212: Dutch leaks, Peeping Toms, and researchers under fire

Google warns security researchers that North Korean hackers are pretending to be their buddies, sensitive information connected to Coronavirus testing is available for sale in the Netherlands, and is a Peeping Tom at your home security provider spying on you through CCTV?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Visit https://www.smashingsecurity.com/212 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. The rather bizarre story of a journalist who disappeared and it turned out that her last journalistic endeavor was to interview a man on his private submarine.


MARIA VARMAZIS. Submarine, the submarine. Oh yeah, I remember that. Yeah, yeah. And he didn't, he spoilers in hell Carole. Oh now I don't need to see Jesus. And then he what, her what? I was just remembering


CAROLE THERIAULT. The story. Isn't that the guy who went, anyway.


ANNOUNCER. Smashing Security, Episode 212. Dutch Leaks, Peeping Toms, and Researchers Under Fire with Carole Theriault and Graham Cluley.


GRAHAM. Hello, hello, and welcome to Smashing Security, Episode 212. My name's Graham Cluley.


CAROLE. And I'm Carole Theriault. And we're joined this week by podcast listener favorite, it's Maria Varmazis. Hello, Maria.


MARIA. She's also my favorite. Hi, Maria.


CAROLE. Hi, hi. I'm my favorite too. Oh. How are you doing? How's 2021 so far?


MARIA. So far, okay. It's got a lot of opportunity to fuck up, but so far...


CAROLE. You've still got white knuckle holding on to whatever is around.


MARIA. Yeah, four years of... So, you know, it's going to be interesting.


CAROLE. So let's say thanks to this week's sponsors, 1Password. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM. Oh, I'm going to be introducing you to someone a bit beardy and wearing a hoodie in the Netherlands. Is he a hacker or not?


CAROLE. Maria, what about you?


MARIA. There's some North Korean shenanigans going down and Google's got the story.


CAROLE. Ooh, and I'm going to see how low-tech a hacker can get. All this and much more coming up on this episode of Smashing Security.


GRAHAM. Now, chums, chums, there is a fellow working at a company in the Netherlands. Okay.


MARIA. I'm in.


GRAHAM. He hasn't shaved for a while.


MARIA. Same.


GRAHAM. He's wearing a hoodie.


MARIA. Same.


GRAHAM. And he has an interest in the dark web.


MARIA. Okay, that's where we diverge a bit.


GRAHAM. But he's not a malicious hacker. He is Daniel Verlaan, who is a cybercrime reporter at the Dutch TV service RTL News. He's the guy who loves to dig up facts about what's going on on the dark web and amongst cybercriminals and all the hackers. And he's a cool technology guy. And it's his job to dig up details of what the bad guys are up to and uncover cyber goofs.


CAROLE. Goofs. Okay. This is what he does for a living, basically.


GRAHAM. Yeah. Yeah. Okay. For instance, last November, he gained a little bit of notoriety because he gatecrashed a European Union defense minister's video conference call. This was after the Dutch defense minister accidentally posted the login details on Twitter.


CAROLE. Yes, I'm afraid it's still happening.


GRAHAM. So he wanted to show he was hard at work so he took a screenshot and he posted up, I'm about to join this video conference call with the other defense ministers of the EU. And our man decided to join the conference as well. Well, to the credit of the minister, he didn't reveal all of the pin code, only some of the digits.


CAROLE. So inventive young journalist took 20 tries and got it. Exactly. And he managed to get in.


GRAHAM. Well, that gained him some notoriety, but he's now in the papers again because he has uncovered what appears to be a serious security breach which has been happening in the Netherlands. He found that someone for months has been going onto Snapchat, onto Telegram, onto Wickr. What's Wickr? Wickr is an encrypted messaging service, a bit Signal or Telegram. Wickr is particularly beloved of drug users.


MARIA. Is that the Bluetooth only one or am I? No, no, no.


GRAHAM. You're thinking of a different one. Yeah. So Wickr isn't just for local context, can be anywhere. But with Wickr, you don't have to give a phone number. So you can, it's sort of super secret.


CAROLE. Anyway, if you want to buy your jazz cigarettes, you do that on Wickr. Okay. Good to know. Good to know.


GRAHAM. Good to know. And what we found is that someone has been advertising for months up there, their access to sensitive data from the Dutch Health Service. Specifically, these people have access to databases of people who have taken coronavirus tests in the Netherlands or have been documented in the test and trace system. So their home addresses, their email addresses, their telephone numbers, their dates of birth and their BSN. The BSN is the Dutch equivalent to a social security number.


CAROLE. Okay, so someone has been advertising this. Oh, boy.


GRAHAM. So you can pay between 30 and 50 euros and say, hey, can you tell me the home address, phone number, email address, and social security number of this person?


