
214: Lockdown love scams, SolarWinds, and a data deletion bungle


Fingerprints and DNA records have been deleted from the UK's police database, the SolarWinds hack continues to wreak havoc and raise questions, and we have some advice for how to fall in love safely under lockdown...

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Professor Alan Woodward.

Visit https://www.smashingsecurity.com/214 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Alan Woodward.


Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



CAROLE THERIAULT. There are people that have that special person that they can't see or they're not living with, and how do you do that? It's time to reach out, but what do you do, send an emoji?


GRAHAM CLULEY. Well, I, I quite like Diana Rigg, so I'd have to hold a séance, I suppose. Um, so that isn't going to work for me.


ROBOT. Smashing Security, episode 214: Lockdown Ransomware and Love Scams, SolarWinds and a Data Deletion Bungle with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 214. My name's Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And Carole, we are joined this week by somebody who's brand new to the show, but not new to the pages of cybersecurity. If you've ever read the headlines on the BBC and elsewhere, you will no doubt have seen our guest commenting. It's Professor Alan Woodward. Hello, Alan.


ALAN WOODWARD. Hello, though.


CAROLE THERIAULT. Welcome to the show.


ALAN WOODWARD. It's very nice to be here.


GRAHAM CLULEY. So for folks from further afield who may not have seen you before, Alan, can you describe what you do?


ALAN WOODWARD. I suppose if you ask my family what it is I do, they would say I make computers do things that they're not supposed to do. And when I've learned how to do that, I teach others to do it. So I'm actually a visiting professor at the University of Surrey, where we do a lot of research, and I have some students, MSc students, people like that. And then I also advise various government departments in the UK and actually overseas as well, people like Europol. And then every so often, large organizations that want to know a little bit about how they should be acting more securely in cyberspace.


GRAHAM CLULEY. Fantastic. Well, we all need a bit of that, don't we?


CAROLE THERIAULT. So let's thank this week's sponsors, 1Password. Its support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm gonna be talking about the mystery of the disappearing fingerprints and some other data as well.


CAROLE THERIAULT. Ooh, mysterious. Alan, What about you?


ALAN WOODWARD. Well, I want to talk a little bit more about the ever-ongoing story of SolarWinds. It's a story that keeps on giving.


CAROLE THERIAULT. And I'm doing the lockdown Valentine's special with romance scams. All this and much more coming up on this episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, have you ever made a mistake? At work?


CAROLE THERIAULT. Nope.


GRAHAM CLULEY. Carole, I used to work with you, so—


CAROLE THERIAULT. Never made a mistake. If ever you disagreed, it was because you got it wrong. Of course.


GRAHAM CLULEY. Alan, as a visiting professor at the University of Surrey, have you— would you own up to any goofs?


ALAN WOODWARD. Yes, I would say I quite often make mistakes. But I'd like to think of mistakes as an opportunity to learn.


GRAHAM CLULEY. Ah.


ALAN WOODWARD. That's what I tell the students anyway. But— Now, unfortunately, yes, I've made— and part of it is one of the very reasons I want to talk about what we're going to talk about later on, which is that you make certain assumptions as you're analyzing various incidents, for example, you base it on a certain amount of information. And as you learn more, you realize that you were mistaken. It's not so much that you were mistaken, but that you jumped to conclusions and you learn very quickly that you really shouldn't do that. Hmm.


CAROLE THERIAULT. Ooh, hurry along, Graham. We got to get to this.


GRAHAM CLULEY. Well, now, now, I used to be a computer programmer. I don't know if either of you have ever programmed computers or anything.


CAROLE THERIAULT. Yes, you do. I haven't really ever.


GRAHAM CLULEY. You haven't even done a 10 PRINT Carole is cool?


CAROLE THERIAULT. Yes, I've done that. That's not programming, really.


GRAHAM CLULEY. Alan, have you ever made any programming mistakes?


ALAN WOODWARD. Oh yes, quite a few. In fact, in some of the earliest programmes I wrote, I mean, you have to go back a long way to find the machines that I first worked on.


GRAHAM CLULEY. Was it punch cards? Were you sort of punching out the wrong hole on a—


ALAN WOODWARD. It was. No, you joke, but it was Hollerith cards where you would submit them to some high priestess through a hole. And 3 days later, you'd get the results back. And you learned very quickly not to make a mistake because you'd have to go through the whole thing again. So you actually became very, very assiduous with your programs. These days, people make a mistake and, ah, they can just recompile it and away they go. But no, in those days, it was very much, you had to be so careful. So the first half dozen, you always make a mistake in.


GRAHAM CLULEY. Well, I certainly remember making some mistakes in my early days of programming. One of my first jobs was to "Write the Windows version of Dr. Solomon's Antivirus Toolkit." And the way in which we worked in those days is we actually had no computer viruses at the office. All of the computer viruses were in Alan Solomon's spare bedroom at his house.


CAROLE THERIAULT. Safe, secure.


GRAHAM CLULEY. Well, it was more secure than having them in the office, because the last thing we wanted to ever do was ship them to anyone. But that meant that when I did programming on the virus-finding engine, I didn't actually have anything to test it against. So I remember once I was given the source code and the challenge of speeding it up a little bit. And I did some work on it for a few days and I brought it back and I said, I said, I, you know, it's a fair bit faster now. I think I've increased its speed by 20% or something. So Alan took it back to the viruses and he said, well done. Yes, you have sped it up. Unfortunately, it no longer detects any malware at all. So, so it had a 0% detection rate.


CAROLE THERIAULT. So it was super fast. Excellent. Well done, Graham. Good thing you're a podcaster these days.


