Researchers reveal how your eyeglasses could be leaking secrets when you're on video conferencing calls, we take a look at the recent data breaches involving Uber and Grand Theft Auto 6, and we cast an eye at what threats may be around the corner...
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's Iain Thomson.
Plus - don't miss our featured interview with Sal Aurigemma, the faculty director of the Master of Science in Cyber Security program at the University of Tulsa.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- “Iain Exotic”, Iain Thomson’s dress-up homage to Joe Exotic, the Tiger King - Twitter.
- “Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing” - Research paper by Yan Long, Chen Yan, Shilin Xiao, Shivan Prasad, Wenyuan Xu, and Kevin Fu.
- “We saved you a seat in chat” - Rather large text on the Twitch website.
- Stalker zoomed in on Japanese idol’s eyes to find out where she lived - Graham Cluley.
- Uber is looking for more security staff - Twitter.
- Uber explains how it was pwned this month, points finger at Lapsus$ gang - The Register.
- Uber’s hacker *irritated* his way into its network, stole internal documents - Graham Cluley.
- Security update - Uber.
- Grand Theft Auto 6 maker confirms source code, vids stolen in cyber-heist - The Register.
- Cybersecurity Awareness Month - CISA.
- The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats - ZDNet.
- U.S. Government Spending Billions on Cybersecurity - Hacker News.
- The Mitchells vs The Machines trailer - YouTube.
- The Mitchells vs The Machines - Netflix.
- NASA is ready to knock an asteroid off course with its DART spacecraft - New Scientist.
- DART’s Small Satellite Companion Takes Flight Ahead of Impact - NASA.
- Search and find UK Defibrillator Locations near you now - HeartSafe.
- Apply for a part funded Public Access Defibrillator - British Heart Foundation.
- Defibrillator guide for first time buyers - St John’s Ambulance.
- Every school will have a life-saving defibrillator by 22/23 - Gov.UK.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Pentera - Pentera’s Automated Security Validation Platform is designed to help teams increase their security posture against modern day threats across the entire attack surface. Evaluate your security readiness with continuous and consistent autonomous testing with granular visibility into every execution along the way.
- Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
CAROLE THERIAULT. If you think about it, you think of all the manufacturers from, you know, smart washing machines to ping pong sticks.
GRAHAM CLULEY. What's a ping pong stick?
CAROLE THERIAULT. Oh, I meant pogo stick. I was basically being polite for vibrator.
GRAHAM CLULEY. I think. But I said ping pong.
UNKNOWN. I thought I was going to be too rude for this show. Smashing Security, Episode 290: Uber, Rockstar, and Crystal Balls with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 290. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, this week on the show, we've got someone who's returning to us after a 5-year absence.
CAROLE THERIAULT. Shut up. That long?
GRAHAM CLULEY. He's— He's upgraded his internet connectivity. He's on fiber. It's Iain Thomson from The Register. Hello, Iain.
IAIN THOMSON. Hello, Graham. Hello, Carole.
CAROLE THERIAULT. Hi.
IAIN THOMSON. Pleasure to be back. It's been a while.
GRAHAM CLULEY. Yes. Yes.
IAIN THOMSON. Lovely to chat.
CAROLE THERIAULT. Well, thank you for joining us so early in the morning from your part of the world.
IAIN THOMSON. Ah, well, the sun is shining. The sky is clear. We actually had rain yesterday, which was fantastic. We haven't had that in months. I know as a Brit, you really miss some things and rain is one of them.
CAROLE THERIAULT. And where are you?
IAIN THOMSON. Just for our listeners... Oh, I'm in the East Bay, just across the water from San Francisco.
CAROLE THERIAULT. Nice.
IAIN THOMSON. I've gotta say, it's pretty good. It's an interesting place to live.
CAROLE THERIAULT. Let's first thank this week's sponsors, Bitwarden, Kolide, and Pentera. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. Zoom, just one look and your privacy went boom.
CAROLE THERIAULT. You've missed your calling. What about you, Iain?
IAIN THOMSON. I just can't follow that. That's amazing. Good. Well, I mean, for me, it's the uber rockstar hacks. It's an amazing issue to go into. And there are some very, very weird things about this.
CAROLE THERIAULT. Ooh, I'm excited. And with me, we will be gazing into the crystal ball cybersecurity style. Plus, we have a featured interview with cybersecurity kingpin from the University of Tulsa, Sal Aurigemma. And Sal will explain why password managers like that of our sponsor Bitwarden are so valuable. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, we have emerged now, blinking from our self-imposed isolation during the pandemic. We've ditched our caftans, we've hung those up, we've hitched up our trousers, we've tried to put a belt on if it still fits, we've deodorized ourselves because now we are interacting with our humans for months. And months, we had been able to fool our colleagues, hadn't we, into believing we were fragrant-smelling. All the time we weren't even wearing underpants, because they never saw us.
CAROLE THERIAULT. We were wearing suitsies, weren't we?
GRAHAM CLULEY. Is that what they call them, suitsies?
CAROLE THERIAULT. It's like a onesie, like a baby onesie, but it actually has the finish of a suit. So you can actually just cuddle into it and look professional at the same time.
IAIN THOMSON. Oh my word. No, I actually wore a kilt at one meeting, but yes.
GRAHAM CLULEY. How did you prove that, Iain?
IAIN THOMSON. When the lockdown first started, we figured it was gonna be, what, 2, 3 months? And the very first video conferencing meeting that we had, I was just out of bed wearing a sweatshirt. My hair was all a mess. And comments were made. So the day after, I got dressed up in full kilt and fig and held the meeting that way. And the response was really good, 'cause I mean, The essence of working as journalists is that you've got the news meeting, you know, everyone's knocking ideas off each other. And that was a real dislocation. So I figured, you know, keep the spirits up and ended up doing like 30, about 30, 35 different costumes at the start.
CAROLE THERIAULT. Yes. Iain, you've got to send us some of these pictures.
GRAHAM CLULEY. Oh, no need. No need, Carole, because I remembered following Iain on Twitter at the time, and I found a picture of you dressed as Iain Exotic, which was your homage to the Tiger King.
IAIN THOMSON. Yes.
GRAHAM CLULEY. Yes. Including—
IAIN THOMSON. Monica had some leopard skin stuff lying around. And that whole weird cat people documentary was raging at the time. So I figured, why not?
CAROLE THERIAULT. Wow. I love it, Iain.
GRAHAM CLULEY. So link's in the show notes if you want to go and check out Iain dressed up as Joe Exotic. But I never went that far. I might have occasionally donned a pair of glasses to appear more intelligent, even though I can't actually read my computer screen if I'm wearing glasses. But we're all of an age, I suspect. You know, we've been round the block a few times, haven't we? Be careful. Be careful, Graham. You know, I mean, I— Iain, do you ever wear glasses these days?
IAIN THOMSON. I've started wearing them in the last couple of years. I think, to be honest, having spent, you know, spending this amount of time on a laptop and monitor screen, it's going to happen. So, you know, and, you know, there's no shame in it. It's just I am looking into LASIK, but at the same time, this very idea of someone cutting into your eyes or lasering them out is such an anathema. I'll live with the glasses, thanks.
GRAHAM CLULEY. Carole, do you have to wear glasses for the computer screen?
