
223: Booze, nudes, and insurance dudes


Should insurance companies be banned from helping companies pay ransomware demands? How has malware messed with motorcars in the United States? And how are cybercriminals exploiting alcohol drinking during the pandemic?

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.

Visit https://www.smashingsecurity.com/223 to check out this episode’s show notes and episode links.

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Follow us on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Special Guest: Maria Varmazis.


This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.

GRAHAM CLULEY. To pay or not to pay, that is the question. Whether it is nobler in the mind to suffer the slings and arrows of outrageous malware, or to take armfuls of bitcoins and by paying end them. Exterminate,


CAROLE THERIAULT. exterminate. Exactly, sounds like a Dalek doing Shakespeare. What did you...


GRAHAM. Smashing Security, episode 223. Booze, nudes, and insurance dudes. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 223. My name's Graham Cluley. And I'm Carole Theriault. And Carole, we are joined this week by returning guest family favourite, Maria Varmazis.


CAROLE. Hi. And my sticky pickles BFF. Hey!


GRAHAM. Wow, I think that could be a record. Only 12 seconds in, we've already got a plug for Sticky Pickles.


CAROLE. And it wasn't me who did it this time. Amazing. Great. You plug your website every time you say your name. Dot com.


GRAHAM. So what's new with you, Maria? Or indeed with any podcast you may happen to co-host?


CAROLE. Well, our podcast is doing amazingly, so please listen to Sticky Pickles. Exactly. I am half vaccinated. My kid is back in school. Top


GRAHAM. half or lower half? Which half do you have? Oh, you'll have to guess. Okay.


CAROLE. That's for me to know and you to find out. Graham, if you're getting this shot in your ass cheek, something's wrong. One can, though. You can ask for that. Oh, gosh. Can you? Just needs to go in a muscle. If you have any butt muscle left. You don't tend to sit in your shoulder. You tend to sit in your ass. Says


GRAHAM. you. Can I just remind you guys that I'm editing this part of the


CAROLE. podcast. We're making it extra difficult for you. That was gold. You're not going to keep that banter? Exactly. So why don't we move on to thanking this week's sponsor, 1Password and Duo Security. Their support helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM. I'm going to get Shakespearean on your ass. Crazy. That's the word du


CAROLE. jour. Maria, what about you? Okay. Cars, inspection, and malware. Whoa. Sounds super sexy. And mine is one for the boozers out there, bad guys are after you. All this and much more coming up on this episode of Smashing Security. Now


GRAHAM. chums, after that rather tawdry beginning to the podcast, I feel we need to raise the tone a little bit. We need a little bit of culture. Maybe I'll leave the podcast. So how about this. To pay or not to pay, that is the question. Whether it is nobler in the mind to suffer the slings and arrows of outrageous malware, or to take armfuls of Bitcoins and by paying end them.


CAROLE. It sounds like a Dalek doing Shakespeare. Totally. Oh, my. That was a journey you took us on. I just got to say. Did you see the sci-fi set?


GRAHAM. I'm sorry, Maria. I should have said it in the original Klingon, shouldn't I? It is, of course, a huge debate. Should we pay ransom demands or not if we're hit by ransomware? It's a struggle that many companies have. Paying a ransom can get you out of a sticky pickle for sure. But if you're – oh, even I'm doing it now. Oh, I love it. Because it can work, right? Because if your extortionists keep their word, you'll get a decryption key to recover your data and your files, unlock your computers, and hopefully they'll not release your stolen data to the wider world.


CAROLE. We'll rely on the honor of thieves, right? Yeah. Sure they'll keep their word.


GRAHAM. But they're running a business, aren't they? It would be bad for their brand as criminals if they didn't keep their word because they want to extort more money out of more people. It's simply good business for them.


CAROLE. It's so interesting, that concept, right? That they are going to follow good business practices, but they're an illegal company that just basically, you know, ransack you and then steal from you. Politely. Politely and with, thank you very much for your payment. Please rate us.


GRAHAM. Some ransomware gangs offer better customer service and support than legitimate companies. They will give you advice on how to better secure your business in the future. They just did that with FatFace. Yeah, that's right. It's a UK retailer who just paid up a ransom.


CAROLE. Well, they probably get better paid consultants on the legal side.


GRAHAM. But, of course, by paying, you're sending out a clear message to other criminals that you're prepared to pay ransoms. You know, that's kind of useful to know, isn't it, if you're an extortionist? It sends out a message that cybercrime does pay and encourages others to enter the world of extortion. So there's more criminals jumping into the ring, thinking, oh, this seems like a pretty good thing to get involved with.


CAROLE. So what's missing? Why is this happening? Why is ransomware happening? Do you think? It makes money. Yeah, it makes money because. End of podcast. Do you think it makes money because of lack of legislation? Surely, surely that's the problem.


GRAHAM. It makes money because people pay it and the criminals don't get caught. You know, it's really simple. There are only two things which could change this: if nobody ever paid a ransom, or if all the criminals were caught. And neither of those are terribly likely to happen, are they?


CAROLE. No. I don't think legislation is going to make criminals think twice about what they're doing. So


GRAHAM. It continues. Ransomware demands can be pretty high, right? But the cost of not paying can be devastating as well. And so I think some companies are paying because they think, well, we don't really want to pay, but it would be worse if we didn't.

If you didn't pay, you can hold your head up and say, oh, we're proud of our decision. But what happens to your company? Can it survive?

The cost may be higher than the ransom being demanded. What's going to happen to your staff, your business partners, your suppliers? What impact might it have on them as well as your organization?

