218: Microsoft, McAfee, and mayhem

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Would you trust someone who had maybe disguised himself as a Guatemalan trinket salesman while on the run from the Belize police who wanted to question him about a murder?

Dave Bittner

Well, I mean, who among us hasn't done that at least once in our lives?

Unknown

Smashing Security, Episode 218: Microsoft, McAfee, Security and Mayhem with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 218. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

And Carole, we've got a special guest with us this week, haven't we? Who is it?

Carole Theriault

An oldie but a goodie. Well, not old, not old.

Dave Bittner

Not that old.

Carole Theriault

Not that old. Hi, Dave D-Dog Bittner.

Dave Bittner

Well, hello, hello. Welcome. Or no, well, no, wait, I'm not the one who says welcome. This isn't my show. Hold on. Thank you for having me.

Graham Cluley

Dave, of course, you are from The Cyberwire and Hacking Humans, amongst other shows. So you're not the boss around here. I think we all know who the boss is on this show.

Dave Bittner

Oh, I think that's perfectly clear, but certainly between you and me, Graham.

Graham Cluley

It's over to you, Carole.

Carole Theriault

Well, first, let's thank this week's sponsor, 1Password and SailPoint. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I've got a very strange celebrity tale from the world of cybersecurity. Mm-hmm.

Carole Theriault

And Dave, what about you?

Dave Bittner

I've got a website that can help you determine whether or not you might be being scammed or not.

Carole Theriault

Ooh, that sounds fun. And I'm gonna look into that, you know, Microsoft Exchange Server snafu. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums, have you ever considered yourself to be an influencer? Do you think you influence people?

Carole Theriault

Well, I think I'm a trailblazer, Graham.

Graham Cluley

Are you?

Carole Theriault

Yeah, I think I'm a trailblazer. I think a lot of people, you know, I turn a lot of heads, right? Yeah, I think people go, hey, super cool idea, Carole.

Graham Cluley

You're so funny, Carole. I'll do what she does. Does that happen with you as well, Dave? Do you find yourself—

Dave Bittner

I would say more of a cautionary tale is how I've lived my life. As a friend of mine says, every now and then it's good to look behind you and see if anyone is following that parade you're leading. So—

Carole Theriault

Oh, you need followers, oh.

Graham Cluley

Right.

Dave Bittner

No, I mean, no, I would not say that I, I would certainly not label myself any sort of influencer, no.

Graham Cluley

Right. Well, influencers and celebrities online, they need to be careful these days. In fact, they've been warned to be careful what they tweet about, haven't they? So they have to clearly label things as ads or, in fact, there's a specific warning which went out, which was telling celebrities that, you know, if you're using social media networks to tell people to purchase a stock or an investment, that could be illegal if you don't disclose any kind of link you might have with that organisation or whether you're getting paid compensation.

Dave Bittner

Didn't Elon Musk get in trouble with this a few times?

Graham Cluley

Well, it's an interesting one, isn't it? Because Elon Musk, of course, his company bought a staggering amount of bitcoin not very long ago.

Carole Theriault

Yeah, it was $1.5 billion worth or something ridiculous.

Graham Cluley

He is prone to the occasional odd tweet, isn't he, Mr. Musk?

Carole Theriault

He's the only one actually. He stands out like a sore thumb, actually, doesn't he, on Twitter?

Graham Cluley

I think he has had his knuckles rapped in the past by the SEC, who've said, look, if you're going to tweet anything about your company, you better make sure the lawyers have read it first, because he has been accused sometimes of maybe having undue influence. So the thing is that we need to find people and celebrities who are trustworthy, don't we? So who would be the ultimate trustworthy celebrity, do you think?

Dave Bittner

Jeff Goldblum.

Graham Cluley

You know, I knew someone would mention Tom Hanks. Jeff Goldblum.

Carole Theriault

This is where Graham and I do agree. He's a nice guy.

Graham Cluley

I'm sure he's a lovely chap. He seems charming in interviews.

Dave Bittner

Tom Hanks.

Graham Cluley

I have a problem with some of his movies. And with his Oscar acceptance speeches.

Dave Bittner

Really?

Graham Cluley

Yeah. Yeah. There's something about him which just makes my skin crawl.

Carole Theriault

Is he too perfect for you, Clue?

Graham Cluley

I don't think anyone's too perfect for me.

Carole Theriault

That's why you hang out with me, right?

Dave Bittner

What about George Clooney? How do you feel about him?

Graham Cluley

I'm all right with him. There's a sort of rhinestones to him, but Hanks, I think his best performance is probably in Toy Story where I can't see him. I liked that movie about the Pentagon Papers. That was quite good.

Carole Theriault

Is your thing, do you just want to punch him in the face for no reason? No, no, no. No one can go around punching Tom Hanks in the face. That's like a capital offence, wouldn't it? I was just asking.

Graham Cluley

A nation's hero. Well, I think Tom Hanks, probably many people would consider him trustworthy.

Carole Theriault

Can I ask one question?

Graham Cluley

Yes.

Carole Theriault

If you are in the ocean and on one island is Piers Morgan and the other island is Tom Hanks, where do you swim?

Graham Cluley

Hanks. Thanks. Really? Okay, so, okay. Let me paint you a picture of a celebrity and see if you would trust him. Would you trust someone who had maybe disguised himself as a Guatemalan trinket salesman while on the run from the Belize police who wanted to question him about a murder?

Dave Bittner

Well, I mean, who among us hasn't done that at least once in our lives?

Carole Theriault

My question is, does he have a goatee? Because that's a definite no-no. Well, that just, that indicates evil twin, right? Exactly. That's a giveaway.

