
408: A gag order backfires, and a snail mail ransom demand

March 12, 2025
Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Originally, he was writing for a website. Are you familiar with urinal.net?

Carole Theriault

Surprisingly, no.

Unknown

Smashing Security, episode 408: A gag order backfires, and a snail mail ransom demand. With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security. Security Episode 408.

Carole Theriault

My name is Graham Cluley, and I'm Carole Theriault.

Graham Cluley

How you doing, Carole?

Carole Theriault

I'm doing very well, but I have a house packed with people. They're all in the other room, told to hold their breaths while we record, so I'd love to get the show on the road. Are you cool with that?

Graham Cluley

That's fine with me.

Carole Theriault

Okay, but first, let's thank this week's wonderful sponsors: 1Password, Tripwire, and Palo Alto Networks. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, I'm going to be talking about the Cyber Streisand effect. And I have snail mail with a twist. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, I'm a bit of a Barbra Streisand fan. I don't know if I've mentioned it on the podcast before.

Carole Theriault

Yes.

Graham Cluley

Well, I've loved her since I saw her munching on a breadstick in What's Up, Doc? Or flirting over a piano with Burt Bacharach for many years. I had a picture of her on my wall until my girlfriend told me to take it down.

Carole Theriault

Oh, really?

Graham Cluley

Yes.

Carole Theriault

Actually, I wouldn't that. It depends. Was it a saucy picture?

Graham Cluley

No, no, of course not a saucy picture. No, it's the goddess Barbra. You don't defile her with sauciness. Anyway, I lost the picture from my wall. To be honest, I should have kept the picture and got rid of the girlfriend. But anyway, I am a fan of Barbra, and I'm not the only one. Some people can be a little bit obsessed with Barbra Streisand. I don't know if you're aware of that. She's a funny girl. She— well, she has had quite an effect on people over the years. I don't just mean people getting a little bit trembly of the knee at her in A Star Is Born or hearing her sing The Way We Were. I am talking about the Streisand Effect. And I know many people listening to this will have heard about the Streisand Effect, but if you have not, let me quickly remind you what it is. Back in 2003, Babs, understandably in my view, wasn't very keen on having her privacy invaded, and she was reported to have tried to suppress the publication of a photograph showing her clifftop mansion in Malibu.

Carole Theriault

Well, right. She was kind of saying, hey, this is my business, not yours. Why are you allowed to take a picture of my house? I'm going to put a stop to this.

Graham Cluley

That's right. And despite what some people think, it hadn't been taken by paparazzi, this photograph. It was actually a photographer working on a project measuring erosion along the Californian coast. So they were taking lots and lots of photos of the cliff tops, which included her pad in Malibu. And her lawyers attempted to sue the photographer because they wanted the photograph taken down. And the lawyers attempted to sue the photographer for $50 million. Seems a little bit excessive to me.

Carole Theriault

She was just embarrassed at how lavish her lifestyle was. She was kind of saying, you know, I'm just you, you know, just got a voice and—

Graham Cluley

There's nothing just about Barbra Streisand. She ended up losing the case. She had to pay costs to the photographer. And it was journalist Mike Masnick, who often writes for Techdirt. He ended up calling it the Streisand Effect. He's the one who sort of adopted that, which has now become a huge thing on the internet. And the name stuck. Originally, he was writing for a website. Are you familiar with urinal.net?

Carole Theriault

Surprisingly, no.

Graham Cluley

It's a website devoted to loos and images of urinals, and Masnick was writing on it, and he was bemoaning that lawyers hadn't realized that the simple act of trying to repress something they didn't like online was now likely to be seen by many more people. And he dubbed it the Streisand Effect because of what happened with Barbra Streisand. And in her 2023 biography, by the way, which I do recommend, and I think Zoe Rose recommended as a pick of the week, back in the day. Barbra explained that her issue was never actually with the photograph of her mansion. It was more about her name being attached to the photo. She said, look, you can take a photo if you want, just don't tell people it's my place.

Carole Theriault

Yeah.

