
212: Dutch leaks, Peeping Toms, and researchers under fire


Google warns security researchers that North Korean hackers are pretending to be their buddies, sensitive information connected to Coronavirus testing is available for sale in the Netherlands, and is a Peeping Tom at your home security provider spying on you through CCTV?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Visit https://www.smashingsecurity.com/212 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. The rather bizarre story of a journalist who disappeared, and it turned out that her last journalistic endeavor was to interview a man on his private submarine.


CAROLE THERIAULT. Yes, submarine! The submarine story!


MARIA VARMAZIS. Yeah, I remember that. Yeah, yeah.


CAROLE THERIAULT. And he didn't— spoilers!


GRAHAM CLULEY. Fucking hell, Carole!


MARIA VARMAZIS. Well, now I don't need to see it. Jesus. And then he. What? Her What?


CAROLE THERIAULT. I was just remembering the story.


GRAHAM CLULEY. Isn't that the guy who went, bloop, bloop, bloop, bloop, bloop, bloop, bloop, bloop, bloop. Anyway. Smashing Security, episode 212: Dutch Leaks, Peeping Toms and Researchers Under Fire, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 212. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And we're joined this week by podcast listener favorite, it's Maria Varmazis. Hello, Maria.


CAROLE THERIAULT. She's also my favorite.


MARIA VARMAZIS. Hi, Maria. Hi, hi. I'm my favorite too.


CAROLE THERIAULT. Oh, how, how are you doing? How's 2021 so far?


MARIA VARMAZIS. Um, uh, so far okay. It's got a lot of opportunity to fuck up, but so you still got white knuckle holding on to whatever is around for Yeah, 4 years of— so, you know, it's gonna be interesting.


CAROLE THERIAULT. So let's say thanks to this week's sponsors, 1Password. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. Oh, I'm going to be introducing you to someone a bit beardy and wearing a hoodie in the Netherlands. Is he a hacker or not?


CAROLE THERIAULT. Maria, what about you?


MARIA VARMAZIS. There's some North Korean shenanigans going down in Google's Dutch story.


CAROLE THERIAULT. Oh, and I'm— We're going to see how low-tech a hacker can get. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, there is a fellow working at a company in the Netherlands.


MARIA VARMAZIS. Okay, I'm in.


GRAHAM CLULEY. He hasn't shaved for a while.


MARIA VARMAZIS. Same.


GRAHAM CLULEY. He's wearing a hoodie.


MARIA VARMAZIS. Same.


GRAHAM CLULEY. And he has an interest in the dark web.


MARIA VARMAZIS. Okay, that's where we diverge a bit.


GRAHAM CLULEY. But he's not a malicious hacker. He is Daniël Verlaan, who is a cybercrime reporter at the Dutch TV service RTL News. He's the guy who loves to dig up facts about what's going on on the dark web and amongst cybercriminals and all the hackers. And he's their cool technology guy. And it's his job to dig up details of what the bad guys are up to and uncover cyber goofs.


CAROLE THERIAULT. Goofs. Okay, this is what he does for a living, basically.


GRAHAM CLULEY. Yeah. Yeah.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. For instance, last November, he gained a little bit of notoriety because he gatecrashed a European Union defence minister's video conference call. This was after the Dutch defence minister accidentally posted the login details on Twitter. And I'll— What? Yes, I'm afraid it's still happening. So he wanted to show he was hard at work, so he took a screenshot and he posted up, "Oh, I'm about to join this video conference call with the other defence ministers of the EU." And our man decided to join the conference as well. Well, to the credit of the minister, he didn't reveal all of the PIN code, only some of the digits. So I think there were about 2 missing. And so this inventive young journalist—


CAROLE THERIAULT. Took 20 tries and got it.


GRAHAM CLULEY. Exactly. And he managed to get in. Well, so that gained him some notoriety, but he's now in the papers again because he has uncovered what appears to be a serious security breach, which has been happening in the Netherlands. He found that someone for months has been going onto Snapchat, onto Telegram, onto Wickr. What's Wickr? Wickr is an encrypted messaging service, a bit like Signal or Telegram.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Wickr is particularly beloved of drug users.


MARIA VARMAZIS. Is that the Bluetooth-only one, or am I imagining that?


GRAHAM CLULEY. No, no, no, you're thinking of a different one. Yeah, so Wickr isn't just for local contacts, can be anywhere. But with Wickr, you don't have to give a phone number, so you can— It's sort of like super secret.


CAROLE THERIAULT. Anyway. So if you wanna buy your jazz cigarettes, you do that on Wickr.


GRAHAM CLULEY. Okay, good to know, good to know.


CAROLE THERIAULT. Right, good to know.


GRAHAM CLULEY. And what he found is that someone has been advertising for months up there their access to sensitive data from the Dutch Health Service. Specifically, these people have access to databases of people who have taken coronavirus tests in the Netherlands.


MARIA VARMAZIS. Oh no.


GRAHAM CLULEY. Or have been documented in the test and trace system. So, their home addresses, their email addresses, their telephone numbers, their dates of birth, and their BSN. The BSN is the Dutch equivalent to a Social Security number.


CAROLE THERIAULT. Okay, so someone has been advertising this.


GRAHAM CLULEY. Mm-hmm.


MARIA VARMAZIS. Oh boy.


GRAHAM CLULEY. So you can pay between €30 and €50 and say, hey, can you tell me the home address, phone number, email address, and Social Security number of this person?