GRAHAM CLULEY. Exactly, yes. Nothing as dangerous as programming. So coding cock-ups can happen. And I want to talk to you about something along those lines. Now, in the United Kingdom, we have a supercomputer system called the Police National Computer System, the PNC, which stores and shares information and criminal records between forces across the country. So, if police are investigating something, rather than looking at old cards in a filing cabinet or anything like that, they can actually use the computer instead, and they can quiz the computer. And even officers can use it for real-time checks. So if they stop someone in the street, they can call in, someone will look up on the Police National Computer if you're wanted in relation.


CAROLE THERIAULT. Go, I got him! I got him!


GRAHAM CLULEY. Right, exactly. Carole, you know all of course about being in trouble with the law.


CAROLE THERIAULT. Next.


GRAHAM CLULEY. Yeah, okay. Not this week, gonna tell that story, right? Well, last month, it became headline news that some of the records stored on the Police National Computer databases had been unfortunately lost.


CAROLE THERIAULT. What do you mean lost?


GRAHAM CLULEY. Well, I don't mean lost down the back of the sofa.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. I don't mean—


CAROLE THERIAULT. Interesting you bring up sofas. Interesting.


GRAHAM CLULEY. In fact, why wouldn't I bring up Sophos? What are you talking about?


CAROLE THERIAULT. Oh, you'll see later.


GRAHAM CLULEY. Oh, is it? Okay. In fact, over 200,000 records were reportedly deleted from the Police National Computer Database.


CAROLE THERIAULT. Oh, so not misplaced, but actually—


ALAN WOODWARD. Lost.


CAROLE THERIAULT. Poofed.


ALAN WOODWARD. Lost.


GRAHAM CLULEY. Yeah. Due to what they described as a technical issue.


CAROLE THERIAULT. Oh, it's such a good term.


GRAHAM CLULEY. Now, I think when you've worked in the field of cybersecurity for a while, when you hear that a company's suffering from technical issues, it's very natural to assume the worst. It's very natural to assume, oh, maybe they've been hacked, maybe some ransomware's been planted, maybe something malicious has happened.


CAROLE THERIAULT. Yeah, you feel like they're downplaying it, right? You feel like they're downplaying the snafu that might have happened.


GRAHAM CLULEY. Maybe not sharing enough detail.


CAROLE THERIAULT. Yeah, yeah, yeah. That's true.


GRAHAM CLULEY. So, the Home Office, they said that the lost data related to people who had been arrested and then released without further action. Okay? And so you kind of think, well, that doesn't matter too much, does it? Because, you know, if the police decided not to pursue it, then big deal. But according to the National Police Chiefs' Council, the NPCC, on at least one occasion, a DNA profile which had been taken from a suspect held in custody didn't generate a match to a crime scene. As a result of this information being lost, and that obviously would impede an investigation. So, I don't know if either of you— either of you ever left DNA at a crime scene or anything like that?


ALAN WOODWARD. Inadvertently.


CAROLE THERIAULT. So, are you saying that basically innocent people's DNA has been lost?


ALAN WOODWARD. Yeah, well, actually what's happened in the UK is there is a law about what the law can do.


CAROLE THERIAULT. Okay.


ALAN WOODWARD. If you are found either not guilty or you're not charged, when they collect your fingerprints or your DNA, they're not allowed to keep it.


CAROLE THERIAULT. Yeah.


ALAN WOODWARD. And so what happened in this case was somebody was given a big long list of all those people that were not charged and acquitted and said, "Right, go through the database and weed out," to use their term, "weed out the ones that weren't supposed to be in there anymore." The trouble is they weeded out rather more than the ones they were supposed to.


GRAHAM CLULEY. Overenthusiastic weeding. It's a bit like taking a JCB to your back garden.


CAROLE THERIAULT. Yeah, no, that— yeah, I— that's happened to me. Overenthusiastic weeding is a very good term. I do do that. It's like, oh no, that's a carrot!


GRAHAM CLULEY. Now, according to the policing minister, whose name is Kit Malthouse, the government hopes that the records haven't been lost permanently, the ones which they did actually mean to keep, and that restoring them, they say, will take about another 12 weeks. Now, I don't know about you, but that feels like quite a long time.


CAROLE THERIAULT. Well, okay, look, you always will pad it by at least double. So, okay, that means they're assuming it's going to take 6 weeks, and then, um, they probably have never had to restore from backup before, so they're buying themselves a few weeks there. And it probably will take 10 minutes, but at least they get time to put the report together and make the web page and whatever.


GRAHAM CLULEY. But normally if you're restoring from a backup, it is something you should test and try out, isn't it? Rather than wait until disaster.


ALAN WOODWARD. You've got to. I mean, absolutely. If you don't test a backup, it's a bit like having a fire drill that you never practice. You really don't want to have to practice it the first time you really need it. But I suspect there's more to this in that because of the way the law is written, you shouldn't have a backup of that data.


CAROLE THERIAULT. Ah.


ALAN WOODWARD. And so they will have overwritten the backups. And what they're trying to do is, as we all know, when you delete something, you don't actually delete it. You simply delete the reference to it. And then whatever media you're using starts to get overwritten and overwritten. And they're trying to, they're trying to recover all the fragments that may be left. So they'll probably be able to recover some of it, but certainly not all of it.


CAROLE THERIAULT. I guess it depends on how industrious they've been since it happened.


GRAHAM CLULEY. So this is really interesting, Alan. So what you're saying is this is really a data recovery job. This is a bit like— Oh yeah. When your hard drive ends up in the bottom of the toilet or something like that, you know, it's like—


CAROLE THERIAULT. Does that happen often, Graham?


GRAHAM CLULEY. Well, all right, everyone's had a smartphone fall in the bath.


CAROLE THERIAULT. Oh, touché, touché.


GRAHAM CLULEY. Right? Everyone's had that sort of disaster happen to them, and you think, "Oh, but I need my data off it." So the challenge they have is they need to get back the data they didn't mean to delete. Yep. But they need to be really careful that the data they did mean to delete remains deleted.


