It could be a case of aCropalypse now for Google Pixel users, there's a warning for house buyers, and just why is TikTok being singled out for privacy concerns?
All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Stop pixelating! New tool reveals the secrets of "redacted" documents - Hot for Security.
- Google Pixel exploit reverses edited parts of screenshots - The Verge.
- Tweet by researcher Simon Aarons - Twitter.
- aCropalypse demo.
- Samsung 'Fake' Moon Shots Controversy Puts Computational Photography in the Spotlight - MacRumors.
- Android phones can be hacked just by someone knowing your phone number - Graham Cluley.
- BBC advises staff to delete TikTok from work phones - BBC News.
- TikTok: UK ministers banned from using Chinese-owned app on government phones - BBC News.
- TikTok banned from official Welsh government phones - BBC News.
- Danish public broadcaster advises staff against using TikTok - BBC News.
- Canada bans TikTok on government devices - BBC News.
- European Commission bans TikTok on staff devices - BBC News.
- New bill would ban TikTok in the US but it faces long odds - BBC News.
- A Retired Teacher and Her Daughter Were Scammed Out of $200,000 Over Email: 'I'm 69 Years Old and Now I'm Broke and Homeless' - Entrepreneur.
- Retired Colorado teacher left homeless and broke after scammers hijack house sale - MSN.
- Homebuyers scammed out of nearly $200,000 - YouTube.
- Stolen life savings Vickie and Sarah Ragle - Go Fund Me.
- The Play That Goes Wrong.
- The Goes Wrong Show 90 Degrees clip - YouTube.
- The Goes Wrong Show Series One - Amazon Prime.
- Poo Pays.
- MiniPresso NS2 - Wacaco.
- Restart Podcast - BBC.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff).
Sponsored by:
- Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
- Drata – With over 14 frameworks including SOC2, GDPR, HIPAA, and ISO 27001, Drata gets you audit-ready for crucial security standards needed to scale your business. As a listener to Smashing Security you can save 10% off Drata and have implementation fees waived.
Support the show:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
Thanks:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Privacy & Opt-Out: https://redcircle.com/privacy
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. They've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
CAROLE THERIAULT. Thom, are you still there? Are you busy right now?
THOM LANGFORD. I'm busy contacting all my friends on Android, pointing and laughing.
UNKNOWN. Smashing Security, episode 314. Photo cropping bombshell, TikTok debates, and real estate scams. With Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 314. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we are joined this week by a special guest, very special.
CAROLE THERIAULT. None other than Host Unknown's—
THOM LANGFORD. Sole founder.
CAROLE THERIAULT. I was going to say, yes, I was going to say main host, one of the hosts from Host Unknown, Thom Langford.
THOM LANGFORD. That's right, it is me. This is not Javvad Malik or Andrew Agnes. This is Thom Langford, sole founder. I know you don't have the other two on very often because they're a bit crap. But I'm back.
CAROLE THERIAULT. They just have jobs. They're busy. They're very busy people. You know, we screwed up last week. I got a few emails from irate Canadians complaining that you don't know where Vancouver is.
GRAHAM CLULEY. Oh.
CAROLE THERIAULT. Because you said East Coast instead of West Coast, and I didn't spot it even in the edit. So apologies to all my people. I just don't listen to Graham very often.
GRAHAM CLULEY. I just— Yeah, there were some complaints from my end. Of course I know it's on the West. I can't believe I said East.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. Vancouver sounds like a Dutch vacuum cleaner. So it's in the cupboard, isn't it?
GRAHAM CLULEY. Oh my, so corny. The dad jokes galore.
CAROLE THERIAULT. Before we kick off, let's thank this week's sponsors, Bitwarden, Kolide, and Drata. It's their support that helps us give you the show for free. Coming up today's show, Graham, what do you got?
GRAHAM CLULEY. Oh, I'm going to be telling you all about the Acropolis.
CAROLE THERIAULT. Ooh, okay. And Thom, what about you?
THOM LANGFORD. Well, I'm going back to an old favourite, TikTok. Woohoo!
CAROLE THERIAULT. Oh, good. And I'm going to be talking about how to buy a house in Lakewood, Colorado. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, chums, it's 1974.
CAROLE THERIAULT. No, it's not.
GRAHAM CLULEY. It's the middle.
CAROLE THERIAULT. It's really not, Graham.
GRAHAM CLULEY. It's the middle of the Watergate crisis. You are Richard Nixon. And you have been ordered to produce transcripts of all the secret tapes you've been recording at the White House. But you've got a problem. You've got a problem. Lots of rude words being used in the White House. It turns out when people, you know, there's a lot of, you know, chuffing this and Jimmy Carter that. Libbity-jibbit. Yep. Belgium. Holy Zarquons singing fish. All kinds of stuff is coming out. And oh, it's going to be so embarrassing if that gets out into the public domain, all those or that rude word. So what did they do? They deleted the expletives. "Expletive deleted" was the phrase.
CAROLE THERIAULT. Redacted.
GRAHAM CLULEY. They redacted. And in the transcript, wherever it was a rude word, they didn't write the rude word. They wrote "expletive deleted" is what they wrote.
CAROLE THERIAULT. Someone should write a rap song with that. That's great.
GRAHAM CLULEY. Yeah, you could do, I suppose. And as governments, agencies, businesses around the world, they all realise if you don't want a sensitive or embarrassing or awkward piece of information to be shared, in a document that you're posting online, redact it, right? You should always be careful about what you share.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. And sometimes the redaction goes wrong. So I remember a couple of times I've written about this, the UK's MoD, Ministry of Defence, have accidentally leaked secrets about radar defences and nuclear submarines because they publish PDFs online. And the way in which they did them was they placed a little black bar over the words they didn't want there. And unfortunately, with a PDF editor, you could go in—
THOM LANGFORD. Delete the black bar.