CAROLE THERIAULT. What, in this Wickr, Telegram? Yeah, yeah.


GRAHAM CLULEY. If you contact the hacker via the ad.


MARIA VARMAZIS. Wow, that's a good rate.


GRAHAM CLULEY. So, and you can get all those details.


MARIA VARMAZIS. Jeez.


GRAHAM CLULEY. And you can, of course, request details about more than just one or two people. You can say, well, could you give me all of the information you have about everyone who lives in Amsterdam aged over 50? It's like doing a, you know, a database. Well, it is a database.


MARIA VARMAZIS. Database dump, yeah.


GRAHAM CLULEY. Yeah, it's a database. It's like a SQL query. Now—


CAROLE THERIAULT. Why? Why?


GRAHAM CLULEY. What do you mean why?


MARIA VARMAZIS. For funsies.


GRAHAM CLULEY. Why would anyone want this?


CAROLE THERIAULT. Yeah, why would anyone want this information? Like, say I've had 4 coronavirus tests or I've had 10 or I've had none. Who cares?


GRAHAM CLULEY. Well, because imagine you wanted to scam somebody. You could then send them a message or an SMS saying, oh, you know, we know that you took your test on this date and we've now got the results for you. Or can you pay this amount of money to get— you know, we've decided we're going to give you some treatment. Go to this site, enter your credit card details. But more than that, Carole, you also get their Social Security number. And you can begin to do all kinds of fraud with that. Or, and this is a bit scary.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. They discovered that the private data of celebrities was also on sale, and even crime journalists. There is a chap in the Netherlands called— you have to excuse my accent because it's very, very good— John van den Heuvel.


CAROLE THERIAULT. He is— I'm sure everyone's gonna recognise him or her.


GRAHAM CLULEY. Well—


MARIA VARMAZIS. Our Dutch friends probably will.


GRAHAM CLULEY. In the Netherlands.


CAROLE THERIAULT. From that, yes, from—


GRAHAM CLULEY. He is famous because he is a crime journalist, a former, I think, police chief. He receives the same kind of full-time police protection which is afforded to the Dutch royal family. So he probably has a squadron of bicycles following around after him with wicker baskets.


MARIA VARMAZIS. Oh my god.


GRAHAM CLULEY. But seriously, because he's considered so much of a target due to his work in the past assisting in the capture of criminals. And you can read all about him on Wikipedia and what he's been up to.


CAROLE THERIAULT. What, so he goes around town with like a dozen of people?


GRAHAM CLULEY. Protecting him. Yes, he's got bodyguards. He's got the police looking after him. And so he doesn't want his personal address.


MARIA VARMAZIS. How tall is this guy?


CAROLE THERIAULT. Jesus.


MARIA VARMAZIS. Sorry.


GRAHAM CLULEY. Well, he's Dutch. He's gonna be quite tall.


MARIA VARMAZIS. Yeah, I know. I say that about a lot of Dutch people. I'm like, how tall are y'all? Jeez.


GRAHAM CLULEY. So yeah, so it puts him in danger because of course, he's a person of interest to criminals. And these are criminals saying, can you tell me where he lives and his phone number and his Social Security number? You can imagine he's not terribly pleased about this. So this journalist, Daniël, et cetera, he got the prior consent of individuals, a number of people, a few hundred people, and he did a request. He said, "I would like information about these hundreds of people." He approached the scammers and said, "Hey, you know, I'm thinking of making a purchase. Just as a little test, can you give me details about these people?" And he confirmed the authenticity of the information which had been offered for sale, and it was correct. This is the legitimate information. They even were posting screenshots of the computers with access to the databases. Now, the Dutch Health Service, they say they haven't found any evidence that they've been hacked, but these screenshots suggest—


CAROLE THERIAULT. Inside job, inside job.


GRAHAM CLULEY. Exactly.


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. There are 26,000 workers and call centre employees working inside the Dutch Health Service who've had access to this information. And many of them, of course, at the moment, where are they working?


MARIA VARMAZIS. At home.


GRAHAM CLULEY. At home. Perfect.


CAROLE THERIAULT. What a key.


GRAHAM CLULEY. Perfect pitch.


CAROLE THERIAULT. Mm-hmm.


GRAHAM CLULEY. And that makes it easier, I would argue, for them to pass on the data to criminals or even just photograph their screens or—


CAROLE THERIAULT. Well, you can't photograph your screen in the office.


GRAHAM CLULEY. Well, you can, but people might notice, you know. Not really.


CAROLE THERIAULT. Do you think anyone would have noticed? Anyone doing that?


GRAHAM CLULEY. You get your Polaroid camera out.


CAROLE THERIAULT. Give me a break.


GRAHAM CLULEY. You might do.


MARIA VARMAZIS. Look at this killer meme. I don't know how to share it, so I'm gonna take a picture of it and just text it to my mom. Yeah, there you go. There's your cover story.


CAROLE THERIAULT. Done.


MARIA VARMAZIS. Yeah.


GRAHAM CLULEY. Now, I don't know if either of you have ever been employed by the Dutch Health Service call centre for coronavirus testing. Yes, you do.


CAROLE THERIAULT. You know that neither of us have been.


MARIA VARMAZIS. No, no, not lately.


GRAHAM CLULEY. Well, you are typically paid around €11 per hour for doing that work. But of course, you can receive hundreds for every person's details that you pass on.


MARIA VARMAZIS. Mm-hmm.