Graham Cluley

And she says that she assumed her lawyer had done what she had asked for and simply asked to take the name off the photo rather than hitting someone with a $50 million lawsuit, which then of course got everyone talking about Barbra Streisand's place in Malibu. The point is that when lawyers kick up a stink and try to hide something, it can end up with many, many more people learning about it. And this happens in the world of cybersecurity as well. There's been many examples. A couple of years ago, a mobile app called Free Hour, an app which is used by students in Malta, it had a critical security flaw in it, which effectively made every user an admin. And 4 university students discovered that the app's backend had been left in a sort of default insecure state, meaning that they, and indeed anyone else, could access other users' data, their email addresses, their locations, even meddle around with their calendars. So you could put in calendar entries or remove them. You could see what people were up to. And this was a huge privacy flaw. And a risk for 40,000-odd users of the Free Hour app. Now, they did the right thing. They disclosed the vulnerability responsibly to the CEO of the Free Hour app. And they urged a rapid fix. And they said, look, we're giving you 90 days, and then we're going to go public with the details.

Carole Theriault

Right. OK.

Graham Cluley

Fairly normal kind of thing. And in the email, they innocuously also inquired, if they might qualify for a bug bounty reward. They didn't name a price. They just said, you know, is there any kind of bug bounty, you know, available? And what the app's CEO did, he didn't respond to them. He called the police saying that they were being extorted. And next thing you knew, Maltese Cybercrime Police arrested 3 of the students in dawn raids. They seized their computers and phones and even strip-searched. These students— Jeez! It seems a little over the top, doesn't it?

Carole Theriault

Yeah.

Graham Cluley

These students, literally, they followed best practices. They disclosed privately, they gave ample time, they politely asked if a bounty was possible. And later on, Free Hour's CEO, by his own admission, he said, look, I contacted the authorities for advice, he said. I was told to treat the email as a potential threat due to the words payment and ultimatum, which was the 90-day deadline. And the students said, all we wanted to do was help.

Carole Theriault

Yeah, but come on, come on. If someone did that to me in some capacity, I might go get advice before I do what I'm told. I don't see there's a problem calling the cops and going, look, we're in this situation. What do you reckon? What you'd like the authorities to do is go, why not comply and fix the flaw in your software?

Graham Cluley

Clearly, there was some breakdown in communication somewhere, whether it was with the app developers themselves, how they told the police or whether it was the police's response, it wasn't joined-up thinking, was it? And the company later acknowledged that the students had acted in good faith, but only after the story had gone public and there was lots of backlash. And he said, look, I would be prepared to work with you in the future going forward. Well, that was a problem for a couple of years ago. Dear, oh dear, it's happened all over again because there is a private healthcare giant here in the UK. They're called HCRG. They're formerly known as Virgin Care.

Carole Theriault

Oh, okay.

Graham Cluley

Yeah, they're a company who look after people. And they have been threatening journalists who were reporting on the ransomware attack, which they suffered a couple of weeks ago by the Medusa ransomware gang.

Carole Theriault

Okay.

Graham Cluley

And the Medusa gang managed to take from this company, HCRG, customers' names, dates of birth, addresses, phone numbers, medical information, copies of passports, driving licenses, identity cards, national insurance numbers, financial documents.

Carole Theriault

I think it's the worst when it's the healthcare sector because you are mandated to hand over all this very private, sensitive information in order to get care. And what do they do? They can just turn to their customers and go, oh, sorry, we goofed.

Graham Cluley

Right. Well, in this particular case, HCRG, reportedly the Medusa gang, have demanded a $2 million ransom. And they claim to have stolen over 50 terabytes, not megabytes, not gigabytes, not just bits, not just nibbles, no, 50 terabytes of data. And the lawyers for HCRG have been unleashed. They have been unleashed on a website called databreaches.net, which is a great resource run by a journalist who goes by the pseudonym of Dissent Doe.

Carole Theriault

Mm-hmm.

Graham Cluley

And the law firm says that if databreaches.net does not take down two articles that talk about this ransomware attack, the site will be found in contempt of court and may result in their imprisonment, a criminal fine, or having their assets seized.

Carole Theriault

So lawyers being rather heavy-handed with their request.

Graham Cluley

Yes.

Carole Theriault

Yeah.

Graham Cluley

Especially when you consider that when you read these articles on databreaches.net, it says no more than what I've already said so far.

Carole Theriault

Oh, well, expect a letter in the post soon, Graham, or an email.

Graham Cluley

It just says this is the type of information that's been stolen. There's no even redacted screenshots up there of the data. So the law firm is claiming, and by the way, it went to an actual court, right? They went to the High Court. They've got an injunction, which they've then told databreaches.net about.

Carole Theriault

Oh, well, then they should just do what they're told, no?