CAROLE. What, in this Wickr telegram?


GRAHAM. Yeah, if you contact the hacker via the ad. Wow, that's a good rate. And you can get all those details. Jeez. And you can, of course, request details about more than just one or two people. You can say, well, could you give me all of the information you have about everyone who lives in Amsterdam aged over 50? It's doing a, you know, a database. Well, it is a database.


CAROLE. A database dump, yeah.


GRAHAM. Yeah, it's a database. It's a SQL query. Now, why? Why?


MARIA. What do you mean why?


GRAHAM. For funsies.


CAROLE. Why would anyone want this? Yeah, why would anyone want this information? Say I've had four coronavirus tests or I've had 10 or I've had none.


GRAHAM. Who cares? Well, because imagine you wanted to scam somebody. You could then send them a message or an SMS saying, oh, you know, we know that you took your test on this date. And we've now got the results for you. Or can you pay this amount of money to get, you know, we've decided we're going to give you some treatment. Go to this site, enter your credit card details. But more than that, Carole, you also get their social security number. And you can begin to do all kinds of fraud with that.

Or, and this is a bit scary, they discovered that the private data of celebrities was also on sale and even crime journalists. There is a chap in the Netherlands called, you have to excuse my accent because it's very, very good, Jan van den Hulvel.


CAROLE. I'm sure everyone's going to recognise him.


MARIA. Our Dutch friends probably will in the Netherlands from that, yes.


GRAHAM. He is famous because he is a crime journalist. It's a former, I think, police chief. He receives the same kind of full-time police protection which is afforded to the Dutch royal family. So he probably has a squadron of bicycles following around after him with liquor baskets. Oh, my God. But seriously, because he's considered so much of a target due to his work in the past assisting in the capture of criminals, and you can read all about him on Wikipedia and what he's been up to.


CAROLE. So he goes around town with a dozen people protecting him.


GRAHAM. Yes, he's got bodyguards. He's got the police looking after him. And so he doesn't want his personal address.


MARIA. How tall is this guy? Jesus.


GRAHAM. Well, he's Dutch. He's going to be quite tall.


MARIA. I know. I say that about a lot of Dutch people. I'm like, how tall are y'all? Jeez.


GRAHAM. So, yeah. So it puts him in danger because, of course, he's a person of interest to criminals. And these are criminals saying, can you tell me where he lives and his phone number and his social security number? You can imagine he's not terribly pleased about this.

So this journalist, Daniel, he got the prior consent of individuals, a number of people, a few hundred people. And he did a request. He said, I would like information about these hundreds of people. He approached the scammers and said, hey, I'm thinking of making a purchase just as a little test. Can you give me details about these people? And he confirmed the authenticity of the information which had been offered for sale. And it was correct. So this is the legitimate information.

They even were posting screenshots of the computers with access to the databases. Now, the Dutch Health Service, they say they haven't found any evidence that they've been hacked. But these screenshots suggest...


CAROLE. Inside job, inside job.


GRAHAM. Exactly. There are 26,000 workers and call centre employees working inside the Dutch Health Service who have access to this information. And many of them, of course, at the moment, where are they working? At home.


MARIA. At home. Perfect.


CAROLE. What a key. Perfect pitch.


GRAHAM. And that makes it easier, I would argue, for them to pass on the data to criminals or even just photograph their screens.


CAROLE. They can't photograph your screen in the office. Well, you can, but people might notice.


GRAHAM. Not really. Do you think anyone would have noticed? Get your Polaroid camera out. Give me a break. You might do.


MARIA. Look at this killer meme. I don't know how to share it, so I want to take a picture of it and just text it to my mom. Yeah, there you go. There's your cover story. Done. Yeah.


GRAHAM. Now, I don't know if I have ever been employed by the Dutch Health Service Call Centre for coronavirus testing.


CAROLE. Yes, you do. You know that neither of us have been.


GRAHAM. No, not lately.


CAROLE. Well, you are typically paid around 11 euros per hour for doing that work. But of course, you can receive hundreds for every person's details that you pass on. So here's my question for you. What can be done about this? How could you try and fix this problem? Have you got any ideas at all?


MARIA. I was thinking they could do a thing where everybody's login is shown somewhere on the screen in a way that can't be obfuscated. So you could then try and track down who's been doing the screen caps. I don't know.


GRAHAM. I think that's quite a good idea, but it might be obvious that, oh, that's my user ID in the corner. And I was thinking, what if you had a field in the data and it wasn't obvious what it was, but it was somehow sorted with your user ID? So if someone did share that data, not knowing what that particular field was, you'd be able to extract it and say, oh, this is from this particular user. We know where it's come out. So if it was less obvious.

That was one idea I had. Or you could do a honeypot user.