Graham Cluley

Oh yes, Spock did it too as well, didn't he? Okay, what if the same person claimed he'd run a team of 23 women to seduce and spy on his enemies? Or he'd tried and failed, obviously, to be chosen as a US presidential candidate?

Carole Theriault

I think insecure. The fact that he has to tell me about it.

Dave Bittner

Just the kind of out-of-the-box thinking that we need, right?

Graham Cluley

Would you trust someone who also said that he would socially engineer a corpse in order to find an iPhone passcode?

Carole Theriault

I love that, though. What does it even mean?

Graham Cluley

Well, who knows? But these are all claims of someone who we in the security industry know or may remember. Certainly you're familiar with his surname. It's John McAfee. Yes, you've talked about him on the show a number of times. Are you working for him? I think I may be the only person who isn't getting kickbacks from John McAfee, to be honest.

Dave Bittner

Aren't you kind of burying the lead here, Graham, though? Didn't he make some sort of pronouncement that if something didn't happen, he was going to take part in some sort of a culinary event of some note?

Graham Cluley

As I recall, he was expecting something to rise to quite a level. And if it didn't rise to quite a level, then he would perform an act on television. I think that's— it will never stand up in court. That's the end of the joke.

Carole Theriault

Eat his dick, right? Eat his own dick.

Dave Bittner

Thank you, Carole, for going straight to the point.

Carole Theriault

It's all right. I know you guys are professionals, so I'll just lower the tone.

Graham Cluley

John McAfee is now 75 years old.

Carole Theriault

Jesus Christ. Is that true?

Dave Bittner

Doesn't look a day over 80.

Graham Cluley

He has quite the harem.

Carole Theriault

I've seen him in a silk robe and something stupid he's done before.

Graham Cluley

With some bath salts on his upper lip. He's done some curious videos. He has been charged by the US authorities with money laundering and fraud because they claim he's been using Twitter to promote cryptocurrencies— get this— that he was secretly invested in, trying to inflate their value and then sell them for profit.

Carole Theriault

Yeah, okay. But he's not in the States, right?

Graham Cluley

No, no, he's not in the States. At the moment, he's holidaying in a Spanish jail cell. Oh! Where he's been since last October. The reason why he's in a jail cell in Spain at the moment is that the US authorities asked the Spanish police to collar him, claiming that he'd been— basically, it's tax evasion. He said, "Look, that's absolute nonsense. Of course, I would never have done anything like that." Here's 10 grand, bring me a cell phone. Right.

Carole Theriault

Yeah. Okay.

Graham Cluley

But no, he's been hit with 7 counts of fraud and money laundering by the DOJ. They claim that in 2017 and 2018, he was running an operation. You may well remember it if you follow him on Twitter. He was doing something called Coin of the Day and Coin of the Week, which is where he would choose a cryptocurrency.

Carole Theriault

He's a Hugh

Graham Cluley

He said he and his team would thoroughly research it. And then he would give his recommendation. And in recent years, rather than talking about malware, because of course he founded the famous antivirus company McAfee.

Carole Theriault

Hefner wannabe, isn't he? God.

Dave Bittner

I can't help thinking about the poor people at McAfee PR who have to have, in copy and paste, they have to have—

Carole Theriault

We no longer affiliated in any way.

Graham Cluley

Yes, exactly, exactly.

Dave Bittner

They just sit there with their head in their hands on their desks every time something like this happens.

Graham Cluley

Because I think he left the McAfee antivirus company in about 1994 or so.

Dave Bittner

It's been a while.

Graham Cluley

Yes, it's been a long time. But he does love to sort of stir up the connection. He did produce a video all about how to remove McAfee from your computer, which he did with a pistol, as I recall, and some hookers.

Carole Theriault

Can I ask a question? Who the hell would trust him and his advice? Who is following him and going, oh, he's reliable and informed? Well, and is totally sane.

Dave Bittner

Well, but he's rich, and that's all it takes for a lot of people. He's wealthy. He's living a lifestyle that I suspect many people probably aspire to. Not me personally. I know, Graham, probably not you either. But I could imagine there being a certain appeal, a certain class of people would enjoy, would think that's what I want for myself.

Graham Cluley

And he was, let's say, a luminary of the cybersecurity industry, an industry which has always been held in the highest regard and with great respect by the general public.

Carole Theriault

But he then was in South America on the run, wasn't he?

Graham Cluley

Well, yes. Yes.

Carole Theriault

Yes.

Graham Cluley

That's right.

Dave Bittner

Again, who among us has not found themselves in that exact situation?

Graham Cluley

Faking a heart attack to evade the police at one point.

Carole Theriault

Yes!

Graham Cluley

Extraordinary.

Carole Theriault

I don't think a 76-year-old man with a heart problem should be trying to eat his own—

Graham Cluley

Well, no, he's a bit of a yoga expert. Anyway, he's— He's an extraordinary self-publicist. I mean, that we can certainly agree, right? And he managed to get 1 million people after the allegations and going on the run in Belize. He ended up with over a million people following him on Twitter. And in December 2017, to give you one example, he began tweeting about a cryptocurrency, an altcoin called XVG.

Carole Theriault

Oh, so you're doing his bidding?

Graham Cluley

Well, no, no, no, I'm going to tell you the story of XVG because what he did allegedly, was he deliberately pumped up the price saying that, you know, well, this is gonna go great guns, you wanna get on board with this.

Carole Theriault

Yeah, get in early.

Graham Cluley

And he tweeted, because some people, some people were skeptical of John McAfee, can you believe that? Some people were skeptical and they said, I bet you've got some of this cryptocurrency. And he said, no, no, no, I own no XVG. I love how you shallow folks cannot distinguish between someone who shamelessly speaks his mind because it's true and someone with an ulterior motive. I bought absolutely none of it at all. If I did, 'I couldn't promote it if I owned any of it.' Well, according to the DOJ, he had bought quite a lot of it.