GRAHAM CLULEY. So here's my question for you. What can be done about this? How could you try and fix this problem? Have you got any ideas at all?


MARIA VARMAZIS. I was thinking they could do a thing where everybody's login is shown somewhere on the screen in a way that can't be obfuscated. So you could then try and track down who's been doing the screencaps. I don't know.


GRAHAM CLULEY. I think that's quite a good idea, but it might be obvious that, oh, that's my user ID in the corner. I was thinking, what if you had a field in the data and it wasn't obvious what it was, but it was somehow sorted with your user ID? So if someone did share that data, not knowing what that particular field was, you'd be able to extract it and say, oh, this is from this particular user. We know where it's come out. So if it was less obvious. That was one idea I had.


MARIA VARMAZIS. Or you could do a honeypot user.


GRAHAM CLULEY. Yes. Yeah, exactly. You know, or something like— Carole, did you have some ideas?


CAROLE THERIAULT. No, no, no, go ahead.


MARIA VARMAZIS. We're just being brilliant without Carole Theriault. Okay.


CAROLE THERIAULT. It happens often.


GRAHAM CLULEY. So what the Dutch Health Service do, the GGD as they're called, is they get their employees to sign a certificate of good conduct.


MARIA VARMAZIS. Oh, well that sorts it.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Guys, I like that!


GRAHAM CLULEY. Well, I'm not saying it's bad.


CAROLE THERIAULT. No, no, but you know, okay, so you're saying the person who's doing this is obviously malevolent in his intent or her intent if they are working internally and leaking all this info, right? And you're thinking it is an inside job.


MARIA VARMAZIS. Well, it's quite possible.


GRAHAM CLULEY. It does seem quite possible.


CAROLE THERIAULT. Well, it seems more than possible. It seems more likely.


GRAHAM CLULEY. They're also conducting random checks, and people have been fired in the past for being naughty. So, and one thing you could do, of course, and this is a bit controversial, and this will get Carole's goat, is that you could run some kind of software on the computers of the people working from home to observe what they are doing.


MARIA VARMAZIS. Oh no. Oh, oh no.


GRAHAM CLULEY. I know, yeah.


CAROLE THERIAULT. You mean like video surveillance?


GRAHAM CLULEY. Well, either that or—


CAROLE THERIAULT. Basically like spyware. He's taking a picture of the screen!


MARIA VARMAZIS. You know what I mean? You know what that means? Yeah, how are you gonna— yeah.


GRAHAM CLULEY. Call voodoo hooter! Or maybe unusual behaviour if people are accessing individuals and they don't have a good reason to. I don't know, some kind of audit trail. I'm not sure. Anyway, clearly it's not easy. Last Saturday, police in the Netherlands arrested two suspects. A 21-year-old from the city of Heiloo.


MARIA VARMAZIS. Heiloo!


GRAHAM CLULEY. And a 23-year-old from the city of Good mooded. No, no, no. Alblasserdam. Unfortunately, it would have been good if it was. Computers have been seized and houses searched.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. And apparently these chaps were working at health service call centres.


CAROLE THERIAULT. Yeah, my gut says inside job and it's for a little— Yeah, it's like you said, it's for some chump change.


GRAHAM CLULEY. But it's a bit of a worry, isn't it? Because you want the public to have confidence in these systems and the data's been properly collected. And if you are someone who's got police protection to keep your identity secret and your location, you're going to be pretty miffed that this is so easy to access.


MARIA VARMAZIS. When a 21-year-old from Heiloo goes around.


CAROLE THERIAULT. The other thing is, though, with a certificate of good conduct and confidentiality agreement, that is not just to say, oh, I'm an upstanding person. It's also a liability issue, right? Oh, yeah. Because if they're able to find them, they can go, yeah, you're the bad guy and we're going after you now. Yes, because—


MARIA VARMAZIS. yeah, so you said you wouldn't do it and then you did it. Oh, you're in trouble now.


GRAHAM CLULEY. Yeah, so if you are a Dutch celebrity, be very careful about—


CAROLE THERIAULT. Graham, your connection seems weird.


MARIA VARMAZIS. Yeah, you sound like a deceased actor from the James Bond franchise. From Zardoz. Excuse you, we have to go over that again. Seriously, we did that.


CAROLE THERIAULT. Oh my God, I can't believe we did that. It's not my proudest moment.


MARIA VARMAZIS. Oh my God.


GRAHAM CLULEY. Links in the show notes. Um, uh, so Maria, what have you got for us this week?


MARIA VARMAZIS. Well, last evening when I was trying to figure out what I wanted to cover for the show, there was a story breaking on Twitter, and I was so happy because I think both of y'all were asleep, so I was like, I get dibs on this story. The 5-hour difference helps a little bit.


CAROLE THERIAULT. 5-hour time advantage.


MARIA VARMAZIS. So the story that was breaking, which I, I I'm so fascinated by this one, is Google says that North Korean state hackers are targeting security researchers.


CAROLE THERIAULT. Researchers.


MARIA VARMAZIS. Researchers. So the news that broke last night via Google's Threat Analysis Group, which specializes in what we nerds call advanced persistent threats or APTs.


CAROLE THERIAULT. Malware for the rest of us.


MARIA VARMAZIS. Yeah. Okay.


CAROLE THERIAULT. So anyone who's normal.


