Oh my gosh, you should! Pay for Santa to do the thing. That would be amazing. A Santa bomb. On Cameo, which is an app where you pay a celebrity a small amount of money for them to give you a 30-second message. Oh, really? There's a Santa scuba diver, a singing Santa with an electric guitar, stripper Santa. So be careful with that one. And my favorite is Santa Gilbert Gottfried. You know Gilbert Gottfried, right?
Graham Cluley
Who's Gilbert Gottfried?
Maria Varmazis
You don't know the comedian Gilbert Gottfried, who has a very distinctive voice?
Carole Theriault
I know him.
Maria Varmazis
Okay. Yeah. Link in the show notes. I guess the moment you hear his voice, you'll recognize him. He's very distinctive and he'll dress up as Santa and give you a very hilarious message anyway. So these are all virtual options for Santa visits in any way, shape, or form. So it makes sense, right, with all this exploding this year, that scammers would go, you know what, maybe we should get in on this action. So if you can get a phone call from Santa or Stripper Santa, why not also get a nice little pretty handwritten letter from—
Graham Cluley
Oh, that'd be nice.
Maria Varmazis
Yeah, right, sounds pretty delightful. So this scam starts with a letter in your email unsolicited, of course. And this unsolicited email offers a beautiful, artisanal, small-batch handwritten letter straight from Santa. So just for you, Carole, straight from Santa to your dear little ones, or, you know, the adults in your life if they want this.
Unknown
To me?
Maria Varmazis
To you personally, just to you, for the low, low price of $20. Okay. Okay.
Graham Cluley
Anyway, Sudhish Ramesh, he pleaded guilty earlier this year, but he has now been sentenced to 24 months in the clink for what he did and to pay a $15,000 fine as well. And because he was here on a visa as well, I suspect he may find it difficult to stay in the States as a result after this.
Maria Varmazis
Yeah. And given that these Zoom calls from Santa start at around $50 for a 5-minute session, are you kidding me? I am not kidding you.
Carole Theriault
5 minutes, $50.
Maria Varmazis
Yeah, and it varies. I'm sure there's some cheap Santas out there.
Graham Cluley
What are we doing this podcast?
Maria Varmazis
I know.
Graham Cluley
I do a great Father Christmas impression.
Maria Varmazis
Do you?
Unknown
Oh, yes.
Carole Theriault
Why don't you do it for the show on Thursday?
Graham Cluley
No, Carole, no, Carole.
Carole Theriault
You sound like you have COVID.
Maria Varmazis
Yeah.
Graham Cluley
Oh, yeah. That's not good for this time of year, honey. Santa's got consumption for Christmas.
Carole Theriault
Have some water there, dear.
Maria Varmazis
Okay, terrifying. It's great. So given that those Zoom calls are a lot more money than a $20 letter, someone who's tight on cash might go, that seems like a good bargain.
Graham Cluley
Yeah.
Maria Varmazis
So I'm sure you both, being savvy folks that you are, and our listeners who are very, very smart and beautiful people, heard the phrase unsolicited email and said, uh, yeah, that seems like a bad idea, because it is.
Carole Theriault
Oh no, I might click on something like this.
Unknown
Yeah, if you were in a rush or just very, you know, pandemic haze.
Maria Varmazis
Or dumb.
Unknown
Yeah.
Carole Theriault
Or maybe stuck for a gift and thinking, oh my God, I know a kid who will love this.
Graham Cluley
Oh, but Carole, Carole, Carole.
Carole Theriault
I'd probably then go and Google it afterwards.
Graham Cluley
No, no, no, no, no, no, no. What you would actually do is you would get the email, say, oh, that sounds like a nice idea. $20 for an artisanal handwritten letter. And then you think, why don't I write my own flipping letter and put it in the post to my kids?
Maria Varmazis
You have perfume-scented cotton rag paper and a beautiful quill pen with a really nice italic nib. I doubt it.
Carole Theriault
That's how they get you, Graham. You see, you gotta come in prepared.
Graham Cluley
They're not gonna know the cut of my nib.
Maria Varmazis
The cut of your nib? Is it a flexi nib? No. So I'm sure you know what happens. There's a link in there. Yes, a flexi nib is not dirty.
Graham Cluley
Excuse you, it sounded dirty to me. It sounded dirty, that's why I ignored it. Listen, just because you don't know fountain pens— whatever, we've gone totally sideways. So there's a link in that email, which of course is phishing, and it grabs the sensitive information from the person who has unwittingly clicked this link or wittingly clicked the link.
Carole Theriault
Of course, because the PII to personalize the letter. Of course. Right?
Maria Varmazis
So you definitely need to give Santa your Social Security number because, you know, how else is he going to verify that it's you? So.
Graham Cluley
He needs to check his naughty and nice list, doesn't he? So he needs all your details to make sure he's worked out who the right person is.
