
294: The Virgin trains swindler, cyber clowns, and AirTag election debacle


Someone's election-fiddling is uncovered with an Apple AirTag, a cyber scandal rocks Germany, and a swindler steals a fortune due to trains being delayed.

All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by runZero's Chris Kirsch.

Plus don't miss our featured interview with Akamai's Patrick Sullivan talking about how retailers can better thwart bots this holiday season.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Akamai – Make the most of Cybersecurity Awareness Month by connecting with Akamai’s experts on how you can achieve unmatched security. Where else can you take advantage of insights from 7 trillion DNS queries per day?

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Twitter at @SmashinSecurity, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

Privacy & Opt-Out: https://redcircle.com/privacy

Transcript

This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.



GRAHAM CLULEY. Let me get my head around this. So there is this nonprofit group called Cybersecurity Council of Germany, which isn't to be confused with the Cybersecurity Council of Germany.


CHRIS KIRSCH. Exactly.


GRAHAM CLULEY. Right. So there's two of them.


CHRIS KIRSCH. They have dashes in different places.


GRAHAM CLULEY. So Protelion, they're members of the Cybersecurity Council in Germany as well.


CAROLE THERIAULT. Yeah, but they're not part of the Cybersecurity Council in Germany.


GRAHAM CLULEY. No, no, don't get it confused with Cybersecurity Council of Germany. And there's this bigwig who somehow set up the Cybersecurity Council of Germany, not to be confused with the Cybersecurity Council of Germany.


CAROLE THERIAULT. Actually, I think he's part of both.


UNKNOWN. This is very confusing. Smashing Security, Episode 294: The Virgin Trains Swindler, Cyber Clowns, and AirTag Election Debacle with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 294. I'm Graham Cluley.


CAROLE THERIAULT. And I'm Carole Theriault.


GRAHAM CLULEY. And who have we got joining us this week, Carole, on the show?


CAROLE THERIAULT. We have the CEO of RunZero, Chris Kirsch. Welcome to the show, Chris.


CHRIS KIRSCH. Hello, and thanks for having me.


CAROLE THERIAULT. Now, last time you were on, Chris, you were the CEO of a differently named company. What's happened?


GRAHAM CLULEY. Yeah, why did you lose your job, Chris?


CAROLE THERIAULT. What happened?


CHRIS KIRSCH. It's always nice to have softball questions like that, right? No, we changed the company name from Rumble to RunZero. There is another company called Rumble that we thought would never, you know, cross our paths because they're in a very different space and they decided to go public on the NASDAQ. So we decided to rename and we're now RunZero.


GRAHAM CLULEY. So they were the right-wing porn video site or something. Is that right? Or you didn't want to be associated with them?


CAROLE THERIAULT. You said that, but it's business as usual for you guys other than the other name.


CHRIS KIRSCH. Yes, absolutely. Yeah.


GRAHAM CLULEY. And RunZero is a great name. Thank you.


CHRIS KIRSCH. Yeah. It was bloody hard to find a good name. I actually wrote a blog post about that just for any founders out there who want to, who are trying to figure out how to name their company. Um, you can find that up on our blog.


GRAHAM CLULEY. Oh, links in the show notes.


CAROLE THERIAULT. But you know what, boys? I think we digress. I think we need to kick this show off. But before we do that, we need to thank this week's sponsors, Bitwarden, Akamai, and Kolide. It's their support that helps give you the show for free. Now, coming up on today's show, Graham, what do you got?


GRAHAM CLULEY. I'm going to ask the big question, the big question being, am I a bit of an ass?


CAROLE THERIAULT. Okay, done. Okay, next. What about you, Chris?


CHRIS KIRSCH. I've got a new Cold War story for you.


CAROLE THERIAULT. Ooh, okay. And with me, we are going to be jumping on a train and hoping it arrives on time. Plus, we have a featured interview with Patrick Sullivan. He is CTO of Security Strategy at Akamai. So all this and All that and much more coming up on today's episode of Smashing Security.


GRAHAM CLULEY. Now, chums, chums, I feel like I've already shot my load on this one, but I'm going to ask the big question. Am I? No. Am I a bit of an ass? I think I might be. I think. What do you mean, yes?


CAROLE THERIAULT. I can't believe you've mentioned ass and shooting your load at the same time.


GRAHAM CLULEY. I mean, Chris, you don't know me that well. I mean, you've just heard me on the podcast. Do you think I'm a bit, you know, am I?


CHRIS KIRSCH. I do want to get invited back to the show.


GRAHAM CLULEY. Let's move on. Anyway, I'll tell you a story. I'll tell you a story about something that was happening to me a few years ago. A few years ago, I was living somewhere else and I'd take the dog out for a walk and, you know, there we go. La di da, you know, it's wonderful. And I'd go past the village notice board and there was something tacked onto the village notice board which I didn't like. I thought, I don't like that.


CAROLE THERIAULT. You're not going to tell us what it is?


GRAHAM CLULEY. All right, I'll tell you what it was. What it was was an invitation for people saying, are you interested in philosophy and economics? It said, would you like to come along to a friendly get-together where we'll have tea and coffee and cakes and we'll talk about philosophy and economics?


CHRIS KIRSCH. Do they also serve Kool-Aid?


GRAHAM CLULEY. Well, well, exactly, Chris. Exactly. I recognized what group had actually put this together.


CAROLE THERIAULT. Okay. It's not that all philosophers are Kool-Aid drinkers.


GRAHAM CLULEY. No, necessarily not. I was just making sure.


CAROLE THERIAULT. Yeah. Okay.


GRAHAM CLULEY. But I'd read a book back in the 1990s written by a couple of investigative journalists about this innocuous sounding group, which claimed to be a school of economic science. And I didn't really like what I read. And I was reading this pamphlet on the noticeboard and I thought, that's from this group. I thought, they're just claiming to be handing out orange juice and talking about philosophy, but I know it's something else. So I thought, right, I'm going to take down that poster because I don't want anyone going along to that meeting. So I would take it off the noticeboard, right? And then I'd go by again a few days later with my dog and the person had put up a new poster and stuck it on. Maybe they used staples this time. And I think, right, I'm taking that down, right? So I'd rip it off, I'd shove it down the front of my trousers, and off I'd go on my dog walk. And I'd do this every few days. I'd see another one. So there was this battle going on.


CAROLE THERIAULT. So you're wondering, because you were deciding for everybody else that this was inappropriate and you were taking it down, and it was obviously pissing off the original person, and they didn't know why you were taking it down because you hadn't contacted them to tell them anything.


GRAHAM CLULEY. I hadn't. No, 'cause I was scared.


CAROLE THERIAULT. Okay, and you're asking if you're an ass, right? Is that the question? Yes, I'm an ass. Okay, okay, okay. Yep, yep, carry on, carry on, yep.


GRAHAM CLULEY. Well, so do you think I am or not?


CAROLE THERIAULT. Graham, you're putting us in a very difficult position here. I purport to be a buddy of yours. Yes, this is the wrong show.


GRAHAM CLULEY. Well, come on. Yes, but as my buddy, you can tell me if I've been inappropriate. Anyway, I don't know whether I was right to do it or not. Yes, of course I was right to do it. But I was reminded of what I'd done when I read this story on Forbes this week about signs that some people had put up in their front gardens.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. And that evaporated. They disappeared. So, we have to travel over to North America.


CAROLE THERIAULT. Okay.


GRAHAM CLULEY. Where there is apparently an affluent suburb northwest of Philadelphia where hundreds of political campaign yard signs have been going missing. People have their yard sign up in their front garden. We don't do it as much over here in the UK. I mean, we do a bit.


CAROLE THERIAULT. We do a bit, but we tend to put them inside windows because our houses are much closer to the roads in cities, certainly.


CHRIS KIRSCH. Yeah, you don't really have a front lawn, right? Yeah.


CAROLE THERIAULT. Yeah. Yeah. Or a very small one compared to America. Yeah.


GRAHAM CLULEY. But over there in this rather schmutzy neighborhood.


CAROLE THERIAULT. Leafy.


GRAHAM CLULEY. Yeah, it's probably delightful. People put out their little things saying who they want people to vote for. They go to bed and it's still there. They wake up in the morning, it's gone. It's vanished. And some of the people who noticed that their signs had disappeared were contacting the cops to file a report saying, "Hey, you know, wait, this thing has disappeared from my front lawn." And obviously the cops leap into action. Yeah.