CAROLE THERIAULT. No.
GRAHAM CLULEY. No?
CAROLE THERIAULT. Oh. No. I've had glasses since I was a teenager.
GRAHAM CLULEY. But not for the computer.
CAROLE THERIAULT. They were for distance, yeah. I don't have nearsightedness issues yet, 'cause I am younger than you, Mr. Slightly.
GRAHAM CLULEY. But you know what, Carole? That might've been a very sensible decision not to wear glasses at the computer screen, because there lies a danger.
CAROLE THERIAULT. Tell me everything.
GRAHAM CLULEY. Boffins at the University of Michigan, who've teamed up with their counterparts at Zhejiang University in China. They have been exploring the security risks associated with wearing glasses at a computer. Okay. And specifically, they have found that you could be unintentionally leaking information through the— No, I know it sounds weird, but he's spot on.
IAIN THOMSON. This is absolutely true.
GRAHAM CLULEY. Yep. Through the reflection on your glasses when you're on a Zoom call or Google Meet session or something like that.
CAROLE THERIAULT. It's— So, okay, okay. My mind has just gone somewhere very— Okay. Yeah. So, for example, if you had maybe something not safe for work in the corner of your screen, your boss would be able to see it through your glasses.
GRAHAM CLULEY. Yes. In mirror vision. Potentially. Or if the thing you were looking at on the screen was moving in a particular way, that may indicate what sort of action you were watching. There's all sorts of— Oh my God. All sorts of possibilities. It's a pogo stick. Yes.
IAIN THOMSON. Tell us more. Sell it to the judge.
GRAHAM CLULEY. They're just playing leapfrog.
IAIN THOMSON. Exactly. But I mean, this is serious because they found that even a standard, you know, 720p camera, you can get, you know, text font sizes at about 50, 60 pixels. Now, if you're looking at 4K camera, then you could potentially get down to the kind of font sizes used in documents, not just in headings, but, you know, in the actual text itself.
GRAHAM CLULEY. This is the thing. So there's this paper that's been released. It's called Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing. That's the name of the paper. And yeah, as Iain says, around about 75% accuracy on reading some screen text. Now I have to say some screen text. First, okay, some caveats. A few caveats.
CAROLE THERIAULT. Yeah, I'd like to know the caveats.
GRAHAM CLULEY. Yeah. Right, okay. So the technique varies in effectiveness depending on the curvature of your lens. So if you have prescription glasses, that apparently works better than if you have those, you know, those blue light blocking glasses some people like to use, you know, where if it's late at night or something to help them go to sleep. So those don't work so well. And the other thing, as Iain says, is the quality of the webcam as well. So they reckon they can read on-screen text that has a height as small as 10 millimeters. With a 720p webcam.
CAROLE THERIAULT. Now that's kind of big. 10mm is 1cm.
GRAHAM CLULEY. Ah, yeah. But that, and that is on the reflection. That's not on the screen. So what they've done— So what they've done—
CAROLE THERIAULT. We hear the science here. Yeah.
GRAHAM CLULEY. What they've done is it tends to work on quite big text. Now I've put a link in the show notes.
CAROLE THERIAULT. Okay. Oh, God.
GRAHAM CLULEY. I've put a link in the show notes, which goes to a Twitch page. Where you'll get an idea of the size of text which they can pick up. All right. Okay.
CAROLE THERIAULT. All of you looking at fonts at 48p and above, you guys with glasses, you guys are the ones in trouble.
IAIN THOMSON. I mean, I mean, we mock, but at the same time, technology advances, you know, stuff that was theoretical, you know, breaking hashing functions that was, you know, considered theoretical at the time. Now we can do it with ease.
GRAHAM CLULEY. Yeah. So, Carole, you click through on that Twitch link, which I've put in the notes just to see. Now, can you by any chance make out with your squinty little eyes, can you see what they're saying on that webpage?
CAROLE THERIAULT. Where it says, 'Twitch is where millions of people come together.' That one? No, no, no. Above that. Above that.
GRAHAM CLULEY. Oh, 'We saved you a seat in chat.' Can you just about see that text? Just. So I was right.
CAROLE THERIAULT. It is about 48 to 56 point font. It's huge.
GRAHAM CLULEY. It's absolutely huge. I've never seen a webpage with such large fonts as this one.
CAROLE THERIAULT. I've never even seen a presentation given have it in a PowerPoint with this sized font.
GRAHAM CLULEY. But, but as Iain says, if you had a 4K high-definition webcam, which more and more people are beginning to do because they want to look their best when they're doing their video conferencing, then the potential does begin to creep in. And this technological advance, I mean, this isn't the first time that we've seen reflections leaking information. Back in 2019, I wrote about an obsessed fan of a J-pop pop star. And what he did was he assaulted her after he worked out where she lived by zooming in on reflections.
IAIN THOMSON. I remember that case. That was creepy as all hell. Yeah.
GRAHAM CLULEY. He zoomed in the reflections of her eyeballs in selfies she'd posted on social media. And obviously she'd used a good camera to look good, or a fancy smartphone. And from that, he was able to work out where she lived.
CAROLE THERIAULT. Jesus Christ, you cannot win. You cannot win. You use your eyeballs. They're using your eyeball reflections. You wear sunglasses. Glasses with mirrors, well, you're screwed there too. You have glass with reflections.
GRAHAM CLULEY. Well, it turns out you can win. It turns out you can win. Because there is a mitigation. There is a mitigation, right? Okay. Although these boffins have worked out, well, they can read some text, and at the moment it has to be quite big text, but that may change in the future. Although they are able to identify, they reckon 94%, with 94% accuracy, the top 100 websites you may have open on your computer. What they cannot cope with is a feature which is available in Zoom, but isn't available in Skype and Google Meet.
IAIN THOMSON. You know, there's a way you can blur out your background. Indeed.
GRAHAM CLULEY. Yes. Add funny effects. It's like a filter.
IAIN THOMSON. Very, very useful. Yes.
GRAHAM CLULEY. Well, it turns out it does have a use because there is a feature to add cartoon glasses to yourself, which are opaque, like cartoon sunglasses. Oh my God.
CAROLE THERIAULT. And that— You see, I don't know.
IAIN THOMSON. I don't know. Isn't that going to turn people off? Because, you know, if there's one thing about video conferencing, it's eye contact.
GRAHAM CLULEY. And, you know, it's very important, so. That's true.
CAROLE THERIAULT. What if you wore those glasses with the fake eyes on them? Little pieces of cardboard you used to get. Oh, yes. You know, they had little pinholes in the middle, so you wouldn't be able to, you know, they wouldn't be able to read your face. You would look natural.
GRAHAM CLULEY. You'd look completely normal, yes. You'd look completely normal. Well, the Boffins reckon that in time, maybe the video conferencing manufacturers will do some sort of artificial intelligence, work out where your eyes are, your glasses are, and apply a Gaussian filter to blur out that area. But I can understand if a politician were using these services, you might want to do that. But do the rest of us have to really worry about this?
CAROLE THERIAULT. It depends how much pogo sticking you work.
IAIN THOMSON. That's your excuse and you're sticking to it, isn't it?
GRAHAM CLULEY. Iain, what have you got for us this week?