MARIA VARMAZIS. An APT is a highly targeted and extremely cutting edge attack. So usually these are only used on high-value targets like a government official or, you know, a CEO of a company. Like, they're super, super valuable. So, like, the average person doesn't really need to lose sleep over APTs, even though they get really cool headlines and they are really fascinating. But this APT, we actually might want to lose a little sleep over this one. So in this case, the attack that Google was outlining starts out with some good old-fashioned social engineering. So the North Korean attackers for months apparently were reaching out to their victims via email or social media or even comments in blog posts. Like, they were using Twitter DMs, LinkedIn messages, Keybase, Telegram, and Discord.


CAROLE THERIAULT. Okay.


MARIA VARMAZIS. Posting fake research on GitHub. And they themselves are posing as benevolent security researchers saying, I found this cool exploit. And they were establishing themselves in the security community online, having legitimate conversations for like weeks, months with some people who are actually quite well known in the security field and well respected. Crikey. Yeah. And so they really took their time to establish themselves using fake profiles, of course.


CAROLE THERIAULT. And the research must have had some quality to it because people were reading it and probably going, oh, good paper, nice find, or whatever.


MARIA VARMAZIS. Well, yeah, Google said that some of these proofs of concepts were fake and were provable as fake, but others, they're still kind of like, they actually might be real. And the thinking is that maybe the North Koreans actually really did have some exploits that they were willing to burn just for the sake of building credibility for these attacks. Yeah, anyway, so after these attackers took their time to build rapport, they would then, when the time was right, deploy their ruse, which was that they had a new proof of concept on exploiting a new or previously patched vulnerability, or saying like they had a new method to exploit a known bug, that kind of thing.


CAROLE THERIAULT. Okay.


MARIA VARMAZIS. So that would work.


CAROLE THERIAULT. That's like, that's the little fishy, the little worm on the hook. Right.


MARIA VARMAZIS. And again, as Google said, as I mentioned, Google said some of these proofs were faked, but a lot of them were made convincing enough that it fooled a few people, even savvy researchers. So when the attacker would like DM a researcher saying, hey, uh, do you want to collaborate on this research because like I need specific expertise and you have it and I don't, that sounds like a legit ask. Like people do that in the, in the research field.


CAROLE THERIAULT. Yes, they do. Oh my God.


MARIA VARMAZIS. So if you've spent weeks or months ingratiating yourself in a not too scammy way, like a researcher might go, you know what, I'll— yeah, let's read, let's collaborate. So as part of that process, the attacker would then direct their target researcher to a Visual Studio project with the source code to their exploit, you know, so they could look at it and collaborate on it. So the hitch is that hidden in that Visual Studio project, there would be a little hidden DLL, which is like a little, like a little program that would install backdoor malware on the researcher's machines. So that researcher's machine would now be hooked up to a North Korean-owned command and control server.


GRAHAM CLULEY. Presumably with the intention of either stealing other work that those researchers were working on or that company was working on, or—


MARIA VARMAZIS. Keeping an eye on what they're up to.


GRAHAM CLULEY. Yeah, spreading throughout that company, because of course that company may be in the business of unlocking North Korean threats, right?


CAROLE THERIAULT. Yeah, yeah.


GRAHAM CLULEY. So cunning, isn't it?


CAROLE THERIAULT. Did they want access to the lab, or they wanted just to kind of compromise the researcher's system and just have whatever access they had?


MARIA VARMAZIS. I imagine whatever they could get access to is probably worth —was Bitdefender.


CAROLE THERIAULT. And that would be pretty good. Okay.


MARIA VARMAZIS. Yeah. And to the credit of many researchers, many of them saw that little hidden DLL and went, wait a second. So, and they caught it, but not everybody did. And here's the thing, what I just described was the simple version of the attack. There's actually a much more sophisticated one that's still a mystery. And this is actually what really grabbed the headlines last night. So sometimes when the North Korean attacker would do that whole social engineering song and dance, they would just send the researcher over to their own website, which was set up to look like a legitimate research blog. And even though these researchers were all using the most updated and patched versions of like Windows 10 and Chrome, and they were otherwise presumably locked down because, you know, they're researchers, somehow just by visiting that fake research blog, the targets would then get malware installed on their machine calling into that C&C server. So this is why Google's involved. This is why their APT team is on this because it seems that the North Korean group was exploit— is exploiting a heretofore unknown Chrome vulnerability. So that is a Chrome zero-day in the wild, y'all. That's— and that's what the news was last night. So kind of scary.


CAROLE THERIAULT. So that means basically anyone that uses Chrome is potentially vulnerable to this, but really they're only currently attacking researchers.


MARIA VARMAZIS. Well, if you visit the blog, yeah, if you visit the blog, yeah, yeah, you're, you're vulnerable right now. There's no fix for this. So Google's Threat Analysis Group wrote in their blog post that, we hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with. So like I said earlier, most APTs are like sexy headlines but don't make much of a difference to, you know, the average person. But, um, this one, like, the thought of a compromised security researcher does make me lose a bit of sleep last night, uh, you know, especially if they're working on behalf of your supposedly benevolent government. So that's kind of a yikes. So as you said, is this just something a researcher needs to worry about? No, it's wicked, wicked important. Note, so we don't all get hacked by North Korea, don't visit the blog that Google put in their blog post. Like, the link to the North Korean blog is in a lot of the media coverage. It is. It is. Did they hyperlink it? They put a little note in parentheses after it like, don't visit this. But oh my God. But you know what, like they'll obfuscate it by just like saying, you know, a period goes here in the URL. Like, it's not very difficult to just put it in yourself. And I'm just like, you know, I'm a very curious person. Like, part of me wants to be like, what does this thing look like?