CAROLE THERIAULT. If you were a police officer, you'd be like, "Yes, yes. Okay, that is priority. I have a few murders, but you know what? Let me put them on ice and I'll come and deal with this." We won't worry about the Philadelphia Strangler.


GRAHAM CLULEY. He's— Yeah. We're not gonna worry about him or anything else that's going on. This is— We're gonna send some cars around. They fingerprint the place.


CAROLE THERIAULT. Yeah, priority number one. We'll be there in 5 minutes.


GRAHAM CLULEY. Yeah, yeah. Well, anyway, when people filed report, the cops said, oh yeah, yeah, we know where they are.


CAROLE THERIAULT. Oh.


GRAHAM CLULEY. Yeah. What you gotta do is go to the local strip mall, and you know where the nail bar is? Well, go behind the nail bar, and there you'll find this large dumpster. And that's where all the signs are.


CAROLE THERIAULT. Said the cops.


GRAHAM CLULEY. Said the cops. They knew where they'd gone. Not because the cops had put them there, but because someone else had already found out about them. And this information went to 75-year-old Arlene Talley, who's a member of the Chester County Democratic Committee. She was interested as to what happened to the signs. She went to where the police said. She found the dumpster, and she found 118 stolen political signs. All of them supporting Democratic candidates.


CAROLE THERIAULT. Of course.


GRAHAM CLULEY. All those you know, horrible progressive causes like reproductive rights and Black Lives Matter, or really offensive stuff. We should definitely want to clear up a sign if it was proposing that sort of— oh goodness me! Anyway, so all these signs which were obviously, you know, sort of slightly left of— well, left of right. Now, how did the cops know they were there? Well, it's because one victim had had the foresight to attach a $30 Apple AirTag to their sign, perhaps realizing—


CAROLE THERIAULT. There's the technology angle I was waiting.


GRAHAM CLULEY. Perhaps realizing that they might be stolen. Yeah.


CHRIS KIRSCH. So you remember, I think it was last time I was on, I brought you the story of how somebody sent a letter to the German intelligence services and unmasked their location and like who was connected to whom and so on, right? So guess it works all around.


GRAHAM CLULEY. That's right.


CHRIS KIRSCH. But my question though is like, if the police knew that they were in that dumpster, why didn't they just hang out by the dumpster and wait for somebody to come by to drop them off?


GRAHAM CLULEY. Because they're very busy dealing with the Strangler. I mean, it's not their— obviously their top priority. Seriously, Chris, if you were in charge of the cops, they could have gotten their nails done at the nail salon at the same time.


CHRIS KIRSCH. You know, like, it's not— it's not a hardship posting.


CAROLE THERIAULT. Exactly. And, and also, what's irritating about all this is the cops say, oh yeah, we know where they are, they're in the dumpster on 49th and 50th, or whatever, wherever it is. But then you have to go get them yourself.


CHRIS KIRSCH. Yeah.


CAROLE THERIAULT. Right? You're not—


GRAHAM CLULEY. Well, you think you should send a squad of police cars, right? And how are they going to know who to deliver them to?


CAROLE THERIAULT. Oh, I just think they— Do they know who is behind it?


GRAHAM CLULEY. They haven't found out yet. They are apparently examining CCTV footage, but so far it hasn't caught any of the troublemakers. They think— The police theory is it's mostly kids, as some homes also had their mailboxes damaged.


CAROLE THERIAULT. I can't believe someone's Google Nest or whatever, you know, Amazon Ring doorbell didn't catch these idiots.


GRAHAM CLULEY. Yeah, well, it would be good if they had, wouldn't it? It'd be good if they had. So we're all familiar with this idea of AirTags being used to help find lost items like bikes, lost luggage, and of course being used to track and stalk people, or that story which Chris gave us before, an extraordinary story from Germany about finding out where top secret apartments may actually be based. But, you know, these AirTags can be used in all kinds of ways. So my son, it turns out, I didn't know this, my son has got an AirTag. He's got it on his phone or his school bag or something. And so they built into AirTags this means by which you can be warned if a tag is following you. Yeah. So if someone's planted one, so if someone's planted one in your car, for instance.


CAROLE THERIAULT. Exactly. We've done that story before as well. Yeah.


GRAHAM CLULEY. And then it'll go bleep, bleep, bleep, bleep. So I'm finding this really annoying because I'm obviously carting my son around all the time with his school bag, getting him to school or, you know, to his tutor or something. And all the time I'm getting these messages popping up on my phone saying, "Ooh, there appears to be an AirTag which is tracking you. It's been traveling around with you." It's like, well, yeah, I know it's been, this is my, and I've got no way of saying, "Well, don't bug me about that one. Stop bleeping at me all the time." Because—


CAROLE THERIAULT. Oh, really?


GRAHAM CLULEY. You see?


CAROLE THERIAULT. No, there must be a way. There's gonna be a listener who's gonna get in touch.


CHRIS KIRSCH. You could get an Android.


CAROLE THERIAULT. No, no, that is not the, that's not what you should do.


GRAHAM CLULEY. Are you crazy?


CAROLE THERIAULT. I think you need to Google how to stop an AirTag blinking at me. I'm doing it right now for you.


GRAHAM CLULEY. Right, well, yeah, well.


CAROLE THERIAULT. Go to Settings, Bluetooth, and turn Bluetooth on. Go to Find My app, tap the Me tab, turn on tracking notifications, and turn on airplane mode. Done.


GRAHAM CLULEY. Oh, all right, I'll give that a try.


CHRIS KIRSCH. Yeah, just put your phone in airplane mode all the time. You'll also have fewer scam callers, you know.


CAROLE THERIAULT. I do it, I do it a lot.


GRAHAM CLULEY. Melissa Shusterman, she is a state representative hoping to be reelected in next month's midterms. And she's one of those who had her signs stolen. She has said she's blaming it all on MAGA, Make America Gruesome Again. She says, we will not let the radical MAGA right intimidate us. Double the amount of signs taken will go back up. Now that seems to me like we could end up with an exponential rise of signs on people's front lawns if this keeps on happening. And what, I don't know what's gonna happen with the dumpsters either, but it's just gonna keep on and on.


CHRIS KIRSCH. Yeah, but you know, like you also took down that sign on the, you know, on the notice board all the time. So I'm, you know, that seems like—


CAROLE THERIAULT. We know what camp you're in, Graham.


CHRIS KIRSCH. Escalation that doesn't help either side.


GRAHAM CLULEY. Do you think they should have kept on putting up two signs for the cult up on the side and then four just to keep me busy?


CHRIS KIRSCH. Just make them really big.


GRAHAM CLULEY. My trousers would be bulging from the number I've stuffed into my pockets.


CAROLE THERIAULT. You could have done two things, I think, that would have been better. One, you could have put up your own sign explaining what that sign meant and why you thought it was a bad idea. Oh yeah. And gotten a little bit of controversy going on in town.


CHRIS KIRSCH. Oh yeah.


CAROLE THERIAULT. Right? Or you could have gone to the local newsletter, newspaper, whatever, and said, this is why I think this sign should be taken down.


CHRIS KIRSCH. Oh yeah.


CAROLE THERIAULT. You should have talked to me.


CHRIS KIRSCH. Yeah, that's a great idea.


CAROLE THERIAULT. Thanks, Chris.


CHRIS KIRSCH. But the real question— Yeah, the real question though is like the UK is like the capital of the CCTV surveillance, you know, system. So I can't even find people who pick up signs all over the city and put it in a dumpster. Oh, this was in the US, right?


CAROLE THERIAULT. I'm completely off.


GRAHAM CLULEY. Yeah.


SPEAKER_03. Yeah.


CHRIS KIRSCH. Yeah.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Yeah. Yeah.


CAROLE THERIAULT. Yeah.


CHRIS KIRSCH. This is great stuff for you to cut out of the podcast.


CAROLE THERIAULT. Of course.


CHRIS KIRSCH. Just cut out all the stuff where I say dumb stuff. Right?


GRAHAM CLULEY. We do that with Carole every week. Wow.


CHRIS KIRSCH. Wow.


GRAHAM CLULEY. I am an arse, aren't I?


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Chris, what have you got for us this week?


