Microsoft gets itself into a pickle with a privacy-popping new feature on its Copilot+ PCs, the FTC warns of impersonated companies, and is your company hiring North Korean IT workers?
All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by author, journalist, and podcaster Geoff White.
Warning: This podcast may contain nuts, adult themes, and rude language.
Episode links:
- Microsoft's new Windows 11 Recall is a privacy nightmare - Bleeping Computer.
- Statement in response to Microsoft Recall feature - ICO.
- Arizona woman charged in North Korean IT worker scheme that raised millions - CNN.
- Charges and Seizures Brought in Fraud Scheme Aimed at Denying Revenue for Workers Associated with North Korea - US Department of Justice.
- New FTC Data Shed Light on Companies Most Frequently Impersonated by Scammers - FTC website.
- Who’s who in scams: a spring roundup - FTC.
- Udio.
- Geoff's Labyrinth ext v2 - Graham’s AI song about Geoff White’s book “Rinsed”.
- “Nuclear War” by Annie Jacobsen - Amazon.
- The Patient - Disney+.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Kiteworks – Step into the future of secure managed file transfer with Kiteworks.
SUPPORT THE SHOW:
Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
FOLLOW US:
Follow us on Twitter at @SmashinSecurity, or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.
THANKS:
Theme tune: "Vinyl Memories" by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
Transcript
This transcript was generated automatically, and has not been manually verified. It may contain errors and omissions. In particular, speaker labels, proper nouns, and attributions may be incorrect. Treat it as a helpful guide rather than a verbatim record — for the real thing, give the episode a listen.
GRAHAM CLULEY. You may be wondering at this point if there are any privacy implications of what Microsoft's doing.
GEOFF WHITE. Thought never crossed my mind.
CAROLE THERIAULT. I think there are, I think there are.
GRAHAM CLULEY. It clearly didn't cross the mind of Microsoft.
UNKNOWN. Smashing Security, Episode 374: Microsoft's Recall Controversy. The North Korean Insider Threat with Carole Theriault and Graham Cluley.
GRAHAM CLULEY. Hello, hello, and welcome to Smashing Security episode 374. My name's Graham Cluley.
CAROLE THERIAULT. And I'm Carole Theriault.
GRAHAM CLULEY. And Carole, we're joined by a very special guest this week. It's author and journalist Geoff White. Hello, Geoff.
GEOFF WHITE. Hi, thanks for having me.
CAROLE THERIAULT. Oh, Geoff, it's wonderful having you back. How long has it been? At least 6 months.
GEOFF WHITE. It's got to be, yes. Yeah, yeah, yeah, yeah. Maybe even a bit more.
GRAHAM CLULEY. And the exciting news is that you've got a new book about to come out. Of course, you wrote Crime.com, you wrote The Lazarus Heist, and now this new one. What's that all about?
GEOFF WHITE. Exactly, yes. It's sort of going on from The Lazarus Heist. So as well, people might remember The Lazarus Heist, the podcast and the book, were about North Korea and its suspected hacks on financial institutions. And through that, I got interested in money laundering, 'cause actually—
GRAHAM CLULEY. Because the books did so well, you mean?
GEOFF WHITE. Or is that just— The unsurprising answer to that is no, that is not why I got into money laundering. That's not why anybody gets into writing books. 'Cause half the story of The Lazarus Heist wasn't actually about North Korea hacking at all. It was about laundering money through casinos and stuff. And so I was like, okay, well that's interesting. So the new book, "Rinsed," is out in June, June 13th, and it's all about that topic, money laundering, and particularly how technology is changing the world of money laundering. It's rocket fueling, I think we describe it in the blurb, the industry of money laundering. So that's what that's all about.
CAROLE THERIAULT. Brilliant.
GRAHAM CLULEY. Ah, it's interesting side of the discussion, isn't it? It's the other side of the equation. You've got the money, now what on earth are you going to do with it?
GEOFF WHITE. And this is the mad thing. I go to these financial crime conferences and look, obviously cybersecurity conferences, I know lots of the companies, obviously know lots of the speakers a lot of the time, you know, folks yourselves. Financial crime conferences, I go along, I don't know any of the companies, I don't know any of the speakers, but then they start talking and it's suddenly, oh, you're just at the other end of the pipe. Yeah, okay, you're just the other side of the equation here. So I really think there needs to be more, hopefully more collaboration, cooperation between cybercrime and financial crime. I think that'll be a healthy thing to do is my conclusion from this work that I've done.
GRAHAM CLULEY. Fantastic. I look forward to reading the book.
CAROLE THERIAULT. Yes.
GEOFF WHITE. Before we get started, there is something that's been bugging me a bit about your podcast. Oh, hello.
GRAHAM CLULEY. Watch out.
GEOFF WHITE. Which is this. As Carole's pointed out, I've been on before a few times. It's been great. And, you know, I was looking forward, obviously, to meeting you guys in real life, IRL, as the youth say.
GRAHAM CLULEY. Ah, I know what this is going to be about.
GEOFF WHITE. Well, yes, Graham, I have bumped into at a fair few conferences. And, you know, is Carole— oh, Carole's busy and stuff. And I've invited you along to a couple of events, and you're like, oh, I'm busy. 'Oh, I can't really come,' and stuff. And I thought, you know, fine, Carole is busy, but it just happened a few too many times. And so here's my hunch.
My investigative journalist spidey senses have been tingling, right? Rewind a few years and multiple podcast awards, right? Graham Cluley thinks I want a hit podcast. But Graham is, you know, male and British and middle-aged and by his own admission, 'commodiony,' I think is the correct word.
GRAHAM CLULEY. Yes, yep, sounds good.
GEOFF WHITE. I need a co-host who is, you know, at the opposite end of the curve. —commodity spectrum. Ideally somebody female, maybe somebody from another country, different accent.
And this is mulling around in Graham's head. And then he's flicking through the TV stations late at night, and he comes across the classic '80s sci-fi romp, Weird Science, and realises that he can create his— I put it to you, Carole Theriault, you are an AI chatbot created by Graham. Even now, am I seeing a picture of Carole? No, I'm seeing a picture of Graham. I'm not seeing a picture of Carole. And if I was, I would be counting the fingers, ladies and gentlemen.
