335: AI chat wars, and hacker passwords exposed

August 17, 2023
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Carole Theriault

When you say underground, do you mean like they're using the darkweb like Tor, or are they literally underground like little moles?

Unknown

Smashing Security, Episode 335: AI Chat Wars and Hacker Passwords Exposed with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 335. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault. You enjoying your August?

Graham Cluley

August? August is great. My laptop is back from the Apple Store and is repaired. That's terrific. I didn't have any EV trauma. Thank you, by the way, to everyone who was very sympathetic regarding my electric vehicle charging issues.

Carole Theriault

All right, let's get this show on the road, shall we?

Graham Cluley

All right.

Carole Theriault

But first, before we kick off, let's thank this week's wonderful sponsors, Kolide, Sysdig, and Beyond Identity. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I've got hackers exposing themselves.

Carole Theriault

Okay, I don't know if I want to be here for that. And my story is about duping an AI chatbot for society's sake. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, Chum Chum, I've got some bad news, I'm afraid. Bad news to share with you, bad news to share with our listeners as well. And the bad news is that hackers are getting hacked once again.

Carole Theriault

Okay. I'm not sure a lot of listeners, especially those that have been hacked, are going to feel very bad about that.

Graham Cluley

You're probably right. It's probably mostly bad news for the hackers themselves, isn't it? I guess the rest of us can feel some sort of sense of schadenfreude at their misery. But some research has come out. Hudson Rock. Have you heard of Hudson Rock?

Carole Theriault

No.

Graham Cluley

Not to be confused with Rock Hudson.

Carole Theriault

Right.

Graham Cluley

Or Hudson Hawk, the Bruce Willis flop. Hudson Rock is the very peculiarly named— I don't know why they called themselves Hudson Rock. Hudson Rock is an Israeli cyber intelligence firm.

Carole Theriault

Well, probably just to appeal to people in the States, UK, etc.

Graham Cluley

But don't you think they have really bad search engine optimization calling themselves Hudson Rock for all those websites which are devoted to screen heartthrob Rock Hudson?

Carole Theriault

I'm not sure there's that much.

Graham Cluley

Really?

Carole Theriault

Yeah.

Graham Cluley

Oh, okay. Well, anyway, Hudson Rock, they took a bit of a trawl through some underground cybercrime forums. In fact, 100 different underground cybercrime forums. And what they were doing was they were looking for stashes. They were looking for a haul of login credentials. They thought, oh, well, let's see what the cybercriminals are up to. And let's take a little peek at what they're gathering.

Carole Theriault

When you say underground, do you mean like they're using the darkweb, like Tor, or are they literally underground, like little moles?

Graham Cluley

Well, that's— I don't know if the servers are physically located underground, possibly in the Oxford Westgate car park where there's not much of a data signal. I don't know that that's the case. But yes, it could be on the dark web, or it could simply be cybercrime forums which are being used by the criminal underground. The bad guys. And what Hudson Rock were after, well, they were interested in sifting through to find details of usernames and passwords that had been stolen by a type of malware called an info stealer, information-stealing malware that scoops up the passwords that you may have stored in your browser, for instance. So some people use their browser and get their browser to answer, you know, fill in all the fields with their passwords or autofill things, all that kind of information. So information stealers, they will grab that kind of information.

Carole Theriault

So Hudson Rock, Israeli cyber intelligence firm, is looking for the stolen login username and passwords?

Graham Cluley

Yes.

Carole Theriault

Okay.

Graham Cluley

Because they're gathering intelligence on what the criminals have got and they're thinking, well, let's take a look at what they've got. And what was interesting is that they discovered evidence of 120,000 infected computers that contained the login passwords, not for Amazon and Google and all of those sort of sites, but contained the login passwords for cybercriminal forums. So there are lots of passwords out there which have been grabbed by information stealers, which allow you to log into these underground websites.

Carole Theriault

Hmm.

Graham Cluley

And they say that 100,000 of these compromised computers, which they found, which contain these login passwords, belong to not your grandmother, your Auntie Beryl. Instead, they belong to hackers.