CHRIS KIRSCH. So I live in the US, so it's not as close to me as it is to you. But there is this thing going on with Russia and Ukraine and everything right now. So, you know, like—


CAROLE THERIAULT. We've heard.


CHRIS KIRSCH. Things have cooled off a little bit with Russia and they're not invited to the party anymore. And there've been some weird things happening in Germany, for example, like the German railway system was halted for 3 hours earlier this month due to a failure of the digital train radio system. They chalked that up as sabotage and, you know, maybe that's Big Brother Boris meddling with things, right? Just to set the scene for—


GRAHAM CLULEY. Oh, that Boris. Sorry. Sorry. When you're British, we had a horrible flashback to another Boris.


CHRIS KIRSCH. Should we call him Ivan? Vlad? Yeah. Anyway, so the, the story I'd like to tell today is one about a German software company called Protelion. They're based in Berlin. They make all sorts of things like VPNs, endpoint security. I think they have a managed detection and response service. So kind of like finding anomalies on your network. And they're the typical kind of like small or medium-sized German company selling German software to German enterprises and, you know, sometimes around the world. And so this German TV station looked at them. They had, uh, like a, a lead somewhere and they saw that the Protelion software was also sold by a company in Russia called Infotex. And so they're like, hold on, this is a little weird. Like, shouldn't that be under sanctions? And, you know, is that still allowed? And so they wanted to phone them, but they thought, no, no, we'll just go by their offices and, you know, ask them in person, you know, and tell them like, hey, the, the Russians are, you know, have pirated your software. They're selling that in Russia and trying to figure out what's going on. So when they arrived at the offices in Berlin to warn them that their software was being sold in Russia, the Protelion doorbell says, please ring the bell for Infotex. So that's a bit weird.


GRAHAM CLULEY. The name of the Russian company.


CHRIS KIRSCH. The name of the Russian company. This is, I think, another callback to the, to the story I told last time. It's kind of like, what is it with people who are trying to hide their tracks that they are in the same building and kind of like referencing each other's bells? You know, tradecraft's really gone downhill. So, um, also what was weird is that if you look up the CEO of Protelion, he is, uh, formerly the head of Infotex Germany. So they actually just rebranded Infotex Germany as Protelion.


GRAHAM CLULEY. Ah, you've got to be careful of these companies which rebrand. Yourselves, don't you, Chris?


CAROLE THERIAULT. There can be difficulties.


GRAHAM CLULEY. Who knows what they might be hiding?


CHRIS KIRSCH. Damn, I've been caught.


GRAHAM CLULEY. Okay. Yeah.


CHRIS KIRSCH. And by the way, the German army was also in their building, in that same building, which is also a tad weird. So it turns out Infotex is not reselling the German software. Infotex is the original equipment manufacturer of the Protelion software. It gets more interesting. Infotex also supplies the software to the FSB. And the Russian intelligence services also helped develop the encryption algorithms for that software. Doesn't that make you feel warm and fuzzy?


GRAHAM CLULEY. Hang on, but this is VPN software and endpoint security software is what we're talking about here.


CHRIS KIRSCH. Excellent, right? Awkward.


CAROLE THERIAULT. Excellent.


CHRIS KIRSCH. Yeah. Yeah. The founder of that company is actually an ex-KGB officer.


CAROLE THERIAULT. Of course he is.


CHRIS KIRSCH. Who recently got a medal from our friend Vlad.


GRAHAM CLULEY. Stop.


CHRIS KIRSCH. For, for over 10 years of excellent services to the country.


CAROLE THERIAULT. So, um, this is another sticky pickle.


CHRIS KIRSCH. Oh my God. Yeah. There, there is so much more to unpack though, Carole.


CAROLE THERIAULT. Okay. I'm listening.


CHRIS KIRSCH. Okay. So, Protelion is also a member of the, and repeat after me, Cybersicherheitsrat Deutschland e.V. So, the Cybersecurity Council of Germany.


CAROLE THERIAULT. Okay. Cybersecurity Council of Germany. Okay.


GRAHAM CLULEY. That's easy to repeat. Yeah.


CHRIS KIRSCH. So, There is a Cybersecurity Council of Germany, Cybersicherheitsrat, which is part of the German Ministry of Defense, but it's not that one. So, we'll do a little pub quiz, Carole and Graham. You know, you're used to pub quizzes, right? Like in the UK, you're asked like, you know, who won the Eurovision Song Contest 1974 or something like that?


GRAHAM CLULEY. ABBA, Waterloo at Brighton.


CHRIS KIRSCH. Yes, exactly.


GRAHAM CLULEY. Wow.


CHRIS KIRSCH. I am impressed. So, In Germany, our pub quizzes aren't as much fun. Like, our pub quizzes are more like, what does E.V. stand for?


GRAHAM CLULEY. E.V. Oh, this is part of their name.


CHRIS KIRSCH. Part of their name, yeah.


GRAHAM CLULEY. E.V. of the Cyberstiftung Deutschland. E.V. I have no idea. Does it mean not really, or we're actually Russian, or something like that?


CAROLE THERIAULT. Fake, fake.


CHRIS KIRSCH. So it's the— It means eingetragener Verein, which means it's a non-profit. Right? So it's not part of the government.


CAROLE THERIAULT. Today we learned. Good. Yeah.


CHRIS KIRSCH. Ah, so it's actually a private lobbying group by the same name of the Cybersecurity Council of Germany as part of the Ministry of Defense. So no room for confusion at all there. Right?


CAROLE THERIAULT. Right. And they, yes, they're not taking advantage of that confusion either.


CHRIS KIRSCH. No, no, no.


GRAHAM CLULEY. They wouldn't. They wouldn't. Of course they wouldn't. So Chris, Chris, when you had this sort of name dilemma yourself with your company where your name was also being used by this company, you just changed your name. Whereas This organization appears to almost be exploiting the fact that they have—


CHRIS KIRSCH. You might say that. Yes, you might say that.


GRAHAM CLULEY. Right.


CHRIS KIRSCH. So this lobbying group, there's a few of those in Germany, and they typically include both vendors of security solutions and very large enterprises, and they kind of collaborate and they try to influence government legislation and hold events and all of that jazz. So same with this group here. Some of the very large German enterprises were in there. And, uh, it's very hard, as you said, to distinguish the two cybersecurity councils of Germany.


GRAHAM CLULEY. Yeah.


CHRIS KIRSCH. For anybody in Germany or even abroad.


CAROLE THERIAULT. Right.


CHRIS KIRSCH. Especially because their founding president is a gentleman by the name of Arne Schönbohm. Now, Arne, he's the son of a German, former German minister, um, also coincidentally the, uh, person who was the, the first commander who integrated the East German army into the West German army, the Bundeswehr. So, you know, somebody with, with has a lot of political clout and former ties to Russia, maybe, I don't know. And so his son Arne is now the current chief of the BSI, which is the German intelligence agency for cybersecurity.


CAROLE THERIAULT. Yeah.


GRAHAM CLULEY. Okay. The real BSI.


CHRIS KIRSCH. The real BSI, right?


GRAHAM CLULEY. The BSI is quite respected, isn't it?


CHRIS KIRSCH. I mean, yes. It is respected. Like, it's a, you know, very decent agency and they collaborate a lot with industry and so on to keep industry safe and, you know, provide guidelines airlines and so on. So it's, it's a, you know, respectable agency. He himself, not so respected in the industry. He's got no background in information security to the point that he got dubbed as the cyber clown by German media.


GRAHAM CLULEY. No.


CAROLE THERIAULT. So he's only there because his dad was powerful.


CHRIS KIRSCH. I would think so.


GRAHAM CLULEY. Yes.


CHRIS KIRSCH. And so, so he founded this lobbying group and then, you know, when it came out that, oh, Protelion had these ties to Russian intelligence, he, you know, wrote a little note, uh, to his employees at the BSI and said like, oh, any BSI employees shouldn't attend any events by the Cybersecurity Council.


CAROLE THERIAULT. He's trying to divide the group saying like, let's not intermingle.


CHRIS KIRSCH. Let's not intermingle. And by the way, his successor also was interviewed on TV that, oh, you have to stay in touch with all of the relevant players in cybersecurity, and that includes the Russian and Chinese intelligence services.


CAROLE THERIAULT. What?


CHRIS KIRSCH. Which I thought was a little bit weird.