IAIN THOMSON. Okay. Well, it's a doubleheader, really. Last week, Uber suffered yet another data breach, and I was talking to an ex-Uber security person, and they were just saying, we warned them about this in 2017. We warned them about this in 2020. And no, you know, basically, apparently, and I can't confirm this, but the person who was responsible for dealing with the earlier big breach is now the global head of PR. And, um— That's a lateral move. Oh no, but in terms of sort of the communications of the last data breach, he's now the global head of PR for the company. And the tactics haven't changed. It's basically say nothing other than, you know, we've had a bit of a problem. Everything's fine. Wall Street, calm down. And—
GRAHAM CLULEY. Really tight smile. Yeah. I have seen on LinkedIn that they are currently looking for a large number of people to join their security department.
IAIN THOMSON. Yeah. I mean, it's, it's the classic horse stable gate situation. And to be honest, with those job adverts, I think it's more down to the insurance company is insisting that they hire more people rather than they've suddenly found a, you've got a newfound interest in security. But yeah, they're just, I mean, there was that. And then yesterday we had Rockstar and Grand Theft Auto and somebody grand thefted them. And it's apparently the same person. Now, we all know online personas can be entirely made up from whole cloth, but the fact that both Uber and Rockstar are saying it's the same person is really rather interesting. Yeah. In terms of the actual data itself, there doesn't appear to have been any ransom demand, or at least they haven't mentioned any ransom demand in neither of the companies. So is this just somebody pranking around or— I mean, if I was at the SEC, I'd be looking into who's got you know, share trading options on both of these companies. I had a quick look at the stock price. They've only dropped a couple of dollars because Wall Street's used to this.
GRAHAM CLULEY. But yeah, the motivation is weird. So maybe the hackers haven't thought of a way to actually monetize it. Maybe they can't think, well, who would we sell this data to? But isn't it fun? It's a bit like the old LulzSec days, isn't it, of doing it for the laughs and embarrassing the big corporation, which might suggest it is kids or people at least who have an immature attitude rather than a more entrepreneurial streak in them.
CAROLE THERIAULT. Just because they don't ask for cash?
GRAHAM CLULEY. Well, at the very least, you'd think normally a criminal hack like this, they would attempt to extort some money, but maybe they're more—
CAROLE THERIAULT. Maybe they're in the beta phase.
IAIN THOMSON. Well, I mean, if maybe that maybe they're just trying it out, but I've got to say, that's two very high-profile targets and a lot of heat to bring down on the back of your neck. And so, you know, if you're just doing this for the lulz, then it's going to be a very short career path.
GRAHAM CLULEY. I mean, so do we know that, uh, they were hacked in a similar fashion? Because as I read it, Uber, one of the methods which was used was a sort of barrage of push, uh, 2FA notifications going to maybe someone, uh, one of their employees who eventually got their account hacked.
IAIN THOMSON. An external contractor, in fact. Yes. Oh, was it? Right. Yeah. So basically they got into the contractor's account and then used that to, to get it, get past two-factor and get into the network and look around that way. Yeah. That's at least what Uber is saying at the time. So, I mean, there was that and there's a strong element of social engineering in all of these attacks, right? Um, I mean, we remember Kevin Mitnick, and one of the strongest things in his arsenal was social engineering, and it appears this has been done in the same way. But at the moment, you know what these companies are like, they're not going to tell anything because they're under liability, you know, actual liability at the moment.
GRAHAM CLULEY. Um, but what we do know is there's a lot of information which— I mean, certainly the Uber database, I think, has been offered for sale on underground forums, although I don't know if anyone's going to buy it or not. But The Grand Theft Auto thing, that's interesting because it appears that maybe code and video source code. I mean, that's like, yeah, that's a, that's a game, a video game, which hasn't come out yet, isn't it? But it's obviously going to be a big deal when it eventually does come out. And it seems to have been leaked online. And so all the gaming mags are now talking about it.
IAIN THOMSON. Yes. I mean, it's one of those franchises. It's sort of, it was a fantastic game just before the internet and then it's really glommed onto the internet and become this huge thing. So there's a mass amount of interest, which again brings me back to why are they not trying to monetize this? Is this really kids? It's with the Uber thing. The most worrying thing for me out of that, I mean, yeah, everyone's going to get hacked. Don't worry about it. But apparently it was 1.1 petabytes of data that they got a hold of. Now, how the hell do you get that amount of data out of an organization without them noticing? You know? Yeah, it's kind of scary. You can't call up IT and say, 'Oi, Bob. Yeah. I'm just doing a quick backup. So then this network channel is going to be needed for the next, you know, couple of days.' It's just insane. That is extraordinary, isn't it?
CAROLE THERIAULT. So customers of Uber, right? People like the millions and millions of people who have the apps on their phone and have— they've shared their billing information. Are they at risk in any way?
IAIN THOMSON. It doesn't appear so at this stage. And I was feeling kind of smug because I have never and will never use Uber. But yeah, the customer information appears to be okay. So they're safe. Well, what they said in the initial statement was location data hadn't been lost. Payment information at this stage doesn't appear to have been lost. But with that amount of data, there's going to be an awful lot of leakage if somebody has the time, patience, and, you know, desperation to actually go through it.
GRAHAM CLULEY. And hard drive space as well, of course. Where are they going to store the information?
IAIN THOMSON. That's the other challenge.
GRAHAM CLULEY. Carole, what have you got for us this week?
CAROLE THERIAULT. Well, gentlemen, it is Cybersecurity Month in October, so it's almost upon us. And since 2004, the President of the United States and Congress have declared October to be this month, helping individuals protect themselves online as, you know, threats to technology and all this become more commonplace. And, you know, we are always talking on this show about threats that are happening right now, like the Uber hack, for example. We talk about crypto scams and ransomware and massive data leaks. So I thought I would have a snoop around to see if anyone has recently posted a kind of crystal ball article to warn us what's around the corner. And lo and behold, I found one written by Danny Palmer at ZDNet. So I wanted to see if you two— actually, we could start a game. What do you think is on the list? I've got 4 items on this list.
GRAHAM CLULEY. What, these are sort of new threats or things which are going to become a big deal?
CAROLE THERIAULT. Yeah, technologies that we're looking at that could be used for bad purposes, and we can see angles as to why that might be.
GRAHAM CLULEY. So would things like deepfakes, would that be a new thing?
CAROLE THERIAULT. Yes, let's start there.
IAIN THOMSON. I think that's your starter for 10, to be quite frank. Let's start with deepfakes.
CAROLE THERIAULT. It's on the list. OK, so of course, we've already seen these in use. We've seen them used in political misinformation campaigns and pranks to fool politicians, and fraud attacks with cybercriminals using deepfake audio and even video to convince employees to authorize significant financial transfers to the accounts owned by the attackers. And they're getting more difficult to spot all the time. Like today, if one of you had a boss and you got a call from the boss in their actual voice telling you to do something, would you do it? And the answer is probably yes.