Maria Varmazis
Gotta run a credit check, and this is gonna be a hard credit check because I wanna see if you're up on your bill payments. That's why. That's what Santa's up to.
Graham Cluley
Carole, what have you got for us this week?
Carole Theriault
Listeners, and you guys know that I'm a bit of an Apple fangirl. I don't wear the t-shirt, but I do sport the AirPods.
Maria Varmazis
Did you cry when Steve Jobs died?
Carole Theriault
I don't know if I cried, but I was shocked. I was like, who's going to wear a black turtleneck now? Oh, really?
Graham Cluley
Wow.
Maria Varmazis
Because I know people who did. So not me. Not me.
Carole Theriault
To be clear, you are all Mac heads, aren't you?
Maria Varmazis
Or no, I am. Yeah.
Unknown Guest
Yeah.
Graham Cluley
I've got Apple Mac. Yep.
Carole Theriault
Literally, if someone gave me a Windows or Linux machine right now, I would literally just hit buttons a bit like a Pavlov's dog or something because I would literally not know how to open an app.
Graham Cluley
I'd punch them in the face. I'd say, what are you doing? Give me this. Don't you know it's Christmas? Do you know what a hard year it's been? Give me a flipping MacBook. That's what I want.
Maria Varmazis
Noted.
Carole Theriault
Okay, so Apple have been in the press tons, tons, tons this week, and we're gonna focus on one of their stories. Okay. The game is easy, right? It's a thumbs up or thumbs down. Do you agree or disagree with Apple's decision in this case?
Graham Cluley
Oh, you want us to do some sort of visual?
Maria Varmazis
Visual on the podcast.
Carole Theriault
I don't know, I thought you could just interpret it and say my thumb is up.
Graham Cluley
Okay, okay.
Carole Theriault
Yeah, or my thumb is down. You could just say it. Okay, so number one is that Apple said it will further strengthen its security by requiring its app developers to put privacy labels onto their apps. Now, this so-called app privacy, it's called nutrition labels. So Apple.
Maria Varmazis
All right, I'll give it a moment. All right, yeah.
Carole Theriault
And it's, you know, it's the idea is to make it clearer what data apps are collecting.
Graham Cluley
All right.
Carole Theriault
Once implemented, apps will no longer be able to track users based on their individual device ID or IDFA, limiting their ability to sell or generate ads. So the question really is, is this a privacy landmark? I mean, Apple are a pretty big player and could it lead to a culture of, you know, pro-privacy app development because they don't want to have to go through all the hoops that Apple put in place for those that are trying to snuffle up data.
Maria Varmazis
Or if I'm the user looking at this, it just tells me what's going on, but doesn't actually give me the power to do anything about it. Right.
Carole Theriault
You cannot use the app and you can obviously change the settings in the app. So I don't know what the list is yet from Apple.
Maria Varmazis
Yeah. So my question, I don't know if you can answer this, but when I was an Android user for years, it would give you the option to say, I don't grant it permission to do this, this, and this. You could uncheck stuff. And that's what I've been wanting from Apple for a long time is it's like, I don't want them just to tell me what you're going to do. It's like, I'm okay with three of those four things, but can I just undo the fourth thing?
Graham Cluley
Yeah.
Carole Theriault
Every time the app updates, can you not reset the settings to a default?
Maria Varmazis
Yeah. The notifications or whatever. Yeah.
Graham Cluley
I think you can already do that with some things in the iOS App Store, for instance, regarding location, can't you? So when an app asks for access to your location, for instance, you can deny it or you can even say, you know, yeah, you can have my vague location, but you don't get my base, you know, you don't get my real specific location.
Maria Varmazis
Who asked him? Well, who cares?
Carole Theriault
No one. But he— yeah, he stamped his little feet. So back in October, he started whining, saying that the move will impact the economy as the world tries to recover from 2020.
Maria Varmazis
Oh, get over it.
Carole Theriault
Basically saying that small businesses rely on the inflow from Facebook ads and this move will hurt them. And do you really want to do that, Apple? You bad, bad people.
Maria Varmazis
How much money has he made this year alone? I'm not— he can give some of his money to those guys. How about that? He'll only make $2 billion this year.
Carole Theriault
Oh no.
Maria Varmazis
Or whatever obscene amount of money.
Carole Theriault
So then Facebook-owned WhatsApp waded into this privacy stew, saying that Apple's new privacy law was problematic because the privacy rules did not seem to apply to the company or Apple's own apps. So iMessage or FaceTime, for example.
Graham Cluley
Right.
Carole Theriault
Which are pre-installed with the iOS.
Graham Cluley
Right?
Carole Theriault
So it's only from the App Store. So they're saying, well, because they don't have to go get these apps, they're not going to have this. And that's not fair. And this complaint was rebuffed really quickly because Apple said, oh, that's a good point. We'll just do it on our apps too.
Graham Cluley
Yeah.
Carole Theriault
So, so app—
Graham Cluley
Damn, they said. They foiled us.