GRAHAM CLULEY. Okay, let me get my head around this. So there is this nonprofit group called Cybersecurity Council of Germany, which isn't to be confused with the Cybersecurity Council of Germany.


CHRIS KIRSCH. Exactly.


CAROLE THERIAULT. Right?


GRAHAM CLULEY. So there's two of them.


CHRIS KIRSCH. Yeah, they have dashes in different places.


GRAHAM CLULEY. So Protelion, Protelion, who clearly have Russian links and Russian intelligence services helped develop their encryption algorithms and they supply software for the FSB, FSB, et cetera, et cetera. They're members of the Cybersecurity Council in Germany as well. Yeah.


CAROLE THERIAULT. But they're not part of the Cybersecurity Council in Germany.


GRAHAM CLULEY. No, no, don't get it confused with the Cybersecurity Council of Germany. And there's this bigwig who's a clown who somehow set up the Cybersecurity Council of Germany, not to be confused with the Cybersecurity Council of Germany.


CAROLE THERIAULT. Actually, I think he's part of both.


GRAHAM CLULEY. Oh, is he on both? Is he in both the cyber— This is very confusing. What's going on here? What's the end game here, do you think, Chris?


CHRIS KIRSCH. I don't know. I think it's intelligence services, you know, obviously creating software that might be backdoored, might have weak encryption algorithms and so on, right? So the FBI is also investigating Infotex and not just, it's not just an issue in Germany. So this is actually, should be relevant to a lot of your listeners, but you know, More importantly, look at your vendors and figure out if they are of good provenance. Maybe drive to their offices, look at the doorbell.


GRAHAM CLULEY. Yeah, ring the doorbell, see what it says.


CAROLE THERIAULT. Yeah, do your supply chain due diligence, right?


GRAHAM CLULEY. And if you are a Russian company working undercover, effectively not advertising the fact that you are a Russian company, perhaps maybe don't advertise it quite so brazenly and so incompetently. Yeah, it was a lot for their security, does it? Yeah, OPSEC is pretty bad.


CHRIS KIRSCH. Their OPSEC was really, really bad. I mean, having the same CEO of the German subsidiary, you know, like it's, it's just boggles my mind that, that this really worked. And by the way, the, the head of the BSI is now, um, probably getting fired, uh, per a message of the German interior minister. Um, so that's gonna put an end to that. So no more clownery in German, uh, cyber.


CAROLE THERIAULT. Uh, we found though, we found due to our recent politics that sometimes the replacement or incumbent can be, uh, I don't know what the word is.


CHRIS KIRSCH. You have a point, Carole.


GRAHAM CLULEY. You have a point. Yeah.


CAROLE THERIAULT. Watch this space is maybe better.


CHRIS KIRSCH. Yeah. All right. Carole, what do you have for us?


GRAHAM CLULEY. Wait, that's my bit. Oh.


CAROLE THERIAULT. Oh, sorry.


GRAHAM CLULEY. Crow, what have you got for us this week?


CAROLE THERIAULT. Okay, so we often talk about scammers breaking into computer systems by either using stolen credentials or social engineering tactics or taking advantage of vulnerabilities. But let's not forget about employees, some of which can get up to no good in plain sight and no one's the wiser. Meet Shahid Anwar. He is a 36-year-old from Rugby, England. And yes, that is apparently where the game of rugby was first conceived.


CHRIS KIRSCH. How clever.


CAROLE THERIAULT. So there's another little fact for you for your pub quizzes.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. And that is the sport where players get cauliflower ears. And I just wanted to give you a screenshot of a bunch of cauliflower ears in the notes.


CHRIS KIRSCH. Yes, I was very much wondering what you were sending us here.


CAROLE THERIAULT. They're pretty outrageous looking, aren't they? You'd think there'd be plastic surgery for something like that.


CHRIS KIRSCH. Wow.


GRAHAM CLULEY. It can be a pretty rough game.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Rugby. Yeah.


CAROLE THERIAULT. Now, as far as I know, Shahid did not play rugby or have cauliflower ears, but—


CHRIS KIRSCH. Okay, then why this intro, Carole? I'm really curious.


CAROLE THERIAULT. Because he's from Rugby. Because he lives in the same town.


GRAHAM CLULEY. Wow.


CAROLE THERIAULT. Yes. You learn a lot of good facts when I put my stories together. You're very welcome. And he was a customer resolution specialist within an agency within Virgin Trains.


GRAHAM CLULEY. Customer resolution specialist. What a good job title.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Does he just work in the complaints department? Is that what it means?


CAROLE THERIAULT. Kind of. You might— Chris might not know this, but UK trains have a reputation of not always being on time.


GRAHAM CLULEY. I have to say, when Chris said that the German train system had been disrupted for 3 hours, I just thought, quite a good day. Yeah, not bad at all.


CHRIS KIRSCH. I moved from Switzerland to the UK at one point, and I had lived up in the Alps, and we had a very good train system there. Then I moved to the UK, and I think the British rail system divides snow into 4 categories, and they can't operate in 3 of them.


GRAHAM CLULEY. If you think the snow's bad, just wait until leaves fall off trees.


CAROLE THERIAULT. So do you want to take a guess at what percentage of trains are delayed in the UK? This is based on the last recorded 6-month period.


CHRIS KIRSCH. It's probably not as bad as we are saying. Don't come with facts. We like our stereotypes.


CAROLE THERIAULT. I'm coming with facts. What do you think?


GRAHAM CLULEY. What does delay actually mean? How do they define delay?


CAROLE THERIAULT. They define it as being a minute or more late.


GRAHAM CLULEY. Oh my God. I'm going to say 80%.


CAROLE THERIAULT. They claim 25%, 1 in 4.


GRAHAM CLULEY. Yeah, right.


CAROLE THERIAULT. And apparently, so I thought, Chris is on the show. Let me just compare this to Germany, because in 2021, they were boasting that 82% of their trains were on time. But apparently due to your crazy flooding and strikes and issues that you've had, your numbers are now in the same boat as ours this year.


CHRIS KIRSCH. Don't come with facts, I love the stereotypes.


CAROLE THERIAULT. And because of these frequent delays in the UK, train services like Virgin Trains have a scheme available to offer commuters in the UK, what they call a pay and delay scheme, which is a really weird name. But basically it means that you can apply for refunds if a train is canceled due to strikes or it's late or whatever. And according to money-saving experts, people are not actually applying for these refunds to the tune of £100 million.


CHRIS KIRSCH. Hmm.


CAROLE THERIAULT. So back to Shahid. Now, Shahid, remember, works in the department. What department, Graham?


GRAHAM CLULEY. The customer resolution thingy.


CAROLE THERIAULT. Customer resolution. Yes, that's where he works. And he's looking at all this stuff and looking at all this money. That is not being claimed.


GRAHAM CLULEY. This is genius.


CAROLE THERIAULT. And something that you may not know, because I didn't share it, other than he lives in Rugby, is that he's facing personal financial difficulty.


GRAHAM CLULEY. Oh.


CAROLE THERIAULT. So he's looking at all this cash, right? And because he works in customer resolution, he's seeing that these legit claims are not being made. And maybe this is where he decides to do something about it. So this all kicks off in 2016. He starts submitting false refund claims. Some of his tactics include creating photoshopped tickets. He created over 100 PayPal accounts and multiple email aliases to manage this racket. He managed to pull off more than 1,500 refunds by taking advantage of design weaknesses in the pay and delay scheme. Some were as small as £9.10. The biggest one I could see was £746. Wow. That's what he was able to claim. In all, he did this for 3 years and amassed £116,000 in this time.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. And he was working on a further £50K at the time of his arrest. And apparently when arrested, he said he was so relieved to be finally arrested because he felt he'd gotten addicted to this window washing. So, two things which blew my mind, which I haven't mentioned.


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. One is during this swindle, he actually left Virgin Trains, so was no longer working within the department, but he carried on ripping them off.


GRAHAM CLULEY. We didn't need to work with him anymore, I imagine.


CAROLE THERIAULT. He just could guess what trains were late.


GRAHAM CLULEY. What?


CAROLE THERIAULT. He just would guess. Yes, he just would go, I know the train from Birmingham to London at this time is always late. I'm just gonna submit a refund request for it with a fake Photoshop ticket.


GRAHAM CLULEY. Oh my goodness, that's ballsy.