IAIN THOMSON. Well, I don't know. I, I, okay. The Reg is, is highly security conscious and we've got a great IT manager. When I just, just after I joined, I left my laptop, uh, somewhere at the RSA conference, ironically enough. Um, and freaked out. Exactly. Seriously, a month, a month into the job, I was freaking out big style. Um, anyway, so I call, I basically sent an email to our IT manager saying, I've lost my laptop, locked down all my accounts, the rest of it. Got an email back, not a problem, done. However, I then went back, found the laptop. I'd left it at the EFF stand of all places. And they were just like, we were expecting you. Here you go. It was, oh wow. Got in contact with the IT manager and he was just like, look, it's, I can't reactivate you because I've only met you once. I don't know the sound of your voice. You're going to need to go into the office and speak to, you know, speak to our then editor, rig, and he's gonna have to call me because I know who he is. It's that level of security. And it seems these, you know, companies aren't taking this seriously.
CAROLE THERIAULT. He's one in a million though. That's rare. Oh, it seems very good.
IAIN THOMSON. Yeah, he was— yeah, Marco, perfect example of a security manager, you know, hates people, just sits in his apartment in Italy and manages the RIT network tour like a dream. Wow. That is—
CAROLE THERIAULT. well, high five to Marco. But we can see that deepfakes are probably likely become a big problem, especially misinformation. Yes. Right. For politicians. Yeah.
IAIN THOMSON. It's really scary, particularly with, you know, we're heading up to an election here in the US and the midterms are going to be very interesting. And this kind of stuff. Yeah. Terry Pratchett had the wonderful phrase, you know, a lie can go around the world 3 times before the truth's got its boots on. You know, I mean, it's like these things are becoming more and more convincing. And it's not just business email compromise, it's political campaigning.
GRAHAM CLULEY. Yep. Manipulated media. Yeah. Yep.
CAROLE THERIAULT. Alright, so we try for another one. What else is on the list? We've had deepfakes.
GRAHAM CLULEY. I said deepfakes, Iain, so it's your go.
CAROLE THERIAULT. Yes, okay, 1 point to you, Graham.
IAIN THOMSON. Yeah, okay. I was gonna say, so, I don't know. I think business email compromise should— If it isn't on the list, it damn well should be.
CAROLE THERIAULT. Well, it's more technology, so— Oh, I would say—
IAIN THOMSON. Ah, in that case. I would say biometrics.
CAROLE THERIAULT. Interesting, not on the list. Really? So, sorry.
IAIN THOMSON. We've been able to recreate fingerprints for, you know, plastic fingers from fingerprints for years now.
CAROLE THERIAULT. How is that? Yeah, that's true.
GRAHAM CLULEY. That's a very— Come on, Danny, why didn't you mention this in your article?
CAROLE THERIAULT. Well, I'll give you guys one for free, another one. So, another obvious one is IoT, right? Oh, okay, yeah. And it's more about the networking of IoT as well. So, you know, we have this massive race to connect all our devices, you know, our homes, our workplace networks, and this increased level of networking also creates a larger attack surface for criminals to exploit.
IAIN THOMSON. And a huge botnet potential as well in terms of, you know, you don't have to take over anyone's computer, you just take over their so-called smart device.
CAROLE THERIAULT. If you think about it, and you think of all the manufacturers from, you know, smart washing machines to ping pong sticks, you know, they get smarter at including more robust security features into their devices, but there's millions and millions of IoT devices out there that lack security. What's a ping pong stick? Oh, I meant pogo stick. I was basically being polite for vibrator.
GRAHAM CLULEY. I think— But I said ping pong.
IAIN THOMSON. I thought I was going to be too rude for this show, but no. Once again, Carole has trumped us.
GRAHAM CLULEY. Okay, excellent. Okay, so do you need a third one? I've got a possible one. Yeah. I'm just thinking of the whole clusterfuck, which is NFT, cryptocurrency, cryptocurrency blockchain bollocks? No.
CAROLE THERIAULT. No, that's not there? Yes, it is, but in a different way. It's under quantum computing.
GRAHAM CLULEY. Oh yes, quantum computing. Yes, yeah, yeah, yeah. Potential threat, yep, I understand that.
CAROLE THERIAULT. Let me take a few minutes just to explain it, 'cause it is fairly new technology, but it seems we're at the cusp of quantum computing, right? So Bob Sutor, and check out this guy's job title, Chief Quantum Exponent at IBM.
IAIN THOMSON. I'm sorry, the minute you hear a title like that, you just think wanker.
CAROLE THERIAULT. And he says, quote, quantum computing is our way of emulating nature to solve extraordinarily difficult problems and to make them tractable. So basically, quantum computers come in various shapes and forms, but they're all built on the same principle, that they host a quantum processor where quantum particles can be isolated for engineers to manipulate. And what makes this super sexy for people is that quantum particles can hold immense potential for processing super large amounts of information. And we're talking like in a few minutes answering the problems that today's most powerful supercomputers can't solve in 1,000 years, ranging from modeling hurricanes all the way to cracking the cryptography keys protecting the most sensitive government secrets.
GRAHAM CLULEY. Yes, which would be bad. Which would be bad. Because obviously we are all well-vested in current encryption and cryptography, and we don't want people being able to unlock that. However, how successful have we been so far in building quantum computers? Have we really made any progress on that?
CAROLE THERIAULT. We have made a lot of progress on it, but it is still extremely expensive. And there's still a lot of expertise required to develop, you know, it's restricted to basically large tech companies, research institutions, governments.
GRAHAM CLULEY. Because if no one's done it yet, if no one's actually cracked the encryption of all these things that we rely upon yet, then I could have suggested as, oh, I'll tell you a threat in the future, Kieron, and that is magic. I am going to invent a device which can just do magical things which break security. I'm not saying that they won't be able to do this, but until we actually see someone do it—
IAIN THOMSON. I mean, maybe I'm not being quite empathetic enough, but I'm guessing you're a sceptic on this, Graham.
CAROLE THERIAULT. He mostly moans these days, so.
IAIN THOMSON. Well, his private life is his own concern, but I mean, no, I mean, it's, no, I mean, at the end of the day, I am a quantum skeptic to the extent that I've been barraged with press releases about this for the last 5 years. Yes. And we're always a few years away. It's like fusion, but on a shorter timescale.
CAROLE THERIAULT. But if someone could get access to a quantum system, right? Okay, this is an if, this is a big if, and say then decided to plant crypto mining malware on one of these machines, coins, they could get very, very rich very, very quickly at almost no cost to themselves. That's one of the arguments made in the article.
GRAHAM CLULEY. Well, if— Oh yeah, of course if, sure. If these things existed, if I had a magical ping pong stick, I could go around the world or something. I mean, it's— I just want to see it. I just want to see it.
IAIN THOMSON. You know, I mean, it's one of those things which I honestly think will come but isn't even close to being there. I think the real power from a security perspective with quantum computing is in point-to-point communications that are absolutely secure because if anybody tries to get into those, it immediately changes the flow of data and it's instantly noticeable. So that kind of thing I can, I can get behind. But all this quantum computing is gonna break all the encryption algorithms, show me the money. And the fact is, okay, you know, it's like, and the people who— honestly, it'll happen, and it'll happen a couple of years before anyone knows about it because, yeah, the NSA, the Chinese, the Russians, the British, yeah, they're not going to be advertising. No, exactly.
GRAHAM CLULEY. They'll be able to break into your computer to stop you from reporting about it. That's the thing.