Carole Theriault
So Apple has required that app devs submit their privacy detail labels by December 8th, which was last week. But it's anyone's guess when we'll see them onto the App Store or on the Apple website.
Maria Varmazis
So the devs are self-reporting.
Carole Theriault
The devs are going to be self-reporting, and I guess you'll be able to report a concern if you think that something's not right.
Maria Varmazis
Sorry, that's my bar.
Graham Cluley
I presume that if an app is misreporting, then it can get flung out of the App Store.
Carole Theriault
Yeah, that was another side point that Facebook made, that it said, look, you know, with all this stuff, you're not actually saying how much we try to protect people's data. You're just saying what we take.
Maria Varmazis
If you're a real fangirl or fanboy is if you cried.
Carole Theriault
You're not saying what we do that's good. And maybe you need to get— and I mean, I think that'll happen over time.
Graham Cluley
Because Facebook's been amazing over the years, hasn't it?
Carole Theriault
Oh, I know. Don't you think? I love them.
Maria Varmazis
Yeah, and not only that, but it's well, yeah, if you're taking the data, we know for sure that nothing bad ever happens to data when someone's hoarding it, right? No breaches, nope, never gonna happen.
Carole Theriault
Okay, so that one, thumbs up, thumbs down for Apple?
Maria Varmazis
I mean, it's not a bad idea. I just, it just seems like it's not gonna do a whole lot really.
Graham Cluley
I'm not gonna give it a complete thumbs up. I'm gonna go mostly thumbs up.
Carole Theriault
Because?
Graham Cluley
Well, I'm a little bit cautious because of course, Apple inevitably likes to run quite a closed shop because the way they operate, and I'm sure that part of their intention may be to get people to use their own advertising system. And we know how Apple already takes an immense amount of cash from app developers.
Carole Theriault
30%. I think it went down lower for small developers.
Graham Cluley
Yeah, it's changed for people who are making, I think, less than $1 million a year out of their apps. So it's gone down a little bit, but historically they have taken a huge amount of cash from app developers. So I'm a little bit guarded on it because I think already app developers are giving away their hard work for 99 cents. You know, it's hard to make a living, I think, that way. So I think there is maybe more Apple can do, but generally more information about what an app is going to do with your data sounds like good news to me.
Carole Theriault
Way to go sit on the fence there, Clue.
Graham Cluley
Thank you very much. I'm very comfortable here.
Carole Theriault
I bet you are.
Maria Varmazis
I think that it's— I echo those comments. That just— the phrase that kind of pops in my head is privacy washing, or sort of like whitewashing. The phrase doesn't really work, but it's just washing your privates. Exactly. Just it gives the appearance of adding to your privacy while maybe not doing a whole lot for it. I mean, it's good to have that information, but effectively, what can anybody do about it?
Carole Theriault
Go and change their settings on their phone.
Graham Cluley
I think most people will probably not pay that much attention to it. But when someone notes that what an app is claiming is different from what it actually does, then they'll be able to be hit with a large cricket bat and maybe booted out of the App Store. So I think actually it's maybe more about that and a way of enforcing removal from the App Store than actually directly helping.
Carole Theriault
I mean, Apple could just kick out whoever it wants, surely.
Maria Varmazis
True. Knowledge is power, right?
Graham Cluley
But, you know, they're going to have to very clearly determine and define how someone has broken the rules. So if you have a rule like this, that gives them another method of kicking people out.
Maria Varmazis
Yeah, that's true.
Carole Theriault
Well, I think you're both very cynical. It's Christmas. I think it's a great move.
Maria Varmazis
It's not a bad move.
Carole Theriault
I think Apple have acted fairly competently in terms of privacy, despite having to fight off other big technology companies that don't take privacy or security so seriously.
Graham Cluley
Such a fangirl.
Carole Theriault
It drives me nuts. Yeah, well, at least I own it, Graham. What would happen if there was a fire in your building? Probably an alarm alerts you to the danger. Emergency operators get you connected so you get help, and firefighters snap into action to put out the flames. When it comes to Kroll Responder, it's the alarm, the operator, and the fire department all rolled into one. You see, Kroll Responder merges hunting, detection, containment, and remediation to deliver best-in-class endpoint security. Kroll responds to over 2,000 cyber incidents every year and is uniquely positioned to bring that capability and expertise 24/7 with Responder. See how Kroll's Responder works at smashingsecurity.com/kroll. That's K-R-O-L-L.
Maria Varmazis
Right. And only when you're in the app. Yeah.
Carole Theriault
The way I see that is that I think you can control a little bit what apps do. You can say, for example, you can't look at my pictures and no, you can't have access to my microphone, but you have to go through and do that manually for every single app. And you may not even think, it may not even dawn on you that the app would be taking that information. So this way, for those that are, what? Wants what? You know, they might be surprised enough to go check their configurations then. So I think there's something cool about that. Of course, not everyone is happy, right? Advertisers, for one, are all up in arms. You know, how can they sell if they can't secretly snarfle PII from app users? You know, what do you think we're going to do all day? Another grumpy sausage in this fiasco is the Zuckster himself.