Graham Cluley

Well, databreaches.net says, no, no, no, we're not going to do that. We're not prepared to do that. Even though their web domain registrar has been contacted as well. Said, you know, if these articles aren't removed within 24 hours, the entire website is going to be suspended. But here's the thing: databreaches.net had not only not published any of the leaked data, but it is a US-based website run by someone with a US address, and a UK court injunction means diddly squat to him if he's not operating under UK or High Court jurisdiction.

Carole Theriault

Right.

Graham Cluley

So, of course, this kind of behaviour, though, is going to put off other journalists from reporting news like this, which I would argue is definitely in the public's interest. Because if you go to HCRG's website, you will find no mention whatsoever of them having had a data breach. So someone's got to tell the public that this has happened and that kind of information which has been breached.

Carole Theriault

This is maybe where newspapers have alliances with other countries, and they're like, I'll report this one because I'm out of the jurisdiction. You report that one.

Graham Cluley

Yes. Wow. Yes. We'll go to Greenland. We'll set up our website there. Works up for the moment anyway. So we've talked about organizations in the past taking action against innocent people, threatening them with legal action. It's obviously a very uncool thing. I think particularly when it's a health sector firm, which has been security breached in this way. And we've talked about this on the podcast in the past, back in episode 182, of Smashing Security, I tell the story of how a British cybersecurity firm called Keepnet Labs threatened me with legal action because I blogged about its security breach, which meant anyone could access lots of their customer data. And Carole, I don't know if I can take you back in time, take you back 18 years to 2007, when we used to work together at a certain cybersecurity firm called Sophos. And do the words EduGeek ring any bells to you?

Carole Theriault

Yes, yes, yes. I remember this.

Graham Cluley

Well, EduGeek is an online community for people who work in IT at schools and universities, colleges, that kind of thing. And as the Register reported at the time, Sophos had a spot of bother with them because a user of EduGeek was, how can I put it politely? He was rather disappointed with version 5 of Sophos's software. And he had a good old rant, including some fruity language on EduGeek's message boards. And the next thing that EduGeek knew was they got a letter from Sophos's legal team threatening action and demanding that the guy's posts were pulled. And you and I knew nothing about this because the first we knew about it was when journalists began to ring us up asking why we were trying to silence our customers from describing their experiences with our software. We ran up to the legal department. It turned out a member of staff had seen the messages and taken it into his own hands to ask his buddy in the legal team to send a threatening letter.

Carole Theriault

It was just a day in a week of the years we worked there.

Graham Cluley

Just a day, just a day. But none of them considered the possible ramifications on our company's reputation, obviously. I remember I had to give a quote saying, you know, we might have overreacted somewhat, and we were inappropriate with how we'd responded. So we had to publicly apologize. I'm rather like Barbra, you know, I didn't know anything about it. I didn't know it was all going that far.

Carole Theriault

I think it sounds as though you're like, hey, no one should ever get lawyers to do anything for them, because sometimes people are in a serious bind, and, you know, some legal help will give them assistance, whether they're a corporation or an individual, right?

Graham Cluley

Sometimes, though, if you've goofed up, it's good to put your hands up and admit it, isn't it? Rather than try and silence the discussion entirely.

Carole Theriault

Oh, 100%. That has legal ramifications, though, right? Because they admitted blame, let's sue them.

Graham Cluley

Carole, what's your story for us this week?

Carole Theriault

Okay, so throughout history, several notorious imposter scams have been recorded. So if we go back 100 years, back in 1925, Victor Lustig posed as a French government official and convinced scrap metal dealers that the Eiffel Tower was slated for demolition. I mean, he sold the rights to salvage the metal, collected substantial sums of money, and vanished. And apparently, he attempted this scam twice.

Graham Cluley

With the Eiffel Tower both times?

Carole Theriault

Yes!

Graham Cluley

Oh my goodness.

Carole Theriault

Apparently, his nickname is the man who sold the Eiffel Tower. And much more recently, you have things like Ruja Ignatova, aka the Crypto Queen, right? Bulgarian-born German entrepreneur who launched OneCoin in 2014.

Graham Cluley

Yeah.

Carole Theriault

Promoting it as a revolutionary cryptocurrency poised to surpass even Bitcoin. And the scheme, of course, attracted millions of investors worldwide, amassing $4 billion.