ALAN WOODWARD. Exactly.


CAROLE THERIAULT. Hence 12 weeks, I guess.


ALAN WOODWARD. Mm-hmm. But it's a much more complicated exercise than it first looks like. I mean, it's— if anybody's as old as me, they remember things like head crashes on— I mean, in those days, the hard disks we had were sort of like 3 feet wide and kept you about 4 megabytes. But if you had a hard disk crash on one of those, I mean, it really did scratch the surface and you lost a lot of data. And then you would have to recover different segments, sectors of the disk off, and you would then try to see which parts of the file allocation tables could I look at to see where it should have been on the disk? And you start to sort of literally sellotape and chewing gum, and you're putting all these bits of data back together and hope that that's what was actually meant to be there.


GRAHAM CLULEY. Do you think, just like there are vinyl record enthusiasts, there are also people who are enthusiasts for old forms of data storage?


CAROLE THERIAULT. Of course there are!


ALAN WOODWARD. Yes, of course.


GRAHAM CLULEY. Oh, the data's so much better on this old Western Digital 20-megabyte.


ALAN WOODWARD. Well, there are people that are still out there for VCRs. I mean, one of the very first systems I worked on was all about collecting masses of data from, actually it was from ships. And it was all done on VCR tapes. And because they collected so much, that you could collect so much data in that fashion. Some of the people that I know, they still will say to you to this day, well, when you get video on something like a Betamax tape, oh, it's so much better than all these modern digitized versions.


GRAHAM CLULEY. Oh yes.


ALAN WOODWARD. Unless you can hear the crackles, it's not real music.


GRAHAM CLULEY. Well, police in the meantime are being told to use alternatives. I'm not quite sure. What does that mean? Well, I don't know if it means they've got their little notebooks or they've got a little black book full of dodgy-looking people, people who wear loud shirts or walk on the cracks in pavement.


CAROLE THERIAULT. Court sketches.


GRAHAM CLULEY. Yeah, exactly. He looks like a wrong'un. His eyes are too close together. That kind of thing. I have no idea. Now, no less an authority on sane reaction to breaking news than Mr. Piers Morgan.


CAROLE THERIAULT. Oh, your favourite, your bud bud.


GRAHAM CLULEY. Friend of the show.


CAROLE THERIAULT. You love him.


GRAHAM CLULEY. Friend of the show. He's called on Home Secretary Priti Patel to resign over this matter. I'm not sure that's going to happen. I don't think Priti Patel is the type to resign. From everything I've read about her and the way she operates in the office, I think she'd probably need to be very convinced there was some evidence of wrongdoing, or maybe her boss wouldn't. And maybe the evidence has already been deleted by now. So how did the data disappear? Well, it's now been revealed, as Alan was alluded to, that this was a coding error which is being blamed. So it's the programmer which did it with a piece of lead piping in the conservatory, or maybe a piece of pizza by the water cooler. Somebody coded this incorrectly. And when they were told to do the weeding, their algorithm, a bit like my algorithm when I was rewriting Dr. Solomon's antivirus detection was a little bit too enthusiastic in one area and not in every way that it should have been.


CAROLE THERIAULT. It's all about balance.


GRAHAM CLULEY. Yeah. And this goof actually reminds me, do you remember, this is going to take you back. In 2007, we then had a Labour government, just to be fair. So I've got some balance on the show now. And they told families to keep an eye on their bank accounts for unusual activity because they lost two CD-ROMs containing the banking details of 25 million individuals, 7.25 million families, which were put in the post and never seen again. Unencrypted.


CAROLE THERIAULT. Those were the old days. You see, we've come a long way.


ALAN WOODWARD. It was, I mean, that was basically the entire HMRC database they put onto two DVDs. Yeah, put it in an envelope.


GRAHAM CLULEY. Yeah.


ALAN WOODWARD. I'm not sure they even sent it first class. And it, you can just imagine what happened to it. I mean, it's just, it's horrifying to think. And the other thing that really worries me about that is when you think about forward secrecy, that data is still out there somewhere. And that data, although I know it's 2007, a long time ago, but the details on there are exactly the same for me as they were then. So I just hope somebody never finds those.


GRAHAM CLULEY. It's interesting, isn't it? Because, you know, breaches sort of disappear into the mists of the past, but data which was stolen, as you say, years and years ago can still be abused.


ALAN WOODWARD. The thing is, people don't move that often. And one of the things that's becoming more, ever more permanent is your phone number, is your mobile phone number. In fact, it's used as a proxy for your identity in many parts of the world.


GRAHAM CLULEY. Yeah.


ALAN WOODWARD. In fact, the World Bank uses phone numbers and the number of phone numbers that are issued as a proxy for the population. 'Cause in many parts of the world, they don't issue birth certificates and death certificates, but they know how many phone numbers there are. So you can start to work out how many people there are. And your phone number these days is, is who you are. So if you've got that and a physical address, I mean, I've actually had cards cloned before when all they had to be able to set up the account was the birthday and the address. And some people will set those up as, you know, as taking a unique proof of ID, which of course it certainly isn't.


GRAHAM CLULEY. No. Well, I think it's another case of the public sector possibly doing a worse job of securing our personal information than private companies. It does seem to be happening time and time. I know it's a low bar.


CAROLE THERIAULT. I've never heard of a private company having any issues like this.


GRAHAM CLULEY. No, I'm not saying they don't, Carole. All I'm saying is, low as that bar is, maybe actually public sector is performing even worse.


CAROLE THERIAULT. Oh, okay. You should get a job at the Daily Mail with common sense.


GRAHAM CLULEY. Well, I'll have to speak to my friend Piers, perhaps. Yeah, you should.


CAROLE THERIAULT. See if he can—


GRAHAM CLULEY. Thank you, mate.


CAROLE THERIAULT. Oh, me?