CAROLE THERIAULT. Okay, so I'm going to say I'm not at all insulted that you think I'm a figment of Graham's imagination at all. That doesn't bug me at all.
GEOFF WHITE. You've got a very well-programmed Graham. Did you rehearse that answer there, or—
GRAHAM CLULEY. She's so much more obedient than the real one, you know.
CAROLE THERIAULT. I'm going to kick this show off. But first, let's thank this week's wonderful sponsors: Kolide, Kiteworks, and Vanta. It's their support that helps us give you this show for free.
Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY. I'm going to be talking about a privacy nightmare which might be coming to a PC near you soon.
CAROLE THERIAULT. Okay. And what about you, Geoff?
GEOFF WHITE. I'll be talking about the ultimate insider threat, North Korea.
CAROLE THERIAULT. Ooh. And I'm talking about top impersonated companies out there when it comes to scams. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY. Now, chums, how good is your memory?
GEOFF WHITE. Not good. Not good at all. I can't remember yesterday.
GRAHAM CLULEY. Yeah, that's the thing, isn't it? As we get older, our memory— well, my memory seems to deteriorate. Apparently it's something called the hippocampus, the area of your brain governing memory.
It can shrink slightly, and maybe that makes you more forgetful with age. It's not just age though. All of us, I think we naturally prioritize what we need to remember, right? So I need to remember where I live so that if I get off the bus, I know whether to turn left or right. That's kind of important.
CAROLE THERIAULT. Yeah, top headlines of the Daily Mail. Yeah.
GRAHAM CLULEY. I need to remember events like who my partner is so I don't, you know, end up in the bedroom with the wrong person. That sort of thing is important.
But the humdrum day-to-day stuff, like what I ate for lunch last Friday, no chance at all. And I've had my memory tested from time to time. Years ago, over 30 years ago, in fact, I was interviewed by police about a murder.
They turned up on my door. Yeah, it was— let me stress, I didn't commit the murder, at least not as far as I remember. But these police turned up on my door one night unexpectedly, knocked.
GEOFF WHITE. It's not a brilliant answer, is it? So far as I can remember. Kind of thing that would stand out in your mind, taking another person's life.
GRAHAM CLULEY. Was this like 2:00 AM?
It was about 9:00 at night on a dark— Oh dear. Scary night, yes, that would not be good for me.
And they knocked on my door and the house was a bit of a mess, to be honest. From the initial impressions, I might have come across as a bit of a serial killer, 'cause it was untidy.
And I said to them, "Look, I'd have tidied up if I knew you were coming." And they said, "We don't tend to pre-announce our visits, sir."
But they wanted to know where I'd been on a particular night the previous year.
GEOFF WHITE. Oh, that's my nightmare. Previous year?
GRAHAM CLULEY. Oh God, yes. So I said, "Well, I've got no idea."
And they said, "Well, it was the night of this big football match," and they named this couple of teams. And I said, "Oh, I cannot stand football," I explained.
And they went into the room where I had my computer. And you remember how you used to get those cover discs on the front of magazines with free games and things?
And I've got this computer magazine, and there on the cover disc was this football simulation game. And they picked it up, kind of went, "Uh-huh."
And I just thought, ah, and I was feeling so guilty. I thought, oh my goodness, this is going to be a miscarriage of justice.
I was just picturing myself in my typical operatic dramatic style, imagining this was the end of Cluley as we knew it. Because I would've found it really hard to put together an alibi.
'Cause who knows what I was up to or what I did, you know? I definitely didn't do it as far as I remember.
GEOFF WHITE. Again, with the "as far as I remember" thing, even now, Graham. That's a good point, I don't know why he's doing that.
CAROLE THERIAULT. Surely he does know whether he's done it. Allegedly, reportedly, I didn't do it.
GRAHAM CLULEY. That's what people will say at the government inquiries, don't they all? You know, if you're a president, if you took the witness stand—
If you're guilty! Yes, well, yes, okay.
Anyway, so I now try to make a note of anything that I should remember. You know, I keep my passwords in a password manager, securely locked away.
I bookmark my favourite websites so I can remember what websites I like to go to. I use a calendar to record where I'm supposed to be and when, and family birthdays.
GEOFF WHITE. Every time you murder someone, you make a quick note, you know.
GRAHAM CLULEY. Right, right, yes.
GEOFF WHITE. Did a murder today, you know, rough time, that kind of thing. Yeah, yeah, I get you.
GRAHAM CLULEY. I put a notch on the bedpost or something like that. I've got a tag around my neck saying, please look after this bear. Thank you. In case I get lost, all those sort of things, the essential things to look after myself.
And of course, on my computer, I've archived thousands of files and emails and photographs containing information. And this, it feels to me, is one of the biggest problems with computing today, is that one of the things that we think has been solved hasn't really been solved that well.
I mean, we have search engines which to a better or worse extent, help us find stuff on the internet. I'd say in some ways they may have reached their zenith and have fallen a little bit because there's so much junk and SEO poisoning and garbage sites now in search engines.
But it's a fairly easy way to find information is through a search engine, at least until they plug artificial intelligence in. But that doesn't help me find information on my computer.
Anyway, there is now a new startup company called Micro— Micro— Micro— Microsoft. Microsoft, right?
Little-known company. They lost the browser war, and everyone else so far, they failed to make much of a dent into Google in the search engine war.
But this month, Satya Nadella, the CEO of Microsoft, he announced a new feature being built into their new AI-augmented Copilot Plus PCs, a feature called Recall. Have you heard about Recall?
GEOFF WHITE. Mm-mm. I have, and yes, I know where you're going with this.
It's controversial, but— It is rather controversial.
CAROLE THERIAULT. Okay, tell me, tell me.
GRAHAM CLULEY. Well, at its most basic, what Recall does is not that revolutionary. What it does is it records everything you do on your computer, taking screenshots, constant.
Okay, great.
CAROLE THERIAULT. Voluntary bloatware. Fantastic.
GRAHAM CLULEY. Right, exactly. Yeah, good.
Everything you type, everything you look at, every webpage you visit, every app that you open, every photo that you edit, Microsoft's Recall feature built into these new PCs, it sees and records it. And I said, not that revolutionary.