CAROLE THERIAULT. Two, okay, so I did a bit of the maths on the money, okay? So let me just get this out to you guys right now. So basically let's round it to, like, you made about 100K in 3 years. So let's say like 33K a year. So 2.5K a month or about 600 a week, okay? Those are your numbers. So 600 a week. So one of his claims when he got arrested, when they were saying, well, what did you spend the money on?


CHRIS KIRSCH. Train tickets?


CAROLE THERIAULT. No, that would have been so good. No, he spent it on groceries, he claims.


CHRIS KIRSCH. Cauliflower?


CAROLE THERIAULT. Yes, that's how we get back to it. No, he, he spent it at his two preferred UK food stores, Graham, in the UK. £600 a week for him and his wife, right?


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. Can you guess what the two shops were?


GRAHAM CLULEY. Waitrose, because that's quite expensive.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. Waitrose and Lidl? Aldi?


CAROLE THERIAULT. How did you guess? I can't believe you guessed. The second one is Iceland.


GRAHAM CLULEY. Iceland. Same kind of thing.


CAROLE THERIAULT. So I found that hilarious. Waitrose and—


GRAHAM CLULEY. Yeah.


CAROLE THERIAULT. You know, what was he buying those things for his other family members?


GRAHAM CLULEY. You have the Iceland stuff.


CAROLE THERIAULT. We're getting the really nice rack of lamb and the—


CHRIS KIRSCH. So Waitrose is high-end and the other one is low-end, or—


CAROLE THERIAULT. Oh yeah, well, Iceland is considered maybe more cost-effective.


GRAHAM CLULEY. Waitrose is lovely. You'll get a little thigh massage when you go in there. It's gorgeous.


CAROLE THERIAULT. And then a bill for £150 for a shop that should cost you £40. But it is a lovely experience, right?


GRAHAM CLULEY. Oh yeah, it's gorgeous.


CAROLE THERIAULT. So, Shahid has been lucky, however, because he got a suspended sentence. The judge was unhappy that he had been arrested in 2019 but only charged in 2022, which, you know, that's a long stress period for not knowing if you're going to be charged or not.


CHRIS KIRSCH. Yeah, it's the pay and delay scheme.


CAROLE THERIAULT. But, and I wonder if the fact that he'd spent the money at supermarkets and that he was very apologetic rather than buying a flashy Maserati and a gold medallion worked in his favor as well.


GRAHAM CLULEY. He helped the economy. He was leveling up.


CAROLE THERIAULT. Stop. Exactly. So best takeaway here is if you are in the UK and you find yourself on a delayed and canceled train, even if it's due to strikes, which we've had a lot of recently, go check up on how you can reclaim a refund. These details are in the episode webpage on Smashing Security.


GRAHAM CLULEY. Because train fares are expensive. I mean, it costs a fortune.


CAROLE THERIAULT. Yes.


GRAHAM CLULEY. In this country to be transported like a piece of cattle. Yes. In cramped— I mean, they wouldn't actually transport cattle in as inhumane conditions as they do people. People on trains in this country. So, but yeah, it's, it's, it's a good idea. Good tip, Crow.


CAROLE THERIAULT. You're very welcome.


GRAHAM CLULEY. You're very welcome. Every day, billions of people around the world connect with their favorite brands online through shopping, gaming, banking, learning, and more. Every second, the internet gets more chaotic, more cyber threats. Securing entire ecosystems, clouds, apps, APIs, and users, that grows more complex, causing friction that slows innovation and hampers agility. With Akamai, cybersecurity can become an engine for innovation and growth. Whether you want to achieve unmatched security with Akamai's suite of app and API protection, or embrace a zero-trust architecture, Akamai can help. With insights from the world's most distributed compute platform, Akamai delivers unique security research on the latest attacks and trends on everything from ransomware as a service, gangs like Conti, DDoS attacks, phishing attacks, to help you protect your business. Where else can you take advantage of insights from 7 trillion DNS queries per day? Learn more about Akamai and their security research. Visit their website, akamai.com/smashing. That's A-K-A-M-A-I.com/smashing.


CAROLE THERIAULT. Bitwarden's open source password manager that is trusted by millions of individuals, teams, and organizations around the world has just announced its October release. And it is chock full of goodies. Features, which include password-protected encrypted export, which allows you to export your vault in an encrypted format using the password of your choice. Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available. And here's a little insider scoop for you: they're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser. Want to try these features out? I don't blame you. Visit bitwarden.com/smashing. That's bitwarden.com/smashing. And thank you to Bitwarden for sponsoring the show.


GRAHAM CLULEY. If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security. Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers. If you're not quite sure how you'd go about proving all that, then you need Kolide. Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals. Best of all, Kolide doesn't resort to spying on workers or locking down devices. Instead, it works with end users to resolve issues and relies on their cooperation and informed consent. You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com/smashing to find out how. If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com slash smashing. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.


CAROLE THERIAULT. Pick of the Week.


CHRIS KIRSCH. Pick of the Week.


GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.


CAROLE THERIAULT. Better not be.


GRAHAM CLULEY. Well, my pick of the week this week is slightly security related because that is allowed under the rules of pick of the week. Doesn't have to be security related. Oh gosh.


CAROLE THERIAULT. Just because I did it last week, honestly.


GRAHAM CLULEY. I'm sure you've been following the Fat Bear Tournament, the competition.


CHRIS KIRSCH. Hold on, hold on, Graham. I thought we had a strict no tautology rule on this podcast. I'm throwing out really fancy grammar— is it grammar terms?


GRAHAM CLULEY. Oh, so you think saying fat bear is saying—


CHRIS KIRSCH. Fat bear, yeah.


GRAHAM CLULEY. Is unnecessary.


CHRIS KIRSCH. I mean, there is a bear week in Provincetown, Massachusetts. You know, close to where I live. And do you know what they mean by bears?


CAROLE THERIAULT. I do. I married one.


GRAHAM CLULEY. Is this big cuddly men? With a beard?


CHRIS KIRSCH. Big cuddly hairy men.


GRAHAM CLULEY. Yeah.


CHRIS KIRSCH. Yeah.


CAROLE THERIAULT. Go listen to Sticky Pickles' last episode if you want to learn more about them.


CHRIS KIRSCH. So it's an aesthetic. It's one that escapes me a little bit, but it's an aesthetic. Yeah, it's gorgeous. Carole, thanks for saving the day.


GRAHAM CLULEY. I am talking about real animals. That type of fat bear. That's what's kind of— the grizzlies.


CAROLE THERIAULT. Is this because it's the— it's because they're about to go into hibernation, so they're all eating tons right now?


GRAHAM CLULEY. Well, look, you know, obviously the bears are gorging around. They're finding any food they can, they can get hold of. The ranger's not going to like it, but if they steal a little ham— I used to watch TV a lot. I used to watch Yogi Bear and Boo Boo. I know all about bears at Jellystone Park. And so I know, I know the antics which they get up to. And apparently the rangers at Katmai National Park and Reserve, they have been holding for some years now Fat Bear Week. Where they try and work out what the most popular bear is. And they've been running this online as well. You can vote if you want. A few Sundays ago, there was a semifinal round between a roly-poly bear, which they've nicknamed Holly, codename 435. So they've all got numbers. And there's also an airplane-sized bear called 747. And you had to decide which was your favourite fat bear. Now you're wondering, why am I mentioning this? Well, the reason it came to my attention is there has been some election fraud going on.


CAROLE THERIAULT. Oh dear.


GRAHAM CLULEY. There has. This is the word from Katmai National Park. They detected attempted election fraud in the poll between these two bears. They said that we have discarded the fake votes. So apparently they were avalanched with emails, lots and lots of emails coming from several IP addresses, which were all voting for Bear 435, who did win, to her credit, in 2019, the Fat Bear Week Championship. Yeah. But they said, no, no, no, a lot of these were actually fake votes. So someone has been trying to rig the Fat Bear competition. And I think that is a warning for all of us.


CAROLE THERIAULT. Is there a prize? Do you get to ride the bear? No, come on.


GRAHAM CLULEY. You know what a bear is.


CAROLE THERIAULT. You don't trust— Yes.


GRAHAM CLULEY. Have you not seen that movie with Leonardo DiCapuccino? You don't mess with a bear.