And what's to say you won't be hit by ransomware again and again and again? And have you learned the lesson from the past?

So some do weather the storm. Notably, Norsk Hydro in 2019, they were hit by ransomware. Their profits plummeted 82%.

For how long? Well, for a while. They weren't able to do any business.

They basically shut down much of their business while they were dealing with it because it was a huge problem. They refused to pay the ransom demand, which would have cost a lot less than the £45 million the attack eventually cost them.

Now, inevitably, with the rapid rise of ransomware, others, as I say, have seen the opportunity to make a quick buck, including insurance firms.


CAROLE. We've talked about this, yeah.


GRAHAM. It's now not uncommon for companies to not just have cyber insurance, but specific coverage for ransomware attacks to cover the cost of a ransom should one be demanded. And the British Association of Insurers say that paying the ransom is the cheapest and most effective option for companies? Well, they would say that, wouldn't they?


CAROLE. Yeah, because, yeah, they got to cut. The insurers say that.


GRAHAM. The insurers say that. They say paying the ransom is cheaper and more effective for companies than anything else. They still think you should try and prevent it, but they think it's probably the sensible thing financially.

Wow, that's mind-blowing. Well, some people do agree that it's mind-blowing.

For instance, Ciaran Martin is the former head of the UK's National Cybercrime Centre. He's now a professor at Oxford University just down the road. He says that insurers are, quote, funding organized crime by accepting ransomware claims.

He says the insurers are doing that. Of course, the insurers are paying out.

Marcus Willett, who is now at the International Institute for Strategic Studies, but used to be a bigwig at GCHQ, the UK snooping outpost. He has argued in a recently published article that payments fund criminal organizations and only make ransomware attacks more likely.

Yes. And he says that what is needed is new laws which establish disincentives to pay ransoms. Oh, so legislation.


CAROLE. So legislation to punish businesses who pay. Oh. Oh, geez.


GRAHAM. And I think what he's actually saying is that the insurers shouldn't be able to offer ransomware insurance because it's currently too convenient for companies to use their insurance to pay up.


CAROLE. Okay. Here, let me give you an example here, right? Let's assume that ransomware is like Mary Jane, which I know is legal in many places, but it's not legal in the UK right now.

Jazz cigarettes, you mean. Jazz cigarettes. Okay, right.

So if I pay money to buy a bunch of jazz cigarettes, an illegal substance. Why would you do such a thing? I am at risk of being arrested. I am breaking the law.

So why is it not the same? If you get ransomware, I'm not saying it's your fault that you get ransomware, but you get ransomware and you're kind of fucked and you're going to go fund an illegal operation in order to justify business proceedings.

It makes me think of the old mafia movie stereotype, I'm sure, based in some reality of the guy showing up at your business going, we provide protection on this street and you got to pay up. Otherwise, we're just going to make life very difficult for you.

And then I'm imagining the grocer turning around to their landlord going, or their insurance company going, can I have money to pay the mafia protection, please? I mean, did that ever happen? Maybe it did. Maybe some listeners are like, actually, that was totally a thing that happened. I don't know.


GRAHAM. I don't know. So Marcus Willett is saying that new laws are needed to establish disincentives to pay ransoms. And I was wondering, can you think of any disincentives that could be put in place?


CAROLE. Yeah, like you get fined a fuck ton, more so than just what the ransomware is asking.


GRAHAM. Maybe that would just get added on to the insurance, though. Would it? It could just be increased, couldn't it, to cover the fine as well? I don't know.


CAROLE. Yeah, I think some companies, if they've got deep enough pockets, will say, well, cost of doing business. Of course, little guys will get screwed.


GRAHAM. Yeah. So I've thought of some disincentives. I've tried to work out, you know, if the government were to follow the advice of these former bigwigs involved in the UK's cybersecurity, well, how could they do that?

So companies are paying ransoms because they think it's quicker and cheaper than the alternative of not paying ransoms, right?


CAROLE. And in some cases it is, yeah.


GRAHAM. So maybe we need to make it more expensive to pay the ransom. Maybe the government should introduce a ransomware tax, just as it has on taxes on tobacco or vehicle fuel.

So, yes, you can pay your ransom, but you've also got to pay money to the government when you make that payment.


CAROLE. So you pay the mafia and then pay the government. Yeah. Thank you very much.


GRAHAM. This could get us out of lockdown. This could get us out of all Brexit mess. We could collect money from the ransomware. It's


CAROLE. It's incredible to me that you are not a lead policymaker.

It is to me too. Wow. Just, I'm in awe of that suggestion, Graham.


GRAHAM. I thought all that money ends up in a big pot, right? Which could then be divvied out to the ransomware gangs themselves as protection money saying, hey, hey, leave the UK alone and we'll keep this coming to you.

Go and hit some other countries instead.


CAROLE. Oh, yeah. The internet totally works that way.

Yeah, I've got a much better one. You get caught paying a ransom. You and everyone that works for you has to wear clown shoes for an entire month.


GRAHAM. That is pretty good. Right?

Because it'll be irritating and, you know. Oh, what if you were forced to change your corporate logo to show that you'd caved in?

Yeah. Imagine a fat face with a giant clucking chicken on the front of their store. We paid.

That'd be pretty bad for the brand, wouldn't it? You just had to do that.


CAROLE. You have no sympathy for these guys. I feel really bad for these folks that have to pay the ransomware.

In a lot of cases, they really feel like they have no choice.