IAIN THOMSON. Well, I did go— I've— Google reminded me of a photo from a few years back when we did work in the office. I'd gone away on holiday, uh, left my laptop in the office, my work laptop in the office, locked down, came back, and somebody had written NSA was here underneath laptop, so when I moved it, it was just—
CAROLE THERIAULT. Hey, actually, sorry, I'm changing the subject slightly here, but Iain, you are right, actually. My last point does include business email compromise. So well done. And that's under the heading of machine learning and of course the infamous AI. So we talk a lot about that stuff, so we're not gonna go into any background, but the idea is that once AI becomes more widely available, what would cyber criminals perhaps wanna make use of it for? And Mikko Hyppönen, Hip hip.
IAIN THOMSON. Absolute badass. Finn. He's a marvelous bloke, isn't he? Yeah.
CAROLE THERIAULT. So he was quoted as saying, Mikko, hip replacement.
GRAHAM CLULEY. Ouch.
CAROLE THERIAULT. We will start seeing malware campaigns, ransomware operations and phishing campaigns being run totally automated by machine learning frameworks. So, like, think about a text-based generation algorithm to send out and reply to common spam emails or BECs, business email compromise campaigns.
IAIN THOMSON. Yeah, it's, it's going to be a huge issue. And I think we're also missing out on the personal side of it. I think a lot of people are going to be targeted if you've got a lot of video online. It's like the sextortion campaigns all over again. It would be relatively— if somebody, you know, with the generation that's now putting their entire lives online, that data could be used to build a deepfake and then blackmail that person, particularly if they're, you know, high-earning Instagram influencer or whatever. Whatever the job title is these days for being a public person.
CAROLE THERIAULT. Well, the good news is the U.S. government is spending billions and billions on cyber. There are all these bills in to provide more funding for it, and according to Hacker News, collectively the current bills that are making their way through the House allocate a staggering $15.6 billion to cybersecurity spending. Yes, I'm— there's a few winners here.
IAIN THOMSON. Yeah, uh, what the— with the big winners being the security industry, the big losers will be the actual end users, because I honestly don't think this is going to do a thing. I mean, we saw Mudge's testimony about Twitter, uh, in Congress last week, and basically the most telling thing for me from that was that companies, yeah, they talk the security game, but for them, you know, if the SEC comes calling or the FTC, it's a cost of business issue if they suffer a security failing. One of the things he said was they were terrified of French regulators because they followed up, but with American regulators, no teeth, nothing. So I think this is a huge government boondoggle to the security industry and the tech industry in general, but I can't see it improving things until regulators get some teeth.
CAROLE THERIAULT. Yeah, but I think it does mean that there's going to be a lot of hiring out there, and any company obviously already authorized to sell services and products to the government are going to have— are in for an excellent 2023 and '24, I'm guessing.
IAIN THOMSON. Well, kind of. There was an executive order and a follow-up piece by the US government saying if you're selling to a federal agency, you need to give us an assurance that all this, you know, your software is patched. If there is a problem, you know, you have a remediation strategy in place. And if you're using open source software, it has been independently checked by a third party to make sure it's secure. So they are spending the money. They are being a little smarter in how they spend it. You know, you've got to insist on a certain level of security. But at the end of the day, until companies are forced by regulation to actually sort this stuff out, then it's just gonna be window dressing.
CAROLE THERIAULT. I agree. And anything that helps us navigate this new quantum-y, IoT-riddled, deepfake-rich world that we're screaming towards is good for me. I mean, a quick question.
IAIN THOMSON. Do either of you have smart, so-called smart devices in your home? I do now.
GRAHAM CLULEY. I do, yes. Yes. Really? Yeah.
IAIN THOMSON. Okay. You gave in. Do you have any? Oh God, no. Nothing like that. You know, it's— No, man. Nothing.
CAROLE THERIAULT. Yeah, I have one that I can think of, actually.
IAIN THOMSON. I mean, it's always— I mean, I even have voice activation on my phone turned off.
GRAHAM CLULEY. Oh yeah.
IAIN THOMSON. Yeah, so do I. Every time you said okay and the phone lit up and it was just like, oh, for God's sake, stop listening.
CAROLE THERIAULT. He uses an Android, everybody.
GRAHAM CLULEY. Show sponsor Pentera is taking a whole new approach to penetration testing, allowing every organization to continuously test the integrity of all cybersecurity layers, including against ransomware and leveraging leaked credentials by emulating real-world attacks at scale all day, every day. This approach helps security teams across the globe to cope with one of today's top security challenges: the growing digital footprint of the enterprise. To help out, Pentera security experts are sharing with us a few tips on how to identify your exploitable attack surface. So here is tip number 1. Pentera recommends always taking the adversarial perspective. The best way to find exploitable vulnerabilities is to, well, exploit them. From here, security teams can hand over remediation requests to IT that are based on true business impact. Find out more by going to smashingsecurity.com/penterra. That's smashingsecurity.com/penterra. And thanks to Pentera for sponsoring the show.
CAROLE THERIAULT. Smashing Security listeners, did you know that Bitwarden is the only open-source cross-platform password manager that can be used at home, on the go or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds, and every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access, and it's easy to set up, it's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user. Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY. Kolide sends employees important, timely, and relevant security recommendations for their Linux, Mac, and Windows devices right inside Slack. Kolide is perfect for organizations that care deeply about compliance and security, but don't want to get there by locking down devices to the point where they become unusable. So instead of frustrating your employee, Kolide educates them about security and device management while directing them to fix important problems. Sign up today by visiting smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. Enter your email when prompted, and you will receive a free Kolide goodie bag after your trial activates. You can try Kolide with all of its features on an unlimited number of devices for free, no credit card required. Try it out at smashingsecurity.com/kolide. That's smashingsecurity.com/kolide. And thanks to Kolide for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something like, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Well, mine is not security related this week. Not really. I was sat down, my son was, he said, "Oh, I wanna watch something on TV." And I said, "Okay, what do you wanna watch?" He said, "Oh, I wanna watch the new Lord of the Rings show on Amazon." I said, "All right, yeah, okay." That's fine. And so he starts watching this Lord of the Rings. Oh my God. Have you ever— have you watched it?
IAIN THOMSON. No, absolutely not. Blimey. It's that bad? Oh, it's so bad.
GRAHAM CLULEY. I think it's the most— I think it's the most expensive TV show ever made. You'd have thought they could have afforded someone to actually write a script. It is so— it's the most tedious, boring thing imaginable. Anyway, after about 3 and a half episodes, I noticed he was beginning to eat the carpet just out of boredom. I said—
CAROLE THERIAULT. Oh, he found it boring as well?
GRAHAM CLULEY. Oh yes, yeah, he found it boring. He was going, "Oh, it's so boring." And I said, "Look, look, why don't you stop watching it if it's boring and find something else you'd rather watch?" Oh, was it hard being around someone who was moaning? Cheeky. And what we did was we came across a show, a film, a movie I believe they're called, on Netflix called The Mitchells vs. the Machines. Which is much, much better than the new Lord of the Rings TV show. Okay. And The Mitchells vs. the Machines is one of these animated comedy movie things for all of the family. It's just standard robot apocalypse, putting the brakes on a family.