CAROLE THERIAULT. I have stayed in Canada, on Vancouver Island, and the place I was at had a hot tub, and right beside the hot tub was this long bear stick. So if you're sitting there in the soup looking delicious, like little dumplings for a bear, you could try and poke it off with this stick. It's ridiculous.


GRAHAM CLULEY. How did that work out for you?


CHRIS KIRSCH. Is that how you met your husband?


CAROLE THERIAULT. Yes, I lampooned a great one.


GRAHAM CLULEY. No poking in the hot tub.


CAROLE THERIAULT. I think we've had enough of that.


GRAHAM CLULEY. That's like Chris's type of bear, I think. Anyway, they have now added a CAPTCHA to their systems to try and weed out fake votes.


CHRIS KIRSCH. Capturing bears in the wild. Oh God, another one to cut out.


GRAHAM CLULEY. Anyway, I think, well done to that. I like the idea of them having this fat bear competition and raising awareness of the bears. It's a little bit of fun, but you know what? Why on earth was someone trying to rig the vote? What is going on?


CAROLE THERIAULT. I wonder if any bear-like men could go there during this week and just wander around the park and try and get captured, you know, and actually have men compared, you know, versus bears in it.


GRAHAM CLULEY. I'm sure there's a website for that, Carole. I'm sure.


CAROLE THERIAULT. Rule 34.


GRAHAM CLULEY. Why is someone throwing all this spam at bears as well? What's going on? It's very, very strange. Anyway, what's your pick of the week?


CHRIS KIRSCH. All right, my pick of the week is pimEyes.com. So some of you might know that I have an interest in OSINT, open source intelligence, which is basically, you know, using public sources to figure out stuff about companies, people, etc. And on Twitter, I saw somebody, you know, posting a list of, hey, here are some cool new OSINT sources, and pimEyes was one of them. And it's a reverse image search engine. So you can put in a picture instead of typing out a term like you do on regular Google. You put in a picture and then it shows you other places where that picture is from or similar pictures and so on. And PimEyes has a particular flavor of reverse image search, which includes face recognition. So you can put in somebody's picture and it'll find other pictures of the same person just through face recognition.


GRAHAM CLULEY. Oh my goodness.


CAROLE THERIAULT. Are they using the Clearview AI to do this?


CHRIS KIRSCH. Carole, you're not wrong. Like, that's exactly the same kind of application, right? Same kind of technology. And I actually tested that and I tried to, you know, get onto the Clearview platform and I couldn't get in. So that was actually, you know, like reasonable protection. It's still, you know, concerning from a privacy perspective and so on, but at least it wasn't available to your average Joe. Now, PimEyes, on the other hand, is available to the average Joe at a bargain basement price. So I wanted to try out the platform. It's $30 a month for the lowest tier. There's also like a free search, which means you only see like other pictures, but you can't click through to the sources, and they're only the face with everything else pixeled out. So I gave it a test drive, and it works surprisingly well. You can add 1, 2, or 3 pictures or more to improve the quality of the search. And then you get across the internet all publicly available pictures of that person.


GRAHAM CLULEY. While you've been speaking, Chris, I have uploaded a picture, a face to it. I chose the face of someone called Carole Theriault. So I've just uploaded her picture. And it has found a number of other pictures of Carole. And what was in— which I thought, well, maybe they've worked out that that is Carole Theriault in the picture, maybe they've done with. And so they then searched for Carole Theriault. But they've also found pictures of someone who looks very much like Carole Theriault. I have to say—


CAROLE THERIAULT. My doppelganger?


GRAHAM CLULEY. She does look equally sarcastic in this photograph. I have to say, she does look very, very unimpressed. It's quite extraordinary. I'll just put it in the show notes. Carole, there you are. That looks like you. I've just Googled. I don't know if you can see that, but there you are.


CAROLE THERIAULT. Oh, it's coming.


GRAHAM CLULEY. Oh yeah.


CAROLE THERIAULT. Oh yes.


GRAHAM CLULEY. Like Carole Theriault. You can, you know, but—


CAROLE THERIAULT. I need to find her.


GRAHAM CLULEY. I've also seen something which is tagged as a potentially explicit result. I can tell PimEyes, that most definitely is explicit. It's not potentially explicit.


CAROLE THERIAULT. It's quite revolting.


GRAHAM CLULEY. No, I'm not gonna share that one. My God. Anyway, but yeah, it's extraordinary.


CHRIS KIRSCH. Also, I looked at some sites where they found somebody's picture and it did not have the person's name on it. So that shows me that they really do face recognition and don't just pivot over the name that they might find somewhere. But it does also, and you've just proven this, Graham, it does also have quite a lot of false positives. So the further down you get in the search, the probability of this being the same person goes down. And when you get towards the end, a lot of adult sites and a lot of et cetera, right? There's so many things that can go wrong with that technology. So for example, you might, as an employment screen, put somebody's LinkedIn picture in here, and you might find some false positives, right? Where you think, oh, this person had some other parts of their career that's not on LinkedIn. Or you might find some revenge porn out on different sites. That's become unfortunately very common now. And so, you know, just from a professional profile to going to false positives and real leaked nudes is very, very fast now. But also, if you think about a stalker just out in the public, if they snap a picture of somebody, that means that they can now probably find their Facebook pretty quickly and identify who that person is. And, you know, that could increase stalking. On the flip side, you could also take a picture of a stalker and identify who they are. You could also think of Charlottesville, January 6th, you know. Yeah. All of these events where people were trying to figure out who somebody is online.


CAROLE THERIAULT. And often getting it wrong.


CHRIS KIRSCH. And often getting it wrong.


CAROLE THERIAULT. And vilifying people.


CHRIS KIRSCH. Even with that website, there is no guarantee that they will get it right because there are false positives. So there is also a whole lot of—


CAROLE THERIAULT. And are they going to be held accountable if someone is misidentified and there is some kind of weird— and you go to them and they'll go, hey, it wasn't us. We just scraped the web. We're just providing this service. Nothing to do with us, gov.


CHRIS KIRSCH. I'm sure they have plenty of disclaimers.


CAROLE THERIAULT. But they're charging for that service.


SPEAKER_03. Yeah.


CHRIS KIRSCH. Yeah.


CAROLE THERIAULT. Anyway, yeah, I feel iffy about this.


GRAHAM CLULEY. Yeah, I think it's— well, it's the kind of thing you only really want people maybe in law enforcement to use and with an understanding as to the consequences. I'm now searching for a photo of myself and I'm finding an alarming number of photos of me. Thankfully I—


CAROLE THERIAULT. Any naked?


GRAHAM CLULEY. Well, not yet, but—


CAROLE THERIAULT. Because there is one that someone took under a toilet stall once.


GRAHAM CLULEY. Let's not talk—


CAROLE THERIAULT. Maybe you should load up that picture and see if it's online.


GRAHAM CLULEY. This is— now, Chris, I've seen that there is the option to opt out, but in order to opt out, it says you have to upload a clear photograph of your face, which presumably they then are going to add to their database.


SPEAKER_03. Yeah.


CHRIS KIRSCH. Yeah.


CAROLE THERIAULT. And not let you see it. Yeah. Well, thanks for that Pick of the Week, buddy.


GRAHAM CLULEY. Blimey. Carole, what's your Pick of the Week?


CAROLE THERIAULT. I have a spooky Pick of the Week in honor of our upcoming Halloween season. Now, before I get to that, have either of you ever seen the original Exorcist?


GRAHAM CLULEY. No.


CAROLE THERIAULT. From 1973?


CHRIS KIRSCH. I'm not good with scary movies.


GRAHAM CLULEY. No?


CAROLE THERIAULT. God, it is extremely scary. And it was directed by crazy director William Friedkin and written for the screen by William Peter Blatty, who actually also wrote the book. So if you don't like scary movies, maybe you like scary books. 1971 Exorcist, the book. I watched it when I was quite young, and I had nightmares for weeks afterwards. The little girl that's fully under the control of evil forces haunted me. It was awful, but it stayed with me. It's like considered, I think, one of the scariest.


GRAHAM CLULEY. You've never been the same, have you? It scarred you.


CAROLE THERIAULT. Now, acclaimed English film critic Mark Kermode has named The Exorcist his favorite film of all time. Now, my pick of the week is not The Exorcist, but Mark Kermode's 1998 documentary on the movie, which has been re-released on iPlayer in full, and it's called The Fear of God: 25 Years of The Exorcist.