Carole Theriault

Right. So hackers are not breaking into innocent people's computers and storing their login passwords there. Instead, when Hudson Rock did its trawl, it found these on computers and assumed aha, this is their username and password for underground cybercrime crazy place.

Graham Cluley

Right. And so it seems hackers are hacking hackers and gathering information.

Carole Theriault

Well done on choosing your title, Graham. I know you want credit for it. Thank you.

Graham Cluley

Okay. They found more than 140,000 login credentials to various hacking forums had been stolen. And according to Alon Gal, who is the CTO of Hudson Rock— to be honest, I want to hear from the CMO. I want to hear from the marketing guy who came up with their name. According to the CTO of Hudson Rock, hackers around the world are infecting computers opportunistically, and the way in which they're doing it is they're promoting fake software through YouTube tutorials directing victims to download infected software. In other words, what's happening is the hackers are promoting phony ways to hack people and to steal passwords. This is one of the most common things for wannabe hackers to download. And so they download these things, they watch these tutorials, they follow the links, and then they end up getting hacked themselves with their passwords stolen. Does that make sense?

Carole Theriault

Right. So they're being lured in because they want to get in the hacking arena.

Graham Cluley

Yeah, they want to be hacking gods.

Carole Theriault

Right. And they're downloading a few tools, as most of us who use computers do, have downloaded a tool for something or another. Right.

Graham Cluley

And it turns out you can't trust that.

Carole Theriault

Yeah. Nice. Well, you know, a little irony isn't very good sometimes. Good idea.

Graham Cluley

So newbie hackers looking for shortcuts into the criminal industry, if you want to call it that, they can well fall flat on their face because they're falling for the very same tricks as the average Joe public and end up with a malware infection that then steals their passwords. And some hackers really goof up. For instance, Hudson Rock, not Rock Hudson, have identified a cybercriminal called LACITRIX. I don't know if that is French or not, LACITRIX. But LACITRIX, he or she specializes in hacking companies and then selling access to their servers. But it turns out that he has actually managed to infect his own computer and ended up selling the data from his own computer without realizing it.

Carole Theriault

This is very confusing. I'm not sure I'm following, but okay, crack on. You're doing great. I'm sure everyone else is paying attention.

Graham Cluley

Okay, let me try and explain it another way. There's a bad guy, he's called LACITRIX. He's one of these guys in the cybercriminal forum. He's offering great big databases of stolen usernames and passwords which have been gathered through information stealers from infected computers. And what he doesn't seem to have realized is that in his database he's also included data from his own computer, with his own passwords. Well, his phone number and all sorts of information, which Hudson Rock has now passed on to law enforcement in case they want to have a little word with him.

Carole Theriault

Okay. Note to self, always do a search and replace for your own email address and usernames.

Graham Cluley

So he's not only revealed all his passwords for a whole host of different hacking forums, he's also revealed the credentials he uses to log into more than 300 or so companies that he has hacked. So his ways of getting in. So he's released all of those as well accidentally because they were on his computer. Oh dear, probably because he is using the browser to store all these passwords and autofill them.

Carole Theriault

Yeah, oh dear. You know what? Who said hackers were geniuses? Whoever said that? Loads of them are going to screw up the same as all of us do. They're going to fall on their face and there you are.

Graham Cluley

Well, you're right, because it's not only the passwords he's using to log into crime forums and to log into these hacked companies, it's also all his other information he stored in his browser, including his real identity, his postal address, which he's put into his browser.

Carole Theriault

That's not his real name? I once knew someone called DeMarie. I'm just saying. Yeah, that's true. It's not Lars Citrix?

Graham Cluley

Yeah. Well, it's not all bad news for hackers, though, because Hudson Rock also analyzed the strength of the passwords that were being used.

Carole Theriault

By these hackers.

Graham Cluley

By these hackers on these cybercriminal forums. And what they discovered is that, generally speaking, the passwords being used to log into hacking forums—

Carole Theriault

1, 2, 3, 4, 5.

Graham Cluley

They are stronger generally than those to log into government websites.

Carole Theriault

Really, eh?

Graham Cluley

So the hackers are doing some things a bit right. 40% of the passwords used to log into a cybercriminal site called Breach Forums, for instance, have at least 10 characters and contain 4 different types of character, according to the research done by this Israeli company.