MARIA. Yes. Yeah, exactly. You know, or something like, Carole, did you have some ideas?


CAROLE. No, no, no. Go ahead. We're just being brilliant without Carole. Okay. It happens often.


GRAHAM. So what the Dutch Health Service do, the GGD as they're called, is they get their employees to sign a certificate of good conduct. Oh, that sorts it.


MARIA. Yeah. Guys, I like that.


CAROLE. Well, I'm not saying it's bad. No, no. But, you know, OK, so you're saying the person who's doing this is obviously malevolent in his intent or her intent if they are working internally and leaking all this info, right? And you're thinking it is an inside job.


GRAHAM. Well, yes. It's quite possible. It does seem quite possible.


CAROLE. Well, it seems more than possible. It seems more likely.


GRAHAM. They're also conducting random checks, and people have been fired in the past for being naughty. So one thing you could do, of course, and this is a bit controversial, this will get Carole's goat, is that you could run some kind of software on the computers of the people working from home to observe what they are doing.


MARIA. Oh, no. I know that. You mean like video surveillance? Well, either that or basically like spyware.


CAROLE. He's taking a picture of the screen. You know what that means?


MARIA. Yeah. How are you going to?


GRAHAM. Or maybe unusual behaviour if people are accessing individuals and they don't have a good reason to. I don't know. Some kind of audit. I'm not sure. Anyway, clearly it's not easy. Last Saturday, police in the Netherlands arrested two suspects, a 21-year-old from the city of Hallo and a 23-year-old from the city of Good Malden. No, no, no. Alkmaar, unfortunately. It would have been good if it was. Good movie. Computers have been seized and houses searched. Yeah. And apparently these chaps were working at health service call centres. Yeah, my gut says inside


CAROLE. Job and it's for a little, yeah, it's like you said, it's for some chump change. But it's a bit of a worry, isn't it?


GRAHAM. Because you want the public to have confidence in these systems and the data's been properly collected. And if you are someone who's got police protection to keep your identity secret and your location, you're going to be pretty miffed that this is so easy to access.


MARIA. When a 21-year-old from Hallo goes around.


CAROLE. The other thing is, though, with a Certificate of Good Conduct and Confidentiality Agreement, that is not just to say, oh, I'm an upstanding person. It's also a liability issue, right? Because if they're able to find them, they can go, yeah, you're the bad guy and we're going after you now. You said


MARIA. You wouldn't do it, and then you did it. Oh, you're in trouble now.


GRAHAM. So, if you are a Dutch celebrity, be very careful about... Graham, your connection seems weird.


MARIA. Yeah, you sound like a deceased actor.


GRAHAM. From the James Bond franchise. From Zardoz, excuse you.


CAROLE. Zardoz. Do we have to go over that again? Seriously? We did that. Oh, God, I can't believe we did that. It's not my proudest moment. Links in


GRAHAM. The show notes. So Maria, what have you got for us this week?


MARIA. Well, last evening, when I was trying to figure out what I wanted to cover for the show, there was a story breaking on Twitter. And I was so happy because I think both of y'all were asleep. So I was like, I get dibs on this story. The five hour difference helps a little bit. Five hour time advantage. So the story that was breaking, which I'm so fascinated by this one, is Google says that North Korean state hackers are targeting security researchers. So the news that broke last night via Google's threat analysis group, which specializes in what us nerds call advanced persistent threats or APTs. Malware for the rest of us.


CAROLE. Yeah, okay. Anyone who's normal.


MARIA. An APT is a highly targeted and extremely cutting edge attack. So usually these are only used on high value targets, like a government official or, you know, a CEO of a company, like they're super, super valuable. So like the average person doesn't really need to lose sleep over APTs, even though they get really cool headlines. And they are really fascinating. But this APT, we actually might want to lose a little sleep over this one. So in this case, the attack that Google was outlining starts out with some good old fashioned social engineering. So the North Korean attackers, for months, apparently, were reaching out to their victims via email or social media or even comments and blog posts. Like they were using Twitter DMs, LinkedIn messages, Keybase, Telegram, and Discord. Posting fake research on GitHub. And they themselves are posing as benevolent security researchers saying, I found this cool exploit. And they were establishing themselves in the security community online, having legitimate conversations for weeks, months, with some people who are actually quite well-known in the security field and well-respected.


CAROLE. Crikey. Yeah. And the research must have had some quality to it because people were reading it and probably going, oh, good paper, nice find or whatever.


MARIA. Well, yeah, Google said that some of these proofs of concepts were fake and were provably fake. But others are still kind of like they actually might be real. And the thinking is that maybe the North Koreans actually really did have some exploits they were willing to burn just for the sake of building credibility for these attacks. Anyway, so after these attackers took their time to build rapport, they would then, when the time was right, deploy their ruse, which was that they had a new proof of concept on exploiting a new or previously patched vulnerability or saying they had a new method to exploit a bug, that kind of thing.