GRAHAM CLULEY. Yeah. Alan, what story have you got for us this week?


ALAN WOODWARD. Well, the one I wanted to talk about was SolarWinds, sometimes called Solorigate, by Microsoft. It all originated, or at least it appeared to originate, from when the company FireEye detected that there was something rather strange about the SolarWinds software. SolarWinds is a piece of network management software which is extremely popular. It's probably one of the most popular pieces of software nobody's ever heard of, but it is literally running all the infrastructure that surrounds us, including in some very large government departments and particularly in America. So they found that there was something very peculiar in this software in that it had a backdoor in it. So they thought, well, that's not right, shouldn't have a backdoor in it. But the thing that confused them more is they couldn't find out how it had got in there because it wasn't in the source code. So if you imagine the build process for this software is some very clever people write the source code, it then gets put into the build process, turned into the object and machine code in a way, and then gets sent out in the update process. What was happening was it wasn't detectable in the source code, so none of the usual security checks in the source code were finding anything. But at the other end of the update cycle, in the update path, people were being sent updated software with this backdoor in it. Now, you know, you've got people like me who bang on like a broken record about you've got to keep your software up to date. It's got to be the latest version. Yeah, it's one of those mantras, isn't it? And of course, the poor people who actually followed that advice were the very ones that got hit with this. As it turned out, there was about, I can't remember, about 18,000 of them. And it was from March last year, March 2020, when they did the update then. So they were trying to work out how on earth did this happen? And it's only recently as they pieced it together.
The other bit that was really strange about this was that when it got to the other end of the update cycle, it was digitally signed. So it had the digital signature attached to it. This software was really from SolarWinds as far as your Microsoft machine was concerned, it really was from SolarWinds.


CAROLE THERIAULT. And the checks happened, like the checks that you expect to happen happened and they came back with the answers you expected so you wouldn't worry, you wouldn't go digging.


GRAHAM CLULEY. Users would be reassured it hadn't been tampered with.


CAROLE THERIAULT. Yeah.


ALAN WOODWARD. Absolutely. And then when they dug a bit further, what they found that was happening was somebody had managed to get into the build servers of SolarWinds and they had managed to get a script in there that injected their bit of code, a relatively small piece of code, into the SolarWinds code. And it was pretending to be a particular DLL such that when it was built, it went through the build process, it was all digitally signed by SolarWinds. So it got injected just at the right point that nobody would have spotted it. It just snuck in under the door, got signed, and out it went into the out process so that it went to the updates.


CAROLE THERIAULT. Yeah.


ALAN WOODWARD. No checks would have picked it up at the SolarWinds end. No checks would have picked it up at the receiving end because it was signed, etc. And then, you know, a lot of intrusion detection systems, for example, will look for unusual activity on your network. But this bit of software was clever. It went to sleep for two weeks. Once it got in, it went to sleep for two weeks. And only after that did it dial home. It dialed home to the command and control servers and said, "Right, I'm here." I'm here. "I'm active. What do you want?" And it would allow them to come in and do— take files off, or just to come in as a general backdoor, actually, and implant other software as well. So—


CAROLE THERIAULT. Yeah. Anything they wanted, basically.


ALAN WOODWARD. Yes. But then came a slightly mysterious twist. There's been all sorts of twists and turns in this tale, in that what became clear was that Microsoft had been hit and they weren't sure whether Microsoft had been hit because they had installed SolarWinds that had a backdoor in it, or was it that Microsoft's 365 product had somehow been infiltrated and that was used to get the credentials to then go and attack SolarWinds' build servers? And that's all still a bit up in the air at the moment. So nobody quite knows what came first, the chicken or the egg here, but it's looking like somehow something was involved outside of SolarWinds that allowed them to get the credentials to go into that build server. Either way you put it, it's SolarWinds that are now squarely flagged with having had this problem, as you can tell from their share price.


CAROLE THERIAULT. Do you think it's one of the more clever attacks that have happened because there's so much thought put into how to sneak around?


ALAN WOODWARD. Yes. In the good old days, tradecraft, as they call it, was sort of the benchmark of all the espionage we ever did. And this had an enormous amount of tradecraft in it. This wasn't just building something that was sophisticated, very clever. As with most things, I mean, it exploited what's called the PICNIC problem, as in the problem's in the chair, not in the computer. So you get the person to do something that then lets something else happen, that lets something else happen. And it's these chained exploits that are the really clever ones. I mean, you know, you see some 16-year-old breaking into TalkTalk using a SQL injection tool that they can get on Kali Linux.


CAROLE THERIAULT. Yeah, and you're like, yawn.


ALAN WOODWARD. Yeah, yeah, yeah. But this, no, this was really thought through. This must have taken a couple of years.


GRAHAM CLULEY. Now, obviously, many thousands of companies and organizations will have been running this compromised version of SolarWinds and potentially would have been vulnerable to attack. But it wasn't really an attempt to compromise thousands and thousands of companies, was it? It appears that they had particular targets in mind.


ALAN WOODWARD. This is again one of the really interesting parts about this in that if you look, I suspect a lot of companies were caught in the crossfire. Because, because we were then able to identify the command and control servers, so the indicators of compromise were very definite for where information had been exfiltrated from organizations. You could actually go and look and see using passive DNS, for example, you could see who had been not just attacked, but that attack had then been used to suck information out. And it turned out to be relatively few. A lot of them were large government departments in the US. In the UK, far less so. There was a mild, I think slightly knee-jerk reaction. It's quite interesting that the US took the approach that rip it out, and they basically issued this emergency order to rip it out of everywhere. The UK, the National Centre for Cybersecurity didn't say that. They said, well, first of all, find out if you're subject to it. Secondly, look for these indicators of compromise. And then thirdly, close them off. So no data could be exfiltrated, and then you can clean house whilst, you know, nobody can get anything out. So it was a much more measured approach.