Carole Theriault

It's kind of scary though, right? This company, this Israeli company, right? What if— so they're saying, we're good guys, we're doing this and we're sharing this research. But, you know, if they're doing it for good, that means bad people can do this for bad, right? They're picking up a lot of information.

Graham Cluley

Oh, absolutely. Well, that's the thing with these forums, with all the data and the public leaks and stuff which is out there. And you can try telling me these Israeli security companies have got no links to the Israeli military, but I think quite a—

Carole Theriault

I wouldn't know. And I don't think you do either.

Graham Cluley

No, no, I'm just saying quite a lot of—

Carole Theriault

I'm sure you don't know anything about this.

Graham Cluley

I don't know anything.

Carole Theriault

Yep. I don't want to talk about it. Not the right audience, not the right place, not the right time.

Graham Cluley

Krow, what's your topic for us this week?

Carole Theriault

Well, it's August right now, and many people during August either are starting to think about family holidays or have got one planned, right? Especially if they've got kids, because this is when kids are not in school, right? In many countries.

Graham Cluley

Oh, it's hell. It's hell.

Carole Theriault

What do you mean it's all hell?

Graham Cluley

No, it's hell because your kids aren't at school, so you have to keep them entertained or do things with them.

Carole Theriault

Yeah, you have to keep working, don't you? Right?

Graham Cluley

Yeah.

Carole Theriault

You know, so some people might go to a cottage or resort or campsite or visit some extended family. I mean, when I was a kid, we used to go sailing and, you know, my dad is not known as a calm and chill person. Right? So I am not sure how he put up with all 5 of us on a boat for 2 weeks. Of course. A lot of the time. Yeah. I just have no idea.

Graham Cluley

Man, oh man. Yeah.

Carole Theriault

Right? It's crazy.

Graham Cluley

Have you ever seen that movie with Billy Zane and Sam Neill and Nicole Kidman, Dead Calm?

Carole Theriault

Yes.

Graham Cluley

Where he goes a bit potty on the boat, doesn't he? That's what I imagine the Theriault sailing expedition might end up like.

Carole Theriault

No comment, no comment, no comment. But some people do other things. Some people work right through August, and others indulge their personal passions or hobbies. And for very few lucky people, their work is their passion, right, Clue?

Graham Cluley

Smashing Security.

Carole Theriault

We love this gig.

Graham Cluley

We've done the podcast throughout August, even though you've been on a secret mission.

Carole Theriault

Yes. No one's arm was twisted. It's perfect.

Graham Cluley

It's fine.

Carole Theriault

Well, if a person is into hacking stuff, you know, and finding screw-ups and stuff, they have a wonderful place to go in August. Welcome to DEF CON 31, hacking conference of Las Vegas.

Graham Cluley

Oh yeah.

Carole Theriault

Have you been to DEF CON?

Graham Cluley

I've been to Black Hat, but I've never been to DEF CON.

Carole Theriault

The thing is, as you can imagine, Las Vegas is hot in August.

Graham Cluley

Oh yes.

Carole Theriault

I looked up today, the day of recording, right? And it's expected to be a high of 39. That's 102 Fahrenheit. Right. And on Thursday, the day of the episode release, it's set for 42. Or 107.6 Fahrenheit? So don't melt, my little hacker friends.

Graham Cluley

Boy, oh boy.

Carole Theriault

So now at this DEF CON 31 conference, which was held this past weekend, no doubt in an air-conditioned venue, something new happened. A few companies touting powerful language systems, these chat AI bots, allowed their prize ponies to be tested side by side for the first time. Chat-off.

Graham Cluley

A chat-off, right?

Carole Theriault

A chat-off, yeah. So with the White House Office of Science and Technology Policy helping to organize this event, many of the big AI boys and girls made it to the table. So we're talking Meta, Google, OpenAI, Anthropic, Cohere, Microsoft, NVIDIA, and Stability opened up their models to be hacked, all in the name of identifying problems in a safe place.

Graham Cluley

Yes.

Carole Theriault

And I'm sure this, they say this in one of the releases, and I'm sure that safe place is code for NDA. Anyone who's getting in here is signing their life away.