CAROLE. That would work. That's the little fishy, the little worm on the hook.


MARIA. Right. And again, as Google said, as I mentioned, Google said some of these proofs were faked, but a lot of them were made convincing enough that it fooled a few people, even savvy researchers. So when the attacker would DM a researcher saying, "Hey, do you want to collaborate on this research? Because I need specific expertise, and you have it, and I don't," that sounds like a legit ask. People do that in the research field.

Yes, they do. Oh, my God. So if you've spent weeks or months ingratiating yourself in a not too scammy way, a researcher might go, "You know what? Yeah, let's collaborate."

So as part of that process, the attacker would then direct their target researcher to a Visual Studio project with the source code to their exploit, so they could look at it and collaborate on it. So the hitch is that hidden in that Visual Studio project, there would be a little hidden DLL, which is a little program that would install backdoor malware on the researchers' machines. So that researchers' machine would now be hooked up to a North Korean-owned command and control server.


GRAHAM. Presumably with the intention of either stealing other work that those researchers were working on or that company was working on or...


MARIA. Keeping an eye on what they're up to.


GRAHAM. Yeah, spreading throughout that company, because of course, that company may be in the business of unlocking North Korean threats. So cunning, isn't it?


CAROLE. Did they want access to the lab or they wanted just to kind of compromise the researcher system and just have whatever access they had?


MARIA. I imagine whatever they could get access to is probably worth getting. And that would be pretty good.

Yeah. And to the credit of many researchers, many of them saw that little hidden DLL and went, "Wait a second." So they caught it, but not everybody did. And here's the thing: what I just described was the simple version of the attack. There's actually a much more sophisticated one that's still a mystery. And this is actually what really grabbed the headlines last night.

So sometimes when the North Korean attacker would do that whole social engineering song and dance, they would just send the researcher over to their own website, which was set up to look like a legitimate research blog. And even though these researchers were all using the most updated and patched versions of Windows 10 and Chrome, and they were otherwise presumably locked down because, you know, they're researchers, somehow just by visiting that fake research blog, the targets would then get malware installed on their machine calling into that C&C server.

So this is why Google's involved. This is why their APT team is on this, because it seems that the North Korean group was exploiting a heretofore unknown Chrome vulnerability. So that is a Chrome zero day in the wild, y'all. That's what was the news last night. So kind of scary.


CAROLE. So that means basically anyone that uses Chrome is potentially vulnerable to this, but really they're only currently attacking researchers?


MARIA. Well, if you visit the blog, yeah. If you visit the blog, yeah, you're vulnerable right now. There's no fix for this.

So the Google Threat Analysis Group wrote in their blog post that "We hope this post will remind those in the security research community that they are targets to government-backed attackers and should remain vigilant when engaging with individuals they have not previously interacted with." So as I said earlier, most APTs are sexy headlines but don't make much of a difference to the average person. But this one, the thought of a compromised security researcher does make me lose a bit of sleep last night, you know, especially if they're working on behalf of your supposedly benevolent government. So that's kind of a yikes.

So as you said, is this just something a researcher needs to worry about? No, it's wicked, wicked important note. So we don't all get hacked by North Korea, don't visit the blog that Google put in their blog post. The link to the North Korean blog is in a lot of the media coverage.


CAROLE. It is? It is. Did they hyperlink it?


MARIA. They put a little note in parentheses after it saying, "Don't visit this." Oh my God. But you know what? They'll obfuscate it by just saying, "A period goes here in the URL." It's not very difficult to just put it in yourself. And I'm just like, I'm a very curious person. Part of me wants to be like, "What does this thing look like?" No, Maria, do not do it, Maria.


CAROLE. Yeah, it is very tempting.


MARIA. I had to really stop myself from visiting. So don't go to that website. Slap that hand. You know, I've been—


GRAHAM. Going on a lot of walks during lockdown and I go through a field full of sheep.


CAROLE. Are you allowed to go for walks? Yes, I am. Are you walking seven kilometres from your house like Bojo did and got in trouble?


GRAHAM. That's not too much either. But anyway, but there's an electric fence and there is a sign on there saying, "Do not touch electric fence." And there's something about me, which makes me think, "Oh, I wonder if that really is electrified."


CAROLE. Did you touch it? Did you lick your fingers first?


MARIA. For the extra. Yeah, for the extra zing.


GRAHAM. I cannot stop myself touching electric fences.


MARIA. Okay, Graham, this is the wrong show. You need to come on Sticky Pickles for that.


GRAHAM. That explains a lot. I'm not touching it with my pickle. Not yet. Oh, God. That's how long lockdown goes on for. Carole, what have you got for us?