CAROLE THERIAULT. No, Maria, do not do it, Maria.


MARIA VARMAZIS. Yeah, it is very tempting. I had to really stop myself from visiting. So like, don't go to that website. Slap that hand.


GRAHAM CLULEY. You know, I've been going on a lot of walks during lockdown and I go through a field full of sheep.


CAROLE THERIAULT. Are you allowed to go for walks? Yes, I am. Are you walking 7 kilometers from your house like BoJo did and got in trouble? Don't do too much either.


MARIA VARMAZIS. But anyway.


GRAHAM CLULEY. But there's an electric fence, and there is a sign on there saying, "Do not touch electric fence." And there's something about me which makes me think, "Oh, I wonder if that really is electrified." Did you touch it?


CAROLE THERIAULT. Did you lick your fingers first?


MARIA VARMAZIS. Then touch it? For the extra— Yeah.


CAROLE THERIAULT. Yeah, for the extra zing and the flavour.


GRAHAM CLULEY. I cannot stop myself touching electric fences.


CAROLE THERIAULT. That's— Okay, Graham, this is the wrong show. You need to come on Sticky Pickles for that.


MARIA VARMAZIS. That explains a lot. I'm not touching it with my pickle.


GRAHAM CLULEY. Not yet. Oh God. Depends how long lockdown goes on for. Carole, what have you got for us?


CAROLE THERIAULT. Well, interesting, this follows very well from Maria's story. I wanted to start by asking you guys to define the word grubby for me. Grubby. Grubby. Grubby. Like, what kind of actions would you say would be labeled grubby?


GRAHAM CLULEY. Grabby. Grubby, grabby. Something where, you know, there's a podcast and it's meant to be about a serious topic, but they just keep on getting a little bit lavatorial. Something like that.


CAROLE THERIAULT. Well, if like 2019, I would have said not washing your hands after a poop, but now that's up there with murder, right? Don't screw around. It might be murder. But I think our main character in this story, a Mr. Aviles, is most definitely, inarguably, in fact, grubby. Do you want to know what he did? He's a digital Peeping Tom. Beautiful. At 35 years old, Mr. Aviles was a technician for ADT, the well-known home security company. And he helped people install their systems. And one day, he decided to see if he could secretly access the footage of some of his customers' surveillance systems. Oh no. Why do people put these cameras inside, pointing inwards to their living room or bedrooms or house? Like, why? Why do they need their internals always under constant digital surveillance?


GRAHAM CLULEY. Um, we might be worried about getting robbed. You might be worried about the cleaners, or, you know, some workmen, or the nanny, or, yeah, somebody working for you in your house.


MARIA VARMAZIS. I, I don't ascribe to that kind of viewpoint, but I— that's my understanding. Yeah.


CAROLE THERIAULT. Okay, so you're so worried about things being stolen from you that you basically live under constant surveillance?


GRAHAM CLULEY. Well, I don't because I don't have these cameras, but I, I think some people will think it's— they're probably not worried about so much about their privacy.


CAROLE THERIAULT. I bet it's for insurance, actually. You know, it's like, here's video of the guy, you know, stealing my phones or whatever. So this guy, Mr. Aviles, managed to gain access to 200 different ADT customer video surveillance feeds in and around Dallas. All right. And can you guess what his motivation was according to Gizmodo? Butts.


GRAHAM CLULEY. Was it that he's a superhero in the making and he really wanted to see if a crime was being committed? And if he saw someone uncouth— Grubby man flying through the stars. I thought he was going to swoop in and save the day. Is that not the case? As Grubster in his underpants.


CAROLE THERIAULT. Over his tights. No, he wanted to spy on women and letch over couples doing the nasty butts. Exactly. Just butts. Yeah, butts. Exactly. Half butts, full butts. He did this for years, years until he was caught. He accessed 200 streams almost 10,000 times.


MARIA VARMAZIS. He had some favorites is what it sounds like.


CAROLE THERIAULT. Like, let's be generous. Let's be generous. Let's say that, you know, over years, let's say they mean 5 years, right? So that's 200 times a year he's accessing these streams, like 4 times a week, right?


GRAHAM CLULEY. I'm thinking he not only saw pickles, he probably had quite a sore pickle himself. Talk about grubby.


CAROLE THERIAULT. The authorities say that the IT technician, Mr. Aviles, took note of which homes had attractive women. No shit. Then repeatedly logged into these customers' accounts in order to view their footage for sexual gratification.


GRAHAM CLULEY. This is horrendous.


CAROLE THERIAULT. Yeah, I'll get to how he pulled off this incredible hacky feat, right? Because of course, presumably it should be not impossible to gain access to someone's unauthorized stream, digital stream, right?


GRAHAM CLULEY. Was he doing this from his office? Was he doing this from his workplace?


CAROLE THERIAULT. That's a good question. That's a good question.


GRAHAM CLULEY. Had he not signed the good behavior agreement, the sign of good conduct?


CAROLE THERIAULT. Maybe he needs to reread it.


MARIA VARMAZIS. A little reminder.


CAROLE THERIAULT. So I wanted to know, I'm sure people who are thinking about putting this kind of surveillance into their house obviously go and research like who has access to the video stuff. Yeah. So there is a very helpful ADT FAQ that I was able to find very easily, and the question was, are the internal IP cameras secure? That is, can someone else access the wireless camera signal and view the images captured by the cameras in and around my home? And ADT answered that ADT requires authorized users to log in through a personal ADT smart home website, and there's TPS protocol, and they say it's similar to what the banking industry uses in order to offer you secure online banking features. Okay, so sounds impressive.