Carole Theriault

Oh, so he was categorically lying online and—

Graham Cluley

Yeah, because of course you have to—

Carole Theriault

Declare your interest.

Graham Cluley

Indeed. The price of those coins rose 400% in 4 days after he tweeted.

Carole Theriault

Jesus.

Dave Bittner

Cha-ching!

Graham Cluley

And they've since reduced by about 85%. So some people—

Carole Theriault

But let me guess, did he sell?

Graham Cluley

Oh yes, yes he did. And he was working allegedly— I'm sorry, let's insert a few of those—

Carole Theriault

Allegedly with his, can you add them in?

Graham Cluley

Allegedly, allegedly, allegedly, allegedly, allegedly.

Dave Bittner

This message brought to you by the Smashing Security legal team.

Graham Cluley

So he was reportedly, allegedly, claimed, it's claimed, working with Jimmy Gale Watson Jr.

Carole Theriault

Okay.

Graham Cluley

Who used to be John McAfee's security guard, which must be an interesting job. But he got promoted to be executive advisor of McAfee team. Jimmy Gale Watson Jr. and other cohorts were buying the coins, and the DOJ claims to have gained access to the Skype conversations between John McAfee and other members of McAfee team where they're plotting what they're going to do and how to sell for maximum profit, which suggests to me not great operational security.

Carole Theriault

Do you think security guards have to sit there and go, you can't reach, John, you can't reach, stop now, back away.

Graham Cluley

David, what have you got for us this week?

Dave Bittner

Well, earlier this week, I was speaking with Dinah Davis, who is the vice president of R&D at a company called Arctic Wolf. And she's a regular guest over on the CyberWire. And we were talking about some ways to protect yourself from scams and those sorts of things. And one of the things she brought up was a website that I was not aware of that she says she uses all the time in her work in security, and it's called islegitsite.com.

Carole Theriault

Yeah, I was gonna say, is, I'm gonna write is legit site.

Graham Cluley

It's not grammatically very

Dave Bittner

It's not, but the site itself is quite valuable. So basically you go to the site, you put in— well, let's back up a little bit. So there are tons of particularly coronavirus-related websites that are being spun up all the time by scammers taking advantage of the fact that people are nervous, that they're worried, they want to get the vaccines as quickly as possible. So they're spinning up all of these domain names that have something to do with coronavirus, but really just lead you down a pathway of separating you from your money.

Graham Cluley

good, is it?

Dave Bittner

So what this tool does is you can put in, let's say you get an email from someone that says, get in line for the vaccine, for example. Well, before you go to that site, you can load that site into this site, islegitsite.com, load that website in there, and they will run it through a series of checks and give you a ranking of how trustworthy they suspect that the site may or may not be. And it's quite useful. So I thought maybe for fun we could run a few of our favorite websites through this.

Carole Theriault

I just put in Pornhub.

Dave Bittner

She just goes right for the jugular, doesn't she, Graham? Like, I was thinking, let's run Smashing Security through it. And there's Carole. Pornhub.

Carole Theriault

85 out of 100%. My male friends would be very happy.

Graham Cluley

Okay, so which website should we try first? Which one should we try?

Dave Bittner

Well, let's start with Smashing Security. Let's put Smashing Security in there. It's our favorite website. We'll just click check website. All right, here it says potentially legit.

Graham Cluley

What?

Dave Bittner

Now they never say, they don't, they know, they only, there's a limited amount of commitment here that they have, you know, because that's a bit mostly harmless, isn't it?

Graham Cluley

That's quite—

Carole Theriault

Yes, it's yeah, yeah, yeah, yeah.

Graham Cluley

Okay.

Dave Bittner

So exercise caution. Mm-hmm.

Carole Theriault

Mm-hmm.

Dave Bittner

Doesn't have a trust rating yet, but you're not on any blacklists, so that's good. That's good. The domain was created long enough ago that it's not some fly-by-night just started recently. So that's good. You're using an HTTPS connection. Excellent. Excellent. Oh, dear. Website popularity. This website may not have too much traffic.

Carole Theriault

Oh.

Dave Bittner

So it says the website is ranked 1,724,362 among millions of websites according to the Alexa traffic rank. Well, after this show, I'm sure it'll get a little boost, so.

Graham Cluley

Shit. Wow. That's a little bit upsetting.

Carole Theriault

I feel I've been whipped across the face by wet phishing.

Graham Cluley

What about your one, Dave? What do you—

Dave Bittner

Sure, let's— all right, so let's do the CyberWire. So the CyberWire— now then, cyberwire.com. All right, what does it say here? Let's take a look together. What does it say, Graham?

Graham Cluley

Potentially legitimate. That's good, well done. You're not on any blacklists. It was created 9 years ago, so you've been around a long time. That's very trustworthy. And you're on SSL. That— yes, good. Oh, website popularity. The website has good traffic. It's popular. Ranked 273. This is way ahead of us.

Dave Bittner

Well, I don't to brag, but—

Graham Cluley

Is this the whole reason you brought this story to us?

Dave Bittner

No, no, no, no. Let's move on to one that we know is a potential scam site.

Graham Cluley

Facebook.com, right? I'm going to enter that. Yes. Okay, go ahead. All right.

Dave Bittner

Go ahead.

Graham Cluley

It's come up red. Potentially unsafe. We found Facebook. Yes, it has.

Carole Theriault

Because of all their tracking.

Graham Cluley

Found evidence that the site may be unsafe. Oh, this is fantastic. I wonder if we beat them on traffic. So there's probably—

Carole Theriault

We're probably— oh, CyberWire definitely do. They definitely do.