CAROLE. Well, interesting. This follows very well from Maria's story. I wanted to start by asking you guys to define the word grubby for me. Like what kind of actions would you say would be labeled grubby?


GRAHAM. Something where, you know, there's a podcast and it's meant to be about a serious topic, but they just keep on getting a little bit lavatorial. Something like that.


CAROLE. It's like 2019, I would have said not washing your hands after a poop. Now that's up there with murder, right? Don't screw around. It might be murder. But I think our main character in this story, a Mr. Aviles, is most definitely, inarguably, in fact, grubby. Do you want to know what he did? He's a digital peeping Tom.

At 35 years old, Mr. Aviles was a technician for ADT, the well-known home security company. And he helped people install their systems. And one day he decided if he could secretly access the footage of some of his customers' surveillance systems.


GRAHAM. Oh, no. Why do people put these cameras inside, pointing inwards to their living room or bedrooms or house? Like, why? Why do they need their internals always under constant digital surveillance?

We might be worried about getting robbed. You might be worried about the cleaners or, you know, some workmen.


MARIA. Or the nanny or, yeah, somebody working for you in your house. I don't ascribe to that kind of viewpoint, but that's my understanding.


CAROLE. Yeah. Okay, so you're so worried about things being stolen from you that you basically live under constant surveillance.


GRAHAM. Well, I don't because I don't have these cameras. But I think some people will think it's – they're probably not worried so much about their privacy. I bet it's for insurance, actually. You know, it's here's video of the guy, you know, stealing my phone or whatever.


CAROLE. So this guy, Mr. Aviles, managed to gain access to 200 different ADT customer video surveillance feeds in and around Dallas. And can you guess what his motivation was, according to Gizmodo? Butts.


GRAHAM. He's a superhero in the making and he really wanted to see if a crime was being committed. And if he saw someone uncouth. Grubby man flying through the stars. I thought he was going to swoop in and save the day is that not the case as grubster in his underpants over his tights.


CAROLE. No, he wanted to spy on women and couples doing the nasty. Butts exactly, just butts, yeah, butts exactly, half butts, full butts. He did this for years until he was caught. He accessed 200 streams almost 10,000 times.


MARIA. He had some favorites is what it sounds like.


CAROLE. Let's be generous. Let's say that over years, let's say they mean five years, right? So that's 200 times a year he's accessing these streams, four times a week, right?


GRAHAM. I'm thinking he not only saw pickles, he probably had quite a pickle himself. Don't watch him that much. Talking about grubby.


CAROLE. The authorities say that the IT technician, Mr. Aviles, took note of which homes had attractive women, then repeatedly logged into these customers' accounts in order to view their footage for sexual gratification. This is horrendous. I'll get to how he pulled off this incredible hacky feat, right? Because of course, presumably it should be not impossible to gain access to someone's unauthorized digital stream, right?


GRAHAM. Was he doing this from his office? Was he doing this from his workplace? That's a good question. Had he not signed the good behavior agreement, the sign of good conduct? Maybe he needs to reread it. A little reminder.


CAROLE. So I wanted to know, I'm sure people who are thinking about putting this kind of surveillance into their house, obviously go and research who has access to the video stuff. So there is a very helpful ADT FAQ that I was able to find very easily. And the question was, are the internal IP cameras secure? That is, can someone else access the wireless camera signal and view the images captured by the cameras in and around my home. And ADT answered that ADT requires authorized users to log in through a personal ADT smart home website. And there's HTTPS protocol. And they say it's similar to what the banking industry uses in order to offer you secure online banking features. Okay, so sounds impressive.


MARIA. Sounds a little vague to me. I don't really understand. I'm that's not enough information for me, but okay.


CAROLE. So obviously, Mr. Aviles had Harrison Ford arch enemy level of sophistication, right? Because they use bank security practically.


GRAHAM. What is... I think Maria and I are both thinking the same thing. What are these Harrison Ford qualifications you're talking about?


CAROLE. I'm going to tell you. These Harrison Ford arch enemy qualifications... Shooting first. Is basically go low tech. So Mr. Aviles was no computer mastermind, but just a cunning little pervert. And he gained access by adding an email address to the customer's account. So whilst he's installing the system, he just makes sure that his private email address also had access to all the surveillance material.


MARIA. Oh, so he's setting it up for them. He's setting it up and he goes, okay, lady of the house got a nice bod. Let me make sure I leave my little calling card so I can check back later. Exactly. Oh, okay. This is about as gross as I imagined it was.