Graham Cluley
This episode of Smashing Security is sponsored by LastPass. Now, everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show. And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week.
Carole Theriault
Pick of the Week.
Maria Varmazis
Pick of the Week.
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.
Carole Theriault
Better not be, especially in our last episode of the year.
Graham Cluley
Well—
Carole Theriault
Ah, clue!
Graham Cluley
I want to take you back to 1969 when the Zodiac Killer was at large.
Carole Theriault
Oh yes, I read about this.
Maria Varmazis
Yeah, yeah, yeah. Oh, Ted Cruz was roaming the streets.
Graham Cluley
And there was a movie as well. I think I fell asleep during the movie when we watched it. Watched it together, Carole. So the Zodiac Killer, he claimed to have murdered 37 people in letters to the newspapers, but investigators at the time, they reckon there were maybe about 7 victims, 5 of whom were murdered. But the reason why the Zodiac Killer is remembered is primarily, I think, because of the coded letters which he sent to the San Francisco Chronicle and other newspapers.
Carole Theriault
Begging to be caught.
Graham Cluley
Yes, but because they were in code, many of them were not easily deciphered, and some had not been deciphered in the 51 years since. Until now!
Carole Theriault
Dun dun dun!
Unknown
Wow!
Maria Varmazis
Science is amazing.
Graham Cluley
3 guys worked on this, including an Australian and another fellow, and a guy called Dave Oranchak. And what's interesting to me, and my pick of the week this week, is not just the news that the FBI have confirmed that one of these messages has now been cracked, but also that earlier this year, David Oranchak began to do a series of videos all about the Zodiac Killer's code and his attempts to crack it. And there's a series of, I think, 5 episodes. It's a podcast, but in video form where you can watch his attempts and he discusses the challenge. And of course, in the final video, he only flipping well does it.
Maria Varmazis
Wowee.
Carole Theriault
Question.
Graham Cluley
Yes. Do you think this is something I could give to my husband as a Christmas present? 'Cause I don't have anything yet to give him. A link to a video?
Carole Theriault
Yeah, yeah. By putting a card or something.
Graham Cluley
It's a bit of a shit present.
Carole Theriault
What was it?
Graham Cluley
Could you ask Santa to write him a personalised artisanal letter instead?
Maria Varmazis
I'll send you a letter from Santa.
Carole Theriault
No, no, here's 3 hours of code-breaking stuff that you'll love.
Graham Cluley
What about the Santa stripper? Wouldn't he like one of those? Honey, he does not need a stripper. It's true.
Unknown
Well.
Carole Theriault
I'm just trying to think, you know, a bit laterally this year since—
Graham Cluley
Right.
Maria Varmazis
You're going to put links to YouTube in a card?
Carole Theriault
Here's a YouTube link,
Maria Varmazis
Here's a bunch of letters and numbers.
Graham Cluley
Romance isn't dead. It's the thought which counts. Does he listen to the podcast? Because it's just been given away. No.
Maria Varmazis
He doesn't listen to this podcast at all.
Unknown
No.
Maria Varmazis
Good for him.
Carole Theriault
Kelly, for Christmas. Occasionally maybe.
Graham Cluley
Well, this isn't the first encoded message attributed to the Zodiac Killer. There are still two others which remain to be decoded, including one which might contain the killer's name. So the work continues. But it's a fascinating series of videos, so go and check it out. I will put links in the show notes.
Carole Theriault
Cool.
Maria Varmazis
Interesting.
Graham Cluley
Maria, what's your pick of the week?
Maria Varmazis
My pick of the week is not about murders. Although sometimes murders are in them. I am in this pandemic feeling very badly the lack of access to the arts. Oh God, yeah. I am a dabbler in a lot of things, and even if I don't — things that are outside of my comfort zone, I try to expose myself to them a couple times a year. Like opera. I am not an opera nerd at all, but I enjoy some opera sometimes.
Carole Theriault
Yeah, I think I'm like that too.
Graham Cluley
Do you prefer going on safari?
Maria Varmazis
What was that?
Graham Cluley
Or polishing some chrome?
Maria Varmazis
What?
Graham Cluley
I'm making a joke about opera.
Maria Varmazis
Oh my god. A geek. You made a browser joke and I missed it. Yeah, god, you're so embarrassing. Geek card revoked. The browser's okay too, but I'm talking about the art form with people singing loudly. The Metropolitan Opera, the Met in New York, is the one that I would go to when I had access to it once in a while. And they have just launched a streaming video service, so you can watch their operas from their back catalog going back almost two decades now. I'm recommending it because you can watch it on your Roku. And even if you think you're not into opera, which a lot of people think they're not into it — I'm gonna recommend two. Just if you've got some downtime and you're like, okay, you know, I can use some culture.