Graham Cluley

I feel a little bit more sorry for the victims of that than I do people who are trying to buy the Eiffel Tower. You think that you're going to buy the Eiffel Tower for scrap?

Carole Theriault

It's a lot of scrap metal if they're going to tear it down and build a new one. Well, it's a lot of money, isn't it? But I mean, really, if you've got that much money, haven't you got a little bit more sense? 100 years ago, Graham.

Graham Cluley

Well, yes, it's still— yeah, but it's still not two francs 50 cents, is it? You could go back in time. You could go tell them off. Les idiots! Imbeciles!

Carole Theriault

But investigations, including those by journo, author, and friend of the show Jamie Bartlett, later revealed that OneCoin lacked genuine blockchain and held no real value.

Graham Cluley

Yep.

Carole Theriault

And my whole point is imposter scams are nothing new. And these days, the most common variations involve scammers calling or texting or emailing their victims, posing as a trusted, I don't know, government agency or organization. So the FBI, IRS, or the Postal Service, or big companies like Amazon or Netflix or wherever you put your money. And the scammers then, under a wide variety of pretenses, demand payments, maybe by gift cards or crypto or credit card or wired funds. So let's pivot to this article, which I've linked in the show notes, an article from Forbes talking about the FBI warning of a new scam claiming to be the work of Russian ransomware gang BianLian. Do you know BianLian?

Graham Cluley

BianLian? Yes, I've heard of them. I may not be doing it justice. Apologies if I am not.

Graham Cluley

Okay.

Carole Theriault

So this gang developed ransomware that was deployed against numerous companies for the last 3 years. And these guys are definitely serious about ransomware and have evolved. So, for instance, an updated security advisory from the US cybersecurity agency CISA explained how the infamous BianLian had stopped deploying encryption services to their victims, instead choosing to exclusively exfiltrate the data or hoover it up.

Graham Cluley

Okay, so they're not locking up any computers anymore. They're just saying, we've taken your data.

Carole Theriault

Yeah, they just take their big digital straws out, suck everything up, and they go, okay, give us money if you want it back.

Graham Cluley

Okay.

Carole Theriault

Or if you don't want us to put it out.

Graham Cluley

Yep.

Carole Theriault

TechRadar called them one of the nastiest ransomware groups around. Now, Graham, you're pretty au fait with security.

Graham Cluley

Thank you.

Carole Theriault

In your opinion, in your expert opinion, let me say that. Would it be weird for this group, BianLian, to do another weird U-turn in their ransomware strategy and start relying on snail mail as an infiltration method?

Graham Cluley

As an infiltration, a way of infecting companies?

Carole Theriault

Well, no, as a way of wiggling their way into the organization and making their demands.

Graham Cluley

Oh, oh, so they're saying we've taken your data. And they're gonna send the ransom note via post.

Carole Theriault

Yeah, yeah. You basically are opening your mail at your company, and this is the letter that you open. So I've put it there in the show notes so you can look through it and see what you find interesting.

Graham Cluley

Let me have a look. Okay, so we've got an envelope saying, "Time sensitive, read immediately." All right, little stamp on it.

Carole Theriault

Right, you'd think you'd email it.

Graham Cluley

You wouldn't trust it with the post, would you? Okay, so, and it says, "Dear blah, I regret to inform you we have gained access to your systems, and over the past several weeks have exported thousands of data files." Oh no, they've taken our ID. Social security numbers, payroll, or sensitive HR documents. Okay. This looks like a regular ransom note, but this is one that's been sent through the post, and they're asking for bitcoin.

Carole Theriault

Yep, and they're explaining how it happened, how they were able to infiltrate their network by saying it was insecure.

Graham Cluley

Yes.

Carole Theriault

They want bitcoin payment. They even have a QR code inside.

Graham Cluley

Yeah, and there are links, you know, for people to follow to go and make the payment.

Carole Theriault

"As proof that we are serious, below is our website with published data from prior victims who did not comply with our demands. If you do not pay us on time, all the data in our possession will be leaked to the public to abuse." And then they give a Tor project link.

Graham Cluley

Why are they sending this via post, which costs money, as opposed to email, which doesn't really cost money, does it?

Carole Theriault

Well, do you wanna know what the security firm GuidePoint found out?

Graham Cluley

Go ahead.

Carole Theriault

Because they got a few reports about this. And they pointed out that communication of a ransom demand via the postal service is not something they had previously observed from any legitimate ransomware group.