Graham Cluley

Someone has blacklisted them. Yandex Safe Browsing. That's the Russian search engine.

Carole Theriault

I think they're blacklisting quite a lot of people recently.

Dave Bittner

That's interesting.

Graham Cluley

They can't get a or unable to get the date when the domain name was created. Well, that's suspicious, isn't it? It should have very good traffic. The 7th most—

Dave Bittner

Look at their popularity.

Graham Cluley

The 7th most popular website, it says.

Dave Bittner

Yeah, number 7.

Graham Cluley

Pathetic.

Dave Bittner

So we're down there in the hundreds of thousands and they're number 7. 7.

Carole Theriault

Try google.com. I just did.

Graham Cluley

Loads of dodgy stuff. Oh, potentially unsafe.

Carole Theriault

Google.com. We found evidence that your website may be unsafe. So I'm a little nervous about this site.

Graham Cluley

Do you think it's because Google.com obviously does link to dangerous sites and that's why?

Dave Bittner

Well, so let's put in one we know. I put a link in here, one that I know is a scam website, and it's Corona.com. So let's put that in there, 'cause we know this is a bad one.

Graham Cluley

Ooh, yes.

Dave Bittner

And see how it comes up here. All right, so it says potentially unsafe. It has a trust rating of poor, 32 out of 100. Not on any blacklists. The domain creation was a year ago. That actually sort of tracks with coronavirus.

Graham Cluley

Right.

Dave Bittner

And it is an SSL connection, but the popularity, it has low traffic or none at all.

Graham Cluley

Ah, bless.

Dave Bittner

So that's an indicator. So I would say the overall lesson here is that— is this site the absolute be-all end-all to determine whether or not something is legit? No. But if you're suspicious of something, this is a good place to check in, and this will give you a bunch of information in one place to try to decide if you really want to engage with a questionable website or not. So I think it's a useful tool.

Graham Cluley

I think it is as well. It's easy to use. It's not too nerdy. And, you know, if you are suspicious of a site, then it may be— obviously don't trust this popularity thing.

Dave Bittner

No, of course not. That's way off.

Graham Cluley

Ridiculous.

Dave Bittner

Yeah. Yeah. Although, you know, it's funny. I feel I want to trust it a little more than you do. I don't know why.

Carole Theriault

I do find it weird, though, that they say google.com is potentially unsafe. I think that's a bit misleading for some people. Yeah, because they say the trust rating is very high, right?

Graham Cluley

I've just put in pornhub.com.

Carole Theriault

I did. Yeah. Oh, did you? Yeah. What did you find?

Graham Cluley

Well, on your recommendation, Carole, and it says potentially legitimate.

Dave Bittner

Well, there it is. So start using it at work. I mean, no problem, right?

Graham Cluley

But not Facebook or Google.

Carole Theriault

I can't believe after he attacks our site on our own show, you want him to have my joke.

Graham Cluley

I'm not giving you— I know. Did you actually go to Pornhub, Carole? Yes, I didn't hear you.

Carole Theriault

85 out of 100. Oh well, you'll see all the edit.

Dave Bittner

Okay. All right, so once again, is legit site and that is my story this week. Carole, what do you have for us this week?

Graham Cluley

It's not your show. Carole, what do you have for us this week?

Dave Bittner

I just keep— sorry, I keep— I just have it. It's a habit. Sorry.

Carole Theriault

It might be a takeover going on, Graham. And maybe with good reason, because before the show, Graham, you poo-pooed my story. I texted you saying, I think I'm going to cover this. And you wrote back, barrel of laughs, intimating that it wouldn't be funny at all. And what would be the point?

Graham Cluley

We'll let the audience decide.

Carole Theriault

You're right on one thing. It's going to be challenging. But the story's a big effing deal, according to one unnamed state official. So I'm doing it. But to make it fun, I'm going to pop quiz you two to see how much you know about this big effing deal. Yes.

Graham Cluley

Excellent.

Carole Theriault

Mm-hmm. Totally trust me. I'm going to keep score. So I've got a piece of paper right here. You know, I never cheat Clue.

Graham Cluley

You have to be careful. There's nothing like a woman scored.

Dave Bittner

Yeah, there you go. There you go.

Carole Theriault

Ready? So as you guys know, last week Microsoft made available 4 software updates to patch critical security holes in Microsoft Exchange Server products. Now, this is a big deal because it's not like Microsoft found it and made the patches available before any baddies started to take advantage of the vulnerabilities. With Microsoft being a bit late to the home plate with a patch, thousands upon thousands upon thousands of organizations that use Microsoft Exchange Server products are sitting ducks or infected. But we'll get to that. So let's start with our quiz. Question number 1, gentlemen.

Graham Cluley

So much pressure.

Carole Theriault

What is a Microsoft Exchange Server?

Graham Cluley

Oh, well, it's a computer running the Microsoft Exchange Server software, which you would have on your premises. Rather than using—

Carole Theriault

For what?

Graham Cluley

You would use it for email and calendar services.

Carole Theriault

Mm-hmm. I'm going to give that one to Dave.

Graham Cluley

Sorry, he just said one word. He just said the word email.

Carole Theriault

The word I was—

Dave Bittner

But it was— well, it was the right word, Graham. It's not volume, it's accuracy.

Carole Theriault

It's Microsoft Exchange is the messaging and collaborative software solution used for managing email, calendars, contacts. Tasks. Yeah, but you said that after he said email.

Graham Cluley

So more complete answer.

Carole Theriault

So basically, it allows people to work online remotely, which during the Rona times is vital to business continuity. Question number 2. What is the approximate market share for Microsoft Exchange Server?

Dave Bittner

I'm going to say 5%.