IAIN THOMSON. Standard robot apocalypse. Fun for all the family.
GRAHAM CLULEY. Well, the family in this case, the Mitchells, they're on a cross-country road trip. And the robot apocalypse gets in their way and tries to ruin it for them. And it's actually pretty funny. And I enjoyed it greatly. It features a generation gap between a dad who's useless with technology and hates screens and his daughter, who of course loves them. And there's a pug dog as well.
IAIN THOMSON. We all like pug dogs. Some people do.
GRAHAM CLULEY. This one is quite adorable, to be fair, Iain. I think you have to see the movie first. There's an Elon Musk, Steve Jobs-like character at the heart of it. Cool. And the robots obviously take over. Anyway, it's great fun. Has a lovely message behind it. It was very funny. And I think most people haven't heard of it. So I would recommend— Oh, it also has the Furbies.
IAIN THOMSON. Remember Furbies from the— Oh yes. They were a security risk at one point. You remember? They were banned. Stupid security risk. But even so, I mean, if Snowden can get data out of the NSA with a Rubik's Cube, then a Furby is the least of your problems.
GRAHAM CLULEY. Anyway, I would recommend to people of all ages, if there's a child inside you, if you're a child at heart, this, you may enjoy this. My son said he enjoyed it and I enjoyed it. The Mitchells vs. the Machines on Netflix is my pick of the week.
SPEAKER_03. Cool. I'll check it out. Marvellous.
GRAHAM CLULEY. Iain, what's your pick of the week?
IAIN THOMSON. My pick of the week is, okay, tangentially security related, but at the same time, I'm a huge space geek. And this is a really, really exciting story. Okay. Okay. Allow it. Um, NASA is about to smash a spacecraft into an asteroid in the next— in 6 days' time. The DART mission. Um, basically it's a test to see whether we could deflect a planet-killing asteroid, uh, that we knew was approaching the Earth. So they've sent out the spacecraft, the DART spacecraft, and, um, they're going to— it's got— carrying a CubeSat sat on its back. So the spacecraft will accelerate towards this asteroid, which is a really weird system. It's a big asteroid. If it hit Earth, we'd have a major problem, but it's orbited by a very small moon. Oh yeah, about, you know, 500 feet across, which is another asteroid which has glommed around it and is now orbiting it. So NASA's plan is fire the spacecraft into this small moon, leave a CubeSat behind to record what happens, and see if you can deflect an asteroid and how much power and how much speed you would need to nudge it.
GRAHAM CLULEY. What could possibly go wrong here? What? No?
IAIN THOMSON. Are we all right? Oh, no, no. I have spoken to someone at NASA. They are hypersensitive about this because in PR disaster terms, that's the killer. It's just like, yeah, we did this thing and now you're all gonna die. But no, no, they're very careful about it. But it's crucial because we are going to get hit by a very large asteroid at some point in the next, you know, 100 million years or so, statistically. And if we're looking to build a long-term civilization, I mean really long-term, then you've either got to get populations on other planets. Well, you have to get populations on other planets because sooner or later the Earth is gonna get hit. And this is a really important test to see whether we could deflect this stuff. I mean, I hated Armageddon. Armageddon is one of my all-time hated, most hated films. But, you know, there is a serious issue behind this. Incidentally, NASA uses Armageddon as part of its interview training, and they ask people to look for scientific inaccuracies in the film. My understanding is the record at the moment is 168. Wow. That's cool.
CAROLE THERIAULT. So you're gonna be glued to this next, in 6 days' time.
IAIN THOMSON. Well, we're gonna get images back, but because of the distances involved and the hardware involved— Oh, of course. It's going to take weeks or months before we get the video back. That's gonna be absolutely on tenterhooks.
GRAHAM CLULEY. He's not actually gonna be glued to it. No, Carole, just to be clear.
IAIN THOMSON. Well, breathing might be a bit difficult, but you know, compared to the standard United Airlines seat, then that would be, you know, somewhat luxurious.
GRAHAM CLULEY. Fantastic. So that's NASA's DART mission. People can read up more about that in the show notes. Carole, what's your pick of the week?
CAROLE THERIAULT. I have a very unusual one this week. So I was in the Cotswolds recently. This is a lovely part of England near Oxford, and I was on a hike, and we were walking by a number of bus stops, as one does, and every single bus stop in the area had a defibrillator in the bus stop. Really?
GRAHAM CLULEY. Yeah. Is that because people would have a heart attack if a bus actually showed up in the Cotswolds?
CAROLE THERIAULT. Defibrillators save lives, right? The latest research shows that accessing these devices within 3 to 5 minutes of a cardiac arrest increases the chance of survival by 40%. That's pretty good odds. That's good. 3 to 5 minutes though is pretty short, right? That ain't long. So say you or a loved one has a— gets into a cardiac pickle, wouldn't it be great that there was one nearby? So I started wondering, is there— where's my nearest defibrillator? Oh yeah. Well, I have one about 3 minutes' walk away, but it's inside a store, not outside. So as long as someone has a cardiac event during business hours, this could be okay. Though perhaps they may restrict it to customers only, like a parking spot. I'm sorry, have you, can I see proof of purchase?
GRAHAM CLULEY. A bit like going to the loo, you mean. Yes. Could you buy a coffee first?
CAROLE THERIAULT. Yes. Anyway, so I looked around my neighborhood, didn't see any external defibrillators anywhere. That doesn't mean there isn't one, but I certainly couldn't find one. So then I thought there must be a service online, which there is, and it's called The Circuit in the UK. And this is like a map service where you can find out where the closest defibrillator is working right now, like available to you right now, because some are in stores, so they're only available during certain hours. Right. Now the problem is that lots of people apparently have defibrillators, businesses and organizations and even individuals, but they're not registered. So if they're not registered in the UK on The Circuit, then there's no defibrillator information logged in the system. So this is where I am now. I'm thinking, how do I get one for my local community? Right? So of course, any advice from listeners greatly appreciated, because I do have a lot of old neighbors around here, some of them in pretty poor health, and this could be a serious lifesaver. So apparently you can apply for a community public access defibrillator, which is what I think they have in Wales. It's called a CPAD. And this is available to members of the public 24 hours a day. And there's a fee, but it looks like you can get a pretty good discount through the British Heart Foundation charity. Prices for buying one of these things seem to range between like 600 and 1,500 quid. No idea if the price difference means one saves you better than the other. No idea. But I don't understand why there isn't one on every block in UK cities. I mean—
IAIN THOMSON. Yeah, I mean, I'm kind of, I'm on the fence about this because I'm probably the only person on the podcast who's qualified to use one of these things because I've had to do training on it for, I'm a member of the emergency response team here and they do take training to use. Having the defibrillator itself is not enough.
CAROLE THERIAULT. Well, the CPAD ones seem to be like, they will, they can be run by any individual, right? And they have like spoken instructions as they go through.
IAIN THOMSON. Oh, spoken instructions. Okay.
CAROLE THERIAULT. I hadn't heard about those. And they can't, you know, they will detect the anomaly before anything happens. So it's not like you can just go and charge it and run it on anybody. They are smart, almost like smart seatbelts. Internet connected. I have no idea. I have no idea. But yeah, so there's like, anyway, I have to do more research on this, but it just seems to me this is a cost-effective way, and if we had one nearby, so I'm gonna look into it and let you know how I get on. And that's my tip of the week.