CHRIS KIRSCH. What is iPlayer?


CAROLE THERIAULT. iPlayer is kind of like Netflix but for BBC programs.


CHRIS KIRSCH. Is it available internationally? Do you know?


GRAHAM CLULEY. There are ways of accessing it.


CHRIS KIRSCH. I mean, obviously, who knows what they might— There's this great German company called Proton that offers a VPN service that might be able to help with that.


CAROLE THERIAULT. Yes. Now, I just watched this documentary. All I can say is flippin' heck. Like, A, it is a top, top, top documentary with jaw-dropping moments. Like, the amount of information that Kermode was able to get out of all the interviews is gobsmacking. And he manages to interview almost everyone who is either directing, writing, or acting in the film, including an actual priest who is based in New York. Now, I know you guys haven't seen the film, but there's a lot of words, like, I've read and heard about how this movie was cursed, right? Which is great kind of PR for the film itself to think that. But after you watch this documentary, you sure as heck believe it. Okay, a few things I will cover without ruining the documentary is that, of course, because this was filmed way back in— when was it? Uh, '73?


GRAHAM CLULEY. 1970? Yeah, about then, I think.


CAROLE THERIAULT. '73. There's a lot of stunts. There's a lot of things that happen in the film, right? And they're obviously not digital. And you have the person explain how they decided to do the stunts. And he had to just create and rig up these insane contraptions to throw people around or, you know, to yank them or bounce them or topple them over. And it's so disgusting how little care was given to the people in it, especially the young girl who's playing the main girl.


GRAHAM CLULEY. So I think I've seen— I think I've seen a documentary about The Exorcist before. It may even be this one that I saw. It was quite some time ago. And the director was bonkers, wasn't he?


CAROLE THERIAULT. Yes, yes. Friedkin comes across as extremely bonkers. Now, he's quite respected. He did The French Connection, very, you know, big acclaimed film. There was a lot of deaths on set during the production, like way, way, way, way, way, way, way too many to consider anything close that could normally happen in any kind of situation.


GRAHAM CLULEY. People died while they were making the movie.


CAROLE THERIAULT. Yes. And more than one. Like many more than one. And Kermode goes through them all and explains what happened. As far as they know. Yeah. Friedkin and the writer are both really intense and passionate people and they come across as people that would stop at nothing to get what they wanted. And that's the problem, is that everyone else paid the price and he goes down in the hall of fame because now it's an acclaimed film. Anyway, the documentary is just astounding. I love, love, love, love, loved it. So I would recommend that you try and watch The Exorcist first before you watch the documentary to get a better sense of everything if you can, but it is scary. But the documentary again is The Fear of God: 25 Years of The Exorcist, currently available on BBC iPlayer and maybe even available for sale in other places. But that is my spooky pick of Cool.


GRAHAM CLULEY. Thank you very much, Carole. Now, you've been chatting to the folks at Akamai this week, haven't you?


CAROLE THERIAULT. Yeah, I spoke with Patrick. Great interview. We talk all about retail and bots and what you can do to stop them. Check it out. Well, listeners, today we have Patrick Sullivan. He is CTO of security strategy at tech giant Akamai. Now, Patrick has nearly 30 years of tech experience under his belt and is also a bot expert. And he's going to help us understand how retailers, as they gear up for the holiday season, can better thwart the bot problem. Patrick, first, welcome to Smashing Security. Delighted you're here.


PATRICK SULLIVAN. Yeah, thank you for having me.


CAROLE THERIAULT. Fantastic. Now, honestly, I have never thought about bots in terms of the retail industry. It's because I've never worked in it, I guess. And I know that Akamai has done a lot of research on this last year. But first, I thought maybe you could just define what a bot is. I mean, are they inherently bad? Just for us to all visualize it?


PATRICK SULLIVAN. Yeah, that's a great question. So, you know, a bot is just a bit of automation that's performing a task on behalf of the bot operator, and the bots themselves, obviously, they're not benevolent or malevolent by nature. They really kind of take on the motivation of the operator, right? So it's really the humans that kind of define the motivation. And to your point, we see, you know, very benevolent, you know, bots that help us crawl the web to search out. And when we, you know, commit a search, it helps us find a relevant web page, right?


CAROLE THERIAULT. Right.


PATRICK SULLIVAN. I know on one of your shows you mentioned, you know, people leveraging bots to thwart fraudsters, you know, coming to dating sites and that type of thing.


CAROLE THERIAULT. Yeah, it was a few weeks ago.


PATRICK SULLIVAN. Yeah, hilarious. And, you know, on the other end of the spectrum, you know, we see them leveraged pretty heavily for fraud. Unfortunately, they're part of the toolkit for fraudsters. And then between those two extremes, there's a whole kaleidoscope of, you know, shades of gray that are maybe not 100% good or 100% bad. It's a matter of perspective, somewhere in between.


CAROLE THERIAULT. Do we have any idea about how many bots are out there versus people? Is that even a question I can ask in terms of like legit accounts?


PATRICK SULLIVAN. It is. So we see, you know, on a daily basis we're seeing about 40 billion requests from bots. So, the good news is, you know, that's a staggering total, but that's still, you know, a minority of requests. Most interactions are still driven by human beings, you know, on their phones all day or, you know, on their laptop. But it's— that is a massive volume for website operators to deal with.


CAROLE THERIAULT. Absolutely. Okay, so now we know how these things can be used. Maybe you can share some of the research findings that Akamai were able to sniff out in their research and just help us understand what retailers are facing in this space.


PATRICK SULLIVAN. Yeah, absolutely. So, you know, a lot of areas when you're sort of deep into the domain, you know, there are people that live near the Arctic Circle that have dozens of names for snow to describe sort of the different consistencies. It's very similar with bots. We've got all kinds of different names for various types of bots, but maybe in retail, there's probably 3 big categories we could talk about. You know, one would be scrapers that are coming through and pulling down all the information from the site. Then there's a category of bots that are really heavily focused on fraud. So there we see account takeover as an area of focus. And then maybe the one that's most visible to sort of the casual web user is what we would call inventory grabbing bots. And you're confronted with these bots when you try to purchase anything online where the inventory is limited, right? So if you're trying to buy concert tickets or, you know, a fancy pair of shoes or a handbag, or these days even much more mundane things. You know, in the physical world, when demand exceeds supply, you get a queue. In the online world, when that phenomenon of demand exceeds supply, you get bots and sort of an arms race to see who can consume that inventory most quickly.


CAROLE THERIAULT. So what would happen in that instance would be I'd be trying to get my hands on this ticket, the bot would beat me and get there first, and then what, try and resell them to me at a premium price perhaps? Or I would be more motivated to pay more 'cause there's no supply anymore?


SPEAKER_03. Uh, correct. So, so the, uh, you know, there are entire industries, you know, there are people that operate these bots that, that go to work in an office every day. Uh, but if you think about sort of the arbitrage opportunity for sneakers, that's probably the most visible. Uh, there are really, really limited inventory, uh, extremely popular sneakers. And if, if you're able to buy them from the retailer, you can instantly sell those on an exchange at a massive markup.


CAROLE THERIAULT. Right. So this annoys the retailers, of course, but it also annoys the consumer because they've got to shell out a lot more cash to get their, you know, their kids that special Christmas present that they're looking for this year.


SPEAKER_03. That's right. Yeah, so it does impact the consumer experience, and you're exactly right. The retailers care deeply about this, right? I mean, obviously either way they're making a sale at the full price, whether it's a bot or a consumer. But within the retailers, there are some of the brightest people in security focused on thwarting these bots and helping to ensure a human being has the best shot possible of buying that, one of their legitimate loyal consumers. That's who they want to be able to purchase these things. They really don't wanna see this secondary market where their loyal customers have a bad experience. That's the worst thing possible for a retailer.


CAROLE THERIAULT. Yeah, of course. And of course brand reputation might be impacted there as well. Okay, okay. I think I've got the picture now. So this is Cybersecurity Month. We're still in October and maybe we need to go down the route of what people can do to try and fix this. So should we start with retailers in terms of them and what, how they can help manage this?