And you said as well, because bloatware, malicious spyware has been doing this on your PC for years and years.
CAROLE THERIAULT. Yeah, that Microsoft has access to, presumably.
GRAHAM CLULEY. Well, this is what we're going to come to. Okay, tell me.
There's some controversy about this. So right now, if you know where to look on the web, it doesn't even have to be on the dark web.
These things have been openly advertised. There's plenty of software you can grab and install and plant on your partner's PC to do just this, to surreptitiously watch everything that they're doing, who they're talking to, what they're looking at.
It's a kind of spyware. It's loved by stalkers and abusive partners.
But of course, they have to go onto your PC and install it in order to spy on the person of interest. Right.
But what Microsoft is planning to do is to build this into their PCs, which you can preorder right now. So this feature will be there and it's just a question of turning it on.
So your partner won't have to— your jealous partner won't have to go and grab the software and install it. They've just gotta grab your computer for 3 seconds and turn on this feature.
CAROLE THERIAULT. Can it be password enabled or? Probably.
So you're saying they could turn it on without you knowing, and I'm just wondering if they could demand an admin password, but actually a partner often knows that anyway.
GRAHAM CLULEY. Often they know, or if they're an abusive partner, they may have insisted that you hand over your password to your computer anyway to look up what you are doing and occasionally check your messages, or whatever. You can imagine those kind of scenarios. And with this recall feature enabled, at a click of a button, you will be able to rewind a PC back in time.
You could go back to, say, you know, last November 23rd at 5:15 PM, and find out what happened then.
CAROLE THERIAULT. Oh God, I did kill that guy.
GEOFF WHITE. I forgot totally. I've got a screengrab of me killing him. Oh, that settles it then.
GRAHAM CLULEY. It's a fair cop. And what's more, it classifies everything that you see, making it instantly searchable. So if you happen to go to a webpage which contained a photograph of a leather bag, even if it doesn't have the words leather bag on it, you would be able to search for leather bag.
I saw something about a leather bag. It would find that webpage.
CAROLE THERIAULT. This is my nightmare because I've basically been playing the game for the last 15 years of computing of, well, hey, if I can't find it, no one else can. So wherever, it's somewhere. It's on there somewhere.
If I really have to find it, I'll spend 24 hours and find it. It's needle in the haystack work. But it just classifies stuff based on file size, type, kind, everything. And what it's seen.
GRAHAM CLULEY. And what's more, it's not going to hide information such as your passwords. What?
GEOFF WHITE. I was just wondering about that. Yeah.
CAROLE THERIAULT. Passwords. So I type in my— Fair game.
GEOFF WHITE. They're gonna grab that. I presume if the website has one of those things where it blanks your password out as you type it in. That wouldn't show because it's screen grabs.
But if there's lots of websites where you can either choose to reveal, show your password in plain text, or it just, when you type it in, it appears in plain text.
GRAHAM CLULEY. Or you open your password manager on the screen and the screen is recorded. But you know, there are login forms where you have to manually type it in rather than paste it in. And so you put it up in one window and then may transfer it by hand because those irritating sites which don't allow you to do it.
So, you may be wondering at this point if there are any privacy implications of what Microsoft's doing.
GEOFF WHITE. Thought never crossed my mind.
CAROLE THERIAULT. I think there are. I think there are.
GRAHAM CLULEY. It clearly didn't cross the mind of Microsoft because there's been a little bit of a fallout over this. Some people have gone, excuse me, this doesn't sound entirely brilliant as you seem to think it is. Yes, you've fixed the whole searching problem of finding information on your computer.
But now, if people log into their online bank, this feature is going to record their account numbers, their bank balances, their purchases. It's all going to be available for anyone who has access to that computer to look up.
CAROLE THERIAULT. You see, this bothers me a bit because I can't believe that someone didn't bring this up in the beta phase. I can't imagine someone in one of the meetings didn't bring this up, but I have a feeling that this, "Let's go AI, let's go. We don't wanna be late. Let's go quick, quick, quick," kind of mentality means we're skipping serious things.
If Microsoft does this on a security front, it's pretty serious.
GRAHAM CLULEY. But this is what happens inside companies all the time, isn't it? Someone comes up with a harebrained idea and everyone's too scared to say, you're not wearing any clothes, mate.
GEOFF WHITE. I just think technology companies have this idea that everything they do is brilliant and fantastic and positive. Nobody will misuse it. It can't be misused. Nothing can be bad. And I think if you are a person in a technology company who has that view, you probably don't last very long.
Because you're just seen as a bit of an obstacle and a bit of an Eeyore character. So that's how they come out with this nonsense, 'cause nobody goes, "Hang on a second." And the person who does that gets fired.
CAROLE THERIAULT. Well, in my experience, people do say it, but they just go, "Shut up, George." You know? It's always George, isn't it?
GEOFF WHITE. Damn him. Is all of this data held and only accessible locally, i.e., on that piece of tin? 'Cause there would be some way to get at it, presumably remotely. And as soon as that happens, then the privacy nightmare kicks in for me.
GRAHAM CLULEY. So I think many people instantly thought, oh my flipping god, you've got to be kidding about this, because if you're uploading all this information to the cloud, even if Microsoft's protecting it, then that's a problem. So Microsoft says, well, you don't have to worry because it's all being stored safely, they say, and securely on the local computer.
It's not using the cloud in any way, at least at the moment it isn't, right? Who knows what feature they might roll out in the future, which is, oh, now we've given you this cloud option too.
GEOFF WHITE. Yeah, but now it's all in the cloud.
GRAHAM CLULEY. Yeah, but as Eva Galperin, who's Director of Cybersecurity at the EFF, says, there's a big difference between creating a situation where someone has to go find a remote access tool and install it or buy a keylogger and install it and simply logging into someone's computer and turning on an option. So they're not storing it in the cloud, but of course a hacker could remotely infect your computer with malware.
And just like they can steal other information from your computer, like the passwords from your browser or databases, they could just as easily steal or access this database, which recall has very helpfully been collecting for months and months and months about everything you did on your computer.
CAROLE THERIAULT. What are Microsoft saying to all these people kind of pointing these non-trivial problems out there?