GRAHAM CLULEY. Defibrillators. Oh, interesting. So Carole, you've been speaking to one of Bitwarden's customers this week.
CAROLE THERIAULT. Yes, I spoke with Sal Aurigemma from the University of Tulsa. Fascinating chat and guy, take a listen. So gorgeous, wonderful listeners of Smashing Security, we have the faculty director of the University of Tulsa's Masters of Cybersecurity degree program. What a title. Sal Aurigemma. Welcome to the show, Sal.
SPEAKER_03. I'm really glad to be here. Thanks, Carole Theriault.
CAROLE THERIAULT. Could I say your last name properly?
SPEAKER_03. Help me. Not even close.
CAROLE THERIAULT. Aurigemma. Aurigemma. Yeah. Aurigemma. See, now we, we should start with your background, Sal. So maybe we should introduce you to all our listeners. So how did you end up at the University of Tulsa? Tell us about your background.
SPEAKER_03. Oh, okay. Well, uh, I didn't plan on getting there. Uh, I joined the Navy right out of my undergraduate. I have an undergraduate degree in nuclear engineering. It's not a growth industry. So I graduated University of Florida, nuclear engineering degree, went into the Navy as a submariner. Uh, spent about 10 years on active duty and then I transferred over to the intel community. Security, and then I was a reservist for another 10, 11 years. And as I left active duty to go into civilian life, I went and got my master's in information systems so I could transition into the IT field, thinking, well, that's a job that's never going away. And I was right on that one prediction. Pretty much if you're in IT, you have a job until you die, although it could be the reason you die. After I worked for about a decade in IT, and I did things, system architecture, project management, ended up doing a lot of network and security-related projects and items. I actually was deployed to Afghanistan for a year. I didn't love it so much. When I came back, I said, you know, I'm gonna, I'm gonna do what I always wanted to do, which is go get my PhD. I did that at the University of Hawaii and graduated 2013, and then I went to University of Tulsa, which is well known for their cybersecurity education. I was really excited to join the faculty there, and that's where I've been since. And I just transitioned to the faculty director for our online master's cybersecurity program.
CAROLE THERIAULT. Wow. Okay. So, so now at the University of Tulsa, like, and you're working in cybersecurity, what are your main focuses? I just love this inside look, you know?
SPEAKER_03. Well, we have faculty that cover the entire spectrum of cybersecurity research. I primarily focus on behavioral information security. I really want to understand from the employee or the end user, like every, you know, you and I, what motivates us to actually take those security actions that we know we should, or what stops us from doing it when we know we should. Now, if we don't know we should, that's, that's a different scenario. That's an education and awareness thing. But if we're getting that education awareness or reading it in the news, why aren't we taking the steps that, you know, should be universally understood as necessary to protect ourselves? And then we have other faculty in the program, like I said, that, you know, everything from blockchain to network security to cybersecurity economics. We've got a very diverse, excellent faculty at the University of Tulsa.
CAROLE THERIAULT. Okay. So, human behavior. Tell me about human behavior and the disconnect that we might have with technology. Have you seen any of those in your research? Well, sure.
SPEAKER_03. And you know, what it comes down to is, is I can pretty much predict what a computer's going to do because I can tell it what to do. And then if it doesn't, I could reprogram it, right? Or if it really, really doesn't do what it's supposed to do, I throw it away and get a new one. Um, cannot do that with humans. That's illegal. Also, there's a whole lot more factors on the human perspective that, that aren't, you know, inputs, outputs, and processing like you have for a computer. There's just a whole bunch of different variables that from different parts of that end user or employee's life that can impact their ability to follow through on security-related actions. I mean, you know, probably the biggest thing we hear when we talk to folks about, hey, so we just trained you on this use of, let's say, a password manager, two-factor, or some other security tool. How come you didn't use it? And almost, I won't say almost universally, I'll say very high up on the scale, right? So I didn't have enough time to do it. And you go, well, are you sure you didn't have enough time to do it? They're like, oh yeah, I didn't have enough time to do it. Well, you were at work and they paid you to do it. And then when it's an end user, like especially my students in my classes, I go, hey, why didn't you do it? Oh, I didn't have enough time. Oh, let's take time right now in class to do it. And when you take away that, that I'll call it an excuse of not enough time, then you start to get into, well, when I say I didn't have enough time, what I meant was, I really don't know how to do it, or I'm not confident in this technology that this is something I should spend my time doing. And now you're getting into different types of reasons other than I don't have enough time. Now, that said, if your cybersecurity technology takes an awful lot of effort and time for the end user to bring into their life, well, that's a big problem. Right. Yeah. You've made it so hard no one wants to adopt it. That's a you problem as a technology.
CAROLE THERIAULT. Yeah, there's only so many hoops that we're all willing to go through.
SPEAKER_03. Yeah, exactly. And, you know, there's the younger generation. So we're talking like the college-age students, stuff like that. When, when I hear that they say, well, I don't have enough time, typically they have more of something what I call high-threat apathy. And so what that means is they don't have the time to do something. They don't think it really is important to them. In other words, like, yeah, I've heard about the threats out there, maybe even had some accounts compromised or heard bad things of other people, but whatevs, you know, I'm not going to do anything about them because it's just not really that pressing a matter. And those that do feel like something bad can happen to them, you know, they're like, well, I'm too insignificant a target for cybercriminals to come after. If I got hacked, well, what are they going to get? My Insta account, my email? But, you know, we know what to tell those people. The problem is we have to understand that's part of the reason why they're not adopting this technology so we can formulate our messaging better, right? And if we ignore our demographic, if we just do the same old cybersecurity training we do at every organization I've ever been at, from the military and the government to my university, where we just go, here's your training, it's good enough for everybody, and we check the box, well, then we're never really going to make progress. I think we need to understand our target audience and then tailor the message to it. And it's not really that hard. I mean, we do if-then statements in our programs all the time. Why can't we do that in our training?
CAROLE THERIAULT. You know, it's okay. This is fascinating because I'm a huge password manager fan, have been for 10 years, and it's basically because I don't remember tons of passwords that are different from each other. I just don't have the skill. Like, and I have a lot of different accounts.
SPEAKER_03. And you're not alone. Like, science has proven that we humans, except for that small percentage of savants out there, we can't create random passwords, and we sure as heck can't remember them.
CAROLE THERIAULT. Right? And then, so you've got people like me saying, oh, make sure every password is unique on every account. And someone who is not using that kind of tech will be like, well, uh, how? Have you looked into that? What are your findings on that?
SPEAKER_03. So there's, there's a couple of fields of psychology, you know, like there's negative biases that go into what people do based upon what they already know or what they think could possibly happen, right? We discussed a few of those things. What we're focusing on lately is trying to build up more on the positive psychology side where we're trying to build up the skills and resilience of end users to say, hey, if there's a problem, do I know what to do about it? Am I optimistic that I can overcome this? Because if the answer is, if I sit down with someone who's a retired couple and they're like, you know, I just don't understand the computer well enough, this isn't going to work for me. Well, you know, maybe a password manager isn't the ideal thing for you, but maybe writing it down in a book is, if you have that book available to you. But that's not the majority of people out there today, right? So really what we're trying to do is find out for different, again, different demographics and different user bases. Okay, are you a constant user of technology? Then we know password managers, we are 100% certain password managers can work for you. We just gotta get past the hurdles to get you to do it. And part of that is showing how easy it is to use. And then when there's a problem, do you have somewhere to go to? Do you have someone to talk to, to help you get through that problem? And that's, you know, that's part of the challenge too, right?