GRAHAM CLULEY. And delete the black bar and see the words beneath.
CAROLE THERIAULT. Select all. Can you do a search and replace for the black bars?
GRAHAM CLULEY. Maybe you can.
CAROLE THERIAULT. Replace with nothing.
GRAHAM CLULEY. Maybe you can. Maybe there's an unredact option. So yeah, so if you redact the wrong way, that doesn't work very well. Not a great idea. And of course, it's also relevant for screenshots. It's not just documents. So a lot of people will pixelate out things, but black boxing—
CAROLE THERIAULT. This is nothing new. I had friends in high school that used to do this. There'd be something on the bathroom wall about them, and they would be trying to erase it by using a marker or some pens or something on top of it. And you could always often see through.
GRAHAM CLULEY. It makes perfect sense.
CAROLE THERIAULT. Yeah. Liquid paper was the stuff that you would—
THOM LANGFORD. With some determination, Carole, you could always find that phone number you were looking for.
GRAHAM CLULEY. If you were using liquid paper or Tipp-Ex on the computer monitor, Carole, that would obscure it for you, but not for other people. Just so you know, doesn't quite work like that.
CAROLE THERIAULT. Okay, thanks.
GRAHAM CLULEY. But some people try and pixelate, don't they? They pixelate the text. But boffins have created tools that can take pixelated images and unpixelate. They can work out what the words are likely to be underneath. So those tools exist. So you should never really blur or swirl text.
CAROLE THERIAULT. If you want to overwrite it in an image, you should, because it could always be unswirled.
GRAHAM CLULEY. It could be unswirled. And so much better, I would think, to cover it with random generated noise or just to cover the text with an opaque black bar in an image. And then obviously don't save it as layers. So if it's a merged down flat image with a black bar and then no one can see what's going on underneath, right?
So if you do that, if you overwrite something with a black bar in an image, or if you crop out sensitive parts of the image. So imagine, Thom, you have an image of yourself. Maybe you're a client. Maybe you want to show off your manly chest. You've been pumping iron.
THOM LANGFORD. It has been known. My pink hairy vest with the two buttons.
GRAHAM CLULEY. And you know, you're pretty proud. Right, and you happen not to be wearing any trousers, okay?
THOM LANGFORD. Often, oftentimes. I mean, it's what, Tuesday today? So yes.
GRAHAM CLULEY. So you take a selfie. So you stick up your smartphone up in the air, you know, to give it—
THOM LANGFORD. Glad you qualified that.
CAROLE THERIAULT. Because you want—
GRAHAM CLULEY. You want an image from a good angle. It's not, you don't want to show any sort of— You never want to take an image from below your chin, do you? You want to have it above your chin.
CAROLE THERIAULT. You're doing the princess style face, you know, face down, eyes up, chin down.
GRAHAM CLULEY. So you're taking that image, but afterwards you think, oh, I have left a little bit too much in the image. So what I'll do is I'll crop it, I'll crop it at my belly button, and then they'll just see my manly chest. They won't see anything which is going on beneath.
CAROLE THERIAULT. They won't see Mr. Pee-wee, right? Okay.
GRAHAM CLULEY. You would think that sharing that picture would be safe, wouldn't you?
CAROLE THERIAULT. Now, can I just ask where you're cropping this picture? So is this on an iPhone or it doesn't matter?
GRAHAM CLULEY. In this particular case, and this is why it wouldn't be Thom, because I know Thom absolutely loves Apple hardware. In this particular case, it's happening on an Android Google Pixel smartphone using the default markup tool.
THOM LANGFORD. Oh my God. It doesn't keep it in the metadata or something, does it?
GRAHAM CLULEY. Well, well, well.
THOM LANGFORD. Holy moly.
CAROLE THERIAULT. Okay, keep going. Tell us, tell us, tell us.
GRAHAM CLULEY. So.
CAROLE THERIAULT. I think someone in the show is sweating and it's not me. So, boffins.
GRAHAM CLULEY. That's brilliant. Discovered that there is a flaw in the standard tool used to edit images on Google Pixel phones. That makes the seemingly impossible be possible. So this flaw, which they have called aCropalypse, which I think is— Got it.
CAROLE THERIAULT. Very cute.
GRAHAM CLULEY. Let's give it a clap, right?
CAROLE THERIAULT. Yeah.
GRAHAM CLULEY. Hand clap. It's pretty good.
THOM LANGFORD. Yeah.
GRAHAM CLULEY. So it has made it possible to take a previously cropped image posted on the internet and at least partially recover what was cropped out of it.
CAROLE THERIAULT. Based on the metadata?
GRAHAM CLULEY. Not on the metadata.
CAROLE THERIAULT. No?
GRAHAM CLULEY. No, not specifically.
THOM LANGFORD. But some embedded data somewhere, right?
GRAHAM CLULEY. Exactly, exactly. So the metadata normally is the EXIF information as to when and where it was taken and what kind of camera and all of that guff, which we all know about. But in this particular case, what markup does is if you edit an image and then resave it, the way in which it resaves its data is it says, is this new image shorter or taking up less data than the previous image? And if that's the case, it won't truncate the entire file. It keeps whatever was there at the end still there. It's not visible in the image viewer. So you think everything is fine, but there's still—
CAROLE THERIAULT. Right, and you're thinking, here's a hot picture of me or titillating, you know, not, oh God.
GRAHAM CLULEY. So this works both with cropped images and also images where you've changed the image. For instance, and this is what these two boffins, Simon Aarons and David Buchanan, they are the ones who found this vulnerability. They took an image which they found on Discord of someone who posted up a picture of their credit card saying, hey, look at me, I've got this new credit card. And they'd blacked out the entire credit card number.