MARIA VARMAZIS. Sounds a little vague to me. I don't really under— I'm like, I don't— that's not enough information for me, but okay. So obviously Mr.


CAROLE THERIAULT. Aviles had Harrison Ford archenemy level of sophistication, right? Because they use bank security practically. What is—


GRAHAM CLULEY. I think Maria and I are both thinking the same thing. You're like, what? What are these Harrison Ford qualifications you're talking about?


CAROLE THERIAULT. I'm going to tell you, I'm going to tell you. These Harrison Ford archenemy qualifications. Is shooting first. Is basically go low tech. So Mr. Aviles was no computer mastermind, but just a cunning little pervert. And he gained access by adding an email address to the customer's account. So whilst he's installing the system, he just makes sure that his private email address also had access to all the surveillance material.


MARIA VARMAZIS. Oh, so he set it up for them. He's setting it up and he goes, okay, lady of the house got a nice rocking bod. Let me make sure I leave my little calling card so I can check back later. Exactly. Yeah. Okay. This is about as gross as I imagined it was.


CAROLE THERIAULT. After years, right, of grubby behavior, a single ADT customer in South Dallas reported an unauthorized email address on her account. Listed inside the ADT's own app, which is called ADT Pulse. Right. So yeah, the company launched immediately an internal investigation, discovered the employee's personal email address in 220 different accounts of ADT. The same email address.


MARIA VARMAZIS. Not subtle is what that is. That's someone who's pretty sure he's not going to get caught or doesn't care.


GRAHAM CLULEY. But he didn't get caught for years. You said for years.


MARIA VARMAZIS. Yeah, he got away with that red-handed, if you will.


CAROLE THERIAULT. 220 different accounts, right? Maria, it's only like 10 in the morning for you.


MARIA VARMAZIS. I know, it's really early for me. It's way too early for me to be saying shit like this. Oh my Lord, I just had my morning coffee. I'm still in my pajamas, although it has nothing to do with the time of day anymore. Seriously.


CAROLE THERIAULT. Now, news of this scandal initially emerged last April, when ADT reported the breach publicly pretty darn quickly, and they said, we deeply regret this incident, remain committed to working with law enforcement to support them in whatever they need to help bring justice to the victims of this former employee, the company wrote on its website. The company said it implemented procedures to prevent similar attacks from taking place in the future, including sending notifications to customers when users are added to accounts. Although it wouldn't have helped here, because if you added it during setup, yeah, you would just... Anyway, but this week, this week, two federal class action lawsuits. You knew they were coming around the corner. These have been filed on behalf of the hundreds of ADT customers who recently learned that their accounts with a home security company were compromised by a former employee. Oh boy. Each lawsuit is in excess of $5 million. And I think this is where we all have to remember to regularly check your settings, right? If ever there was a "remember to check your settings regularly," right? This is it.


GRAHAM CLULEY. And not just on something like your cameras, but also your email account, because you may have additional email addresses associated with your Google account, for instance, or places where your messages are being forwarded to or delegation.


CAROLE THERIAULT. Yeah, I wonder, he probably just had an email address like or something like that. Anyway, so years, no one noticed. 220 different people did not notice that someone else's name was listed in the, You know, the 'I can access this feed.' So, and why didn't ADT notice that the same email address was across 220 different accounts? Like, ish. They were—


MARIA VARMAZIS. I'm sure they were not monitoring for that. Like, why, you know, think why would they be monitoring? Well, I think they will be now. Yeah, now they will be.


CAROLE THERIAULT. Yep. Wake-up call to the rest of us.


GRAHAM CLULEY. So what's happening? What's, what's happening to this guy? Is he, has he been sentenced?


CAROLE THERIAULT. He's, uh, yeah, he's facing 5 years in jail. He's facing 5 years. Has he admitted it? Yeah, yeah, he's come clean. Okay.


GRAHAM CLULEY. Are they gonna put a CCTV camera in his cell?


CAROLE THERIAULT. Oh yeah, 'cause you'd be watching that, wouldn't you? Grubby, grubby little pervert.


MARIA VARMAZIS. Oh, I, you know, this story reminds me a little bit of, I think it was Google that implemented some sort of feature now where a person is added to an account, everyone gets notified. And there was a lot of hubbub about it because it was— it had something to do with like, uh, underage accounts being notified if a parent is adding themselves. And it's like, the reason is because shit like this happens, and you know, people have a right to know who's monitoring their accounts. Like, it's— you want to— like, I understand people are like, my teenager shouldn't have to consent to stuff like this. Like, I don't agree with it, but I mean, totally, 100%. Somebody's gonna put— do something like this on the down low, I want to get an email about it saying, hey, um, is monitoring your camera, do you want this to continue? Exactly. I know.


CAROLE THERIAULT. Listeners, listeners, this is call to action time. Can any of you that have surveillance systems specifically inside the house or outside, can you please go check, make sure everything is kosher and, and as expected? Yeah, check those settings. Check those freaking settings, guys. Freaking settings.


GRAHAM CLULEY. Check those settings. Sorry, everyone else had said it.


MARIA VARMAZIS. I thought maybe I should as well. You need to be involved. You have to join us. Hey, Graham.


GRAHAM CLULEY. Hey.