CAROLE. After years of grubby behavior, a single ADT customer in South Dallas reported an unauthorized email address on her account listed inside ADT's own app, which is called ADT Pulse. So yeah, the company launched immediately an internal investigation, discovered the employee's personal email address in 220 different accounts of ADT. The same email address, not—


MARIA. Subtle is what that is. That's someone who's pretty sure he's not going to get caught or doesn't care.


GRAHAM. But he didn't get caught for years. For years.


CAROLE. Yeah, he got away with that red handed if you will. 220 different accounts, Maria. And it's only like 10 in the morning. I know it's really early for me.


MARIA. It's way too early for me to be saying shit like this. Oh my lord, I just had my morning coffee. I'm still in my pajamas, although it has nothing to do with the time of day anymore. Seriously.


CAROLE. Now, news of this scandal initially emerged last April when ADT reported the breach publicly pretty darn quickly. And they said, "We deeply regret this incident, remain committed to working with law enforcement to support them in whatever they need to help bring justice to the victims of this former employee," the company wrote on its website. The company said it implemented procedures to prevent similar attack from taking place in the future, including sending notifications to customers when users are added to accounts. Although it wouldn't have helped here because if you add it during setup, you would just—anyway. But this week, this week, two federal class action lawsuits—you knew they were coming around the corner—these have been filed on behalf of the hundreds of ADT customers who recently learned that their accounts with a home security company were compromised by a former employee. Oh, boy. Each lawsuit is in excess of 5 million. And I think this is where we all have to remember to regularly check your settings, right? If ever there was a remember to check your settings regularly, right, this is it.


GRAHAM. And not just on something like your cameras, but also your email account, because you may have additional email addresses associated with your Google account, for instance, or places where your messages are being forwarded to or delegation.


CAROLE. Yeah, I wonder, you probably just had an email address like pervypervpervperv at gmail.com or something like that. Anyway, so years no one noticed. 220 different people did not notice that someone else's name was listed in the, you know, the "I can access this feed." So, and why didn't ADT notice that the same email address was across 220 different accounts? Like, ish.


MARIA. I'm sure they were not monitoring for that. Like why, you know, think why would they be monitoring? Well, I think they will be now. Yeah. Now they will be. Yeah.


GRAHAM. Wake up call to the rest of us. So what's happening? What's happening to this guy? Has he been sentenced?


CAROLE. Yeah. He's facing five years in jail. He's facing five years. He admitted it. Yeah. Yeah. He's come clean.


GRAHAM. Okay. Are they going to put a CCTV camera in his cell? Oh, yeah. Because you'd be watching that, wouldn't you?


CAROLE. Grubby, grubby little pervert. Jeez.


MARIA. Oh, I, you know, this story reminds me a little bit of, I think it was Google that implemented some sort of feature now where, when a person is added to an account, everyone gets notified. And there was a lot of hubbub about it because it had something to do with underage accounts being notified if a parent is adding themselves. And it's like, the reason is because shit like this happens, and you know, people have a right to know who's monitoring their accounts. Like, I understand people are like, "my teenagers shouldn't have to consent to stuff like this." Like, I don't agree with it, but I mean, totally, 100%. Somebody's gonna do something like this in the download. I want to get an email about it saying, "hey, wetpalm69 at adt.com is monitoring your camera, do you want this to continue?" Exactly, no I don't.


CAROLE. Listeners, listeners, it's call to action time. Can any of you that have surveillance systems, specifically inside the house or outside, can you please go check? Make sure everything is kosher and as expected. Yeah, check those settings.


MARIA. Check those freaking settings, guys, come on. Settings, check those settings. Sorry.


GRAHAM. Everyone else had said it, I thought maybe you need to be involved.


MARIA. You have to join us.


CAROLE. Hey Graham, hey, now that it's 2021 are you ready to admit that maybe your brain is turning to mush?


GRAHAM. Why are you saying that? You thinking I'm getting forgetful?


CAROLE. Yes, often, very, and I'm a little bit worried about it. I suppose most of us, you know, are working from home all the time. I mean, how the heck do you even remember a password in these scenarios? Nice segue, eh?


GRAHAM. Yeah. Well I use a good password manager. I in fact use 1Password.


CAROLE. 1Password, that's one with a one right? 1Password.


GRAHAM. It's a great password manager. It works for home use. It works for families. It works for business. So I run a little business here at home. And it means, and imagine I worked in a bigger business, right? Imagine I was a part of the remote workforce. I could still work safely online, make it really easy for me to create and use strong passwords or share them with my colleagues.


CAROLE. Oh, and tell you what, now that all of us are working from home and your computer is being used not just for work, but also for home stuff more often than ever before, this kind of stuff keeps everything nicely segregated.


GRAHAM. And listeners can find out more and they can try 1Password for free for 14 days at 1Password.com. Thanks to them for supporting the show.