Graham Cluley

I'm going to say 10%, and I believe I'm going to be closer than Dave.

Carole Theriault

You are closer. Do you want another go, Dave?

Graham Cluley

What do you mean, another go?

Carole Theriault

It's 31% according to Datanyze, which is a weird website, but for the server version, is it really? Oh, yeah. So I put the link in the show notes. Anyone who knows better, tell me, but they claim it's about 31% based on their little algorithm that works it out. And for—

Dave Bittner

Wait, wait, wait, wait, wait, 31% of what?

Carole Theriault

Of people using collaborative working systems. And for an extra point, Dave, can you name any competitors, or Graham, you too, any competitors to Microsoft Exchange Server products?

Dave Bittner

Well, what about Gmail?

Graham Cluley

Well, Google Workspace, I think you'd call it Google Workspace.

Dave Bittner

Right, are we categorizing them separately that the thing you have running on your own server is different from a cloud-based service like Gmail? Is that what we're, is that the hair we're splitting?

Graham Cluley

I would think Novell GroupWise, Veritas Enterprise Vault, Open Exchange, Kerio Connect.

Carole Theriault

Someone's got a Google connection. Someone's looking.

Dave Bittner

Wow, it's amazing he's able to get that off the top of his head.

Carole Theriault

None of you have named the three that I was hoping for. According to Datanyze, the 3 main competitors are Microsoft SharePoint, 26% of the market, Slack with about 6% of the market, and Confluence.

Graham Cluley

Slack isn't, that's a load of—

Carole Theriault

Slack is used by a lot of companies.

Dave Bittner

But it's not email, is it?

Graham Cluley

It's just chit-chat.

Carole Theriault

No, but it is communications, it is a collaborative work environment.

Graham Cluley

Well, I'm sorry that the question wasn't better phrased, that's all, otherwise I would've Googled for a different answer. Right, right.

Carole Theriault

Well, look, if Datanyze is right, if that means basically 1 in 3 people who use collaborative software are at risk because they're using some Microsoft Exchange Server product, right? Okay.

Graham Cluley

But it's important to emphasize it's the server, it's the on-premises server version, not the cloud-based version.

Carole Theriault

Yes.

Graham Cluley

Excellent quiz master, carry on.

Carole Theriault

Yeah, thank you. One of the problems is not all users that rely on Microsoft Exchange Server products are necessarily the brightest and smartest cybersecurity gurus out there because we're talking a lot of small businesses, local governments, city councils, schools, medical centers, retail outfits, not where the stars go and make their names. So at risk of what, I hear you ask? Well, basically data stealing, right? So these zero-day attacks are about stealing data and even voicemails can be handled in this as well. So some people tie their voicemails in an email. Do you know that too?

Graham Cluley

I knew that. I was hoping that would be a question.

Carole Theriault

There's a question coming, 'cause I know you know a lot of— And you know, it's worth being concerned because we know what people share on email. Like how many people share confidential, private, sensitive information via email or on voicemail? It's stuff you definitely don't want in an attacker's hands, whether you're a company or an individual, right? Okay, question number 3. When was Microsoft first notified about the vulnerability?

Graham Cluley

Ah, according to Krebs, it was in January.

Carole Theriault

Correct.

Graham Cluley

Bing, bing, ding.

Carole Theriault

You have all this stuff open and you're not using your brain.

Graham Cluley

I knew that. I knew that.

Carole Theriault

Okay. Can you close your— I can't even trust you to close your stuff.

Graham Cluley

No, I haven't. I haven't.

Carole Theriault

I knew that. You're cheating on a quiz in front of all our listeners.

Graham Cluley

I know Krebs wrote about this and I know he said that.

Carole Theriault

He did say it was in early January and on March 2nd. So 2 months later, Microsoft patched Exchange Server 2013 through 2019 and even Exchange Server 2010, which is no longer supported. Microsoft, the kind software giant that it is, made a defense-in-depth exception and gave their 2010 server a freebie patch too.

Graham Cluley

Mm-hmm.

Carole Theriault

Now, according to The Verge, Microsoft were waiting for Patch Tuesday to get these patches out, which was going to be today, day of recording. They ramped it up a week ahead, right? And made a bespoke, you know, update available a whole week early. So that's how serious this baby is. Now you'd think once Microsoft put its patches out to thwart these attacks, the attackers would have maybe gone into hiding. But, like a bunch of thirsty vampires invited into a frat house, they are snarling up private data from unpatched Exchange servers as fast as they can. Told you I could make it fun. Okay, question number 4. This is more an opinion piece, and I'll give points based on the answers. Two months between when they first heard about these vulnerabilities in their products and making patches available. What do you think of that? Is that a short time, a reasonable time, a ridiculously and stupidly long time? What are your expert opinions, gentlemen?

Graham Cluley

If I may answer first.

Carole Theriault

Sure, go ahead.

Graham Cluley

At great length. Actually, I'm not sure it is a good tactic to answer first. Maybe Dave should answer first.

Carole Theriault

No, go ahead.

Graham Cluley

Okay. No, no, please, please. Well, I would argue that it's obviously an unfortunate length of time and everyone would love to get a patch out earlier, but I don't think from the outside we can easily state just how easy it is to patch a number of zero-day vulnerabilities and test them properly, because if a patch was rolled out which was faulty in some fashion, that could cause even bigger problems.

Carole Theriault

Okay. Do you think it's cool that they didn't tell anybody? They didn't make it public.

Graham Cluley

I'm not sure if that's actually been confirmed. I know Brian Krebs has claimed that. I don't know if that's absolutely been confirmed at this stage. I think there's a slight question mark around that.