CAROLE THERIAULT. How unusual.


ALAN WOODWARD. Whereas the Americans, it was just kind of rip it out. But the trouble with the rip it out approach is these things are so interconnected these days, you don't always know the full ramifications of ripping it out of your system.


GRAHAM CLULEY. It's a bit of an odd name for a company though, isn't it? SolarWinds.


ALAN WOODWARD. Yes, well, SolarWinds, an awful lot of their names are sort of astronomical. I suspect whoever set it up ended up as an astronomy buff because actually the product that was affected was called Orion. So yes, they seem to, but then I guess we're running short. We've gone through most of the fruits like apples and acorns and all the rest of it. So, but maybe we're now onto astronomical metaphors.


GRAHAM CLULEY. Carole, if you set up a software company, would you name it after Uranus? That's just a cheap schoolboy joke. And I apologize for that.


CAROLE THERIAULT. Oh yeah, that's good. That's all you need to do.


GRAHAM CLULEY. Yeah. Carole, what have you got for us this week?


CAROLE THERIAULT. All right, cue romantic music. Now, this show is being published a few days before Valentine's Day. And if you have a special someone in your life, I assure you that this is not the year you want to skip on— ooh, forgot— because it's been a pretty bad year for most of us. And if you're living with this person. They've been putting up with your crap day in, day out, because especially if they've been in lockdown, there's been no respite at all, has there? And so, you know, and also they'll feel bad if they didn't do anything. So you have the upper hand after that as well.


GRAHAM CLULEY. And if you're not— card saying there is no one I would like to spend the rest of my life locked up in one room with than you, couldn't you? Because now I've experienced it.


CAROLE THERIAULT. Way to kill the romance. Now, uh, there are people that, uh, have that special person that they can't see or they're not living with. And how do you do that? How do you reach— you know, it's time to reach out, but what do you do? Send an emoji?


GRAHAM CLULEY. Well, I, I quite like Diana Rigg, so I'd have to hold a séance, I suppose. So that isn't gonna work for me. Yeah, good question.


CAROLE THERIAULT. I don't know, I say throw caution to the wind. I say reach out.


GRAHAM CLULEY. Right.


CAROLE THERIAULT. Digitally hug her, digitally hug her somehow, the way you can. But there are some people out there that need to avoid throwing caution to the wind, and that's those that are in brand new online relationships. They need to be extra careful because this is Valentine's Month, and romance scams are on the rise. Isn't that annoying? You have like one day which— did it always exist? See, I'm showing my ignorance.


ALAN WOODWARD. Oh my God.


GRAHAM CLULEY. Oh, that's a good question.


CAROLE THERIAULT. Well, there is a Valentine saint, I think, isn't there? There's a saint.


GRAHAM CLULEY. Yes, yes, there is.


CAROLE THERIAULT. Yeah, like, that's why it's named.


GRAHAM CLULEY. I'm sure, I'm sure there has probably been a celebration for love and buying cheap chrysanthemums at the nearest service station for years and years. I'm sure that's, that's probably been going on.


CAROLE THERIAULT. That's the worst, honestly. So, um, so even Interpol issued warnings a few weeks ago to a whopping 194 member countries, and it's, uh, the notice describes a new modus operandi on dating applications which Interpol says, quote, takes advantage of people's vulnerabilities as they look for potential matches and lures them into sophisticated fraud schemes.


GRAHAM CLULEY. Ooh, well, that'd be quite interesting to know about, because even if you weren't a fraudster, if you were looking for love, if there was a method fraudsters were using to entangle you into a quasi-relationship with them, then if you were a person who was looking for love, you could use that same technique, but just not scam them at the end. Right?


CAROLE THERIAULT. Oh, right. Because you're saying they're really successful.


GRAHAM CLULEY. If they're really successful at chatting up people online, that sounds like, that sounds kind of useful to know about, right?


CAROLE THERIAULT. Right, so turn their evil tricks to good and use it for love. Interesting.


ALAN WOODWARD. The problem is though, Graham, you see, when you actually look at the statistics of those romance scams, it's a numbers game because for every one that you would succeed in, you'd have to do about 1,000 that didn't succeed.


GRAHAM CLULEY. That is what I'm doing. That is what I'm doing at the minute, right?


ALAN WOODWARD. Most of us would lose heart at that point.


GRAHAM CLULEY. 1 in 5,000. If it's 1 in 5,000 replies, that's good.


CAROLE THERIAULT. So the notice here, the notice, the Interpol notice says new modus operandi, right? So let me just describe how this works and you guys tell me, because I found it a bit like, isn't this how they all work? So I guess I was missing the trick. Okay, so users sign up to a dating app such as Tinder, eHarmony, Bumble.


GRAHAM CLULEY. Bumble? There's one called Bumble?


CAROLE THERIAULT. Yep, there is one called Bumble. Okay, so a user signs up to a dating app and unknowingly ends up matching with a scammer, right? Obviously, they're a scammer. And once there's a level of trust that's been established, the scam artist will then turn the conversation over to finance or potential investments, encouraging the match to join them in a financial venture. Right? Like, hey, let's invest in this. I've heard great things. Now, I guess anyone who is meeting someone new, you'd probably go, oh, sounds interesting. But to appear genuine, the scammer will give the victim investment tips and lure them down a fake trading app, right? So they sign up for financial products and they work their way up a so-called— it sounds like, you know, what's that called, that marketing pyramid scheme?


GRAHAM CLULEY. Multi-level marketing.


CAROLE THERIAULT. Yes, multi-level marketing, under the supervision of the connection, right, on the dating app. So they're, they're, I don't know, their romance person. And in order to get the victim to part with their cash, the fraudster will provide incentives, just like promising they will reach gold or VIP status. Right? As if they follow their advice. Once the person has been milked for their cash, they're locked out, of course, of their investment accounts and the scam artist goes poof. It effectively disappears completely, closing down accounts and laughs all the way to the Tesla dealership.