CAROLE THERIAULT. Right.
GRAHAM CLULEY. And they were able to recover it, find out what the credit card number was. And they've actually created a website where you can upload images taken on your Google Pixel device and see what image may still be remaining there.
CAROLE THERIAULT. Thom, are you still there? Are you busy right now, or?
THOM LANGFORD. I'm busy contacting all my friends on Android, pointing and laughing. And then, what is it, the— That emoji with the purple fruited emoji.
CAROLE THERIAULT. The aubergine.
THOM LANGFORD. Aubergine, thank you. I could only think of the name that I was thinking of it of. But yeah, I'm just tweeting that to them.
GRAHAM CLULEY. So just imagine, right? It may not be that you're redacting your phone number. It may be that you've got a saucy snap.
THOM LANGFORD. Yeah.
GRAHAM CLULEY. It happened in an Austin Powers movie where Liz Hurley is there with a couple of watermelons. And Austin Powers has a great big teapot. And they're positioned in particular—
THOM LANGFORD. And then a sausage, and then whatever it was. Yeah.
GRAHAM CLULEY. A cushion and a—
CAROLE THERIAULT. Redact the teapot.
GRAHAM CLULEY. Well, no, you may have taken an image, an amusing image with an inflatable item or with a teapot or a chipolata or whatever it may be, covering your modesty. And you could have shared it with someone. Isn't this funny? They can't see anything really. But now they could take that image and see what was there before.
THOM LANGFORD. Wow.
GRAHAM CLULEY. Ouch.
THOM LANGFORD. That does remind me a little bit of, you know, the Samsung moon shots that they do, the advert that's on telly at the moment. You can take these most amazing moon shots.
GRAHAM CLULEY. I don't know, what's all that about?
THOM LANGFORD. Yeah, so there's a Samsung advert on your mobile phone, you can take these amazing moon shots, and people who've got, you know, proper cameras and telescopes are saying, oh, give me your photo because it's so much better. And it turns out that actually the moon shot that you took is basically artificially generated. And they proved this by putting a blurry photo of the moon in a dark room taking a photo of it and getting a perfectly crisp picture of the moon back from the camera.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. Because they know what the moon looks like.
THOM LANGFORD. The moon looks the same wherever you are in the world, right? It doesn't spin. So yeah, great. Take some great shots of the moon, but they weren't taken by you.
CAROLE THERIAULT. Wow.
GRAHAM CLULEY. Unbelievable. Well, this flaw has existed on the Google Pixel phone with this markup tool for about 5 years.
THOM LANGFORD. Oh, there's a treasure trove out there.
UNKNOWN. Are you sweating yet, Thom?
THOM LANGFORD. No, I'm an iPhone guy.
GRAHAM CLULEY. Exactly. So the good news is Google's March 2023 security update fixes the flaw. The bad news is that they haven't issued their March 2023 security update for some Pixel users yet, for some particular Pixel devices. And people are already waiting for that update because there's another problem at the moment with Android.
Whereby if you know somebody's mobile phone number, that can be enough to hack their phone on particular devices because of the modem chipset. So you do want to update your Google Android device. The worst news of all, though, is, as Thom suggested, Google hasn't invented a time machine to go back 5 years.
CAROLE THERIAULT. That's what I was just going to ask. Of course, they're not going to retro— yeah.
GRAHAM CLULEY. Because there's all those images out there already. It's too late. It's no longer under your control.
CAROLE THERIAULT. Well, I just want to shout out to all the people right now who are owning Google Pixel phones and are madly going through their pictures, deleting any that may—
THOM LANGFORD. I'm just reminded of that Simpsons character.
CAROLE THERIAULT. Ha ha! Oh. Not very friendly at all.
GRAHAM CLULEY. You saw all the grief we got from Canadian listeners last week. Now you've angered all the Android users.
CAROLE THERIAULT. They were right, come on. They were right, and it's more embarrassing for me than you, trust me.
THOM LANGFORD. Give me a coffee, guys. I agree.
GRAHAM CLULEY. Thom, what's your story for us this week?
THOM LANGFORD. So my story, we are going back to TikTok yet again. I mean, this seems to be the story that doesn't go away. So TikTok, as I'm sure you will all know, is the favourite social media app of teenage children and middle-aged men, it would seem, mainly because the algorithm constantly delivers everything you want based upon what you watch. So if you like, you know, nubile young people dancing and jiggling, then that's what you're going to get for the rest of your life until 3 AM when you start questioning your life choices, Javvad and Andrew.
CAROLE THERIAULT. But I've heard that— I've heard in America alone, this is on New York Times podcast, The Daily, they are saying that 1 in 3 devices have it installed in the US.
THOM LANGFORD. Yeah, doesn't surprise me.
CAROLE THERIAULT. It's insane to me.
GRAHAM CLULEY. I've never used it.
THOM LANGFORD. No, I'm not.
CAROLE THERIAULT. Me neither.
THOM LANGFORD. I've never used it, partly because I don't have to. I get all the best content reposted onto my WhatsApp group with Jav and Andy mainly. So, you know, I get the curated format, but it's insanely addictive.
I know my kids are on it and they use it, not to the extent that, you know, middle-aged men do, I must admit, you know, staying up until stupid hours. But nonetheless, it's a very successful platform.
It's, you know, lots of people have monetized on it and made a lot of money out of it, etc. And of course, it's owned by a company in China, ByteDance, which makes that very, very sensitive.
Now, there have been a number of stories like this, but the most recent one, which I actually think is the company in question using a little bit of a diversionary tactic myself, is the BBC. They have instructed all of their staff to remove TikTok from their company phones.
Presumably in response to the UK government saying all civil servants and anybody who works for UK government to remove TikTok from their company or organizational phones because there's this big thing about China snooping and using the app to track people, to track habits, to gather data, etc., etc., none of which has actually been proven. In fact, you know, apart from the standard social media thing.