Carole Theriault
I can't wait to hear which ones you recommend.
Unknown
This is perfect.
Maria Varmazis
Okay, if you've got a little one in your life or someone who just wants something really zany and wacky, the Met in 2006 put on an abridged English version of Mozart's The Magic Flute with puppets and live singers.
Graham Cluley
With puppets?
Maria Varmazis
Opera singers and puppets, both on the stage. It's a big spectacle, and I will tell you, my 3-year-old loves it. She loves it. She absolutely adores it. Oh, it looks beautiful.
Carole Theriault
I'm just looking at it now. Oh, I haven't — oh yeah, I don't know anything about it.
Maria Varmazis
Super abstract. If you ever watched Koyaanisqatsi — I can never pronounce those movies, you know, the time-lapse movies from the late '70s, early '80s. It's a really famous Philip Glass soundtrack.
Graham Cluley
Yes, very famous.
Maria Varmazis
Yes, famous in certain art nerd circles, I guess, film nerd circles. Akhenaten is really cool. It's about the pharaoh Akhenaten and how he kind of started monotheism. But it's very abstract and a visual feast. And I've— I just really enjoy it. There's a lot of other classics. All the classics are on the Met Opera. So if you want to watch La Bohème or whatever, you can go watch it there too. But these are two that I'm recommending.
Carole Theriault
Great pick of the week.
Maria Varmazis
Yeah, so something to do over Christmas break, I suppose, if you want a little culture.
Carole Theriault
How does it work? Is it a subscription fee, or—
Maria Varmazis
It is. It's, so think of it like Netflix but for opera, I guess. And I have it on my Roku so I can watch it with a glass of wine. And I think it's $15 a month, but you know, you don't need to subscribe all year. You can just do it for one month and cancel. Yeah, I just thought it was a really interesting thing because it gives me access.
Carole Theriault
Oh wow, this looks cool, the Akhenaten thing.
Maria Varmazis
Oh, it's super, super, super neat. Just Google it. There's a bunch of, it debuted in London and then it was a whole thing in New York, and there's a bazillion articles about everything that went into it because the lead singer for this, he had to, he appears in the nude every performance and he had to shave his body every day. It was a whole thing. Really fascinating.
Graham Cluley
I know that feeling. Yeah. And even if you're, oh, my kid would never like it, just try it. I don't know. Well, don't try that one. Don't try the one where you want to eat kids.
Maria Varmazis
In the video version of Akhenaten, he's not nude. They gave him underwear because America.
Graham Cluley
Oh, okay.
Maria Varmazis
But the Magic Flute in English abridged is very much a doable watch for—
Carole Theriault
There's a big difference between nude and naked, Clue.
Graham Cluley
Is it?
Carole Theriault
Oh, I think so.
Maria Varmazis
That sounds like a bit of a sticky pickle, Carole.
Graham Cluley
Carole, what's your pickle of the week?
Carole Theriault
My pick of the week, since it's my last pick of the year, I'm choosing a sci-fi audio drama podcast.
Graham Cluley
Oh, what's this?
Carole Theriault
This is not a new podcast. I think it finished— the last episode was maybe middle 2018, something like that. New to me though. And it's called Ars Paradoxica. It's created by The Whisper Forge. And here's the blurb: When an experiment in a time much like our own goes horribly awry, Dr. Sally Grissom finds herself stranded in the past, knee-deep in some secret U.S. government plans involving time travel. They grapple with fiddling the fundamental logic of the universe, always hoping to see there'll be no adverse effects. There are. Ooh. It's a great cast, great writing, great soundscaping, great editing, great production. Really, across the board, amazing. Graham, I do not recommend it for you. The story is very complicated, and I literally do not think you'll be able to follow it for— I think you'd just be, "What? What? Who is this now? She sounds the same as the other person. Ah, God!"
Maria Varmazis
It sounds very up my alley. That sounds super cool.
Carole Theriault
It's just nerdy and great and passionate, and I just think it's fantastic. They seem to have quite a few others on the Whisperforge that I haven't checked out, so that is what I'm going to be doing when I'm redecorating my office over the Christmas holidays. But check it out. So it's Ars Paradoxica. There's 40 episodes, guys. There's loads.
Maria Varmazis
I think I've heard of one of their other ones, The Far Meridian.
Carole Theriault
Oh, I think I've heard of that one.
Unknown
Yeah.
Maria Varmazis
Yeah. Interesting. Oh, cool.
Carole Theriault
So check it out. Whisperforge. It's called Ars Paradoxica. You can find it wherever you get your podcasts.
Maria Varmazis
Can I mention something? Yeah, about a previous Pick of the Week. John Reisheider's— did I pronounce his last name correctly? His Oral Breeze. Oh yes, I have that. It's amazing. And we heard about it on the show. I'm one of those people that needs stuff like that. I'm super, super, super glad.
Graham Cluley
So you've attached something to your shower head?