ALAN WOODWARD. That is quite different. That is quite different from the original ones. The ones that in the last few years that have been happening. If you look at the data we collect at a place like Europol, what typically was happening is people were being drawn in and building these very intense relationships online. And the other party was in another country. And then suddenly they would get an urgent call such as, "I've been in an accident." "I just need £5,000 for my hospital fees or to get home or something like that." "Wire me the money and I'll be—" And then of course you do and you never hear from them again. So the fact that they're getting them to invest actually sounds quite a— Quite a new departure for them.


CAROLE THERIAULT. Yes, it's a bit like Crypto Queen meets romance scammers. Um, yeah, so actually that's a good— let's go through those. So a few popular romance scams that are apparently still doing the rounds are, you know, exactly as you say, living or traveling outside the country of residence, so the UK or the US, whatever, whatever country they're focusing on. Um, they'll use things like working on an oil rig, or I'm in the military, or I'm a doctor with an international organization. I can't say which, hush-hush.


GRAHAM CLULEY. You don't even have to claim to be 'on an oil rig now, and that's why you can't come round.' Do you? Because you just say it's pandemic. 'I live in Oxfordshire, and I'm not allowed to walk more than 300 metres from my house, because we're bloody locked down here.' And as Alice says, after they build up the rapport, they're going to bring up a problemette, right?


CAROLE THERIAULT. Such as, 'Oh my God, sweet cheeks, I'd love to come see you, but I can't afford the plane ticket.' Or as you say, Graham, 'There is a pandemic.' There aren't any planes. Yeah. There are no planes. How would you get money out then during a pandemic if you can't use the, uh—


ALAN WOODWARD. Oh, I reckon the one that's going to come up, and it's already started to come up, is in overseas countries. Is it in order to get my vaccination, they're going to charge them in this country? Um, whereas you, lucky old thing, you've got the NHS in Britain, they're going to give it to you free. Over here in wherever it is, in the middle of Africa or something, they're not going to allow that. You've got to, you know, say, and I can't get out of the country unless I've got a vaccination certificate, please send me $1,000.


GRAHAM CLULEY. Yes. That's very interesting. I was reading in Private Eye that obviously we've had, you know, a good deal of success vaccinating a reasonable percentage of the population already. I think we've got over 10 or 12 million now. And they were saying in Africa, in total, the number of people who've been vaccinated is 25. And it's like, well— Yes.


CAROLE THERIAULT. Because there was a bidding war, right?


ALAN WOODWARD. They're probably the presidents of the various countries as well.


GRAHAM CLULEY. No, this is a global problem. We can't just vaccinate ourselves. We all have to be vaccinated to stop this becoming a problem. So yeah, so I mean, that's— That sounds quite plausible.


CAROLE THERIAULT. You're going to be put to work as soon as you're vaccinated, right? It's like, you know, in the airplanes, put your own mask first.


ALAN WOODWARD. Well, it's quite interesting. When I got the text through, because I've had my vaccine, my first vaccination, and I got the text through and it said, here's a link, and I'm always suspicious of SMS messages that have a link in them anyway, and the first thing it said was, this, we will never ask you for your, for details other than your date of birth and your name to prove who you are. If anybody in any of this chain asks you for bank details, for example, then stop and phone the police. So the NHS obviously can see it's happening somewhere. And we've heard stories already in the UK of people just turning up at the doorsteps with old vulnerable people and saying, pay us £90 and you can have your vaccination. God knows what they're being vaccinated for.


GRAHAM CLULEY. Probably been injected with bleach. I heard that. I heard an expert on the topic expounding the virtues of that.


CAROLE THERIAULT. We don't even have to talk about that anymore.


GRAHAM CLULEY. Oh no, he's gone, right? He's gone, right?


CAROLE THERIAULT. Gone but not forgotten. The thing is, what I find amazing about romance scams is, like, how can they be so attractive? Because the amount of legwork you have to do and the number of people you have to effectively woo, you know, is huge. But it turns out the returns are hugely sweet.


ALAN WOODWARD. They also are teams of people. Yeah. So you may see a picture, because you'll note one of the things they don't do in those dating, those sort of online romance scams, is they never have videos with you. You'll see pictures of some very handsome gentleman or some very pretty lady. Okay. But actually, you typically, people are interacting with them by text. So you never hear their voice and you never see them moving. So it's actually a team of people. It's like a boiler house. So you've got, you know, you're interacting with what you think is one person, or thousands of men might be interacting with what they think is one pretty lady, and yet it's a team of people behind there who are interacting back with them.


CAROLE THERIAULT. I just can't imagine you wouldn't notice. Like, I can't imagine not kind of going, "Okay, that's a weird turn of phrase," or, "They don't usually write like that." Like, uh-huh.


ALAN WOODWARD. You would think. You would think, wouldn't you? Scripts. Yeah. You've got to remember as well that part of this is that they are preying on people who are desperate for romance. Yeah, yeah. And people will overlook all sorts of things when they get into that situation. I mean, yeah, I mean, I feel desperately sorry for them. And one thing I think is really important— sorry, I'll get my stern hat on here— I believe it, you know, you mustn't victim shame because it is so easy in different circumstances to get drawn in. I once wrote an article called The Seven Deadly Sins, which was about that there are the seven human traits which are exploited by all these people, um, and one of them is the quest for love. I mean, it's, you know, people want to be loved, and if they think there's someone and they're saying the right things, um, it's just— it's, it's horribly easy to exploit them.


GRAHAM CLULEY. The only thing I want more than love is a decent broadband connection. Don't get me going.


CAROLE THERIAULT. Don't we all? Don't we all?


ALAN WOODWARD. I think I traded my wife for that.