Carole Theriault

Well, it seems as though they were informed in early January, as we said, and then March 2nd is when they came out. The problem was, of course, there were already attackers, you know, pillaging data from victims before there was any patch available. So according to Volexity, they say attacks took advantage of these 4 zero-day vulnerabilities, and they think they may have started as early as January 6th, 2021. And Dubex reported suspicious activity on Microsoft Exchange servers in that same month of January. So what Krebs did say is that by March 3rd, 24 hours after the patch was made available by Microsoft, already tens of thousands of Exchange servers were compromised around the world. And 1,000 more servers getting freshly hacked every hour, he says.

Dave Bittner

Well, so the thing is when a patch comes out, it's open season on all the folks who reverse engineer the patch and come after the vulnerability based on what they can learn about from the patch. So I think it's important to keep that in consideration as well, that a part of Microsoft keeping this information close to the vest was knowing that as soon as they publish something, there's going to be a whole second wave. And so while the first wave of this, I believe the current understanding is that it was probably Chinese state-sponsored folks. Once the patch comes out, it's every bad guy around the world has their way with this. So I think that's worth considering as you pass judgment.

Graham Cluley

Yeah, that's a very good point. And I was going to make the same point myself. Excellent, Dave.

Dave Bittner

Well, I apologize.

Graham Cluley

No, no, no, no.

Carole Theriault

The thing is, though, were I a customer, it's nice that you guys are understanding how Microsoft had to deal with this. But at the same time, customers that rely on Microsoft Exchange Server products to be, you know, on par, we're sitting ducks.

Graham Cluley

Yep.

Dave Bittner

Right. But the primary thing they're relying on Microsoft Exchange servers to do is work.

Graham Cluley

Right.

Dave Bittner

And so if, as Graham said, if Microsoft were to roll out a patch prematurely that got in the way of that, that could be problematic. I mean, the other thing I've heard is that there are a lot of organizations who have Microsoft Exchange servers that are just sort of rolling along in a legacy mode. They've since switched all of their primary services to cloud-based providers because that is the way most people are doing it. But they keep the Exchange server running just because who knows what you're going to break if you turn it off. There are behind the scenes things that may be relying on it that we just don't know about. And, you know, some people say, well, turn it off. And when someone complains, then, you know, right.

Graham Cluley

So certainly if you are a smaller organization in particular, then there's quite a lot of merit in going cloud-based for something like Exchange instead of running your own server because you effectively wash your hands of the responsibility of patching it up in the cloud.

Dave Bittner

Right, right.

Carole Theriault

So I'll give you guys both a point for that.

Graham Cluley

What's our tally so far? How are we doing?

Carole Theriault

Dave has 3, you have 1. Okay, so question number 5: who— any idea who's behind the attack? So there's been a lot of chatter. Hafnium.

Graham Cluley

China.

Dave Bittner

I already said that. I already— I already— I buried the lede on that one. I already—

Carole Theriault

It wasn't— you did answer.

Dave Bittner

If you answer the right answer in the wrong question, preemptively answered your question, Carole. I—

Graham Cluley

Dave, you were keyword stuffing. That's what you were doing. You were just—

Dave Bittner

Yes, I was.

Graham Cluley

Yes, I was. As you could.

Dave Bittner

That's right. China, Russia, Iran, North Korea.

Carole Theriault

So Hafnium, I'm going to give you half a point because MIT Technology Review reported 3 days ago that Hafnium is perhaps not the only threat, citing a cybersecurity analyst saying there appears to be at least 5 hacking groups actively exploiting the Exchange server flaws. I know, as of Saturday. So to Dave's point earlier, Hafnium may have started it, but of course, China's denying anything to do with this, right? So Hafnium is what is being called the Chinese-based attack, and China's saying, "Uh-uh-uh, nothing to do with us, dudes." So I don't think it actually matters to most of us or anybody that is running an Exchange server and needs to patch where it comes from and where the threats are. All they need to know is it's really, really effing serious and you need to patch.

Graham Cluley

No, no, all people should really care about is what is the score right now? Right now because Dave just got a point there or not. That's right, exactly.

Carole Theriault

Dave right now has 3 and you have 1.5.

Dave Bittner

So it might not be possible for you to win at this point, Graham. I'm just pointing that out, just okay.

Carole Theriault

So as your friend, Graham, you can maybe win a few points. What should people do if they have a Microsoft Exchange server?

Graham Cluley

Well, obviously I hope that you're going to patch because Microsoft have pushed—

Carole Theriault

What's the patch number? Can you do it off with your eyes? No, I can't do the patch numbers off the top I can.

Dave Bittner

Well, you have the CVE number?

Carole Theriault

Yeah, of course I do. Of course I know the CVE number.

Graham Cluley

If, however, you're unable to patch for some reason, there are mitigation steps you can take. And regardless, you should also scan for indicators of compromise, because even if you do patch, you want to make sure that you haven't already been compromised and that the bad guys haven't been in there. And there is a tool from Microsoft which you can download to do that.

Dave Bittner

I would assume you are compromised at this point.

Graham Cluley

Yeah.

Dave Bittner

If you're running Microsoft Exchange Server, assume you're compromised and you need the tool from Microsoft. Yep.

Graham Cluley

Yep.

Carole Theriault

And because, Graham, unfortunately you just made it 2.5. If you had known the CVE number, you would have got through. Let me share that with folks. So CVE-2021-27078. You see, if you had just known that.

Dave Bittner

Rolls trippingly off the tongue, doesn't it?

Graham Cluley

Yes. Yes.

Carole Theriault

Yeah, so as Dave said, no dilly-dallying, right? Apply the patch ASAP. Posthaste.

Dave Bittner

It's a serious one. It is a serious one. No, no.

Carole Theriault

Big effing deal.

Graham Cluley

Yeah.

Dave Bittner

Yep, yep, yep, yep, yep.