GRAHAM. Spoken like a real mum.


CAROLE. No, I just feel... A heart. I feel really bad for the smaller companies.

The bigger ones, a little less sympathy. But, you know, shit can happen to anybody.

But for all these smaller dinky guys. Mom and pop shops that get stung by this stuff and get hit hard and maybe have to close the business as a result suck.

It sucks, right? Yeah. Yeah, because every day that they're not doing business, they're hemorrhaging all that money.

And, you know, how long do they have before it becomes a, we do one or the other, we're screwed either way. Yeah.

But if the equivalent of Ashley Madison got hit by ransomware. Eh. I mean, okay.

If I was working for them, maybe I wouldn't feel that way. Yeah.

There, but for the grace of God, go we. I mean, this whole situation just sucks.


GRAHAM. So in his article, Marcus, by the way, his article, you can't read it in a web browser. You have to download a PDF in order to read his article, which I have to say, when I thought I was being socially engineered, I thought my fingers were going to hit me.

I don't know. But anyway, I'll put a link in the show notes and people can decide if they want to download it themselves or not.

But he does make some good points about the need to take security more seriously, security awareness, better measures against phishing, you know, keep on top of patching and protection and all those sort of things. But what he hasn't done is explain how he's going to disincentivize or de-incentivize the paying of ransoms.

Because it feels to me that a hard… Oh, yeah, it's


CAROLE. Super easy, Graham, as I think we've discovered during the length of your show.


GRAHAM. Yeah, but I think we need to, you know, before you say, oh, this is what we should do, but not actually give any methods of, at least I came up with a couple of methods, Carole, and you came up with clown shoes.


CAROLE. I think at minute three I said legislation. But anyway, yes.

Well, well done. The idea of just punishing people that are stuck paying ransomware just feels just mean.

Really? I mean, God.


GRAHAM. And how does it work multinationally anyway? Because everyone would have to agree, this is what we're going to do, so no one will ever pay.

I think it's a bit dark.


CAROLE. What about if you had a standard, right? So if people meet a specific standard for their website or for their company in terms of security, which is, I guess, you know, if you're meeting certain, like, what are they called?

What is it called?


GRAHAM. You mean that cybersecurity essentials?


CAROLE. Yeah, compliance, compliance, right? Yeah, because that's going so well so far.

No, but if you meet compliance, right? If you meet a compliance, government stipulated compliance, and you're like, check, check, check, check, check, and we've got the sign-off approval of this, then you get stuck by ransomware.

Maybe you're given a pass because that situation might have been… Oh, God.


GRAHAM. The bar is so low to pass these things.


CAROLE. Oh, my God. Yeah.

They're not. You guys, I've read these things.

They're pretty intense. You don't think people fudge that stuff so much and just go by the absolute bare minimum to get the checkbox?

If they fudge, they do not get – but same as insurance, right? You fudge your insurance.

You fudge your health insurance. Good luck getting a payout.


GRAHAM. The irony is now that we saw a company – we mentioned it a couple of weeks ago – CNA Hardy. So some of these cyber insurance companies are themselves getting hacked so that the hackers can identify who's got insurance.


CAROLE. Oh, my God. Of course they are.


GRAHAM. They hack those customers, and then they hack the insurance company and hit them with ransomware as well.


CAROLE. So the solution is to just disconnect your company entirely from the internet. Yes, that's really... that's the only way. Exactly, yeah, just get off the internet completely. Go back to, like, the little paper things for credit cards. And if anyone wants a CD-ROM of this episode, just let us know. We only do paper copies now. This is actually transcribed. We'll fax it to you.


GRAHAM. Maria, over to you. What have you got for us?


MARIA VARMAZIS. Well, my story is actually kind of, potentially, ransomware related. But let me take you first to the glamorous world of car inspections. So, wow, words I never thought I'd hear together. Yeah, it's a segue, right? So I'm gonna just explain, like you're five years old, what a car inspection is, because I don't know how globally this is known. And I know we have listeners in all corners of the world.

Thank you so

GRAHAM. Much, Maria. I really appreciate this.


CAROLE. Yeah, at least one corner, right? So at least here in the States, we have to do maybe every two years, or at least here in Massachusetts every year, a car inspection to make sure your car is roadworthy, safe to drive, and not emitting terrible extra levels of pollution from the tailpipe.

So here in the States, it varies from state to state, but generally you get a little sticker on your car's windshield with a month on it saying that's the month you have to get your car inspected, and the color changes every year. And the cops love to pull people over whose car inspection has lapsed.

And you get slapped with a moving violation and your insurance rates go up if you don't get your car inspected. So you got to do it.

And it costs a little bit of money, but it's an important part of owning a vehicle. Except here in eight states in the United States, including the one I'm in, Massachusetts, car inspections have not been happening since about March 30th.

Because of the Rona, I'm guessing?


GRAHAM. Not because of the Rona, no. It's because of malware.


CAROLE. Oh. So here in Mass, they're still not expected to resume until April 17th at the earliest.

And so that's over two weeks of no car inspections happening. And so that's about 15,000 cars a day in this state alone that aren't getting inspected.

And these inspections happen at generally tiny little mom-and-pop auto shops that really depend on the income that these inspections bring in, because it's a flat fee and the auto shops get the bulk of it. So there's a company in Wisconsin called Applus, and they run an emissions technology business.

And they are the vendor that these eight states officially use and are contracted to do the emissions test. So they hook up a pipe to a computer to the car's tailpipe, and Applus' technology basically goes, this car is clean or it's not clean.