GRAHAM CLULEY. I think they're still trying to work out what they should really be doing about this because it seems that everyone's kind of got a point. They're trying to argue, oh, but you know, that's just an edge case.
But I don't think it is an edge case because there are, of course, countries in the world which don't have the sort of glorious, beautiful, sunlit uplands that the United Kingdom has. And may have totalitarian governments, they may have overreaching intelligence agencies, may have law enforcement who, once they've got access to a computer which has this turned on, will be able to delve through it or indeed remotely hack something and turn on these kind of features. So I think it is a privacy and security nightmare and it's really going to bite people in the bottom.
GEOFF WHITE. It's funny you should mention countries overseas because Microsoft has in this regard been comprehensively scooped on this particular innovation by no less than North Korea. Which, at one stage, was revealed to have installed spyware on, I think it was phones and tablets being shipped into the country, that did exactly this, stored screenshots. The thing that bit North Korea on the bum about it was that the phones was constantly storing these screenshots, and the memory filled up.
So the phone stopped working. People took them to the shop, and the shop said, "Oh, the memory's full." "Oh, it's full of everything that you've ever done." And so they got found out. Microsoft following in the footsteps, no less, of Kim Jong-un is not exactly a brilliant model, I'd say.
GRAHAM CLULEY. And this may end up being an argument as to why people actually want to store this information in the cloud, which would be less secure. So Microsoft reckon that by default, they're going to store around about 3 months' history of what's been happening on your PC. They reckon they're going to take up 25 gigabytes of space on a device.
CAROLE THERIAULT. Who's asking for this other than you, the potential murderer?
GRAHAM CLULEY. If you have a 256-gigabyte drive, they reckon they're going to take about 10% of it to store this information. Are they in cahoots with the hard drive manufacturers? I don't know. Are we all going to need even more space?
GEOFF WHITE. That is just— I run light. I try to have bugger-all on my computer. It makes it run fast and light. I don't have to worry about things. That's just— Look, can you switch it off? That's the key thing. Can you— is it switched off by default when it's arrived?
GRAHAM CLULEY. That I'm not sure about. Some people have suggested maybe it is on by default, but regardless, someone else could turn it on or you may not realize the implications or you may think, oh, this is so cute, I'll keep this going because it was helpful that one in a million times when you can't find the file any other way.
GEOFF WHITE. When I updated my operating system, the Windows operating system, and Microsoft Edge appeared on my toolbar at the bottom again and again and again. So that's not—
GRAHAM CLULEY. It's like the U2 album appearing on iPhones. So get rid of the bloody thing. Anyway, the ICO says that it's investigating, and I imagine others will be investigating around the world either to try and put a stop to it or maybe positively encouraging Microsoft because it will help their investigations into people who are of interest to them.
GEOFF WHITE. Terrifying. Well, yes, I'm not a fan. Gets a no from Geoff for that one. Not just because my murder slate is clean, Graham. I'm not yours, at least as far as I can remember.
GRAHAM CLULEY. Geoff, what have you got for us this week?
GEOFF WHITE. Well, I've already mentioned North Korea once in this podcast, as I'm contractually obliged to do. But so this is an astonishing story, which I've been told about by a security researcher who's been looking a lot into this, a guy called Michael Barnhart at Mandiant, which is part of Google now, the cybersecurity bit of Google. He's been talking about this for a while, and suddenly we get this US Department of Justice indictment, a criminal complaint, which maps out what he's been talking to me about, and it's this. It's effectively infiltration of big US companies by North Korean spies, effectively, computer hacker spies. But I'm going to try and tell the story in the sort of Graham Cluley style. So I'm going to say—
CAROLE THERIAULT. Oh, we already have one of them.
GEOFF WHITE. Imagine you're on LinkedIn, and you get an offer of some work. Somebody approaches you and says, "Hey, you know, can you help me?" Now, on LinkedIn, you are a web developer, and so you've got IT experience. The person who approaches you says, "Hey, I really need your help. I want to get a job at a big US company, but I'm not in the US, and I don't think I can really manage to get the job myself. Can you help me get the job? When I get it, I will split my salary with you." So you think, "Oh, it's okay. I'm gonna help this person get a job. They're overseas somewhere."
CAROLE THERIAULT. Do they want to use your name, your identity, or no?
GEOFF WHITE. Well, no. Then they come out with the next bit of the plan, which is they want you to help them procure people's identities. These are real people living in the US. Steal their identities and use their identities to apply for the job.
GRAHAM CLULEY. Still keen to take part? I'm a little bit more hesitant now, to be honest.
CAROLE THERIAULT. Yes. Graham, free money. Come on. You'll be like, "Yeah, yeah, yeah, yeah." I didn't kill anyone, promise.
GEOFF WHITE. Let's imagine you followed it thus far. The next stage is you actually are successful, the scheme is successful, and you manage through working with this person overseas to get them the job at this US company. The US company, because remote working is a thing, sends out a laptop that they want this new employee to use. But of course, the new employee is overseas, so they can't send laptops.
So they send the laptop to your house. And then the person overseas says, "Oh, right, could you plug that in, keep it connected to the internet, install remote access software on it, and just allow me to remote into that laptop in your house so I can then work for that American company?" It's like the red lights are a-flashing. I would've dropped out at various points.
GRAHAM CLULEY. But all you're doing is plugging a laptop in. You're getting paid for— Oh God. You know, it just sits in the corner of the room. It's paying for the electricity, isn't it?
GEOFF WHITE. Okay, all right. Final one then for you, Graham. It turns out that the people abroad are actually North Korea.
GRAHAM CLULEY. Still keen? Oh, don't be racist. I mean, a lot of people in North Korea are hard up for a bit of cash. They can't necessarily afford to eat well. I mean, we should— it's not their fault, is it, that they're in North Korea and just looking for a harmless job? Are they really doing any harm?
GEOFF WHITE. You raise a good point, Graham, and there are people in North Korea who are starving and the government forces them to do these things. But you have at this point breached international financial sanctions.
CAROLE THERIAULT. Yeah, I was gonna say, there's a little pickle. A little sticky pickle of international law.