Maria Varmazis
I have, I have.
Carole Theriault
Do you know what? I looked for it here. You can't get it in the UK.
Maria Varmazis
It works a treat.
Carole Theriault
Yeah, you can only get the handheld one.
Graham Cluley
I think it's an EU thing, Carole. I think after Brexit we'll definitely be able to get it. I think it's like chlorinated chicken.
Maria Varmazis
Oh, chlorinated chicken. Delicious. Oh yeah.
Carole Theriault
Oh, life's going to be so much better in January.
Graham Cluley
It's going to be wonderful. It's going to be wonderful.
Carole Theriault
Now, I think we said no to chlorinated chicken, did we?
Graham Cluley
I think we're probably about to say yes to it.
Unknown
Oh God.
Graham Cluley
Frankly.
Maria Varmazis
You're going to get it whether you like it or not.
Graham Cluley
Yeah.
Maria Varmazis
But if you can get the oral breeze, love it.
Graham Cluley
Carole, we've got a featured interview again this week, haven't we?
Carole Theriault
We do, the last of the year. This is Kroll's Mari DeGrazia, digital forensics expert, giving us insight into their wicked cool tool Responder. I learned so much here. Check it out. So today we're speaking with Mari DeGrazia. She is one of the managing directors in Kroll's cybersecurity team, and I have so many questions. I don't even know where to start. So maybe first, thanks for coming on the show, and maybe you can tell us just a bit about you and how you ended up being one of the head honchos at Kroll's cyber team.
Mari DeGrazia
Oh, thank you so much. And I'm actually an associate managing director, so I'm so close to managing director. So thank you. You're giving me inspiration for the next jump in my career. So a little bit about me, I've been in the IT industry for about 20 years now specializing in what we call digital forensics and incident response for about the last 10 years. And it's absolutely a field that I have grown to love. You know, computers and security, as you know, there are so many different facets to it. And I kind of started out my career doing IT support, crawling around underneath the desks. You know, I remember people playing pranks on me. They would switch the monitor cables and say that they were having issues. You know, I think they just like to torture me a little bit.
Carole Theriault
Why would they torture you more than anyone else?
Mari DeGrazia
I think I just got picked on, you know, geeky kid getting into technology.
Carole Theriault
Well, who's laughing now?
Mari DeGrazia
I know, right? Suckers. And then from there, I think, you know, I had kids and I had to make a decision. Do I want to stay at home with my kids and raise them? Do I want to keep on pursuing my career? So I decided I wanted to stay at home with my kids and be there.
Maria Varmazis
Yeah, the Met's one of the biggest opera houses in the world. They have a lot of cash, so they did it up really nicely.
Mari DeGrazia
But I still wanted to keep up my skills. So when I was ready to re-enter the workforce, I could make that transition back in, especially with technology. It changes so fast.
Maria Varmazis
So this is a great one for kids, even if you're like, my kid will never sit through it. It's a big flashy spectacle, and my daughter just adores it. So Magic Flute in English is one. And the second one, if you want something really way out there, you may have heard of it because it made the news last November, pre-pandemic.
Carole Theriault
Totally.
Carole Theriault
Yeah. So you don't want to lose those skills that you've worked on, like crawling underneath desks.
Maria Varmazis
It's Philip Glass's Akhnaten.
Mari DeGrazia
I did not want to lose that, right? So when they got older, ready to transition back out into the market, I actually started looking at Craigslist for a full-time job. And this was over 10 years ago when digital forensics in the security field, I feel like it was relatively new at that point in time.
Carole Theriault
And I said, yeah, sure, yeah.
Mari DeGrazia
And I saw this ad in Craigslist for a digital forensics assistant. I'm like, what is this? I had never even heard of it. So I went in for the interview with all women working there. And I'm like, in the IT industry to have something like that? And I was like, please, please, please let me get this job.
Carole Theriault
And what year is this, do you think? This is 10 years ago?
Mari DeGrazia
Yeah, 10 years ago. Yeah. So I was really impressed. You know, she had started up the company. She made the transition as well into the field. Her story is interesting. You know, she used to work with attorneys doing the IT support, and they started getting these cases, and they're like, we need somebody to help us with these cases. So she's like, you know, this is the field I need to go into. So really inspirational as well. So I took that job and absolutely fell in love with the field, and I've just been off and running since then.
Carole Theriault
But what did you have to learn? How did you make that leap from your previous career? That was a humongous learning curve, but you were hungry and you wanted to learn, or were you just built for this?
Mari DeGrazia
I think I want to say a little bit of all of that, right? The first week that I showed up, she was actually testifying in court. And I'm like, what does this program do? And it's one of the main forensic programs out there. And there's a manual sitting on the bookshelf, and I just pulled that out and I started going through it. And then I went on Amazon and I started looking at books and I started reading the books. And I really was self-taught, I want to say, for the first couple of years before I actually got official training in the field. Because it was still kind of new back then. When I went to college for my computer science degree, I felt like there were only two degrees. And now there's so many more degrees to choose from that are all related to different aspects.