Now, the thing that gets me here, and I said, apart from the BBC's timing of let's put this out so that people will stop talking about Gary Lineker, but apart from the timing, it makes me feel— and we talk about this on the other security podcast, but the fact is TikTok is probably more benign than say Facebook and Instagram. And Facebook and Instagram have been caught, well it's the same company, Meta, right?
And even, you know, Google generally and, you know, even LinkedIn, etc., etc. They have been caught multiple times with their hands in the tills of people's private data.
Twitter, for instance, gathered, this is a number of years ago, gathered everybody's mobile phone number under the premise of we will use this for two-factor authentication, we won't share it with anybody, this is purely for your security, and then sold those phone numbers and your personal data to third parties quite blatantly, paid the fine, moved on. Nothing, nothing.
CAROLE THERIAULT. 100%. But do you think, do you think it has anything to do with the political climate?
THOM LANGFORD. I think it's got everything to do with the political climate. Now I also think actually instructing people to remove TikTok from a company phone, there's nothing wrong with that.
Nothing wrong with that. You know, it's a company phone. You really should not be looking at all of that.
GRAHAM CLULEY. Well, it's a big waste of time, isn't it?
THOM LANGFORD. It's a waste of time. You should be looking at all that jiggly wonder on your work emails.
GRAHAM CLULEY. But some companies would think that.
THOM LANGFORD. Yeah, I would be very, very keen to find out if they're also saying you must also remove LinkedIn and any Google product. And yeah, Facebook and Instagram and all that sort of thing?
I would put money on the fact that the vast majority of them don't. You know, to be blunt, this smacks of politics generally and racism at the end of the day. If it's not to do with the fact that they are a Chinese company, then why are you removing it when there are other products that are gathering the data far more openly and far more egregiously. It's purely because they're a Chinese company.
CAROLE THERIAULT. Okay, so my view is slightly different. I wondered whether or not it was because of the political, you know, Xi Jinping and Putin hanging out a little bit, right?
GRAHAM CLULEY. And are they making TikTok videos, the two of them? It's rather like Huawei, isn't it, where there wasn't really any evidence—no, not at all. But something could happen. But what's strange to me is that people are saying, "Well, you can't use these apps anymore because they're written in China." It's like, well, the device you're running these apps on, your smartphone, where was that manufactured?
THOM LANGFORD. Yeah, exactly.
GRAHAM CLULEY. And hello, hello, House of Commons, your CCTV cameras, where do you think they were made? I mean, all technology comes from China, doesn't it?
CAROLE THERIAULT. Yeah, it's like Pinky and the Brain. I've had you at my sides for 40 years.
THOM LANGFORD. But here's the thing, I literally spent—I looked up the first article on the BBC website, and you'll see in the show notes there's a whole series of links there from the BBC website. I scrolled to the bottom, and you know how they have related articles. This was 2 minutes, and I immediately found straight after the BBC's article, down the bottom, the UK government says stop using it. And then you go to the bottom of that one, the Welsh government says remove TikTok go further down, Danish journalists told to remove TikTok.
Then the Canadian government is saying they have to remove TikTok. European Commission saying you have to remove TikTok. And then US is trying to ban it countrywide. It probably won't go through, let's face it, but nonetheless, that's the kind of knee-jerk reaction. And yet Facebook is doing far more, egregious data harvesting, probably doing far more in your opinion—well, what about the—
GRAHAM CLULEY. You don't know.
CAROLE THERIAULT. You don't know though. You don't know. I'm just saying they got caught a few times.
THOM LANGFORD. A few times? They get caught constantly.
CAROLE THERIAULT. Yeah.
THOM LANGFORD. And also, who was it who influenced—
CAROLE THERIAULT. I'm not advocating for Facebook.
THOM LANGFORD. Which platform influenced the US election more? TikTok, with its jiggly, bouncing, nubile young people in it, or Facebook and Cambridge Analytica? You know, those platforms are far more dangerous, but because they just happen to be American or on American soil, that's perfectly all right. And yet that data is being sold as well.
GRAHAM CLULEY. Thom, it would be remiss of me not to ask, are you getting a backhander from TikTok?
CAROLE THERIAULT. Yes, it sounds like all this new jiggling you keep on advertising.
THOM LANGFORD. No backhanding, no, nothing like that. Reach around in, nothing like that whatsoever from TikTok. I just think if we're going to ban TikTok, let's at least use the same measure. The threat and the risk of TikTok is the same, if not potentially less, than Facebook, Instagram, and all of the others. And yet they seem to be absolutely fine. And, you know, it does—
CAROLE THERIAULT. They're in jurisdictions, I guess, where the powers that be feel that they can have some kind of oversight or some—
GRAHAM CLULEY. Well, I'm pretty sure China thinks it can have some oversight over ByteDance, who are running TikTok as well. Without a doubt.
THOM LANGFORD. So yes. Yeah. And that was this week's rant of the week.
CAROLE THERIAULT. Yeah. Jesus.
THOM LANGFORD. Okay.
GRAHAM CLULEY. Wasn't it just—keep taking the blood pressure tablets. Carole, what's your—not pick of the week. What have you got for us this week?
CAROLE THERIAULT. Well, let me take you to Lakewood, Colorado. It is said to have breathtaking views. Close to 100 parks for residents to enjoy. It's about 8 miles from Denver, right near the Rocky Mountains. Just giving you a visual here so you can kind of feel it out.
GRAHAM CLULEY. Yeah, it sounds beautiful. Yeah, yeah, right?
CAROLE THERIAULT. Sounds idyllic, doesn't it? I mean, you can hike or camp or ski in the mountains, make friends with the local black bears and mountain lions that roam the place freely.