So your car cannot pass inspection without that test. So Applus got hit with some kind of malware, and they're not telling us what.

But because this malware attack of undisclosed nature…


GRAHAM. It was ransomware, wasn't it? Let's be honest. It was almost certainly ransomware.


CAROLE. Almost certainly ransomware, because it's so gnarly that all of these inspections across all these states have shut down. And again, as of right now, two weeks later, they're still not happening.

That's eight states. That's 20% of the states almost.

And these are also big states. This is Massachusetts, New York, Texas.


GRAHAM. Oh, these are states which people live in as opposed to some of your American states.


CAROLE. Yeah, it's not just Wyoming and North Dakota. It's states with lots of people and lots of cars.

I thought it was a state of mind for a second. Oh, my God.

Okay. So Applus basically said they got hit with some kind of malware attack, and they found out about it on March 30th of this year.

So right at that month changeover. So whoever hit them was clever about the timing.

We know that the attackers may have been able to steal bank account and other sensitive financial data, not from the car owners, but from the tiny mom-and-pop auto shops. Oh.

Oh. Yeah.

So basically, Applus, as a vendor that helps with the emissions testing, they get a tiny cut of every single inspection done. And it sounds like they get paid directly by ACH through the auto shops' business checking accounts.

So it sounds like the breach was able to potentially pull the actual banking checking account information from every single one of these mom-and-pop shops.


GRAHAM. Oh, that's terrible. Yeah, I do know someone who runs a little garage in America because I used to watch the Dukes of Hazzard and Cooter.


CAROLE. Okay, that wonderfully sensitive show. Wow.

Cooter used to run. With the very appropriate Daisy Duke.

Yeah, I know him. He lives down the street.

I know. We all know everybody.

Did you always dream to be of being the big boss, Graham? Is that what you're trying to tell us?

Boss Hog. Boss Hog.


GRAHAM. I was more Boss Hogg's train. That's who I wanted to be.


CAROLE. Oh, really?


GRAHAM. Yeah, yeah, he was cool. He was cool.


CAROLE. So what was the point you were trying to get to about knowing a guy?


GRAHAM. No, well, I was just saying, because this whole image of tiny mum and pop little auto, you know, it's not big businesses necessarily who are going to be hugely impacted through no fault of their own cyber security.

Correct. Or of Cooter.


CAROLE. Don't get me wrong. There are definitely bigger auto places or car dealers that are also affected.

But I mean, I live near a lot of places that are just they're tiny. And the inspections really are the vast majority of their business.

So not being able to do these for more than two weeks now is in the pandemic still is killing them. So I'm sure, as you could imagine, the fix is on and it's rather urgent.

So what does it look like to fix a security problem with a car emissions tester was the question that I had.


GRAHAM. Oh, I can answer that.


CAROLE. Okay, yeah. A quick rollout over, you know, the cloud.

What do you think it looks like? I have no idea.

I'm kidding. Oh, my God.

I was really excited for you to tell me what it looked like. So, apparently it requires shipping USB sticks with the software to nearly 2,000 auto shops in this state alone.

What? And then walking each and every one of the auto shops over the phone through the re-imaging and rebooting process for these industrial machines.

Oh, my God. This is the IoT nightmare.

This is it, people.


GRAHAM. And they won't necessarily be that tech savvy, will they? Of course not.

Because it's just they always use the computer in one particular way. So they're booting up Windows.

Windows


CAROLE. Yeah. I mean, there's a place that I take my car to that's right down the block from me. It's like this old Armenian family.

They speak a little English, and I love them. And there is not a single computer in their entire building except for this tailpipe thing.

I mean, this place is like going back in time 50 years. I love it.

And I'm just trying to imagine them walking through this process. You better go over there and help them.

I don't speak Armenian.


GRAHAM. Well, Maria, if you really liked them, you'd learn how to speak Armenian.

That's true. That was


CAROLE. My dad's argument for learning Greek. This sounds very familiar.


GRAHAM. Carole, tell us, what have you got for us this week?


CAROLE. So we're hitting the boozer, kids. Has your alcohol consumption gone up at all during this pandemic?

I have started to drink tea. Yeah, I'm suspecting actually from this little group of three, it's going to just be me, huh?

Yeah, I was going to say, I actually kind of stopped drinking alcohol. Interesting.

Yeah, yeah. Okay, but I know in this little crew I'm alone, right?

I get it. But in the broader crew of the world, I am not. I know that.


GRAHAM. That's true. That's what you keep telling yourself.

Yeah. You're not alone getting sloshed.


CAROLE. Well, okay. So I thought I'd go check this out, right?

Because I heard a number of people telling me just colloquially, oh, yeah, I'm drinking way more, something like this, or worrying about the drinking. So first off, I went to Statista.

And they said the impact of COVID-19 on alcohol consumption in the UK 2020, right? So they said almost half of the consumers surveyed in the UK said their alcohol consumption habits were not affected.


GRAHAM. Yeah, because the ones who were pissed couldn't fill out the form. They couldn't fill out the survey.

Right? Ridiculous survey.


CAROLE. Almost 20 percent upped their drinking, okay, according... and while 30 percent are drinking less or stopped completely. Okay, you have to understand this is research based on what people say they do, not necessarily what they actually do. That's true. So I thought, why not go check out the sales, right? So Nielsen is a big researcher in the domain of booze, and they reported a 54% increase in UK sales of alcohol for the week ending March 21, 2020. Compared to a year before, it was an online sales increase of 262%.