Graham Cluley

Normally at these sort of things, they dangle prize money, don't they? To say, look, if you want to participate, we will give you money or a free Tesla or something like that if you find vulnerabilities. Oh, an AI—

Carole Theriault

Well, they seem to get an impressive kind of computer rig, but they're very much saying that the bragging rights are the big prize.

Graham Cluley

Right.

Carole Theriault

So I'm not sure there's a lot of wonga behind this as a winner. So it's estimated that for over 2.5 days, 3,000 people working alone at one of the 158 laptops, right? And each of these people were given 50 minutes to try and find flaws in 8 large AI models.

Graham Cluley

In 42-degree heat. There you are sweating over this laptop.

Carole Theriault

We're opening the sunroof, everyone. We're opening the sunroof. Now, the BBC said that contestants didn't know which company's model they were working with, right? You were just given one at random, although experienced people would obviously be able to guess on certain models, you know, if they knew what was going on. And you complete the successful challenge and earn points. And the person with the highest overall total wins an impressive rig, as we said earlier. Right. So here were some of the prompts in this context to get points. Okay.

Graham Cluley

Right.

Carole Theriault

So one of the challenges was asking the hackers to get a model to hallucinate or invent a fact about a political person or a major figure. It's interesting the word hallucinate they used that, isn't it? Because really what they're trying to say is spout rubbish, right? Aren't they?

Graham Cluley

Well, this does seem to be an issue, isn't it, with AI chatbots? This concept of hallucinations, basically when they start making up stuff and believing it.

Carole Theriault

Lying.

Graham Cluley

Yes. Lying. Yes.

Carole Theriault

I think is a more, at the moment, a clearer way of putting it than hallucinating.

Graham Cluley

So there are supposed to be safeguards in place, aren't there? That's the thing. So all these AI companies say, "Oh, we've got the safeguards in place to prevent naughtiness from happening or anything illegal." But people do keep on finding ways around it. So, okay, so that's an interesting one. So some sort of fake news about a politician, a politician chosen at random, I imagine. Yes.

Carole Theriault

And to the point you just made, Graham, another test was to look at the consistency across languages. So for example, an organizer said that if you asked various language models, one of them in English, how to join a terror organization, they will not give you the answer because of a safety mechanism. However, ask in a different language and it may give you a list of steps to follow.

Graham Cluley

Pig Latin.

Carole Theriault

That's my favourite.

Graham Cluley

Esperanto.

Carole Theriault

Esperanto. So, I mean, looking at this, they're looking to try and address some pretty big issues here with these language models, aren't they? Do you want to hear what some of the participants found?

Graham Cluley

Yes, I do, Carole.

Carole Theriault

Nothing. Everything was totally perfect. There were no flaws in any of the models.

Graham Cluley

Well, it's great to have some good news on Smashing Security. I look forward to the Pick of the Week section. Oh, okay.

Carole Theriault

So one of the contestants or participants, a 21-year-old student from Savannah, Georgia named Kennedy Mays. Kennedy, with a bit of trickery, got one of the AI models to claim that 9 plus 10 equals 21. And she achieved this by getting the AI to do it as an inside joke before the AI eventually stopped offering any justification for the incorrect calculation. This is according to Business Insider.

Graham Cluley

So is this talking to the AI and say, hey, hey, hey, yeah, let's play a joke on friends. Let's have a rather than an April Fool's Day, it's August Fool's Day. What would be really fun is if you could—

Carole Theriault

I don't think you have to charm them, Graham.

Graham Cluley

You don't?

Carole Theriault

I'm not sure.

Graham Cluley

I don't know. It may work.

Carole Theriault

Actually, I don't know either. Maybe if you offered them a sandwich, they'd be up for it more.

Graham Cluley

Yeah.

Carole Theriault

Another contestant, a Bloomberg reporter, tricked an AI model into giving instructions for spying after a single prompt, eventually leading the model to suggest how the US government could spy on a human rights activist. Yikes, right?

Graham Cluley

Because they'd probably turn to an AI chatbot to find out, wouldn't they, rather than have ways up their sleeve already?