GRAHAM CLULEY. Okay, maybe not.
CAROLE THERIAULT. Or you can go into Denver, right? Eat at hippie eateries and go to the theater and all that. So it's no surprise residents Vickie and her daughter, Sarah Ragle, thought this was the place to be. Now, Vickie is 69, spent 42 years as a middle school teacher, retired this July, right, this past July. And she and her daughter made a plan that they would find themselves a dream home in the city of Lakewood, where Vickie would be able to enjoy her retirement.
GRAHAM CLULEY. Lovely.
CAROLE THERIAULT. And after some searching, they land on this cute little townhouse within their budget. But it wasn't Vickie's entire life savings. And the thing is, the whole house buying process is complicated. I mean, it's full of formalities and paperwork. And, you know, it's very clear for those who run the transactions, estate agents and lawyers and lenders. But I think it's daunting for the purchaser or the seller.
GRAHAM CLULEY. Yeah, yeah. Well, yeah, I think so. Yeah, can be.
CAROLE THERIAULT. I mean, especially if you haven't moved in decades and don't know, you know, you're not used to it.
THOM LANGFORD. Yeah.
CAROLE THERIAULT. So we have Vickie and Sarah Ragle, and they've gone through the whole process of buying and purchasing the house. They even start getting new furniture for the place. Two days before the closing date for the property, the mother and daughter duo get an email from the title company, and they write, "Hi, Vickie and Sarah. I went ahead and prepared the closing documents and closing statement with the closing date of Friday, the 3rd of March." Great. "Attached, please find the final closing statement. The amount due to close is $198,662.81." Polite reminder, it then says: "As we require funds to be remitted 48 hours prior to closing, kindly advise when you will be ready to remit the closing funds so I can forward the title instructions for your action." Okay.
GRAHAM CLULEY. Okay.
CAROLE THERIAULT. So, okay, so Vickie and Sarah, they don't want to lose this house.
GRAHAM CLULEY. Doesn't normally your solicitor handle all this, the money side of things? You give the money to the solicitor rather than—
CAROLE THERIAULT. Well, I don't know how it works in the States, actually. I know how it works here.
THOM LANGFORD. Yeah, I get it's slightly different there, but yeah.
CAROLE THERIAULT. Yeah, but they are a bit perturbed because previous conversations said that they would need to transfer the funds at the day of closing. Yeah.
GRAHAM CLULEY. Right?
CAROLE THERIAULT. Yeah. But Vickie responds saying, "Okay, I'll call in an hour and we can do that." And the title manager emailed back saying, "Don't call because I'll be in a closing, but here's the information," and provides all the details for the transfer of funds, right? So they give the title company the near $200,000, right?
And then they get an email saying, "Hi Vickie, we have just confirmed receipt of the funds pending. I will send an escrow confirmation receipt once recorded." So a few days pass.
Now Friday, day of closing. Vickie and Sarah go in to finalize the paperwork and pick up the keys for their brand new home.
They're greeted warmly. Vickie said in media, she said, "We went to the closing on Friday. Everyone was laughing and excited. We signed acres of paper. And then the title lady said, let me check your funds."
And the title lady comes back looking perplexed and asked Vickie and Sarah, "Where did you send the funds to?" And Vickie says, probably wide-eyed, "Sent them to you." And the response is, "We don't have them," says the title lady.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. So this is what I would say is a business email compromise. But I think a lot of people kind of think, "Oh, business email compromise, I don't need to worry about if I'm an individual, or I don't need to look out for those things. I'm not a business."
THOM LANGFORD. Yeah.
CAROLE THERIAULT. Exactly. It's not individual email compromise, right?
THOM LANGFORD. Exactly. So just to recap for some of our listeners, business email compromise, or BEC for short, it's what we call it in the trade. It's where criminals send an email message that appears to come from a known source making a legitimate expected request. So in this case, the scammers purported to be the title company, and it would easily dupe the person who's expecting to pay that kind of money for a house.
GRAHAM CLULEY. You see, I'm buying a house at the moment, and I had to engage solicitors and things, and they went out of their way to warn me of these type of scams. And they sent—
THOM LANGFORD. Oh, that's good. That's good.
GRAHAM CLULEY. And in the paper, not only in my conversations with them, but also in the pack of information they sent to me through the post, which they said, "Well, we're not going to send to you electronically. We need to check that you're not a rotter as well. We need to send it to your address." And there was all kinds of verification they had to do on my identity.
But there was this bit which said, "Watch out for scammers." They said it's very common for people to get, for criminals to get involved in the house buying process in an attempt to trick you into transferring the money into the wrong account. And so they said, "Look, we're not going to tell you that our account details are going to change or anything like that. You know, you're only ever going to deal with us. And if you have any questions, ring us on this number."
CAROLE THERIAULT. Yeah, that's great. Isn't that great?
THOM LANGFORD. Yeah. That does make a difference, doesn't it? But I think part of it is sometimes the criminals just know that you're buying a house because you've posted it on Facebook or wherever, or Insta or whatever, and they just sort of chance their arm with a dodgy email, as it were.
CAROLE THERIAULT. 100%.
THOM LANGFORD. But then in other cases, and certainly over here, many solicitor companies that handle the house sales are small companies. Their IT is either outsourced or their brother Dave runs it or whatever.
And so it's very easy potentially for their networks and for their email accounts to be compromised. And the emails actually come from the correct domain name, and they've read through the emails and they've got the tone of the people who are talking to you, and they've got all the relevant personal details and the actual things that aren't necessarily in the documents, you know, that they— you like being called Thom and not Thomas, for instance, and stuff like that. Because for a start, if somebody emailed me and said, "Hello Thomas," I immediately think, well, you're either my mother or you're a criminal, right?