Okay.


GRAHAM. Can I be nerdy for a second? I have heard some people, in fact, I know of at least one person who has been buying alcohol in order to sanitize their post when it arrives, and they've been spraying their parcels.

With like Pinot Grigio? Because they've been worried.


CAROLE. So interesting. You've just said that.

Really? Yes. Yeah, tell me. Go on.


GRAHAM. They believed that it would help protect them from COVID-19, and they also, I think they got some special lights. Was it infrared or something?

UV lights. UV lights.

Absolutely right. It was UV lights, although a lot which you buy online claim to be effective, but actually don't emit the right level of UV light or something like that.

They're


CAROLE. Just sort of black lights. Yeah. Yep. Yep.

Okay. So interesting.

Because when I saw the 262 rise on the first week of March 2020, I was like, oh, my God, people are panic buying, right? They are worried booze would run out.

They didn't know how they'd cope. So they bought like 15 cases instead of their normal whatever, whatever.

But apparently there was a rumor that started saying alcohol would protect against COVID. Right.

Yeah, I remember that. So, yeah.

So, in fact, in April last year, the WHO, the World Health Organization, warned that alcohol use during the pandemic may potentially exacerbate health concerns and risk-taking behaviors. So a quote from the release says, fear and misinformation have generated a dangerous myth that the consuming high-strength alcohol can kill the COVID-19 virus.


GRAHAM. Oh, these were people who were actually trying to pickle themselves, pickle their bloodstream.

CAROLE. That's a sticky pickle. To prevent the infection. Oh, not another pickle. You see, it's such a good name. We need a bell every time we say it. Yeah. Anyway, so why am I talking about lushes on a technology podcast? Yes, why?

Because with the booze at home market glowing with renewed financial resiliency, thanks to the pandemic, the drinking realm has seemed to have piqued the interest of scammers. So according to Recorded Future and Area One Security, they did some research. They saw a rise in Zoom-related booze-based communions, if you will, right?


GRAHAM. Wine and communion, yeah.


CAROLE. Zoom-related booze-based communions. On Sundays specifically?


GRAHAM. Yeah, was it religious communion?


CAROLE. Well, no, you commune with people, you know, you get together.


GRAHAM. Right, okay. Okay, yeah.


CAROLE. So wine tastings, dates, catch up with old friends, right? People, you know, go to grab the old bottle of whatever, of Chablis or Chardonnay and have a little laugh.


GRAHAM. Of the body and blood in Christ. Yeah, okay.


CAROLE. Exactly. Okay. No, I get it. My God, I'm so slow. You did? Yes. Oh, my God. I was so focused on my story. I missed the joke. I'm sorry. Oh, my God. Okay. Wow.

So Recorded Future noted a super significant increase in the number of new wine-themed domains being registered at the start of April 2020. And it's continued through at least to March 2021, which just passed.

So they looked for these types of words, domain registrations containing one or more of the following, right? So wine, vino, champagne, Bordeaux, Burgundy, Merlot, Cabernet, Sauvignon, and Pinot. And I'm reading this list. I'm saying they forgot a few. What about plonk, gut rot, juice, you know?

But then the next paragraph, they said, oh, no, no, we intentionally left out certain terms to avoid false positives. So I suppose juice and gut rot would be difficult to parse.


GRAHAM. Burgundy could be Ron Burgundy as well. There's a few of those, which, yeah.


CAROLE. That's right. Okay. So what do these guys see? So back in March 2020, right, the wine-themed domain registrations, these are people that are registering domains to basically pretend or legitimately to sell wine or to be in that industry market.

So they'd see 3,000 to 4,000 new wine-themed domains being registered every month. Okay, yeah, that's what I thought. Now in March 2020, it climbed up to 5,500. Okay, that's quite a big climb. Then in April, went up to 7,200. In May, 12,400.

So it kind of screamed up. So that's three times what it was at the beginning of March.


GRAHAM. And the reason why they're grabbing these, what, is it because people are buying wine online and they're hoping that...


CAROLE. Yeah, people aren't going to boozers anymore. They're not going to pubs to have a drink, right? So there's a decline in alcohol being sold in that market because pubs aren't buying. Right. Online shopping. Exactly.

People are buying at home. And so they're getting targeted with maybe malvertising, phishing. So what they found from their tests is at its peak, 7% of the total wine domains that were being tracked were malicious.

So that's almost 1 in 10. Okay. Right? Are we thinking, oh, who cares? I think that's pretty big.


GRAHAM. Because as a wine drinker, I would worry. And I would think if you're a little bit sozzled, then you may be less careful about the website which you end up on. Right?


CAROLE. I don't know if people tend...


GRAHAM. To buy booze when they're a little tipsy. Is that what happens? Some people are permanently tipsy, Carole, aren't they?


CAROLE. I'm sort of chewing on this one a little bit because the times that I did buy some alcohol over the course of the last year, it was from my local liquor store that I know well that does deliver. I mean, I was never going... I mean, I'm just thinking through me. I wasn't going through a brewery.

But what if you got an email from said place saying, hey, we've got a special deal. And then you click on the link and you end up on a phishing site that looks exactly the same as your local site.

So a lot of people were buying things online, certainly in the UK, online purchasing was huge. I don't know if you guys can buy alcohol online in the States.


GRAHAM. It varies from state to state.


CAROLE. Yeah, it really varies. I reached out to the senior security analyst behind this research, Alan Liska, I did that this morning and I was saying, look, because the research is really good and the piece is really well written. So I recommend you guys go read it.