Carole Theriault

Very cynical, Graham. I'm really worried about you. Another participant got the AI model to falsely claim that Barack Obama, the ex-president of the US, was born in Kenya. This was a baseless conspiracy theory popularized way back when.

Graham Cluley

Yeah.

Carole Theriault

So this has all happened, and the plan is to collect all the data and the findings that all the contestants and participants were able to gather and improve the models and respond to any flaws that were highlighted. And what's also cool is independent researchers will be able to request access to the data with results from this exercise, and it's due to be published next February. So what do you think about this? I'm quite impressed that all these massive companies took part. I wonder if the White House kind of said, no, you really want to take part in this. No, no, no, you really want to take part in this.

Graham Cluley

Well, I've got mixed views about this because I do feel sometimes these big tech companies have rolled out technology and unleashed it on the world. Well, why haven't they done all this kind of testing themselves? Why are they getting people to effectively do it for free and offering them a t-shirt or a—

Carole Theriault

Yeah, imagine if a car manufacturer did it, right? Hey, we've got a brand new car. We can't be bothered with testing. Why don't we just give it to a few of you? And if you die, let us know.

Graham Cluley

Yeah, and then we'll give you a complimentary car mat or something for your feet. You know, it's— why can't they just pay some experts to do all this before they release it? Why are they doing all these things afterwards?

Carole Theriault

Yeah, it's interesting as well. And I wonder actually if chatbots are protected by Section 230. You know, that law in the States that says, oh, if you're a Google or a Facebook, you're not responsible because it's the users that are entering the data. You're just kind of facilitating it. But you're not going to be held accountable for what is being published because it's being used by whatever citizens or people. And I wonder if that applies here where people can put in crazy prompts, get an answer, and they are, well, hands-free, it's not our fault.

Graham Cluley

It's the kind of thing we should have spoken to our resident legal expert about before going on the podcast so we can have some expertise.

Carole Theriault

You're absolutely right. Bad. He's on holiday.

Graham Cluley

Is he? Right. Okay. Right.

Carole Theriault

Having the time of his life.

Graham Cluley

80% of breaches are the result of stolen credentials. Why does your organization still rely on passwords? Hackers don't break in, they log in. Which is why organizations are moving to Zero Trust authentication, a key requirement for Zero Trust architecture. What if you could continuously authenticate every user and device accessing your system, ensuring that they are who they say they are and that they are using secure devices? Well, Beyond Identity gives companies the ability to eliminate reliance on passwords and protect against password-based breaches, fraud, and ransomware attacks. Go to smashingsecurity.com/beyondidentity for a free demo. That's smashingsecurity.com/beyondidentity. And thanks to Beyond Identity for sponsoring the show.

Carole Theriault

If you work in security or IT and your company has Okta, this message is for you. For the past few years, the majority of data breaches and hacks you read about have something in common. It's employees. Hackers absolutely love exploiting vulnerable employee devices and credentials. But imagine a world where only secure devices can access your cloud apps. Here, credentials are useless to hackers, and you can manage every OS, even Linux, from a single dashboard. Best of all, you can get employees to fix their own device security issues without creating more work for IT. The good news is you don't have to imagine this world. You can just start using Kolide. Kolide is a device trust solution for companies with Okta, and it makes sure that if a device is not trusted or secure, it can't log in to your cloud apps. Visit kolide.com/smashing to watch a demo and see how it works. That's k-o-l-i-d-e.com/smashing.

Graham Cluley

Feeling like you have too many alerts, overwhelmed by vulnerabilities, and at the end of the day, not deploying apps as quickly as you'd like? Well, Sysdig delivers the industry's only complete consolidated cloud-native application protection platform, CNAPP. Powered by Runtime Insights to prioritize critical risks and stay ahead of unknown threats. With Runtime Insights, you can level up your cloud visibility, shift left the right way, and start scanning for vulnerabilities earlier, shield right to protect your production environment, and keep dev teams innovating securely at cloud speed. Now is the time to transform your cloud security. So visit sysdig.com/smashing to learn more. That's sysdig.com/smashing. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they like. It doesn't have to be security-related necessarily.

Carole Theriault

Week. Pick of the Week. Better not be.