Graham Cluley

I bet I can beat you at chess, Dave.

Carole Theriault

God, it's like sandbox fights.

Graham Cluley

No, I'm really quite unhappy. I'm quite unhappy.

Dave Bittner

How flexible are you, Graham?

Carole Theriault

You know you can't do business without technology, and you also know you can't securely access technology without identity security. Enter SailPoint identity security for the cloud enterprise. It enables access and protects businesses with automated, managed, and governed access in real time with AI-enhanced visibility and controls. SailPoint lets companies run with speed, security, and scale in a cloud-critical, threat-intensive world. Plus, it tracks usage and enforces policies for all users, apps, and data continuously. Want to learn more? I bet you do. Check out smashingsecurity.com/sailpoint. That's smashingsecurity.com/sailpoint. And thanks to SailPoint for supporting the show.

Graham Cluley

This week's podcast is also sponsored by 1Password's Random But Memorable podcast. Random But Memorable is a podcast filled with lighthearted security advice and banter with hosts Matt, Anna, and Michael. I've been on the show myself, so I can confirm it's great fun. Tune in to Random But Memorable to hear about the latest security horror stories. They've produced over 50 episodes covering data breaches, password hacking, surveillance, and more. Check out Random But Memorable in your favorite podcast app, and thanks to 1Password for their support. And welcome back. Can you join us at our favorite part of the show, the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Dave Bittner

Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Well, my Pick of the Week this week is just a quick one. It's nothing very substantial, in fact. It is 1K of JavaScript, which has been wrapped up with some glorious CGA-style graphics. If you remember the old 4-color graphics, it is a game called Kilobyte's Gambit. Links in the show notes.

Carole Theriault

Can you describe CGA for us, please?

Graham Cluley

We don't know what CGA is. CGA was the graphics standard before EGA and VGA.

Carole Theriault

I'm just not as old as you are. Why don't you get that?

Dave Bittner

I remember, Graham. I remember.

Carole Theriault

Do you know what? On Reddit, this guy— there's a Reddit thread which is like, what is this? So people kind of post crazy pictures of weird animals or weird things they find in new houses. And this guy posted this picture of this thing and he's like, what is this? It's like a connection. And it was an old phone line, like an old phone box, you know, like the landline. He had no idea what it was.

Graham Cluley

Oh my goodness. Wow.

Carole Theriault

Yeah.

Graham Cluley

Well, I have none other than Carole Theriault to thank very much. Thank you very much for bringing this particular online game to my attention. It is a pretty cool chess game. What's impressive about it is not only the retro graphics, but it's an entire chess engine, which even knows about en passant and castling, within 1K, just 1,000 bytes of JavaScript. And it plays an unusual game of chess, I have to say, particularly the opening. It's very keen on moving lots of pawns, but it's quite strong. And I did at one point think, oh, I'm going to have to concentrate a bit more here to actually beat this thing. So it can think about 4 moves ahead, but amazing to have crammed so much understanding of the game of chess into such a small space. I was really impressed by it.

Carole Theriault

Do you think more than 4 moves ahead?

Graham Cluley

Rarely.

Carole Theriault

Yeah, I think that would be hard. I bet, yeah.

Dave Bittner

I like this. I like the old-style graphics. It takes you back. And the— I guess the woman that you're supposed to be playing against here has Disney princess eyes. The size of cue balls, you know.

Carole Theriault

It's Queen's Gambit girl.

Graham Cluley

She looks like the girl from Queen's Gambit. That's right.

Dave Bittner

Oh, okay. Got it. Got it. Of course.

Graham Cluley

And you can also check out the actual code as well. They've— there are links where you can check out the 1K of the chess code and maybe put that into your own game as well. So that is my pick of the week.

Carole Theriault

There. There. Good one.

Graham Cluley

Dave, what's your pick of the week?

Dave Bittner

Well, my pick of the week is a television program that I suppose is probably well known to those of you who are on the side of the pond you and Carole are on, but it's new to me and I came across it on Netflix and it's called The Repair Shop. And this is a show where people— it takes place in the UK and it's this beautiful old thatched roof barn where there are old school craftspeople who— people bring their old family heirlooms to that have fallen into disrepair. And they bring them to these people to bring them back to life and make them as good as new. And it's just a gentle show where you watch people who are very good at the things they do, doing the things they do. It's just a nice show to sit and watch during COVID if you want to relax and appreciate fine craftspeople doing their crafts. I do quite enjoy it.

Graham Cluley

David, it really does sound like your kind of show. I can picture you there with your sort of travel blanket over your knees, and maybe sucking on a Werther's Original. And it's just, you know, and nothing too horrible, nothing that's going to upset you.

Dave Bittner

No, no, exactly. There's no yelling. There's no rock and roll music. No, it's just gentle. And I will say, I've noticed that Brits tend to have understated responses to the unveilings. So these people have taken weeks, hundreds of hours of restoration, right? And this family heirloom that's been in the family for 500 years, it's good as new, and they pull the blanket off of it, and the person they're revealing it to says, "Yeah, well, that's quite nice, isn't it?" That's it.

Carole Theriault

Whereas in America, they literally start crying, fall— right, they burst into tears. They run around the room. I did it!

Graham Cluley

Yes! It's beautiful! It's beautiful! Thank you so much!

Dave Bittner

Right, right.

Graham Cluley

Yeah.

Carole Theriault

I don't know what's better, Dave.

Dave Bittner

I don't know either, but it's fun to watch.

Carole Theriault

Maybe somewhere in the middle.

Dave Bittner

Yeah. So there's one season of it available on Netflix for those of us who are on this side of the world.

Graham Cluley

Carole, what have you got for us?