Carole Theriault
So if I say in short, you're this cyber super PI, right? Move over Magnum, okay? You have nothing. You have nothing on Mari.
Graham Cluley
Okay.
Mari DeGrazia
Also, one of the things that I really enjoy about this industry or digital forensics, it's not just about understanding technology, understanding the computer system, understanding the artifacts. It's also having that investigative mindset. You get to dig through people's internet histories, which is opening up a medicine cabinet and seeing what you can learn from somebody just by digging through all of their things. And it's just fascinating to me.
Carole Theriault
So, okay, so digital forensics, it's kind of we all of us know all about crime forensics from TV, from things like CSI and Law and Order and all this stuff. But how is it different? Is it very different, or can you just get rid of all the smoke and mirrors for us? Tell us what digital forensics is.
Mari DeGrazia
Yeah, so I think one of the biggest differences is in these crime shows, detectives will show up, and they'll just jump on a computer and be like, "Oh, I opened up the browser. Look at all these things that they were looking at." In forensics, we have this concept of preservation, especially if the case is going to end up in court. So potentially an argument might come up, "Well, when that detective was on the computer, they changed this, they did that, they altered the evidence, they tampered with the evidence." You know, if you're talking about a computer with a 2 terabyte drive, it might be 6 hours just for us to make a copy of that before we start working on it. So honestly, it's probably not that exciting for somebody to sit here and watch me work on my computer for 8 hours a day like they make it look in the movies.
Carole Theriault
I really think, screw those shows because all the millennials that watch those shows and thought, "Wow, this is exciting. I don't have to do any paperwork ever." It's not true. There's paperwork in all these places. Yeah, so you're all about protecting the data to make sure that it doesn't get corrupted in any way between A, when you find it and B, when you have to maybe present it in a court of law.
Mari DeGrazia
Exactly. And we kind of have this crossover into what we call digital forensics and incident response. Incident response can be a little bit more what we call hands-on keyboard, live. We actually deploy endpoints out to various systems that allow us to collect that data, to look at the systems in live time, collecting live telemetry information from them. That's part of our responder package. So there is kind of this crossover depending on the type of case it is. You know, if we have something that's anticipated to go into court and you have an expert that's testifying, it's going to be handled a lot differently than if a client is going through a major issue. We have to show up, we have to figure out what's going on, we have to figure out how the hackers got into the network, we have to figure out what they stole. Then it's like, yes, we are moving very fast. We're deploying endpoints, we're chasing the hackers through the network. We're working on getting them out. And then it's not necessarily preserving evidence. The chances that this company is going to prosecute someone that's launched ransomware from another country is a lot different way that we approach that type of case.
Carole Theriault
So people find themselves in the soup, as we say in the UK, right? And maybe they're facing a huge ransomware request, and all their data's being tied up or they've been breached and they come to you. So what happens? How does it work?
Mari DeGrazia
Yeah, absolutely. So a lot of times companies actually don't know something's going on until they're notified by a third party. So to give you an example of a case I worked, there was actually another third party company and not a government agency, but they had actually hacked the hackers and had found our client's IP addresses on their system. So they contacted the client like, hey, we have these IP addresses, there's a good chance that some of your systems have been compromised. You just kind of need to take this information and do what you will with it. So our clients call us up, they're like, okay, we traced it back to these systems, we've blocked these IP addresses, we don't really know what's going on. Before COVID we would rush on site, hold their hands, kind of walk them through it, give them that comfort level, hey, we're here to help you.
Carole Theriault
I didn't even think about that. Of course COVID affects that as well. You can't even go on site.
Unknown
Yeah.
Graham Cluley
Wow.
Mari DeGrazia
Yeah, so part of our job is really, you know, one of the first things I find that I do a lot is just like, hey, you know, everything's going to be OK. We're going to help you get through this. We're here to help you. So now we give the virtual hug over, you know, WebEx call the best that we can. So, you know, we arrive on site. We help them identify potentially what systems may have been compromised. And we start working with them to deploy our endpoints across their environment so that we can start to get visibility. In this particular case, it was really interesting because I started to collect memory from one of the systems.
Carole Theriault
What does memory mean? What do you mean by memory?
Mari DeGrazia
Oh yeah, memory. The RAM on your system is constantly caching information from your browser. It's temporary though, so as soon as you shut down your system, you know, it's gone, right? So, if a system is shut down before we get there, potentially we can lose information that would only be available in the memory of the system, which is why it lets our modern-day systems operate so fast because memory is one of the fastest components in a system.
Carole Theriault
So, would you say if something dramatic happened and I was about to call you Batman guys in, like, Kroll, come to help us, right? Would you say don't switch off the system?
Mari DeGrazia
Yeah, and what we would typically recommend is to disconnect it from the network, you know?