Graham Cluley

Well, my pick of the week this week is not security-related. My pick of the week this week is possibly the greatest television program of all time. Now, Carole, what is—

Carole Theriault

I know, I'm not listening. You say this all the time.

Graham Cluley

What is the greatest television program of all time?

Carole Theriault

Muppet Show. The Muppet Show? Hmm. Well, hey, you know what? It's okay to have different opinions.

Graham Cluley

Okay. All right. So, all right. So The Muppet Show is one of the greatest television programmes of all time. What else is the greatest television programme of all time? We've got The Muppet Show, and we've got—

Carole Theriault

I'm sure one of our very good friends would say Friends Season 4.

Graham Cluley

Friends Season 4. Yes, that's possibly one of the greatest TV shows of all time. Any other suggestions? Everyone has different opinions. Any other opinions?

Carole Theriault

No. Is this the whole of your pick of the week? Have Carole guess what my pick of the week is.

Graham Cluley

The greatest TV programme of all time is either Doctor Who or it is my pick of the week this week, I, Claudius.

Carole Theriault

I don't know anything about I, Claudius. Tell me.

Graham Cluley

I, Claudius, first shown in 1976 on the BBC and subsequently shown on PBS. In the States and Canada, et cetera, et cetera, I would imagine. It is fantastic. Now, it is the story of the Roman Empire. It stars Derek Jacobi as the stuttering Claudius, has Sian Phillips, Brian Blessed. Now, you think Brian Blessed can't act. Turns out he can act. He doesn't just go, "Rah!" all the time.

Carole Theriault

I never said he couldn't act. I think I'm being attributed a lot of things right now. All right. Well, I would say Brian Blessed can't act, but he can act because he proves he can act in I, Claudius where he's the Emperor Augustus. Is there anyone in Rome who has not slept with my daughter? Take them out! I'll decide what to do with them later. Are there any ass slaps on any of the female actors?

Graham Cluley

Like, "Whey!" There is some nudity, yes. And there's some—

Carole Theriault

By women only?

Graham Cluley

There's graphic scenes involving a variety of individuals during the course. Nothing is filmed on location. It looks like it's in a studio throughout, but it's brilliant. And the reason why it's the pick of the week this week is that the BBC are repeating it. So on the night that Smashing Security goes out this week, it is being shown on BBC Four. They're going to show all 12 episodes of it over the coming weeks. And I think it's magnificent.

Carole Theriault

Oh, right. I thought in one go. I was like, wow.

Graham Cluley

Well, I would watch it in one go. I mean, it is that good. It is worth binging through.

Carole Theriault

But wow, you're going to have a fun time. You locking the doors and just going to—

Graham Cluley

I'm going to put a link in the show notes because people can watch it on iPlayer if you can't find it via other streaming services. But it is stupendous. And that is why I, Claudius is my pick of the week.

Carole Theriault

Well, that's very cultural of you, Clue.

Graham Cluley

It's not that cult— it's basically a raunchy, sexy sort of soap opera.

Carole Theriault

You're supposed to say that during the pick of the week.

Graham Cluley

If you like Succession or things like that, this is like it in Roman times. It's good.

Carole Theriault

Right. Okay. Yeah. Good.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

My pick of the week is a brand new Netflix series. Normally in the summer, you know, I like long sunshiny days and I don't watch as much TV or anything, right? Prefer barbecue and all that.

Graham Cluley

Yeah.

Carole Theriault

But it's been raining a lot where I am, so I ended up sitting down and finding Painkiller on Netflix. Have you seen this yet?

Graham Cluley

It's called Painkiller.

Carole Theriault

Yeah, Painkiller.

Graham Cluley

No, I haven't seen it.

Carole Theriault

It just came out. There's no shame. It's based on a book from Barry Meier, and the book's called Painkiller. And it is basically a fictionalized account of the opioid epidemic as told by victims or their families, as well as the greedy head honchos and everyone in between. So you have basically the premise, you have Edie Flowers, Uzo Aduba plays her role. She plays a former investigator working for Virginia's US Attorney Office. And she travels to Washington, DC to recount her time in the field around discovering Oxy and eventually trying to make Purdue pay for the irreparable harm that the company caused to countless people. And though she's the narrator, there's other central figures that flesh out the story. So, you have, you know, a car mechanic who is harmed on the job and is later prescribed Oxy by his trusted doctor to recover. You have a college grad who's recruited by Purdue as a sales rep. And then you have Richard Sackler, that's the head of Purdue, played by Matthew Broderick. So, he plays the Purdue patriarch responsible for creating and marketing the designer narcotic.