Dave Bittner

You all have 6 seasons of it where you are. I believe it's a BBC program.

Carole Theriault

I've never even heard of it.

Graham Cluley

I've heard of it, but I've never seen it.

Carole Theriault

I'm quite tempted. It's your thing. You know, really stressed today? This is maybe what you need. No, it is. It's just gentle and peaceful. But where did it become famous? And what is it? He's on BBC Two now at 12 o'clock. There's a secret pick of the week for people who need to calm down.

Graham Cluley

Well, okay, so the story I was told was that there was a bank raid or a heist or something where they took hostage people inside the bank for a length of time and the police were surrounding the place and somehow the— No, you would've thought Patty Hearst.

Dave Bittner

So, The Repair Shop is my pick of the week.

Carole Theriault

Patty Hearst made it famous. A podcast. So my pick of the week is a really effing good podcast called Sideways. Have any of you heard it?

Graham Cluley

Hmm. Well, I've heard of it, but I haven't heard any episodes.

Dave Bittner

I've heard one episode, it was recommended to me because I sneaked it to you.

Carole Theriault

I snuck it to both of you, but Graham couldn't be arsed. So it's hosted by Matthew Syed, a British journalist, broadcaster, author of several books, also a Commonwealth ping-pong champion of some sort.

Dave Bittner

I'm thinking of the Stanford Prison Experiment, which I think was similar.

Graham Cluley

Wasn't in Stockholm. It was a bank thing in Stockholm, wasn't it?

Carole Theriault

So he does things on Radio 5 Live as well. Anyway, so he hosts the show, and it's basically— the whole premise is to challenge assumptions or pseudo-knowledge that we all occasionally and unwittingly accept into our lives.

Carole Theriault

There was a bank thing in Stockholm in 1973. I'm just surprised you know about it. So one of the episodes was looking at Stockholm Syndrome. What do you know of Stockholm Syndrome, you guys? What's—

Graham Cluley

Well, that's where the name Stockholm Syndrome comes from.

Carole Theriault

Well, I know, but how do you know that? Why would you know that?

Graham Cluley

Because I'm quite a knowledgeable person.

Carole Theriault

Well, really?

Graham Cluley

Yes. Really?

Carole Theriault

So how did it come established then? How did they establish the condition? What was it based on? You know a lot of stuff, but basically I'm telling you you're misinformed. You may want to go listen to this podcast and get a few key facts that totally changed my view on the syndrome and how it works.

Dave Bittner

I know it, I live it.

Graham Cluley

I feel I'm just being gaslit.

Graham Cluley

Are you going to tell us? No. Should I tell you? I don't think I'm going to tell you. I'm going to say go listen to it.

Dave Bittner

Yeah, that's the one I listened to.

Carole Theriault

Oh, did you?

Dave Bittner

OODA loop, which is in warfare. It's this method of establishing what's situational awareness and so on. But perhaps most interesting to me was I learned where Maverick in the movie Top Gun got his signature move.

Carole Theriault

Yes, I thought that when I heard that episode too.

Dave Bittner

Yes, yes, exactly. So if for nothing else, listen to find out that little tidbit. That's quite good.

Carole Theriault

No. Yeah, weird that they then segue to Dominic Cummings and a route to secure Brexit, right? So anyway, super interesting, well produced.

Graham Cluley

I don't know that. Marvelous. Well, that just about wraps it up for this week, Dave.

Dave Bittner

Just check out thecyberwire.com.

Graham Cluley

I've heard the podcast.

Carole Theriault

That's really famous, lots of—

Graham Cluley

I'm just telling you I kind of know the—

Dave Bittner

Quite a lot of web traffic.

Carole Theriault

Yeah, yeah.

Graham Cluley

And you can follow us on Twitter at Smashing Security, no G, Twitter @LastPassG, and you can also join us on the Smashing Security subreddit. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps, such as Apple Podcasts, Spotify, and Google Podcasts.

Carole Theriault

Another episode I heard was about a family who had been, you know, who had two children die unexpectedly. And she was— the mother lawyer was accused of murder. Do you remember this? I think this was in the '90s in the UK. And there was a crucial statistic that was at the heart of the trial that changed the outcome completely. And it's, once you dig into it, it's kind of actually astounding that no one caught this.

High five for this episode's sponsors, 1Password and SailPoint, and to our wonderful Patreon community. It's thanks to all of these people this show is free for all. And for episode show notes, sponsorship information, guest list, and the entire back catalog of more than 217 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye.

Dave Bittner

Bye.

Graham Cluley

Bye-bye.

Carole Theriault

So Dave D-Dog, do you think that your traffic went up when I started doing segments for The Cyberwire?

Dave Bittner

Do I think my traffic went up when we started? Oh, oh, absolutely. Undoubtedly. We saw a huge boost in people visiting our website when you started doing stories for us.

Carole Theriault

Just think you could share some of the joy.

Dave Bittner

That is a true thing that happened.

Carole Theriault

It is a true thing that happened. Just saying.

Dave Bittner

Graham, help me here, buddy.

Carole Theriault

Help me out here, buddy.

Graham Cluley

I'm not getting involved.

Carole Theriault

Oh, now he's your buddy, Graham.

Graham Cluley

You've got more points than me.

Dave Bittner

Come on, we were competitors moments ago, but there's got to be a little— He kicks us in the shin.

Carole Theriault

Now he's offering you a Coke.

Dave Bittner

I'll give you— you can have all of my points. You can have all of my points if you bail me out of this.

EPISODE DESCRIPTION:

Is it the end of the road for John McAfee? Is PornHub more legitimate than Facebook? And do you know as much as you think you do about the Microsoft Exchange Server mega-hack?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Visit https://www.smashingsecurity.com/218 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Dave Bittner.