But I had a little chat with him and I asked him what surprised him in it. And he said it was the staying power of these new domains. Because often in these kind of situations, domains kind of come and go really quickly if they're spoofing. And these ones are just sticking around.

So that's kind of interesting. And, you know, maybe few people are looking at it as a potential phishing vector. It's the first time I've ever heard of it. Yeah, maybe that's why I'm sort of stumped by this one because I'm just not what I would expect, but maybe that's what makes it work so well.

Yeah, because he said, what's the growth about? Is that because they're really making a ton of cash or is that because they're just following suit? And he said, he couldn't say for sure, but he said, malicious actors are not always that smart. So sometimes one gets a good idea and then all the others follow suit.

I mean, registering domain names in bulk is not exactly expensive.


GRAHAM. Had they seen similar behavior in regards to toilet paper?


CAROLE. Oh, I didn't ask him that one. Yeah, that would be, yeah. That I'd, yeah. I'd be very curious to hear that.

The takeaway here is I know that there are going to be a few of you out there that are drinkers, unlike my two fellow wonderful mates. I drink, I just didn't up my consumption. Yeah, just to be clear. There's no judgment. I'm jealous.

I do drink.


GRAHAM. I just don't swallow any of it.


CAROLE. There you go. Oh, nice.

You just spit it across the room. Nice. Like a connoisseur.

But to my fellow lushes out there, don't be duped by an unexpected communique offering you a great deal on wine or vino, right? Do you like Maria? Go to your local shop, right? Be embarrassed. I'm here again. Hi, it's me, Frank.

If you want to learn more, there's a load of links in the show notes for you, including the research done by Recorded Future and Area 1 Security. Oh, yeah. You know what? Alan Liska said something else super important. He said he loved the show. Oh. And he also said that I was definitely his number one favorite.

Oh, well. Obviously. You asked him, didn't you? You asked him.

Okay. I'm lying about one of these things. I'm lying about one of them. He hates the show, but he loves Carole.

Gotcha. Maybe.


GRAHAM. Using a password manager like 1Password can help increase productivity and save you money. How does it do that? Well, a password generator tool creates strong, unique passwords that are saved and filled in automatically.

Features like Watchtower alert you to any issues with your employees' accounts, give new oversight and more security control, and you can get notified immediately when a breach occurs with domain breach reports. Find out more. Check out 1Password for yourself at 1Password.com.

And thanks to 1Password for supporting the show.


CAROLE. Protect your workforce with simple, powerful access security from Duo, powered by Cisco. The rapid expansion of remote working has presented challenges for all of us.

At Duo Security, it's their mission to make application access more secure for organizations of all sizes. It's modern access security is designed to safeguard all users, devices and applications, so you can stay focused on what you do best.

So, want to proactively reduce the risk of a data breach, verify users' identities, gain visibility into every device, and enforce policies to secure access to every single application? Thought you would. Why not give your organization the peace of mind that only complete device visibility can bring?

Visit duo.com to sign up for a 30-day trial. That's duo.com. I mean, how easy is that to remember?


GRAHAM. And welcome back and you joined us at our favorite part of the show, the part of the show that we like to call pick of the week.

Pick of the week is the part of the show where everyone could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. I hope it's not.

Well, my pick of the week this week is not security related. As many of you will know from recent picks of the week over the last year, I have chosen many computer games trying to keep my son entertained and me as well.

A lot of computer games which we play and video games, I'm rather rubbish at. So I quite like to sort of locate myself on the sofa and oversee and occasionally chip in with advice. And that doesn't work with the likes of Fortnite and games like that, but it does work remarkably well with the old point-and-click adventure games.


CAROLE. Oh, those are great. Yeah, I love adventure games.


GRAHAM. Yep. And I think it's good for the kids as well. They get to read and, you know, they get to use their brain a bit and think about what's going on with characters and listen and pay attention.

Some of them are stupendously hard, too. Some of them are very tricky. Some of them are a bit buggy.


CAROLE. Or, yes. Yeah. So you have to go onto the internet. I know what to do, it just doesn't work. It doesn't work.

Yeah. Same. Yep.


GRAHAM. I have been playing a game called The Raven Remastered, which first came out a few years ago. It's London. It's 1964.

And an ancient ruby has been stolen from the British Museum. All that's left at the crime scene is a raven feather. Could the raven have come back from the grave? He was killed years before.

Has he returned or is someone else posing as the legendary master thief? And on your investigation, you will find yourself on the Orient Express going through the Swiss Alps. You'll find yourself in Venice. And you will find yourself on a cruise ship going to Cairo.


CAROLE. Wow. What are the graphics like? Is it like...

The graphics are great. Yeah. How are they? Yeah, it's not...

Compared to Zelda. Which one?


GRAHAM. Yeah. Good. Thank you. Thank you. That's shudder up.


CAROLE. I don't know. I don't know. I don't know, game nerd. Anyway,


GRAHAM. The graphics are great. The voice acting is terrific as well.

But what I really liked are the twists and turns in the plot. Because at one point I thought, oh, we've nearly finished this game. Oh, no, we had not.


CAROLE. And you were happy about that? Or were you oh, God.


GRAHAM. I was very happy. I was very happy that it was so inspired by sort of Agatha Christie. In fact, there was a character in the game. The main lead character is clearly a ripoff of Poirot.


CAROLE. I was wondering if that was just my imagination with the upturned mustache thing. Yes. Yeah, okay.