CAROLE THERIAULT. Yeah, because I call you Thom-ass.
THOM LANGFORD. Yeah, exactly, exactly.
CAROLE THERIAULT. Well, it's—
GRAHAM CLULEY. It—
CAROLE THERIAULT. The shitty bit of this, right, is that 69-year-old Vicki, right, she said, all I could think of is now I'm homeless and broke. I'm 69 years old and now I'm broke and homeless.
Because the title managers aren't going to go, oh, poor you, you paid the wrong account, here's money. Exactly, right? Let's just go get the house. And it's unclear at this time how the scammers managed to infiltrate the communication chain. But she contacted the FBI in Colorado and the Lakewood Police, who I'm sure are all over this.
THOM LANGFORD. At least she didn't have to call Action Fraud.
GRAHAM CLULEY. Small mercies, right?
CAROLE THERIAULT. But as a silver lining— Yeah, as a silver lining to all this, Vicki's friend and coworker started a GoFundMe page. And as of today, it's currently at $132,600, which is pretty amazing and heartwarming. And it's good to know that there are some lovely people out there.
GRAHAM CLULEY. So I'm just going to go and create a GoFundMe page in her name now and see if I can put a link to it in our show notes.
CAROLE THERIAULT. Ah, sheesh, Graham, you're so heartless.
THOM LANGFORD. These houses don't buy themselves, you know.
GRAHAM CLULEY. Any company can say they're trustworthy, but with this week's sponsor, Drata, you can prove it. With over 14 frameworks including SOC 2, GDPR, HIPAA, and ISO 27001, Drata gets you audit ready for crucial security standards needed to scale your business.
Automated controls, over 75 integrations, and 24-hour monitoring keep your company in compliance without manual work. And with a new open API and plenty of customization, you can build your program your way. With over 360 five-star reviews, Drata is the highest-rated cloud compliance platform on G2. Countless security professionals from companies like Notion, Lemonade, and BambooHR have shared how crucial it's been to have Drata as their trusted compliance partner. So listeners of Smashing Security, you can get 10% off Drata and waived implementation fees at smashingsecurity.com/drata. That's smashingsecurity.com/drata.
CAROLE THERIAULT. Our sponsor Kolide has some big news. If you're an Okta user, then you can get your entire fleet to 100% compliance.
GRAHAM CLULEY. How?
CAROLE THERIAULT. If a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple. Kolide patches one of the major holes in Zero Trust architecture: device compliance.
Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date. Insecure devices are logging into your company's apps, but there's nothing there to stop them.
Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta. The moment Kolide's agents detect a problem, it alerts the user and gives them instructions to fix it.
If they don't fix the problem within a set time, they're blocked. Kolide's method means fewer support tickets, less frustration, and most importantly, 100% fleet compliance.
Wanna learn more? Of course you do. Visit kolide.com/smashing. That's kolide.com/smashing. And thanks to Kolide for sponsoring the show.
GRAHAM CLULEY. Our friends at Bitwarden have been busy this month, adding some fab new features to their open-source password management solution. Now, did you know that you can log into Bitwarden using a secondary device instead of your master password?
Well, now you do. Logging in with a device is a passwordless approach to authentication. It removes the need to enter your master password by sending authentication requests to other devices you're currently logged into for approval.
With Login with Device, it can be initiated on the Web Vault, browser extension, desktop app, or mobile app, and you can approve access on your mobile and desktop app versions of Bitwarden. Very, very cool.
And the Bitwarden team has hardened the security of its vaults, protecting new vaults with 600,000 iterations by default. And of course, existing accounts can also update themselves to the same level.
These and many other great security features are incorporated all the time into Bitwarden, keeping your passwords secure from hackers. Learn more, try Bitwarden for yourself at bitwarden.com/smashingsecurity. That's bitwarden.com/smashingsecurity.
And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
THOM LANGFORD. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app.
Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my pick of the week this week is not security related. This weekend, I took some friends and family out to the theater because a birthday was being celebrated.
Not mine, identity thieves, not mine. And we went to go and see a show in London called The Play That Goes Wrong. Have either of you seen The Play That Goes Wrong?
THOM LANGFORD. So good. They also do The Show That Goes Wrong and stuff like that.
They've got a series of— they have some TV shows. Brilliant. Brilliant.
GRAHAM CLULEY. It's absolutely— have you actually seen the stage show, Thom, or just—
THOM LANGFORD. I haven't seen the stage show, but I think they've had two seasons of stuff on The Show That Goes Wrong.
GRAHAM CLULEY. That's right. It's called The Goes Wrong Show. It's on BBC.
THOM LANGFORD. Yeah, that's it. The Goes Wrong Show.
GRAHAM CLULEY. Which I would recommend. You may be able to find it on iPlayer or maybe on Amazon Prime. I particularly love the one where I should explain first of all, that The Play That Goes Wrong and The Goes Wrong Show is about—
THOM LANGFORD. Clue's in the name.
GRAHAM CLULEY. Yeah, the clue is in the name. It's meant to be like an amateur theatrical group where everything goes wrong. They're trying to do a play and the props go wrong. They forget the words, disasters befall them.
THOM LANGFORD. They're also not very good, are they?
GRAHAM CLULEY. They're not very good as actors, but it's hilarious. Misplaced props, they forget lines, miscues, everything. I think the funniest one of the TV show, I think the one I liked the most was the one where they accidentally built the set at a 90-degree angle. Oh yeah, that's right, that's right, Bruce! But they carried on, so they moved the cameras to make it look as though it were horizontal, but of course it was really vertical and they were all sat at this table and people were delivering—
THOM LANGFORD. Clinging on for dear life.
GRAHAM CLULEY. It was clinging on for dear life. It was the most hilarious thing imaginable.
CAROLE THERIAULT. Anyway, is this current now or no?