GEOFF WHITE. She might. Well done, Carole, crowbarring in the name of the podcast there. So this is apparently, allegedly what happened. A woman called Christina Chapman in the US, and we should say this is an accusation by Department of Justice. She has not been tried. I haven't heard her side of the story. But what they say is she was approached on LinkedIn by these people who turned out to be North Koreans.
Now, what's amazing about this is dozens of US citizens' identities were harvested to apply for the jobs. We're talking dozens of companies who were infiltrated by these new job applicants. They send out laptops to Christina Chapman's house, is the accusation. She sets them up. These hackers from North Korea were remote accessing into the laptops and using the VPN to get into the company.
Now, not only did they make money out of this, about $6 million of money they made out of these various companies they were working for, of which the accusation is Ms. Chapman got a cut. That money goes back to North Korea. Now, again, to your point, Graham, sending money back to North Korea might be helpful for people there, but it is also breaching international sanctions.
Okay, okay. Really worrying. But I mean, first it's murder, Graham, and then it's sanctions busting. This podcast is outrageous.
No, guys, just— But so the other thing that happened, and this is the really terrifying bit, is that not only were they working for these companies and getting money in breach of sanctions, they were also apparently stealing data from inside these companies. Effectively, you've got the ultimate insider threat, somebody you've given a job and a laptop and remote access to.
And so, I mean, these are Fortune 500 companies. I do not have the names of the companies, much as I'm trying, but one of them is a big automotive manufacturer in Detroit. Another is a big clothing company based in California. So you start to put two and two together.
These are big companies and they got infiltrated by apparently North Korean hackers. It's an astonishing campaign, this one. And just to bring this to a close as well, what I've been told is that this is just one case of one person in the US.
There are multiple cases of people around the world, including, I've been told, the UK, where there are similar operations being run. And that would involve probably infiltrating UK companies. So this is just the opening salvo in what might be a slew of court cases trying to bring these things to justice.
GRAHAM CLULEY. So this could be a way not only to make money through the salaries, but you're also potentially stealing data. You could also be taking intellectual property. You could be installing ransomware, all kinds of nastiness.
GEOFF WHITE. Exactly. And I think that the really big thing, and we came across this when we did the book and the podcast about this sort of infiltration type stuff, 'cause crypto companies were being subject to this, you know, North Korean hackers accused of getting jobs at crypto companies. All of those attendant risks of data theft and stealing money.
The thing that really kept people awake at night was what if this person who I've hired to do computer coding for my company has introduced some kind of logic bomb or vulnerability that they haven't told me about, obviously, and then years from now, it could even be years from now, they trigger it and drain my bank accounts or break in all over again if they left backdoors all over the place. So that's the really big worry, but it's an astonishing campaign.
There was a Department of Justice indictment against Christina Chapman. Just have a read through it. It's absolutely remarkable, the accusations they've made.
GRAHAM CLULEY. Because they say she had an actual laptop farm. It's not like a couple of PCs. It's alleged that there were scores and scores of them. A bit like a server farm mining cryptocurrency, but they were all being used by people over in North Korea.
CAROLE THERIAULT. Because I'm kind of thinking she's probably small fish compared to the honchos who are running this whole scheme.
GEOFF WHITE. Probably so. I mean, I say it's told me they've recruited multiple people around the world. Now she's, you say small fry, yes, she's sort of a small cog, but a small cog servicing multiple dozens of people. So a small but vital cog at the center of this is the accusation. Again, we wait to hear her argument on this. Yeah, but just astonishing case.
GRAHAM CLULEY. Yeah. So I've seen that the FBI, they're now warning firms and recruitment agencies to be on the lookout for North Korean IT workers, you know, freelancers who may obviously not realize that they're based in North Korea. They're telling them to look out for things if someone's working odd hours. Yes. If you're obviously, if you're working into the North Korean time zone. But then, of course, programmers, they do work odd hours anyway, don't they?
GEOFF WHITE. Exactly. But what's interesting is the crypto company infiltration stuff was interesting because they pay their employees in crypto. So for crypto company, you've got almost no way of verifying this employee. But these are standard non-crypto companies that pay into bank accounts. So part of this again was setting up the fake ID to get the job, 'cause the company would say, "Well, great, you're hired. Where do we pay you? What's your bank account details?" Well, then you've got to give bank account details that ideally match up with the person who's just got the job. Or maybe you set up a company instead of a bank account as a company. There's a whole financial crime aspect to this of sort of laundering the money back. One of the parties that's prosecuting this woman is the IRS, the Internal Revenue Service in the US. Because of course, you know, tax has been paid and tax has been dodged on these things. So there's a whole sort of network of financial charges and wrongdoing attached to all of this. It's all spiralling out of the part of the case.
CAROLE THERIAULT. Really, really interesting. I'm so gonna read this. Make sure we put them in the show notes, the XStation.
GEOFF WHITE. Well worth having a read through.
GRAHAM CLULEY. Carole, what's your story for us this week?
CAROLE THERIAULT. So we're looking at a report issued by the Federal Trade Commission, the FTC. This is the US federal agency that enforces, you know, civil antitrust laws, promotes consumer protection, that sort of stuff. Now, they put out some research and analysis on scam reports that it received during 2023. And there are two things I thought we could guess about with respect to impersonation scams. So what's changed, if anything, since 2020? And what companies are impersonated the most in the US? So which are the ones that are kind of being flagged the most, looking at all the reports that came into the FTC last year?
Okay. All right. Yeah. So impersonation scams. This is where scammers pretend to represent a well-known or trusted business or a government agency.
Apparently there were 500,000 reports of impersonation scams, two-thirds business impersonation, one-third government impersonation. It's a hard word to say, impersonation. Combined losses of these scams topped a whopping $1.1 billion in 2023.
Right. And that's 3 times more than what it was in 2020. So either impersonation scams are a big growing business or people are reporting the scams to the FTC and reporting their losses more often, or a combination of the two. Right. Could be either.
GEOFF WHITE. What sort of scams is this? Is companies being impersonated to con people out of money? Is that the idea?
CAROLE THERIAULT. Okay, there are five types of impersonation scams. So one of them would be copycat account security alerts. So messages about supposed activity, like suspicious activity or unauthorized charges. So, you know, you're already alert that these things can go wrong. You get a message saying, "Oh yeah, you have been scammed," or it's a bank and there's a phone number and they ask you to text back yes or no. And these, you know, basically they're scammers trying to fix a problem that doesn't exist, to fix a fake problem.