GRAHAM. And there's also a character who writes murder mysteries, an elderly lady who's observing everybody, who's clearly based on Christie as well.

Super subtle, yes. But it's inspired by Death on the Nile and Orient Express, and it's really good fun. It is available on the PlayStation, Xbox, PC, Mac, and we have been playing it on the Nintendo Switch, and the Raven Remastered gets the thumbs up from me, which is why it's my pick of the week.

What's your son think?


CAROLE. He's loving it. He's really enjoying it.


GRAHAM. Okay. I trust him more than I trust you.

We haven't quite finished it yet, but we're probably about, I think we're over two-thirds of the way through. But yeah, it's some real good twists in the tale. It's clever. It's a clever game.


CAROLE. Well, for you.


GRAHAM. Yeah, it's all relative, Carole. It's all relative.

Let's say, Maria, what's your pick of the week? Just rude.


CAROLE. Okay, so my pick of the week is a show that is not new, but it is still ongoing, and I searched the Smashing Security archives because I could not believe nobody's recommended this before. So may I be the first person to announce, for pick of the week, Westworld. Have you heard of it?


GRAHAM. The TV show, not the movie with Yul Brynner.


CAROLE. The TV show, the TV show, yeah. I know that's based on a book and there's been other things, yep.


GRAHAM. I heard it's a bit sexy. I've never seen it. Is it sexy? Because that could get me.


CAROLE. It's not Firefly, no. Oh God, no, okay. It's cowboys and robots, isn't it?


GRAHAM. Caveat that I've only seen season one, and I know that it changes a lot in the subsequent seasons, but the Wild West part is just a part of it. The larger, broader story is way bigger than that, and it's not in the Wild West. It is very much about the nature of what it means to be a conscious living being, and involves robots, and it is super, super fascinating. A lot of moral quandaries: the nature of creation, what does it mean to be human, what does it mean when our human creations, robots, start to become self-aware, what kind of rights does that confer? I love this stuff.

In terms of is it sexy, I mean, yeah, the robots themselves, when they are not, spoiler alert, at the Wild West themed theme park that they're employed in, not employed, enslaved in really, when they're not there, they walk around totally naked, so you will see just penises.


GRAHAM. Goodness gracious.


CAROLE. Yeah. It is what separates them from their human keepers, is that the human keepers are always fully clothed, and you'll just see the robots just sitting around naked and talking about stuff that happened to them.


GRAHAM. Yeah. I was wondering if they bypassed the Garden of Eden. Is that the story thread? So they're unshamed?


CAROLE. Well, my argument would be that the entire first season is about them trying to escape the Garden of Eden. And this theme park that they're in is basically the walled garden. And there's an Adam and Eve robot pair. And the religious overtones, with reincarnation and the nature of suffering and Adam and Eve and Genesis and all that stuff, are very overt. So I'm not being super deep about this. I think most people with a passing knowledge of the major religions of the world would understand the metaphors. It's not hard to understand.

I think the storyline is super fascinating. I would heartily recommend it for people who like cerebral shows.


GRAHAM. Yeah, but also looking at naked people.


CAROLE. And also naked people, and also naked people in various states, from the extremely sexy Hollywood actor body type to regular folk. They're all in there. So wasn't there a show, Naked Attraction, on Channel 4 or something, where basically this person would be standing in some kind of weird pill-like vessel, and this screen would come up from their feet, and you'd judge them based on their knees down, and then it would go up to their bits down, and you judge them, yeah, and then it would go up to halfway up their chest, and then the whole thing, and you decide if you would... package you wanted of the five naked boys you were looking at, or girls. That sounds hell on earth, yeah, my God.


GRAHAM. It is hell on earth, yeah. Probably watched it 20 times, each episode. I'm just... I just find it... no, it's car crash TV to me. It's almost watching The Office. It's just terrific.

They decide who to date based on their dong or doodle or whatever. Yes. Whatever they may have.

I haven't watched this. This sounds right up my street, but because it's on Sky and I don't have Sky, so I don't get to see any of the HBO programs. I was trying to figure out how to watch this outside of the US, and the only thing I could find was you've got to use a VPN. So that is a bummer.


CAROLE. It is. Yeah. I tried watching it when it first started, and for some reason I couldn't get into it. I don't know if thanks to the pandemic, I have more capacity to concentrate on a TV show now. But now on this second attempt of watching it, I've been totally engrossed.


GRAHAM. It is on Amazon Prime. You may have to pay 20 quid for the season or something, but it is on Amazon Prime.


CAROLE. Yeah, give it a shot. Give it a shot. Thanks. I it.

Yeah. Good pick of the week.


GRAHAM. What's your problem? Well, I just, you know. Cold? Naked people.

Oh, right. Yeah, we're back to the boobs. I forgot. Exactly.

Well, and besides. Carole, what's your pick of the week?


CAROLE. What is your weather like if you guys look out a window at the moment? Is it nice, gorgeous, sunny day or?

Overcast. It is gorgeous. Okay. So Maria, close your eyes. Graham, look out the window. It's a beautiful sunny day. Okay. Birds are tweeting. Bees are humming. And you're thinking it's time for a barbecue, and you are excited, but you're a little nervous because, you know, cooking your sausages and burgers on the barbecue, you want to make darn sure that they're cooked correctly, right?


GRAHAM. If I was a Westworld robot, I definitely would not want to cook on the barbecue in case I might broil my sausage too much.