And welcome back. Can you join us at our favourite part of the show? The part of the show that we like to call Pick Of The Week. Pick Of The Week. Pick Of The Week. Pick Of The Week is the part of the show where everyone chooses to say what they like. It could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security-related, necessarily.

Better not be. Well, for the last few days, I thought, you know, how should I spend my evenings? I thought I could do my normal trick of just watching chess on Twitch. Or maybe I should do what everyone else in the world seems to be doing, which is binging on TV shows.

And I found a Scandi Noir docudrama. Scandi Noir. It's already been shown in Scandinavia, but it's currently available on BBC iPlayer as well. It's called The Investigation. It is a real-life crime drama from Denmark.

And it's all about, do you remember the rather bizarre story of a journalist who disappeared and it turned out that her last journalistic endeavour was to interview a man on his private submarine? Yes,


MARIA. submarine. The submarine story. Oh, yeah, I remember that. Yeah, yeah. And he f***ed, didn't he? Spoilers. Spoilers in hell, Carole. Well, now I don't need to see it. Jesus.

And then he what or what? I was just remembering


CAROLE. the story. Isn't that the guy who would plop, plop, plop, plop, plop, plop, plop, plop, plop?


GRAHAM. Anyway, it's really rather good. It is in Danish and Swedish, English subtitles. I love a bit of subtitles. In fact, I was watching another Scandi Noir drama the other day, which had been dubbed into American. And I was thinking, this is rubbish. And I ended up changing on Netflix or Amazon Prime or whatever it was, the language to put it back into Swedish and put on English subtitles. And it instantly became better.


CAROLE. Yeah. But if you put on both the dubbing and the subtitles, there are some very interesting differences in both of them. And it can be a very meta experience to enjoy watching the two fight against each other because someone's more rude or someone's more. It's fantastic.


GRAHAM. The chap who's made this is a guy called Tobias Lindholm. And what's good about it, I think, is it focuses very much on the police investigation and the family of the victim. The suspect never, ever appears. He's never interviewed throughout the drama. And in fact, apparently the chief policeman never did interview him throughout the entire investigation.

And so it's very respectfully done. It also features the real divers who were trying to bring up the submarine and looking for evidence. It's very, very interesting. I will watch it. Yeah, it was good, I liked it. So it's called The Investigation, and I will put some links in the show notes where you can read more.

It's almost as good as my pick of the week. Great, Maria, what have you got for us?


MARIA. I also had a TV show recommendation, except I kind of want to make mine a twofer, because before I came on the show this morning I saw some news that I also was like, oh, I need to include that. So the thing I saw this morning that I have to put a shout out for is Babylon 5: the remaster is now available on HBO Max. So for my hardcore nerds who've been missing it on their streaming platforms, you can now see it, and it's in the original.

Babylon 5. Oh


GRAHAM. Babylon 5? I thought you said Batborn. I thought it sank about the


MARIA. No, no. Babylon 5. It's his years, darling. Yeah. Is it my connection? Sorry. Babylon 5, the Renaissance. No, no. It's just a remaster of the original. I should just shut up.


CAROLE. Yeah, it's just a little crisper, Graham.


MARIA. It's a little crisper. And it's a great series that sci-fi nerds really love. So, you know, I'm going to rewatch it now.

Anyway, but my actual pick of the week for this week, before I saw the Babylon 5 news, is a series that ended in early 2020 that's also on HBO, but I believe it's globally available. It's called High Maintenance. And it's about a guy who sells weed to a bunch of people in Brooklyn. And yes, there is some marijuana use in the show, but it's really not about using drugs. It's really a lot of vignettes about the many, many wonderful different types of people who live in big cities like New York.

So if you're the kind of person who loves slice-of-life stuff that's kind of heartwarming, this show is such comfort food, and it's all pre-pandemic. So for me, it's like, OK, this is the stuff I love about New York or big cities like London. Like, that's the kind of stuff I love, when you get so many different types of people crammed together. And some of them have some really interesting idiosyncrasies.


CAROLE. Do you ever watch TV now and go, oh, pre-pandemic, oh, pre-pandemic? Whenever they're hugging. There was this show recently I watched, I think I was watching 13 Reasons Why. At one point, one of the guys spits in the other guy's face and I was like, whoa!

They are making


GRAHAM. some dramas where people snog and things I was reading about this. People are still having sex. Graham, you know single


CAROLE. people are dating and stuff


GRAHAM. I know, I know, but in some cases what they've done is they've hired the girlfriend or boyfriend of the actor to act as a body double for their fictional partner. "Can you wear this wig?" They're doing the saucy scenes, but in other cases they're simply testing people every day and they're full-on snogging. And I'm thinking, seriously, I mean, I wouldn't do that. If I might imagine, probably no one would do it to me either. But, you know, I don't think I'd want to take that sort of risk.