GRAHAM CLULEY. Yeah, last few years it's been on the BBC and the play is playing right now in London. In fact, it's been London's longest running comedy, I believe, that is going. It's probably been going for about 10 years. I've actually seen The Play That Goes Wrong now 3 times.
CAROLE THERIAULT. Are you kidding me?
GRAHAM CLULEY. My son adores it and it is, I've never seen him laugh so hard at anything. If you like the TV show, this takes it to a whole other level and you just cannot believe what is happening on the stage with the stunts and the humour. It is bonkers. People get knocked out, so people are removed from the stage. Anyway, all kinds of shenanigans go on.
THOM LANGFORD. We said that, or I said that the actors are not very good. The actors are amazing at playing actors who aren't very good.
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. Yes. And the physical comedy and the imagination which is used in this show is quite extraordinary. Anyway, so my recommendation, I believe it may be also on a US tour at the moment. You can probably go and find out. If you are based out in the States, you may want to check it out. But otherwise, you can catch up on Amazon Prime or BBC iPlayer. So, my pick of the week this week is The Play That Goes Wrong. Really recommend it, hilarious. Thom, what's your pick of the week?
THOM LANGFORD. So I've got two, one very quick one and then a proper one.
CAROLE THERIAULT. You did this last time.
THOM LANGFORD. Many years ago when I first started work and we had Windows, I think it was 3.1 and then maybe just onto Windows 95, there was a little executable that was doing the rounds called PooTimer.exe. And when you ran it, this was before, you know, cynicism crept in and you had to make sure—
GRAHAM CLULEY. Sounds like a Trojan horse, Thom, I have to say. It's not something I'd run.
THOM LANGFORD. Yeah, but it wasn't. It may have been technically a worm because you sent it to everybody you knew as a result. But you see, you ran the app and it asked you your salary and, you know, either per year, per month, per week, asked you what percentage tax you pay. You type that in and up it came and a button that basically said, I'm going for a poo. So you click that when you went for a poo. This is at work, obviously. And then when you came back from work, from a poo, you click the button again, and it told you how much you got paid while you had a poo.
GRAHAM CLULEY. So let me get this straight, Thom. You're unhappy with companies banning TikTok, but you're quite comfortable running this poo timer programme inside your organisation?
CAROLE THERIAULT. Would you hold it in, Graham?
THOM LANGFORD. Is one not allowed to poo on company time? I'm going to have a word with HR.
GRAHAM CLULEY. Is this sensitive data being uploaded to the cloud somewhere in China, and they're making use of it?
THOM LANGFORD. But anyway, I've been searching for this, you know, a long time ago because I've got Parallels on my Mac. I could run this again.
GRAHAM CLULEY. Right.
THOM LANGFORD. But it doesn't exist as far as I can make out. But there is a new website called Poo Pays. And it's actually an app for your phone.
CAROLE THERIAULT. Available on Google Pixel.
THOM LANGFORD. Comes out. Yeah, exactly. Only on Android at the moment. I guess they're trying to work on the iPhone thing. It's not Rate My Poo, I just want to be clear, that's a very different thing entirely.
CAROLE THERIAULT. But blast from the past, literally.
GRAHAM CLULEY. That is a different site, yes.
THOM LANGFORD. Yeah, but I'm just saying you can soon work out how much you earn while going for a poo. So that was the quick one. So the other one, and this is the real one.
GRAHAM CLULEY. Yeah, give us your number 2 now, Thom. Yeah, yeah. Oh man.
THOM LANGFORD. That was good. That was good. So the real one, I have this wonderful little portable espresso maker, which I have with me because the coffee in the office I either have to pay for, or it's this horrible stuff out of an urn. And so I have a little portable espresso maker by a company called Wacaco.
And they do a range of these, and the one I have is called the Minipresso NS2. I did have the Minipresso NS as well because I like my gadgets, as you both know.
And what this one does, it's called the Minipresso because it uses the Nespresso pods, the ones you can buy in the shops. So I think Starbucks have got their own and Tesco's and etc., etc.
You pop this into the machine, screw the bottom on it, open up the top, pour in hot water, and then a little plunger comes out and then you pump it. And then it basically acts like an espresso machine and gives you a perfect espresso shot of coffee from your Nespresso pod.
CAROLE THERIAULT. And you like the pods because?
THOM LANGFORD. Because they're easy, convenient, and I get them for free in my hotel.
CAROLE THERIAULT. Oh, but your hotel machine doesn't make good enough coffee?
THOM LANGFORD. No, no, my hotel machine makes great coffee, but in the office I don't get access to that unless I pay for it.
GRAHAM CLULEY. So you're pinching these capsules from your hotel?
THOM LANGFORD. No, I'm paying for them.
GRAHAM CLULEY. Well, well—
THOM LANGFORD. I'm paying for them. Just like I pay for all the shampoo, the tea bags, and the conditioners.
GRAHAM CLULEY. Oh my God. And the dressing gown, the mattress, the pillows.
THOM LANGFORD. Ah, you see, no, I don't pay for those. I rent those. That's the difference.
CAROLE THERIAULT. How many hotel slippers do you have in your house?
THOM LANGFORD. Oh, none. But I've got a whole bunch of British Airways business class bags. Do you know what I mean? The little— and first class ones, actually.
CAROLE THERIAULT. Graham and I went and visited a friend's apartment once, and he lived in a very cosmopolitan city, so he had a very kind of bijou apartment, right? On the very high floor. And he had a very small bathroom, compact, bijou, and this ginormous fishbowl full of hotel shampoos.
THOM LANGFORD. Yes.
CAROLE THERIAULT. You couldn't actually have a waz on the loo without bending forward because it was a fishbowl, right? It was ridiculous. So you're one of those?