SPEAKER_03. Absolutely. So, so I think what we're confronting here is, you know, a very determined adversary, these bot operators that are very well resourced, right? I mean, we, we kind of touched on the profit motive. So, so there are very, very clever people building these bots. So, uh, to your point, if you're operating a website, you know, there's a couple of steps that you need to do. I mean, first and foremost, you need to be able to detect, is this a human being or is this a bot on the other end? Uh, and there's a lot of technology that we've developed over the years here, everything from, you know, looking at passive data to active detections of, you know, does the physics of the way the keyboard is being used and the mouse, the way that the phone is being oriented, you know, does that appear to be human as we model that, or does that appear to be, you know, automation, right? So there's a lot of work there in detection. And then the next step is categorizing, right? We've talked about all these different types of bots. Obviously, you want your Google bot, you know, that's searching the site, to get right through to help your search rankings. The fraudsters, you want to deceive them, maybe send them a misleading message, but you could block them if you wish. And then the gray bots, you know, we see things like airlines where every bot that comes in costs them a little bit of money because they have to go have a paid query to a reservation system. So maybe there you serve them some information that's slightly stale so you don't incur the cost, but the bot gets what they want as well. You know, so you think about sort of that detection, categorization, and then have a menu of responses available to you.


CAROLE THERIAULT. So you actually use subterfuge basically with gray bots.


SPEAKER_03. Yeah, and I think for the really malicious bots, you really wanna confuse them, right? So a lot of what they're doing is they're testing credentials to see if they can take over somebody's account. So if you detect that it's a bot, even if they put in the correct credentials for one of your users, you don't wanna tell them, you know, that we're blocking you. You would just say these credentials don't work. You give them the exact same message that you would give them if the credentials were invalid, right? To confuse them.


CAROLE THERIAULT. Yeah, so you're trying to waste their time a bit so they don't just create a new account and go attack in a different way.


SPEAKER_03. Correct. And also maybe you can drive up their costs. There are things that you can do that will cause them to burn more CPU and memory to drive up their cost. And frustrate them further, right? Maybe they would go to another site that's less expensive for them. If they're operating these botnets at the scale of millions of requests and you're causing their compute cost to go up a bit, you know, that may be the most damaging thing you can do to them because it gets to the economics of what they're trying to pull off.


CAROLE THERIAULT. And so, the customers that are working with Akamai in order to detect these bots and to categorize them, to allow the good ones in and to thwart the bad ones and to kind of obfuscate the gray ones so that they run around chasing their tails. Are they seeing cost savings? Are they seeing streamlining? Because it's such a big deal, they're seeing huge advantages.


SPEAKER_03. Yeah, there, there's, uh, I mean, obviously it starts with the, the user experience that you touched on, right? You, you know, you, you wanna make sure that your legitimate loyal customers have the best possible experience online. That's vital for a retailer. Uh, but certainly there are IT cost savings, you know, if you're having to kind of fight the bots, you know, a human defender versus a manual bot, that's really expensive because it takes a lot of humans, you know, so there are costs there. But, but, you know, for a busy period, like, you know, if you're having a limited inventory launch, or if it's, you know, the peak sales period around Cyber Monday, Christmas, which is coming. Yeah, the last thing you want is, you know, a crush of humans and bots to bring your site down, right? I mean, so obviously, if you can pull these bots out of that demand cycle, and it's, it's not consuming resource within your data center or your cloud compute, that ensures uptime and good experience for your legitimate users.


CAROLE THERIAULT. And is there any way for retailers who are not sure they have a bot problem, like, is it really clear when they have one, or can it be so sneaky that it can actually bypass them and they have no


SPEAKER_03. Yeah, that's a great question. You know, we often see this phenomenon where, you know, a very clever bot operator can operate for a long period of time without being detected. And then often you'll get maybe more of a clumsy bot operator that comes in and they're extremely noisy and they're impacting the availability of the site. So we go in there and, you know, target the very noisy bot. But then once you have kind of the precision tools to look, you'll see under the covers, hey, there were, you know, several other operators that have been visiting your site and conducting bot activity below the noise floor for some period of time, right? And those are, you know, typically more sophisticated, more of a cause for concern than the really noisy bots that are out there. So that happens all the time where it will be sort of below the radar.


CAROLE THERIAULT. And what about consumers? So, you know, a lot of people are gonna be spending hundreds, if not thousands, in the new holiday if they've got the spare cash to buy gifts for their loved ones. How do they avoid getting into a tangle where they lose out on something that they really need or wanna get?


SPEAKER_03. You know, one of the things we touched on briefly was the, the fraud use of these bots, right? And we call that credential stuffing where basically, you know, you have an engine that's, that's these, you know, bots that somebody either rents or, or buys or they build themselves. And then the fuel for that engine is, is sort of credentials from breach sites. So everybody listening today has, has seen, you know, some site that they visited and established a login get breached, you know, over the last 8, 9 years. Well, what happens is those credentials on those sites are resold, right? So there are researchers who say there's about 25 billion credentials up for sale that you can go purchase. And then, you know, that becomes the fuel for these bots where they just test those credentials to see if people have reused their credentials from one site to the next. So probably the primary thing that, that we can do as consumers is to use a unique password for every site, right? That, that will really limit your exposure to, you know, somebody breaching one site that you visit and then attempting that same credential pair across every other site on the internet, you know, billions of times a day. And then, you know, to help facilitate that, you know, a password manager could be helpful. There are a number of things you can do there. Avail yourself of MFA if that's an option on the site. All of those things make it more difficult. But if there's one takeaway, it would be, I know password hygiene is annoying, but unique passwords are probably the number one thing that we could do to thwart kind of the mass-scale automated credential stuffing that we see out there.


CAROLE THERIAULT. Yeah, fantastic. Is there anything else you'd like to add before we close, Patrick?


SPEAKER_03. No, I think that was, you know, sort of the key piece. I mean, I would say, you know, it may be frustrating as a consumer, you know, when you're impacted by these bots when you're trying to purchase an inventory, but I can assure you there are people working very hard at retailers to, to try to give, you know, humans their very best shot at, at purchasing, you know, these things. It's, it's not a cynical effort on the part of the retailers. They're working very hard to, to give humans their very best shot, you know, relative to these bots that are out there.


CAROLE THERIAULT. Amazing. Now listeners, especially those of you in the retail space, I am sure you wanna learn more about Akamai and their security research and their services. And you can do this for free by visiting akamai.com/smashing. That's Akamai, A-K-A-M-A-I, .com/smashing. And Patrick Sullivan, CTO of Security Strategy at Akamai, thank you so much for sharing your insights with us.


SPEAKER_03. Thank you.


GRAHAM CLULEY. Great stuff. And that just about wraps up the show for this week. Chris, I'm sure lots of our listeners would love to follow you online and find out what your company's up to. What's the best way for folks to do that?


CHRIS KIRSCH. So if you want to follow me personally, Chris_Kirsch on Twitter, and runzero.com if you want to check out the cyber asset management solution. We have a free version for companies under 256 assets, so check that out. Thank you.


GRAHAM CLULEY. Super duper. And you can follow us on Twitter at Smashing Security, no G, Twitter must have a G. And we also have a Smashing Security subreddit, and don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.


CAROLE THERIAULT. And massive shout out to this episode's sponsors, Bitwarden, Akamai, and Kolide. And of course to our wonderful Patreon community, it's thanks to them all that this show is free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 293 episodes, check out smashingsecurity.com.


GRAHAM CLULEY. Until next time, cheerio, bye-bye, bye, auf Wiedersehen.


CAROLE THERIAULT. Um, Graham, you know how you were looking at that, what was it called, Pim Eyes or whatever it was. And you were looking at pictures of me. And then you made a comment that there was something really naked and nudie. Can you just confirm it was not me?


GRAHAM CLULEY. Oh yeah, it wasn't you, Carole. Well, I don't know. I mean, it's a bit difficult to tell.


CAROLE THERIAULT. Graham.


GRAHAM CLULEY. From that angle.


CAROLE THERIAULT. Graham. It was categorically not me.


GRAHAM CLULEY. It categorically was not you.


CHRIS KIRSCH. Yes.


GRAHAM CLULEY. I'm pretty sure. Yeah.


CAROLE THERIAULT. Thank you very much.


GRAHAM CLULEY. Just to stress.


CAROLE THERIAULT. Just making, underlining and bold.


GRAHAM CLULEY. And neither was it me, because possibly it wasn't just one person involved.

-- TRANSCRIPT ENDS --