There's phony subscription renewals. So this looks like routine email notices claiming to refer to an account you never opened but is about to auto-renew, maybe a gym membership or something like that.
GRAHAM CLULEY. Yeah. So we're about to charge your credit card this amount.
CAROLE THERIAULT. But it might be to the tune of hundreds of dollars. So you call to sort it out. And they say to you, "Well, we need to connect to your computer in order to process the refund." Once in, they make it look like too much money was refunded and demand a return by buying gift cards, da da da da da.
GRAHAM CLULEY. It's a fairly elementary scam, but it can afford to be elementary because it works. It's so successful. It's something which humans respond to, isn't it? It's like, "Oh, you're going to charge me, therefore I have to deal with that right now." And so you've sort of cut off your regular common sense at that point.
CAROLE THERIAULT. Plus you're grateful, right? Because they've alerted you to something going wrong. So you're like, "Thank you very much." Another category is fake giveaways, discounts, or money to claim. So discounts from your internet provider or giveaway from a big retailer or sweepstakes winnings, that sort of thing. Number four is bogus problems with the law. So pretending to be government agents saying that your identity has been stolen or been used to commit a serious crime.
GRAHAM CLULEY. That's why they knocked on my door and accused me. Thirty years, and I've only just twigged it was a scam. It was all a scam.
CAROLE THERIAULT. They don't normally claim murder. They normally claim money laundering or drug smuggling. But hey, maybe you were the outlier. Did they try to help you fix the problem? Did they say, "We'll help you clean up the murder"? Is that what— did they say that? Because that's apparently what they do. They offer you help to fix the problem, which always involves them telling you to move money, right?
GEOFF WHITE. Did they have— Graham, just one quick question on those police officers. Did they have Velcro trousers? Because they could have been strippers. Just raising that as a possibility. Sounds like the world's worst strippers. I don't think you should tip them. Cops or strippers, that's always— yeah. Oh, dear.
CAROLE THERIAULT. And then, of course, there's messages like package delivery problems. We've all heard of those. US Postal Service, UPS, FedEx, problem with the delivery, includes a link, but it doesn't go to the real website.
So all these we kind of know, but they do say there's some differences, there's some changes in what's going on. So way back in 2020, phone calls were big business, right? Scams would start with a phone call, but this type of scam has plummeted in the last three, four years. Yet we're seeing an increase in text or email scams.
GRAHAM CLULEY. Is the problem that no one actually answers the phone any longer? Because if I don't recognize the number, I will not answer it. That's what I do too.
CAROLE THERIAULT. So yeah, probably.
GRAHAM CLULEY. And if someone fails to leave a message, there's no way I'm calling them back. So it hits.
CAROLE THERIAULT. Okay, so bank transfers and cryptocurrency outrank every other payment method. That's not a surprise to me. This is how they want their moolah, the scammers. So, okay, I've got a list of the top 10 companies in the US that are used or impersonated. This is from the FTC. And they issued it just last week. So I want to see how many you guys can get.
GRAHAM CLULEY. Okay, so we'll just shout out some names, shall we?
GEOFF WHITE. They've got to be companies that target people who might fall for a scam, right? So, you know, yeah, Mensa or The Economist are unlikely to be in there, are they? I'm making value judgments there.
CAROLE THERIAULT. I'm glad I'm a subscriber of one of those.
GRAHAM CLULEY. Well, yeah, it's going to be somewhere that—
GEOFF WHITE. Somewhere big and somewhere people put money through.
CAROLE THERIAULT. Going to be number of reports that they get. Google.
GEOFF WHITE. Yes, that's good.
CAROLE THERIAULT. Good thought. Google is not on the list, interestingly.
GEOFF WHITE. Amazon would be my key one.
CAROLE THERIAULT. Amazon. Yes, Amazon is number 2.
GEOFF WHITE. This is like Family Fortunes, isn't it?
CAROLE THERIAULT. I know. You're welcome. PayPal.
GEOFF WHITE. PayPal, number 3. Are you cheating, Graham?
GRAHAM CLULEY. No, I'm not.
CAROLE THERIAULT. Okay, good. What about Target?
GEOFF WHITE. No. Oh, I thought it'd be number 1. Pornhub.
CAROLE THERIAULT. No, no. Okay. What about banks, financial institutions? Bank of America?
GEOFF WHITE. Yes. Bank of America is number 9.
CAROLE THERIAULT. 9? Oh, okay. UPS. What about UPS? That is the postal people.
GRAHAM CLULEY. Yes. And FedEx and—
CAROLE THERIAULT. Yes.
GRAHAM CLULEY. No, they are not there. Government organisations like the IRS?
CAROLE THERIAULT. No. Do you want me to read you the list?
GRAHAM CLULEY. Yeah, come on. We're not doing very well.
CAROLE THERIAULT. No, no, you're doing quite well. Yeah, yeah, I think you're doing quite well. So Best Buy and Geek Squad are the top ones.
GEOFF WHITE. Oh, yes, you see. Best Buy.
CAROLE THERIAULT. Oh, Geek Squad.
GRAHAM CLULEY. They're the people who fix your computer when it hasn't got a virus on it. Is that right?
CAROLE THERIAULT. Well, they are often impersonated. Amazon is second. Third is PayPal. Fourth, Microsoft. Five, Publishers Clearing House. Do you know what this is?
GRAHAM CLULEY. Oh, I don't know. What's that?
GEOFF WHITE. Sounds like I should do as an author. What is this? Where I get money? Yes. Is it book laundering?
GRAHAM CLULEY. Is that what they do?
CAROLE THERIAULT. According to Wikipedia, it's an American company founded in the '50s as an alternative to door-to-door magazine subscription sales. It offers bulk mail direct marketing of merchandise and periodicals. And get this, it's most widely known for its sweepstakes and prize-based games, which were introduced. Oh, nice. But they were subject of legal actions regarding whether consumers were misled about the odds of winning. So by 2010, the company had reached settlements with all 50 states. And in 2023, the FTC ordered this house to overhaul its sweepstakes process.