CAROLE THERIAULT. And just one point, we often think romance scams just affect women, right? That women are the ones that are targeted. And whilst that is true, men have also fallen for romance scams. There was this guy just a few weeks ago, Andrew Marvin, lost £38,000 after he was scammed from 3 separate accounts, all 3 posing as single women. So guys, don't play the field online too much there. The problem was that he was grieving, coming to terms with the death of his mom. And so he was perfectly ripe for the romance scammer because they probably, as soon as they found that out, you know, when he probably posted it, and then they had a perfect in to go and listen to him.


ALAN WOODWARD. And the other thing, they get, they, they get found out, they get found as well, because, um, what happens is that on, on social media, we'll— I mean, generation overshare. That it's possible to look for people that, you know, have lost parents, have lost loved ones, and they're gonna be in a vulnerable position. Or some other life-changing event has happened and they will find that they're in, you know, they're in a vulnerable position. So those are the ones that they go after.


CAROLE THERIAULT. Yeah, basically don't have any secret romances online. Tell at least one person you trust because that's the worst. Two brains are much harder to dupe than one. And it's the whole like, "Don't tell anyone, but," or, "This is our secret little affair," or all that kind of garbage. Can lead to a lot of trouble. Anyway, there you go. So, you know, don't be duped this Valentine's Day. And if you have someone you do love and trust, you know, hail they on Valentine's Day.


GRAHAM CLULEY. There you go. Wonderful. Last week, more than 3 billion unique sets of login credentials were shared online in what's likely to be the largest data breach of all time. Even though it appears no new login details were exposed, the sharing of so much data increases the risk that previously exposed credentials could be used to gain access to your online accounts, particularly where passwords have been reused. 1Password's Watchtower feature can check for passwords that have been affected by breaches and tell you when a password has been reused. Don't wait for a data breach. Check out 1Password at 1password.com. And thanks to them for supporting the show. And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


ALAN WOODWARD. Oh, sorry. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily. Better not be. Well, my Pick of the Week this week is not security related, but it is— Good. A board game, a board game made digital. Now, regular listeners to the show will know that I'm rather obsessed with chess. And that is, of course, the greatest game in the universe. However, there are some other games which I think are rather fun. And one of them is the game of Scrabble. I love a game of Scrabble. I'm quite a demon on a Scrabble board. Are you? I'm not bad, Crow. I'm really not bad. There's quite a lot of strategy that goes on. It's not just going for the biggest number of points.


CAROLE THERIAULT. Maybe I should put you against, you know, the old Chewbacca that I married.


GRAHAM CLULEY. The old Wookiee. The old Wookiee.


CAROLE THERIAULT. All right. Well, he's pretty shit hot as well.


GRAHAM CLULEY. Maybe we'll do that sometime. Now, one of the problems with Scrabble is, of course, now I'm locked away and there are limited opportunities to play a game of Scrabble. So I'd have to play online. And the official Scrabble app is an utter abomination. In fact, Zoe Kleinman, friend of the show, has even written on BBC News an article all about how Scrabble fans hate the official Scrabble app and just how dire bloody bollockal it is. Because it is ghastly. And they've added all these jewels and pop-ups and stupid things.


CAROLE THERIAULT. I tried. I tried. I paid money for it. It's awful. I took it off my phone.


GRAHAM CLULEY. It's awful. And I kept on thinking, why has no one done a decent game of Scrabble online that I can play? And I think it's all tied up with— Copyright. Yeah, it's all tied up, rights and things. And so no one can do it. And then finally I found one. It's been doing the rounds for a few years. It's called Lexulous. Lexulous. And they somehow have got away. I think they used to call themselves something which sounded more Scrabble-y, and they probably were told to stop using that name. Scramble. It is available on the web. It's also available for your iPhone, Android, and even BlackBerry.


CAROLE THERIAULT. And it is— It's getting propped up now by Wall Street Bets, isn't it? So, you know, who knows?


GRAHAM CLULEY. And it is a pretty good replica. I mean, there are a few— there are some very minor changes with the scoring of some of the letters. And I think you get one more tile in your rack. So they've made a couple of minor changes so that they don't get sued to oblivion. It is—


CAROLE THERIAULT. But the essence is there. It feels good.


GRAHAM CLULEY. Oh yeah, because it's not trying to be anything which it isn't. You can pay a couple of quid for the paid version, which I did, because you don't want the ads popping up and things like that. But it's a great game of Scrabble, and you can play it for free entirely online. Not Scrabble.


CAROLE THERIAULT. Lexulous. Lexulous.


GRAHAM CLULEY. Don't give them a copyright issue. And that is why it is my pick of the week. Fair enough. Alan, what's your pick of the week?


ALAN WOODWARD. My pick of the week is, well, I have to say it's probably become something of an obsession now in that I like things to take my mind off of other things. My mind gets too intense when I'm thinking through some of these, the various problems to deal with every day. And so I quite like playing phones on my, games on my iPad or whatever. Oh yeah. I've been looking for simpler and simpler games to play, things where I don't have to think very much. And I've come across one called Bubble Breaker, and I can't stop playing it. My mum loves it too.


GRAHAM CLULEY. Are you— your mum knows this as well? Yes. Yeah, yeah.


ALAN WOODWARD. And you just keep going for a higher and higher score, and you think, how high can I go? How am I gonna go? And you get to the point where you're just about, and then suddenly it all collapses, and you think, oh God, no, I'm— you know, it's— and you— I'll do it next time, I'll do it next time.


CAROLE THERIAULT. Isn't it kind of like Tetris but in reverse? Would you agree with that?


GRAHAM CLULEY. Yeah, it is. Absolutely. You have to—


ALAN WOODWARD. That's right, ping away the bubbles, and you have bubbles of all the same colour, you need as many of those to pop at the same time. And it's— gosh, I mean, but I find it now, even because I've got it on my phone as well as my iPad now. So even if I'm off waiting somewhere, I'll sneak the phone out. And that's what— if you find— see me on my phone, I'm probably playing Bubble Breaker, I'm afraid.