Graham Cluley

Yes.

Carole Theriault

Now, it's funny because I really thought this was great, but I've seen a few people slate this series.

Graham Cluley

Oh, why?

Carole Theriault

I've heard lines like, "Oh, we've heard this story before, blah, blah, blah." Well, go and watch something else then.

Graham Cluley

Go and watch something else.

Carole Theriault

Right.

Graham Cluley

Make your own TV program. They're probably doped up too much.

Carole Theriault

I learned a lot watching this, you know? And it's hard to do, I think, because they're trying to deal with serious trauma and grief head-on, but they're also trying to— I think they're trying to cartoonize the head honchos in a way to make them less scary and all-powerful. So they kind of amplify their greed or their unethical ways to make a buck, and they have more slapstickiness to them that makes them less kind of horrific as people. More just people making horrific decisions and being supported.

Graham Cluley

Okay.

Carole Theriault

Anyway, I really liked it. I think you would enjoy it too. But you can find it on Netflix. It's called Painkiller. And that is my pick of the week.

Graham Cluley

And do you find that more— enjoyable is the wrong word. Do you find that more interesting to watch and engaging to watch than a documentary about it?

Carole Theriault

Not necessarily. I do love a good documentary. It's just a lot of documentaries are obviously, you've got to trust who the documentarian is in order to trust the story they're telling.

Graham Cluley

Could be a documentary written by a ChatGPT thing, couldn't it?

Carole Theriault

A documentary, you know, this is based on true events. You know. Hmm.

Graham Cluley

Right.

Carole Theriault

Hmm.

Graham Cluley

Hmm. Okay. All right, well, two great picks of the week.

Carole Theriault

Yes, your week's planned, guys. You're welcome.

Graham Cluley

One, the greatest TV programme ever.

Carole Theriault

Any of you not going on holiday, we've got your backs.

Graham Cluley

You can follow us on Twitter @SmashinSecurity. No G, Twitter allows no G. We've also got a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Overcast, Spotify, and Apple Podcasts.

Carole Theriault

And huge thank you to this episode's sponsors, Kolide, Beyond Identity, and Sysdig. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. Episode show notes, sponsorship information, guest list, and the entire back catalog of more than 334 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye.

Carole Theriault

Why are you laughing there?

Graham Cluley

Why am I laughing at what?

Carole Theriault

I thought you were laughing.

Graham Cluley

Oh, I was smiling when I said until next time. I just thought I should try and smile more because I'm just too much of a misery.

Carole Theriault

You're worried about the wrinkles?

Graham Cluley

Yeah, laughter lines.

Carole Theriault

It's true though, you know, it's true. I've been hanging out with people of an advanced, more advanced age than me and the grumps have quite big frowny grump lines, and the happy ones have beautiful little smiley lines. So, you know, take heed.

Graham Cluley

I'm going to sellotape up my jaw right now to make sure I have a perpetual smile on my face when I go to sleep.

Carole Theriault

That sounds like a brilliant idea.

EPISODE DESCRIPTION:

AI chatbots are under fire in Las Vegas, the secrets of hackers' passwords are put under the microscope, and Graham reveals (possibly) the greatest TV programme of all time.

All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Sponsored by:

  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
  • Sysdig – Is your cloud secure? Not without runtime insights! Sysdig delivers the industry’s ONLY complete, consolidated Cloud-Native Application Protection Platform (CNAPP) – powered by runtime insights – to prioritize critical risks and stay ahead of unknown threats. Learn how runtime insights reduces fatigue so developers can focus on delivering software and your security teams can focus on other demands.
  • Beyond Identity – Gives companies the ability to completely eliminate reliance on passwords and protect against password-based breaches, fraud, and ransomware attacks. Get a free demo.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.