THOM LANGFORD. Yes, although actually it's now my daughter because she likes the shampoo and conditioner. And let's face it, I don't have a lot of use for shampoo and conditioner, in fairness.
But I do have a lot of use for good coffee, and I would highly recommend this. It's great for camping trips as well. So if you're going camping, if you're going out for the day, you know, all that sort of thing, you just have to take a thermos of hot water.
If you go to the website, you'll see they do other ones where you put ground coffee in. You don't have to use the capsules. You can get ones which you put just regular ground coffee in.
Really, really good. Not shockingly expensive, you know, it is an investment, not shockingly expensive, and everybody loves it, especially when you offer to make them a cup of coffee.
CAROLE THERIAULT. Oh, I see. It's a bit like having a lighter in the 1950s.
THOM LANGFORD. Yes, that's right.
GRAHAM CLULEY. I'm watching a video of the pump action. It looks a little bit like milking a cow. It sort of squirts out of the bottom, doesn't it?
THOM LANGFORD. So you're squeezing the side of the thing and it pours out the bottom.
GRAHAM CLULEY. You're right.
THOM LANGFORD. It's a little bit of a workout. Right. You know, if you're out of shape, you might start sweating. So, okay, you know, it could be a salted coffee if you're not careful.
But I'm getting uncomfortable.
CAROLE THERIAULT. Why am I getting uncomfortable?
THOM LANGFORD. I don't know.
GRAHAM CLULEY. Carole, what is your pick of the week?
CAROLE THERIAULT. Okay, we're back in safe territory, everybody. My pick of the week is a podcast called Restart.
So published by BBC Radio 4 Extra in September last year, and the plot is quite cute. Okay, there's a facility in the middle of the New Mexico desert designed to cure kids with video gaming addiction.
GRAHAM CLULEY. Right.
CAROLE THERIAULT. And so lots of parents send their kids there because they're obviously completely addicted to video games. And are they really a facility designed to cure the kids? Or is it something more sinister?
GRAHAM CLULEY. No.
CAROLE THERIAULT. So, they call it a mind-bending thriller. I would agree. I had a great time listening to the 8 episodes, getting deeper and deeper into the conspiracy, all while trying to answer the question, just what the heck is going on?
And I'm not a gamer, right? Everyone knows I'm not a gamer. So, you don't need to be a gamer to enjoy this audio drama.
But I would recommend it. I think— I don't know if you listen to audio dramas, Thom. Graham, I know, doesn't.
THOM LANGFORD. But I tend not to, I must admit. But I have been encouraged to listen to a few. But this looks good. As soon as I see the link, I might give it a go.
CAROLE THERIAULT. It's cute, this one. Yeah, it's— I think it's really cute. You might enjoy it.
I thought this would be a good one for you as you were coming on the show. So my pri— I was gonna say my prick of the whole thing.
THOM LANGFORD. That's no way to talk to your guests. This is outrageous. If I was wearing a wired microphone, I'd tear it off and walk out now.
CAROLE THERIAULT. Don't you think we should start doing that? We could have a little bit— we'd have nitpick of the week, prick of the week.
THOM LANGFORD. Then you could get Javad on.
CAROLE THERIAULT. Are we gonna bleep out their names every time they come on just to irritate them? So my pick of the week is Restart, a podcast from the BBC, from the makers of The Cipher, starring Armin Karima from Sex Education, for those that know it. So find it wherever you get your pods from.
And that's my pick of the week.
THOM LANGFORD. Nice.
GRAHAM CLULEY. Super. Well, that just about wraps up the show for this week. Thom, I'm sure lots of our listeners would love to follow you online. I don't know why.
CAROLE THERIAULT. I'm sure they would.
THOM LANGFORD. Why are you laughing?
GRAHAM CLULEY. What's the best way? What's the best way for folks to do that?
THOM LANGFORD. You can get me at ThomLangford.com. That's Thom with a TH. But that's also Thom Langford on Twitter, Thom Langford on Mastodon. Yeah, you can also find us at podcast.hostunknown.tv.
CAROLE THERIAULT. He's very available.
GRAHAM CLULEY. Terrific. And you can follow us on Twitter @smashinsecurity. No G; Twitter doesn't allow us to have a G. Smashing Security also has a Mastodon account. The easiest way to find us is at smashingsecurity.com/mastodon, and check out the Smashing Security subreddit as well. And to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Apple Podcasts and Spotify.
CAROLE THERIAULT. And huge, huge thank yous to this episode's sponsors, Bitwarden, Drata, and Kolide. And of course, to our wonderful Patreon community. It's thanks to you all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 313 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
THOM LANGFORD. Bye. Stay secure, my friends.
GRAHAM CLULEY. Stay secure.
CAROLE THERIAULT. I used to say that. I used to say that. Remember, it was stay secure.
GRAHAM CLULEY. You used to say it before Host Unknown used to say it.
CAROLE THERIAULT. I know, we've done everything before Host Unknown.
GRAHAM CLULEY. Now they've stolen everything. Yes.
THOM LANGFORD. Yes. We got it off Jav. We just do it to wind him up.
GRAHAM CLULEY. He stole it.
CAROLE THERIAULT. We had it at Sophos podcast about 15 years ago.
GRAHAM CLULEY. Yep. I know from that. 20 years ago, I'd say.
CAROLE THERIAULT. Yeah, whatever it is.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. And it was stay secure. We were making jokes at the end. Stay secure, people. Stay secure. Anyway, no, I'm just kidding. I don't know if he knows. It's pretty easy.
GRAHAM CLULEY. Copyright. Copyright.
CAROLE THERIAULT. Copyright.
GRAHAM CLULEY. Yeah.
CAROLE THERIAULT. Copyright.
THOM LANGFORD. You're copyrighting the words stay and secure. Aah!