CAROLE. You know, I really get tired sometimes of... it's Maria who brought all this smut to the episode. She did not. She just said nude people. That was you that went running with it. That's very okay, Graham. I expect nothing less. Okay, so see, I've lost my train of thought now for your fucking pathetic joke and that's it for pick of the week. Yeah, that's it. Well done, Graham.

So a lot of people when they're excited about a barbecue they're nervous about being the actual cook of the barbecue, right? Because you have to cook these sausages and burgers and stuff and you want to make sure they're cooked correctly. You don't want burnt pucks. You don't want raw things and you don't want to give people bouts of tummy trouble.

Correct, yeah. I actually know people that cook everything beforehand in an oven and then bring it and just kind of grill it for five seconds on a barbecue and just go, hey, I put some barbecue sauce. Yes, because they're so worried about having flamed food. Oh, gosh, no.

Well, I have a gadget. I've had this gadget for five years, but it is indispensable to me. And I'm going to share it with you. It's called a Thermapen.

I have that! Right? How great is it?

How great is it? It's amazing. Highly recommend as well.

Yeah, totally. Okay. So I use all of...


GRAHAM. Hang on, for those of us who aren't you or Maria, what's a Thermapen?


CAROLE. So it's a needle that you stick into whatever you're cooking, and you get a battery operated, non-smart, okay? No IoT to be seen. Insta-reading of the internal temperature of whatever you're cooking, in either Celsius or Fahrenheit. So you know if you've hit the 160F, you're all right for your, you know, to take it off the barbie or whatever. You can use it for anything.

And it's great. I use it for baking all the time, right? Sourdough bread should be 200. You just make sure.


GRAHAM. Could it also be used as a personal thermometer? If you wanted to stick that up your ass.


CAROLE. Yeah, it's very pointy. It's pointy, Graham, and you might puncture something. It is pointy and a very long needle. It's going to go too far. You're going to go too far.

I don't know what you're into. I don't even want to judge. But it wouldn't be my... There are better things than this. I think we can both recommend not doing that.

But they are pretty rugged, Graham. So you could have a crack at it because I drop mine all the time though. I would recommend, Maria, you can - I don't know what you did - but I bought a silicone sleeve for mine for a couple quid. I have not done that. Washable.

The classic super fast Thermapen, okay, runs about 80, or about 50 quid, 60 quid maybe in the UK. Yeah, I have it in my kitchen drawer. I use it probably daily, more than once, and I think it's an amazing thing. Links in the show notes at thermoworks.com. You can learn all the other stuff. That's the online shop. But I am a big fan of the Thermapen. It's way better than Thom Langford's, you know, keep my tea hot gizmo.

Can I make a supplemental recommendation?


MARIA. Yes. I also love their stuff. They make this thing called the Smoke, which, for people who are smokers - sorry, this is smokers - they barbecue smoke, American style barbecue, low and slow barbecue. It allows - it has these probes that hook up to this relay station. So basically, if you're doing US style barbecue, real low and slow, you can be smoking something for 12 plus hours. I have this for when I smoke pork or stuff like that, and it really... it's awesome if you can get accurate temperatures, and it tells me, I don't have to go outside and keep checking it all the damn time. It's great.


CAROLE. So that is incredible, because it is my 10 year anniversary, wedding anniversary, coming up, and I am going to buy him that.


MARIA. Yes, you should. He doesn't listen to the show so he will not know. Don't tell him if you know him.

I bought a cheaper knockoff version of it, and it lasted maybe one or two smokes and then it just crapped out. This thing, I've had it, the ThermoWorks Smoke, for years, and it's awesome, awesome, awesome.


CAROLE. Yep. There you go. A twofer from me and Maria, just because we're such a good team. So my pick of the week is the Thermapen. Brilliant.


GRAHAM. Well, on that culinary catch-up corner, we've just about wrapped up the show for this week. Maria, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?


CAROLE. Honestly, listen to me on Sticky Pickles. StickyPickles.com. Like and subscribe.


GRAHAM. Unbelievable. And you can follow us on Twitter at SmashingSecurity - no G Twitter and last have a G - and we're also up on Reddit as well. Don't forget if you want to never miss another episode, follow Smashing Security in your favorite podcast app such as Google Podcasts, Spotify, and Apple Podcasts.


CAROLE. And a huge thank you to this episode's sponsors, Duo Security and 1Password. And to our wonderful Patreon community, it's thanks to them all that the show is free. For episode show notes, sponsorship information, guest lists, and the entire back catalogue of more than 222 episodes, check out SmashingSecurity.com.


GRAHAM. Until then, cheerio. Bye-bye. Why are you talking so weird?


CAROLE. I don't know. It's like David Caruso has just walked into the room. I thought my connection was bugging again.

Everybody's pausing. Giving their best William Shatner impression. Bye.

Do you know, I just read, I think William Shatner is 90.


GRAHAM. Yes, he is. Picture yourself.


CAROLE. On a boat on a river. He can still crank those tunes out, though. See, he's a smart guy. He's a smart guy. He went for the long play. Smart. We should get him on the show. I want to get Dave Shatner on the show. Yeah, okay, if that happens, I want to be the fourth supplemental guest.


GRAHAM. We got Kryten from Red Dwarf. I know you did. That's so amazing. Is that such a big jump to get TJ Hooker on?


CAROLE. Exactly Graham with your clout and personality and charm. You are verified on Twitter, after all.

Oh, yeah. You have that in common with the chat.

Yeah. Monsieur Chat to you. Oh, well.

He's Canadian. This is true.

-- TRANSCRIPT ENDS --