GRAHAM CLULEY. So— It sounds like there might be a lot of vulnerable people who might fall for an email or text from them.
CAROLE THERIAULT. Exactly.
GEOFF WHITE. Yes, it sounds like you've won a sweepstakes, you've won the lottery kind of things. That's a classic coming from them, yes, or coming from someone impersonating them.
CAROLE THERIAULT. Yeah, so the top three are Best Buy Geek Squad, Amazon, and PayPal. But the ones— Verizon? Verizon's not there. You got Wells Fargo, you got Apple, you got Comcast, Norton and LifeLock.
But interestingly, it's Microsoft and the Publishers Clearing House that have the best ROI, which means they have capped the biggest amount of money per transaction. They account for $110 million combined in 2023. So I guess at the end of this, it's what advice do we have for people?
So you have people basically taking advantage of people like us that say, hey, beware out there. A lot of these scams are telling them, hey, something's gone wrong and we're here to help. Is our advice no one helps you? You're screwed?
GEOFF WHITE. My advice to people always is, if you get something that appears to come from a company, rather than replying to that text message or that email, go to the company's own website or its own phone number. Don't go through the channel through which you've been approached. Go independently to the company direct. That's always been my approach.
CAROLE THERIAULT. It's as easy as that, guys. I don't know what everyone's freaking out about.
GEOFF WHITE. One, two, three. Yeah.
CAROLE THERIAULT. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for ISO 27001, SOC 2, GDPR, and more, saving you time and money.
With Vanta, you can unify your security program management with a built-in risk register and reporting, and proactively manage security reviews with AI-powered security questionnaires. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to build trust and prove security in real time. Smashing Security listeners get 10% off Vanta at vanta.com/smashing. That's vanta.com/smashing for 10% off Vanta.
GRAHAM CLULEY. Long-term sponsors Kolide were acquired by 1Password earlier this year, and both companies are leading the industry in creating security solutions that put users first. Kolide Device Trust helps companies with Okta ensure that only known and secure devices can access their data, and that's what they're still doing, but now as part of 1Password.
So if you've got Okta and you've been meaning to check out Kolide, now's a great time. Kolide comes with a library of pre-built device posture checks, and you can write your own custom checks for just about anything you can think of.
Plus, you can use Kolide on devices without MDM, your Linux fleet, contractor devices, and every BYOD phone and laptop in your company. Now that Kolide is part of 1Password, it's only going to get better. Check it out at kolide.com/smashing to learn more and watch the demo today.
That's K-O-L-I-D-E.com/smashing, and thanks to Kolide for supporting the show.
Legacy managed file transfer tools are dated. They lack the security that today's remote workforce demands.
Companies that continue relying on outdated technology put their sensitive data at risk. Well, this podcast is sponsored by Kiteworks, who enable organizations to effectively manage risk in every send, share, receive, and save of sensitive content.
To do that, they've created a platform that delivers content governance, compliance, and protection to customers, tracking, controlling, and securing sensitive content as it moves within, into, and out of organizations, all while ensuring regulatory compliance on all sensitive content communications. Kiteworks provides the industry's first private content network for protecting risky third-party communications with secure email, secure file sharing, secure mobile, secure web forms, managed file transfer, and governed SFTP servers.
Visit kiteworks.com to get started today. That's kiteworks.com, and thanks to them for supporting the show.
And welcome back. Can you join us for our favorite part of the show? The part of the show that we call Pick of the Week.
CAROLE THERIAULT. Pick of the Week.
GEOFF WHITE. Pick of the Week.
GRAHAM CLULEY. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT. Better not be.
GRAHAM CLULEY. Well, my Pick of the Week this week is not security related. I have been playing around with AI music, which you may think is a diabolical invention.
CAROLE THERIAULT. I remember you trying to play the piano. Have you given up?
GRAHAM CLULEY. If you're referring to my How to Play the Piano in 5 Weeks book, which I got about 5 years ago, I'm still working my way through it.
GEOFF WHITE. Okay. But I've got all those people to murder. I've got no time. God. There's sanctions to breach. He's a busy man.
GRAHAM CLULEY. So obviously the whole idea of AI music is completely terrible. It's as terrible as having an AI-written book or something like that. But it is quite remarkable what you can do. I've been using a service called, I don't know how to say it. Is it Udio or Udio? It's U-D-I-O is the name of this particular service. And all you have to do is give it a little bit of text. And say, can you write a song? And it goes away, and 30 seconds later it comes back with a music and all the words. It's been trained on a vast collection of diverse musical styles.
CAROLE THERIAULT. I bet John Lennon's rolling in his grave.
GRAHAM CLULEY. Well, what you're not allowed to do, and it stops you from doing, is saying, can you do music in the style of this artist? I imagine they've already predicted the lawsuits which are going to happen. But what you can do is you can say, can you do this in the style of a jazz pianist or some electro punk or something like that? And it's quite remarkable. And of course, as this is an audio podcast, there's only one real way to demonstrate how remarkable this is. Just before we recorded this podcast, I went up to Udio and I said, can you write me a song about our guest this week, Geoff White, and his new book about money laundering? Oh, good. Okay. So here is— yep. So here is Rinsed, the song.
CAROLE THERIAULT. I've got secrets I must hide. All this cash, let's take a ride through the maze of hidden threads, Geoff White's words fill up our heads. Take the bills, make 'em clean, rinse said Geoff, it's pristine. Take, spin the wheel, which it turned, the game of green. So much to learn, Geoff White's tales. They got our hands rinsed, he says, in foreign lands.
GEOFF WHITE. Rinsed! Woo! That's actually quite astonishing, isn't it? Excellent. Yeah, yeah.
CAROLE THERIAULT. It's better than anything you could write, really.
GRAHAM CLULEY. Through the tail. Now you can go in and edit the lyrics, and they will sing different lyrics. Absolutely astonishing. Yeah, you can say, "Oh, I don't like that outro," or, "Can you create another verse?" or, "Can you put in a longer instrumental at the beginning?" You can do all things like that. And it does it. And all kinds of different styles as well. I chose a sort of swingy, jazzy kind of upbeat style, but it could just as easily have sounded a bit like Leonard Cohen or some sort of—
CAROLE THERIAULT. You can't say that though, right? You'd have to describe his music very, very well. You'd probably have to go to, yeah.