CAROLE THERIAULT. Now that it's 2021, are you ready to admit that maybe your brain is turning to mush?


GRAHAM CLULEY. Why are you saying that? Are you thinking I'm getting forgetful?


CAROLE THERIAULT. Yes. Often. Very. And I'm a little bit worried about it. I suppose most of us, you know, working from home all the time. I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?


GRAHAM CLULEY. Yeah, well, I use a good password manager.


CAROLE THERIAULT. I, in fact, use 1Password. 1Password, that's one with a one, right? That's right. 1Password.


GRAHAM CLULEY. It's a great password manager. It works for home use, it works for families, it works for business. So I run a little business here at home, um, and it means, and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.


CAROLE THERIAULT. Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work, but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.


GRAHAM CLULEY. You know what I mean? Yeah. And listeners can find out more and they can try 1Password for free for 14 days at 1password.com. And thanks to them for supporting the show. And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related necessarily. Better not be. Well, for the last few days, I thought, you know what, how should I spend my evenings? I thought I could do my normal trick of just watching chess on Twitch, or maybe I should do what everyone else in the world seems to be doing, which is binging on TV shows. And I found a Scandi noir docudrama. Scandi noir. It's already been shown in Scandinavia, but it's currently available on BBC iPlayer as well. It's called The Investigation. It is a real-life crime drama from Denmark. And it's all about— do you remember the rather bizarre story of a journalist who disappeared? And it turned out that her last journalistic endeavour was to interview a man on his private submarine. Yes! Submarine! The submarine story!


MARIA VARMAZIS. Oh yeah, I remember that.


CAROLE THERIAULT. Yeah. Yeah. And he didn't he? Spoilers! Fucking hell, Carole.


MARIA VARMAZIS. Well, now I don't need to see it. Jesus. And then he what her what?


CAROLE THERIAULT. Okay, yeah. I was just remembering the story.


GRAHAM CLULEY. Isn't that the guy who went, "Bloop bloop bloop bloop bloop bloop bloop bloop bloop"? Anyway. It's really rather good. It is in Danish and Swedish, English subtitles. I love a bit of subtitles. In fact, I was watching another Scandi noir drama the other day, which had been dubbed into American. And I was thinking, this is rubbish. And I ended up changing on Netflix or Amazon Prime or whatever it was, the language to put it back into Swedish and put on English subtitles, and it instantly became better. Yeah.


CAROLE THERIAULT. But if you put on both the dubbing and the subtitles, there are some very interesting differences in both of them. And it can be a very meta experience to enjoy. Meta fun. Watching the two fight against each other, because someone's more rude, or someone's more— it's fantastic.


GRAHAM CLULEY. The chap who's made this is a guy called Tobias Lindholm. And what's good about it, I think, is it focuses very much on the police investigation and the family of the victim. The suspect never ever appears. He's never interviewed throughout the drama. And in fact, apparently, the chief policeman never did interview him throughout the entire investigation. So it's very respectfully done. It also features the real divers who were trying to bring up the submarine and looking for evidence. It's very, very interesting. I will watch it. Yeah, it was good. I liked it. So it's called The Investigation, and I will put some links in the show notes where you can read more.


CAROLE THERIAULT. It's almost as good as my pick of the week, Graham.


GRAHAM CLULEY. Great. Maria, what have you got for us?


MARIA VARMAZIS. I also had a TV show recommendation, except— Uh, I, I kind of want to make mine a twofer because I, I— before I came on the show this morning, I saw some news that I also was like, oh, I need to include that. So the thing I saw this morning that I have to put a shout out for is, uh, Babylon 5, the remaster, is now available on HBO Max. So for, for my hardcore nerds who've been missing it on their streaming platforms, you can now see it, and it's in the original— sorry, Babylon, Babylon 5.


GRAHAM CLULEY. Oh, Babylon 5. I thought you said Batborn. I thought it's No, no, Babylon 5.


CAROLE THERIAULT. It's his ears, darling.


MARIA VARMAZIS. Yeah, is it my connection? Sorry. Babylon 5: The Renaissance. No, no, just— it's just a remaster of the original. Um, it's just— I should just shut up.


CAROLE THERIAULT. Yeah, it's just— it's just a little crisper, Graham.


MARIA VARMAZIS. It's a little crisper. It's just worth— and it's a great series that sci-fi nerds really love, so, you know, I'm gonna rewatch it now anyway. But my actual pick of the week for this week, before I saw the Babylon 5 news Um, is a series that ended in early 2020 that's also on HBO, but I believe it's globally available. It's called High Maintenance, and it's about a guy who sells weed to a bunch of people in Brooklyn. And yes, there is some marijuana use in the show, but it's really not about using drugs. It's really a lot of vignettes about the many, many wonderful different types of people who live in big cities like New York. So if you're the kind of person who loves like slice-of-life stuff that's kind of heartwarming. This show is such comfort food, and it's all pre-pandemic. Uh, so for me, it's like, okay, this is the stuff I love about New York or big cities like London. Like, that's the kind of stuff I love when you get so many different types of people crammed together, and some of them have some really interesting idiosyncrasies.


CAROLE THERIAULT. Do you ever watch TV now and go, oh, pre-pandemic? Oh, yeah, like, oh, they're hugging. Yeah, like, yeah, there was this show recently I watched. I think I was watching 13 Reasons Why, and at one point one of the guys bits in the other guy's face.


MARIA VARMAZIS. And I was like, whoa! Party foul, pandemic!