CAROLE. Really? Diana Rigg rises from her dear? Yes, lovely. I was


MARIA. going to say, she has passed on, so that – She rises from her dear? Yeah.


GRAHAM. Can you be a little bit more respectful to the dame?


CAROLE. What? No, she's gorgeous. I adore her. I was just picturing something quite funny. Oh, Jesus Christ. I do apologize, Maria.


MARIA. No, no, no. I'm just, you know. Oh, no.


GRAHAM. It's my turn to talk. Carole, what's your pick of the week? Let's see. Anyway, so that's called High Maintenance, isn't it, Maria? Yes. Excellent. Thank you. Really like it. Yes. Comfort food. Comfort food. It has nothing


MARIA. to do with shagging dead people. A lot about really nice, happy people. It's a comfort food show and you don't need to be high to watch it. Carole, should


CAROLE. we go to your pick of the week now? Okay, this week I have a brand spanking new podcast. Sticky Pickles! Oh, no. No, it's not brand new. But from Wondery, called The Apology Line. Now, it's only two episodes in. No baby podcast. For those of us not using the Wondery app, but I'm so hooked already. And Graham, I think this is right up your street. Maria, I'm not sure. You let me know. So I'm going to get the annoying things out of the way first, because there's two. One are the ads. Wondery just jams a fuck ton of ads inside their 45-minute program. It reminds me of TV from the


GRAHAM. days of yore. Is that a metric fuck ton or an imperial fuck ton?


CAROLE. One must know. A lot. And remember, Wondery has the backing of 20th Century Fox, and the Wall Street Journal reported that Amazon's in talks to get it at 300 million. That's the valuation. So it's not like a little independent show like Smashing Security or Sticky Pickles or whatever. Two, the other annoying thing is episodes are coming out only weekly. So you have to wait a whole week and it's done. You just want to know what's happening. But the content makes it worthwhile. So the Apology Line was the name of a confessional hotline that existed in the 80s in New York. And it slowly consumed Mr. Apology, the pseudonym for the creator, who turned out to be Alan Bridge. Now, the whole point of this was to call this answer phone machine and confess your wrongdoings, right? And apparently Alan was a petty criminal in his early life, and he worried that people could fall too easily into either being predator or prey. So he wanted to try and make the world a better place. So he ran this hotline off a basically nondescript, souped-up 386SX. That's for my geek friends.

I remember them well, yes. Used to have one. Okay. And he funded the whole operation himself for 15 years and amassed literally thousands of hours' worth of messages. And some were banal, some were really grubby, word of the day, and some were downright terrifying. And the problem was the creator, Alan Bridge, became obsessed with some of his callers and got deeply involved in their lives. Oh, okay. Yeah. So from 80 to 95, Alan Bridge ran this hotline. He was kind of like a secular priest. He was offering potential forgiveness through the catharsis of tape confessions. And I was thinking, how is this coming out now? Because he's not on the show. Turns out he died. He was killed by a jet skier who ran over him while he was swimming.

That's awful. And then fled the scene and was never identified. And you think, he got death threats. Yes.


GRAHAM. My conspiracy theory is, was he murdered? Everything's a bloody conspiracy theory with you, isn't it? So this is all being told


CAROLE. by his second wife, Marissa Bridge.


GRAHAM. What did she do with her inheritance? Did she buy a new jet ski? I'm the asshole.


CAROLE. Anyway, I'm utterly hooked. It's called The Apology Line. It's from Wondery. Check it out. It's just fascinating and I love it. So that's my pick of the week.


GRAHAM. Excellent. Well that just about wraps it up for this week. Maria, thank you so much for joining us yet again. I'm sure lots of listeners would love to follow you online. What's the best way for folks to do that?


MARIA. Twitter. Yeah, at M-Vamarsis. I'm on Twitter. Come find me there.


GRAHAM. And you can follow us on Twitter at Smash-Security. No G. Twitter wouldn't allow us to have a G. And we're also up on Reddit. So just look for the Smash-Security subreddit. And don't forget to ensure you never miss another episode. Subscribe in your favourite podcast apps such as Apple Podcasts, Pocket Casts and Spotify.


CAROLE. And a huge thank you to this week's episode sponsor, 1Password. And to our wonderful Patreon community. Thanks to them, this show is free for all. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 210 episodes, check out smashingsecurity.com.


GRAHAM. Until next time, cheerio.

CAROLE. Bye-bye.

MARIA. Bye.

CAROLE. Bye. Oh, I was hoping you'd do your Friends one.

MARIA. Bye.

CAROLE. Bye. I do that.


MARIA. Cool and no technical problems.


CAROLE. Marvellous. There we go, another one wrapped. I'm stopping the record.

-- TRANSCRIPT ENDS --