GRAHAM CLULEY. A moody Canadian style, I could say, something like that. That could be my style. But it's really fun.
GEOFF WHITE. It's funny you say that because one of the conferences I'm speaking at, Money 2020, which is in Amsterdam later in the year, in June, sent me a sort of gift. And I was like, "Oh, is it?"
It's usually chocolate or biscuits, which is great. Though this was a poem generated about me and my talk by Woodsy and YA, two award-winning poets who use AI to write the second half of the poem. So it's interesting that I'm getting this from all angles of people throwing content at me. Amazing. I thought it was incredible. Yeah, absolutely incredible.
GRAHAM CLULEY. Use it as you wish, Geoff. If it helps promote your book, it's time.
GEOFF WHITE. Yes, I really appreciate it. Thank you. It's very touching, Graham. I really appreciate it.
Geoff, what is your pick of the week? My pick of the week is slightly less cheery, but it is important. And I really, really, really want to flag this book up. It is a book, not mine, is by a woman called Annie Jacobsen. And it is simply called, and this will give you a clue as to what's in it, Nuclear War.
Whoa. This book is astonishing. It is a hypothetical minute-by-minute play of what happens if North Korea launches a nuclear weapon. What? The research in it is amazing.
It's meticulously researched. Because there are all these hidden arcane systems that kick in all around the world within seconds of anything, that they've got radars trained, satellites trained on everything. And as soon as this happens, there's a whole chain goes into effect.
What's amazing about the book is, on the one hand, it's extremely detailed is actually what it is in terms of who decides what and so on. But because it's a hypothetical scenario, the author, Annie Jacobsen, occasionally throws in a curveball, an event happens that takes things off in a new direction, a new slightly terrifying direction.
I know there's this cliché of, I was so engrossed in it, I missed my tube stop or train stop, whatever. I did. I actually missed the stop and got off the wrong stop because I couldn't take my nose out of this book.
I know it's a really serious subject, and it is particularly in our current world, I'm sure, not one that people want to dwell on too much. But this book, honestly, it's just amazing. And you come out of it with a new appreciation of the weapon that we have built and how incredibly stupid it was for us to do it and how dangerous it's created the world for us all to be.
It's called Nuclear War, Annie Jacobsen. I cannot recommend it highly enough. I think everybody, particularly children at school, should read this.
CAROLE THERIAULT. Oh, and I mean, she's written loads. She's super prolific. This is really not an area that I've read a lot of stuff about. So have you read her other books as well? I have not.
GEOFF WHITE. It's the first I'd heard of Annie Jacobsen, but I'm going to be pursuing her work. Oh, well, she's got quite a few. It's my summer sorted.
GRAHAM CLULEY. Fantastic. Nuclear War by Annie Jacobsen. Hopefully not the nuclear war, but the book is by her. Wow, interesting. Carole, what's your pick of the week?
CAROLE THERIAULT. I have a televisual series for you this week. It's called The Patient, and it's a pretty tense 10-part American psychological thriller, created by Joel Fields and Joe Weisberg. It's not new, it came out in 2022, but I just saw it, so, and I found it super gripping, so that's why it's my pick of the week.
But effectively, the gist is this: you've therapist Alan Strauss, played brilliantly by Steve Carell. And this therapist is being held prisoner by a patient who has revealed himself to be, shall we say, not a super great guy. Read into that what you will.
And Sam has some unusual therapeutic demands, right? This is our patient Sam, for our therapist Alan. Curb his urges.
So as he's there, he's a prisoner, he's kind of kidnapped, and he's tasked with unwinding this patient's disturbed mind. But the patient refuses to address critical topics like serious mom issues and that sort of stuff.
But in parallel, we have this therapist ruminating over his own life and decisions because he's now trapped and he's got a lot of bored time. And I was totally sucked in. It was really, really good.
Graham, I recommend it highly, particularly to you. I don't know if Geoff, this is your thing, but— Sounds good.
GRAHAM CLULEY. Yeah. Is it funny like Geoff's nuclear war book, or is it a bit serious?
CAROLE THERIAULT. No gags? I don't know what kind of mood you'd be in if you were kidnapped.
GRAHAM CLULEY. So I think, imagine that. Steve Carell, he's the guy from The Office, right?
GEOFF WHITE. Well, yeah, that's what I was thinking.
CAROLE THERIAULT. Yes, he is from The Office, but he can also, it turns out, do some more serious roles. Okay. I thought he was quite gripping.
He was quite good. Yeah. So that's my pick of the week this week.
It's called The Patient, starring Steve Carell, and it's available on Disney and I think Hulu.
GRAHAM CLULEY. Cool. Super.
Three interesting picks of the week this week. And that just about wraps up the show.
Geoff, I'm sure lots of our listeners would like to follow you online, find out what you're up to, and maybe learn more about Rinsed. What is the best way for folks to do that?
GEOFF WHITE. Very kind. Thanks, Graham.
Probably on LinkedIn, if you look up Geoff White, Geoff with a G and white like the color.
GRAHAM CLULEY. And you can follow us on Twitter @SmashinSecurity, no G, Twitter won't allow us to have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
GEOFF WHITE. Carole can now power down.
CAROLE THERIAULT. But first, I'd like to thank our episode's sponsors Vanta, Kiteworks, and Kolide, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.
For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 373 episodes, check out smashingsecurity.com.
GRAHAM CLULEY. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT. Bye. Bye.
Geoff, you know, I virtually went to one of your events, your book events. I did, during lockdown.
GEOFF WHITE. Yeah, yeah. What was that one?
Wasn't that your house party?
CAROLE THERIAULT. No, no, no, no, no, we did that, but we also had your book. I think it was your second book, and you chatted with your co-author, talked about the pod.
I was there. Graham was not.
GRAHAM CLULEY. Oh, okay, okay. At least the bot was.
The bot was there. Still not convinced, Carole.
GEOFF WHITE. Still not convinced.
CAROLE THERIAULT. Well, that's the way I like it.
GEOFF WHITE. One day, one day you'll prove me wrong.
CAROLE THERIAULT. Come to Oxford anytime.
-- TRANSCRIPT ENDS --