GRAHAM CLULEY. They are making some dramas where people snog and things. I was reading about this.


CAROLE THERIAULT. People are still having sex, Graham. You know, single people are dating and stuff. I know, I know.


GRAHAM CLULEY. But in some cases, what they've done is they've hired the girlfriend or boyfriend of the actor to act as a body double for their fictional partner. Can you wear this wig? They're doing the saucy scenes. But in other cases, they're simply... They're testing people every day, and they're full-on snogging. And I'm thinking, seriously? I mean, I wouldn't do that. Mind you, probably no one would do it to me either. But you know, I don't think I'd want to take that sort of risk. Really?


CAROLE THERIAULT. Diana Rigg rises from her— Yes, lovely.


MARIA VARMAZIS. I was gonna say, she has passed on, so that— She rises. Yeah.


GRAHAM CLULEY. Can you be a little bit more respectful to the Dame?


CAROLE THERIAULT. What? No, she's gorgeous. I adore her. I was just picturing— something quite funny. Jesus Christ. I do apologize, Maria.


MARIA VARMAZIS. No, no, no, I'm just, you know— oh no, it's my turn to talk.


GRAHAM CLULEY. What's your pick of the week? Let's say you— anyway, so that's called High Maintenance, isn't it? Yes, excellent.


MARIA VARMAZIS. Thank you. Really like it. Yes, I'm sorry, that has nothing to do with shagging dead people. A lot about really nice, happy people. It's a comfort food show, and you don't need to be high to watch it. Carole, should we go to your pick of the week now?


CAROLE THERIAULT. Okay, this week I have a brand spanking new podcast, Sticky Pickles.


MARIA VARMAZIS. Oh no, no, it's not brand new, but from Wondery called The Apology Line.


CAROLE THERIAULT. Now it's only two episodes in, uh, podcast for those of us not using the Wondery app, but I'm so hooked already. And Graham, I think this is right up your street. Maria, I'm not sure, you let me know. So I'm gonna get the annoying things out of the way first, because there's, there's two. One are the ads. Okay, Wondery just jams a fuckton of ads inside their 45-minute program. It reminds me like TV from the days of yore.


GRAHAM CLULEY. Is that a metric fuckton or an imperial fuckton?


CAROLE THERIAULT. A lot. And remember, like, Wondery has the backing of 20th Century Fox, and the Wall Street Journal reported that Amazon's in talks to, you know, get it at $300 million. That's the valuation. So it's not like independent show like Smashing Security or Sticky Pickles or whatever. Two, two, the other annoying thing is episodes are coming out only weekly. So you have to wait a whole week and it's like done. You just want to know what's happening. But the content makes it worthwhile. So the Apology Line was the name of a confessional hotline that existed in the '80s in New York, right? And it slowly consumed Mr. Apology, the pseudonym for the creator, who turned out to be Alan Bridge. Now the whole point of this was to call this answerphone machine and confess your wrongdoings, right? And quote, apparently Alan was a petty criminal in his early life, and he worried that people could fall too easily into either being predator or prey. So he wanted to try and make the world a better, better place. So he ran this hotline off a basically nondescript souped-up 386SX. That's for my geek friends. I remember them well. Yes. Okay. And he funds the whole operation himself for 15 years. It ran and amassed literally thousands of hours worth of messages. And some were, you know, banal. Some were really grubby— word of the day— and some were downright terrifying. And the problem was the creator, Alan Bridge, became obsessed with some of his callers and got deeply involved in their lives. Oh, okay. Yeah. So from '80 to '95, Alan Bridge ran this hotline. Like, he was kind of like a secular priest. He was offering potential forgiveness through the catharsis of tape confessions. And I was like, "How is this coming out now? Like, because he's not on the show." Turns out he died. He was killed by a jet skier who ran over him while he was swimming. That's awful. And then fled the scene and was never identified. And you think, "Hmm, he got death threats." Right. 
So my conspiracy theory is, was he murdered?


GRAHAM CLULEY. What are you like? Everything's a bloody conspiracy theory of you, isn't it?


CAROLE THERIAULT. So this is all being told by his second wife, Marissa Bridge. Oh. So—


GRAHAM CLULEY. What did she do with her inheritance? Did she buy a new jet ski?


MARIA VARMAZIS. Jet ski. Yeah. Last one out of the internet.


CAROLE THERIAULT. I'm the asshole. Ooh. Anyway, I'm utterly hooked. It's called The Apology Line. Bitcoin. It's from Wondery. Check it out. It's just fascinating and I love it. So that's my pick of the week.


GRAHAM CLULEY. Excellent. Well, that just about wraps it up for this week. Maria, thank you so much for joining us yet again. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that? Twitter.


MARIA VARMAZIS. Yeah, @mvarmazis. I'm on Twitter. Come find me there.


GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G. Twitter doesn't allow us to have a G. And we're also up on Reddit. So just look for the Smashing Security subreddit. And don't forget to ensure you never miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.


CAROLE THERIAULT. And huge thank you to this week's episode sponsor, 1Password, and to our wonderful Patreon community. Thanks to them, this show is free for all. Uh, for episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 210 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye-bye.


CAROLE THERIAULT. Oh, I was hoping you'd do your friend's one. Bye! Cool.


MARIA VARMAZIS. And no technical problems. Hooray. Marvelous.


CAROLE THERIAULT. There we go. Another one wrapped. I'm stopping the record.

-- TRANSCRIPT ENDS --