CAROLE THERIAULT. I mean— Yep. 100%. Yeah.
SPEAKER_03. So, so it sounds kind of wishy-washy, but I'll just say that first and foremost, if you don't understand the audience you're talking to, whether it's your employees, and I'm not just saying, okay, these are the people in the accounting department. I'm talking about, of the people in the accounting department, what are the individual factors? What is it about those as individuals that is either going to help or hurt them in adopting these security technologies? Well, then you haven't done the proper work to understand what your messaging should be so that it will get through and then provide them the resources they need to succeed. And that's why I like tools like Bitwarden, where, you know, hey, it's open source, but they have really great user manuals online and then they have videos that kind of help people walk through it. And whether it's that or it's two-factor authentication, I'm a huge fan of a couple of different technologies. I don't know if I'm allowed to say them on the podcast. Am I?
CAROLE THERIAULT. You can say whatever you like.
SPEAKER_03. Go for it. I love YubiKeys, right? I really do love YubiKeys because it's, once you get them set up, then they are easy to use. Now you have to get past the whole, well, especially with college students, I would actually give them out. They'll be like, well, if I don't have my keys with me, I'm like, well, when you're an adult, that problem will solve itself because you'll need to get in and out of things easier. But, you know, with the password manager thing, we have it on our phones. Well, do they know that that's available to them? Do they know how seamless it works? So when you can show people how it works, but more importantly, don't just lie about the technology and say it solves all your problems. Show what problems it solves. Show what problems it maybe doesn't solve completely. But it's better than it was before. And then I always at the end come back to, well, if you're not going to use something like a password manager to deal with all of these hundreds of accounts you have, what else are you going to do? Because the bad guys will easily figure out if you reuse a password or if you use some awful, you know, pattern based upon, you know, be careful.
CAROLE THERIAULT. 10 years ago I used a pattern.
SPEAKER_03. Yeah. Oh, I did, I did too. So here's a real-life story. When I was in the, I was working for the Department of Defense. It was a long time ago. I'm sure it's been fixed. I had hundreds of systems that fell under me as a supervisor and my technicians, right? So, and we're talking about systems on different classification levels. And then the DoD kept coming out with more and more ridiculous password change rules. Like, first it was 90 days, then it got all the way down to 45 days, and then 24 characters can't change. So what are you doing? You're creating a pattern and you're going to computer number 2 and adding a 2 to the end, right? And then you go down, right?
CAROLE THERIAULT. I did. Mine was, mine was, I live on blah blah street, right? So it would be like, I live on Google Street. And then it was, I live on Google 1 Street. I live on Google 2 Street. Literally, like, and I was a security professional. Well, yeah, embarrassing.
SPEAKER_03. Another thing that gets to another point. You're a security professional. This thing that kind of, like, security overlooks. We've understood it's been a problem for a while for those of us in security, but now I'm starting to see, like, 18, 19-year-olds or 60-year-olds telling me that, you know, they're just getting security overloaded. And I'm like, wow. So there's so many things they have to be concerned about when they go online that, you know, they just get overwhelmed, and you get to the point where you're like, well, is it even worth doing anything if the bad guys have so many ways to get me, right? And, you know, I look at it like this. There's only a few things that you or I as individuals can do to protect our data and access to our data. Everything else is up to the service provider, right? Like LinkedIn. If LinkedIn gets hacked and all the passwords get stolen, like in 2013, there was nothing we could have done about that. What can we do about it? Well, we make sure we have unique passwords, that they're strong, that we're not reusing them, things like that. And we can't do that without a tool to help us, right? Um, so use a password manager, or at least have a very good password management mechanism so that you do all the things a password manager does. But I can't imagine living without it now. I mean, all the services on my phone and my computer, there's just no way. I know 5 passwords in my memory most days, but I have like 600 accounts in my password manager.
CAROLE THERIAULT. How old are you, Sal?
SPEAKER_03. I'm 312 years old. Oh, but you know, of those 600 accounts, let's be honest, 400 of them I had to sign up to get a discount. Right. But still, you know, there's still dozens, if not 100 accounts I might use a year. And you know, if my password is, uh, "I love Smashing Security, 1 bang, bang, 3 bang", you know, after a while, the attackers only need a couple of those accounts to figure out my pattern. Right?
CAROLE THERIAULT. Is there anything you want to add before we close off?
SPEAKER_03. Well, here's what I'll say. Like, if you are not using a password manager, if you are not using two-factor authentication, if you are not patching your systems, those are the three things that you can do to protect yourself. I say number one, the number one thing is, out of all the things we've talked about, there's only one security tool that ever pays you back in the long run. And that's a password manager. Because while it is effort to set up, I have saved, I'm, I'm gonna say thousands of hours in the last 12 to 15 years using a password manager, because I didn't have to remember things, I didn't have to figure out a password, and more importantly, it logged my stuff in immediately. So there's no other security tool out there that saves you time as an individual like a password manager. So please look into it, and I do recommend Bitwarden.
CAROLE THERIAULT. Yes, so do I. So if you want to learn more about password managers and how to secure your private information, and I agree with Sal 100%, like, once it's set up, it's gold, okay, visit bitwarden.com/smashing. That's bitwarden.com/smashing. And Sal Aurigemma, did I do well there? Great job. Thank you. Faculty director of the University of Tulsa's master's cybersecurity degree program. I wish I could make that tighter. Thank you so much for coming on the show.
GRAHAM CLULEY. It was a total pleasure to speak with you.
SPEAKER_03. Well, after the hundreds of shows I've listened to in the past, I'm super excited to have been part of your show. Oh, what an answer.
GRAHAM CLULEY. Thanks, Sal. Great stuff. Well, that just about wraps up the show for this week. Iain, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
IAIN THOMSON. Oh, I'm old school, I'm afraid. So I'm on Twitter, @iainthomson on Twitter. And it's a really odd spelling because my parents are bastards, but we've had words about this. So it's I-A-I-N and then Thomson without a P. And believe me, the jokes that were made at school about Thomson without a P were really quite savage.
GRAHAM CLULEY. And you can follow us on Twitter, @SmashinSecurity, no G, Twitter won't allow us to have a G, and we also have a Smashing Security subreddit. And don't forget, to ensure you never miss another episode, I recommend following Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT. And a huge, huge thank you to this episode's sponsors. That's Kolide, Pentera, and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 289 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
IAIN THOMSON. Bye. Bye.
CAROLE THERIAULT. Oh, Iain, it was so great having you on. Great chatting to you. Enjoyed it.
IAIN THOMSON. I mean, it's, it's been years since I've seen you. I mean, I think decades, actually. God, yes, it is. Yeah, it is over a decade.
CAROLE THERIAULT. Fuck, we're old, right? Speak for yourself.
-- TRANSCRIPT ENDS --