CAROLE THERIAULT. So if this was a real-life game, you'd have to imagine yourself inside one of those playpens at IKEA where they start throwing the balls at you. The yellow balls and the blue balls, and your job is just to catch the one colour ball as much as you can. And when you switch, you lose points, you see. So yeah, and it comes faster and faster, more and more.


ALAN WOODWARD. And you convince yourself that there are strategies that are gonna work. Yes.


GRAHAM CLULEY. And none of them do. Is it a game which basically goes on forever until you fail? Like Tetris, for instance? Yes. Right, okay. Yeah. Yeah. Wow.


ALAN WOODWARD. But then it says, "Oh, good score, nearly there." And it draws you in to say, "Just one more and you could have done it." got higher. So all you're, all you're doing is playing yourself. You're playing yourself all the time, and you're trying to get higher and higher and higher scores. And it really is, it's addictive. Absolutely.


CAROLE THERIAULT. How much psychological information you're giving away, Alan, I cannot even tell you. Cool.


GRAHAM CLULEY. Okay, so that's Bubble Breaker. Brilliant.


CAROLE THERIAULT. There you go, two games.


GRAHAM CLULEY. Carole, what's your pick of the week?


CAROLE THERIAULT. Mine is not a game. Okay, so my pick of the week has to do with IKEA and sofas, Graham, which is why you brought them up earlier. I know a lot of us have pieces of IKEA furniture in our houses. A lot of those people have IKEA sofas. I, in fact, have two Klippan, which I've had for like 10 years, and they were secondhand when I got them.


GRAHAM CLULEY. That's a type of IKEA sofa, is it?


CAROLE THERIAULT. That's a type of IKEA. Yeah, that's the one problem. You do need to know the type of sofa you have for this pick of the week to work, which is not always easy. Now, the thing is, is, you know, but I obviously don't have the original covers, right? Because I have a hairy husband and I used to have a very beautiful, fluffy cat, and who loved to use it as a scratching post and all that stuff. And IKEA, of course, do sell sofa covers, but in the UK, at least, there's only maybe 3 or 4 different styles. And that's the problem with IKEA, right? Not everyone wants to have the same exact sofa that everyone else has. Does that mean you have to go out and buy a new sofa from a fancy place? No, no, no, it does not. You go to BEMZ, B-E-M-Z, okay, website. It is an EU-based store that sells sofa covers specifically for IKEA sofas, all of them, right? So I would go in there and say, yeah, I'm choosing the Klippan, and yeah, it's the two-seater one. And then I go and look and there's maybe about 300 different types of covers that I can have. They will make them for me. They will charge me maybe £100, maybe £200, maybe £300 at the very— you know, at the high level, at the expensive level, which— and they sell them in the US as well. In the US, they're actually even cheaper. So BEMZ people, if you need a little, a little cheap refresh in your house, check out BEMZ.


GRAHAM CLULEY. And they specialize in covers for IKEA.


CAROLE THERIAULT. Only IKEA. Yeah, they're an IKEA partner, but somehow BEMZ offers many, many more options than they offer in store.


GRAHAM CLULEY. So, well, that sounds like a really good pick of the week because loads of people do have IKEA furniture.


CAROLE THERIAULT. Well, thank you very much, Graham.


GRAHAM CLULEY. And if you puke, if you puke all over the sofa, you—


CAROLE THERIAULT. Do you do that often?


GRAHAM CLULEY. Red wine or something, then you want to fix it, don't you? Very good.


ALAN WOODWARD. Lots of people at home in the moment wanting to do something for DIY as well, aren't they? Yeah. Yes. If you can't quite muster up the energy to repaint the kitchen, then changing the sofa covers is probably the next best thing.


CAROLE THERIAULT. 100%. Exactly. And they're removable, so you can wash them in the washing machine if you don't have a ginormous sofa.


GRAHAM CLULEY. So anyway, check out BEMZ. They're amazing. To be honest, Alan, you're not going to fix up the kitchen or change the sofa covers. You're going to be playing Bubble Breaker.


ALAN WOODWARD. Too true. Too true.


GRAHAM CLULEY. Well, that just about wraps it up for this week. Alan, thank you so much for joining us on the show. I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


ALAN WOODWARD. Oh, I'm most active on Twitter, I suppose, which is @ProfWoodward.


GRAHAM CLULEY. Cool. And you can follow us on Twitter at Smashing Security. Smashingsecurity, no G, Twitter allows to have a G, and we're also on Reddit, just look for the Smashing Security subreddit. And don't forget to ensure you never miss another episode, subscribe in your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.


CAROLE THERIAULT. And huge thank you to this week's episode sponsor, 1Password, and to our wonderful Patreon community. It's thanks to all these people that this show is free for all. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 212 episodes, check out smashingsecurity.com. More than 213, actually. Yeah, I thought you were going to correct me. I left that for you.


GRAHAM CLULEY. You're welcome. Yeah. Until next time. Cheerio. Bye-bye. Bye. Bye.


CAROLE THERIAULT. Now, of course, this show is being published the day before Valentine's Day, and if you have a special someone in your life, I assure you that this is not the year you want to— excuse me, did someone say something?


GRAHAM CLULEY. Sorry, I was— It's not coming out the day before Valentine's Day. Valentine's Day is Sunday. Is it?


CAROLE THERIAULT. Yes. Oh, you see, I thought it was on Friday. God, see, I was all panicking. I wouldn't get my stuff.


GRAHAM CLULEY. Sorry, I really tried hard to pull back that nerdy bit of me. Maybe you could say a few days before Valentine's Day.


CAROLE THERIAULT. Oh, hey, novel idea, Graham. Thank you.

-- TRANSCRIPT ENDS --