Carole Theriault
Right, take it off the network, but don't turn it off.
Graham Cluley
Yeah.
Carole Theriault
Keep it powered.
Mari DeGrazia
Yeah, because there's so many things that can be in memory that attackers do that we just can lose visibility into if the system gets shut down.
Carole Theriault
Interesting, okay.
Mari DeGrazia
So in this case, I actually found open connections to a system. When I pulled memory, I could see that there was an open network connection to an external IP address. I was like, wait a minute, I thought you said you blocked this IP address. And you know, they're running around like, we thought we did, we thought we did. What system is this on? I'm like, oh, it's on blah blah blah system. They're like, wait a minute, that processes all of our credit cards. And next thing I know, the IT staff is running down the hallway just full bore, and everybody else is sitting in their cubes. And they're like, what's going on? IT staff booking it.
Carole Theriault
Okay, right. I'm picturing it.
Mari DeGrazia
So they run in there and, you know, they start, you know, they're trying to do the right thing. They're trying to disconnect their servers from the network. One they could, the other one, they're just like, we can't, screw it, just turn it off. And so they turn that one off. And so we had a chance to examine, you know, the system that was identified. And basically we had stopped the attackers from exfiltrating out a large credit card file. Basically, they had been collecting credit card data and it had been in an output file and basically stopped them from pulling back this file right in the middle of it. So it was a really exciting case. It was fun to work. The client was fabulous to work with.
Carole Theriault
And Mari, when are you going to sell your script to Netflix or something? This is, you know, move over old school murders. Let's get with the times.
Mari DeGrazia
I know I'm ready. They can call me any time.
Carole Theriault
Mari, tell me a bit about your Responder service. This?
Mari DeGrazia
Yeah, absolutely. This is really cool. One of the things I mentioned is when we show up on site and we respond to an incident that's going on, as part of our service, we deploy something called Responder. This is basically a 24/7 monitoring service. It's threat hunting, it's detection, it's response. A lot of times when companies are looking for additional security, this layered approach I was talking about, this is literally something you just install on your system, and then we just handle the rest. And it's different than AV in that we have live humans monitoring it. It's looking for specific activity that threat actors might do in a network. It's really cool, and it's something I think when I first started this industry, it wasn't really around, and it allows us to do so many things and build on top of existing AV at the same time.
Carole Theriault
Honestly, Mari, I think we've gotten more information in this little segment than I've done in the Yes, this has been amazing. Thank you so, so much. We've got how you work, where you came from, the whole process, how the technology works. Fantastic.
Mari DeGrazia
Great.
Carole Theriault
So listeners, to learn more about Kroll and the Responder Service, go to www.kroll.com/smashing. And that's Kroll, K-R-O-L-L. Thank you so much for coming on the show.
Mari DeGrazia
Thank you so much. I just have to say, I really do enjoy your podcast. It almost reminds me a little bit of Car Talk, but for technology people.
Carole Theriault
Oh, when I tell Graham that, he's gonna be thrilled.
Graham Cluley
Fabulous. Well, that just about wraps up the show for this week. Maria, thank you so much for coming on the show. It's always terrific to have you. I'm sure lots of our listeners would love to follow you online. What's the best way for them to do that?
Maria Varmazis
Oh, Twitter is the place to be. So @Mari DeGrazia is me on Twitter.
Graham Cluley
Fantastic. And you can follow us on Twitter @SmashinSecurity, no G, Twitter must have a G, and on Reddit, just search for Smashing Security up there. And don't forget, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.
Carole Theriault
Do you think people need to be told that they need to subscribe?
Unknown Guest
Yes.
Carole Theriault
Surely they know.
Graham Cluley
I don't know. I don't think they do. I think they really need to be told.
Maria Varmazis
Okay.
Carole Theriault
Again, huge thank you to our sponsors, Kroll and LastPass, as well as all our individual contributors via Patreon. You all rock. It's your support that helps make the show free for all. And details on past episodes and sponsorship, guest lists, and the entire back catalog of our pick of the weeks, you can go to smashingsecurity.com. If you can't make our Christmas party, we will see you on January 14th. So happy, happy holidays, everyone.
Graham Cluley
Absolutely. Thank you everyone for joining us this year, all of our guests as well. It's been terrific having you. Hope to see some of you at the Christmas party. Go to smashingsecurity.com/live. Until then, cheerio. Bye-bye.
Carole Theriault
Happy New Year.
Maria Varmazis
Happy New Year. Happy holidays. Happy holidays to you. Oh, Asthmatic Santa.
Carole Theriault
Please, God, we need one. Yeah, okay, boomer.
EPISODE DESCRIPTION:
Watch out for Santas wearing hoodies! A rogue employee takes down WebEx for thousands of people, and Apple forces apps to show a privacy health warning.
All this and much much more is discussed in the final episode of the "Smashing Security" podcast for 2020, with computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
And don't miss our special featured interview with Kroll's Mari DeGrazia.