Graham Cluley

Right.

Carole Theriault

The other weird thing they point out is that the wording and content of the message is inconsistent with the ransom notes that they have observed from BianLian in the past. Because it contains nearly perfect use of English and features longer, more complex sentence structures. I'm thinking, okay, they used AI, big whoop. The letter does include links to sites on the dark web where the real BianLian has leaked data. But these links are kind of meaningless as the addresses are commonly known.

Graham Cluley

So these companies haven't necessarily had any of their data taken at all. It's a scam.

Carole Theriault

Correct.

Graham Cluley

And they're putting this in the post because they didn't have any carrier pigeons available, presumably.

Carole Theriault

Yeah, are they script kiddies?

Graham Cluley

Oh, what?

Carole Theriault

What is it? They've written a letter. There's no evidence of any computer jiggery-pokery going on.

Graham Cluley

Are the FBI now analysing the saliva on the back of the envelope where they've stuck it down? Have they written the address in crayon? Or have they printed it out?

Carole Theriault

Weirdly, the note does not contain any contact information, which is usually—

Graham Cluley

Oh, how disappointing.

Carole Theriault

No, but typically you would be able to contact the ransomware group to start the negotiations on the ransom. And there's nowhere for anyone to do that, which GuidePoint Security point out as an interesting thing to note.

Graham Cluley

Oh, I see. Yes. So it's just a case of you can see past victims here, which presumably goes to the shall we call them the legitimate ransomware gang, but they just want you to drop a whole load of bitcoin into their wallet.

Carole Theriault

Yes. The FBI does, of course, have recommendations, right? Even though they assess the letter as an attempt to scam organizations into paying a ransom, the letter contains a US-based return address of BianLian Group originating from Boston, Mass.

Graham Cluley

Okay.

Carole Theriault

And the FBI say, we've not identified any connection between the sender and the widely publicized BianLian ransomware and data extortion group. So they basically just say notify corporate executives and organizations of the scam for awareness, which is what I've just done.

Graham Cluley

Well done.

Carole Theriault

You're welcome, FBI. Done my job. I've told our world.

Graham Cluley

I just hope this fake BianLian gang don't set their lawyers on you, Carole, for publicizing their attack method, which is ruining their business.

Carole Theriault

Well, I hope so too. I hope so too. Links in the show notes if you want to see where I got my information. If you've been in the cybersecurity industry for a while, chances are you've already heard of Fortra's Tripwire because they've been setting the standard for integrity monitoring tools for more than 25 years. What you might not know is just how much of your environment Tripwire can monitor.

Graham Cluley

That's right. Tripwire Enterprise gives you context for suspicious changes across your servers, network devices, applications, databases, file systems, desktops, and more to give you the real-time awareness needed to stop breaches before damage is done. It also automates compliance enforcement with the industry's largest policy library.

Carole Theriault

So visit tripwire.com/demo to set up a personalized demo session with a cybersecurity expert and learn how Tripwire can be your integrity management ally. And thank you to Tripwire for sponsoring the show. We've got some eye-opening cybersecurity stats for you today. Palo Alto Networks say that attacks are happening 250% faster, with 86% causing direct business disruptions.

Graham Cluley

Scary stuff. Yeah, it's clear that staying ahead of the threat landscape is more important than ever.

Carole Theriault

That's why we are excited to tell you about the 2025 Unit 42 Global Incident Response Report from Palo Alto Networks.

Graham Cluley

Now, this report is packed with information about the latest trends and attacker techniques, as well as real-world case studies from top threat intelligence experts.

Carole Theriault

So whether you're a seasoned pro or just starting in cybersecurity, this report is your ultimate advantage in combating rising threats. And let's face it, we could all use a bit of future-proofing in our security strategies.

Graham Cluley

So what are you waiting for? Head over to smashingsecurity.com/unit42 to download the report. That's smashingsecurity.com/unit42. And thanks to Palo Alto Networks for supporting the show.

Carole Theriault

Do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all those unmanaged apps and devices?

Graham Cluley

That's where 1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch.

Carole Theriault

1Password Extended Access Management is the first security solution that brings all these unmanaged devices, apps, and identities under your control. It ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.

Graham Cluley

So secure every app, device, and identity, even the unmanaged ones. Go to 1password.com/smashing. That is 1password.com/smashing. And welcome back. Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week.

Graham Cluley

Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily.

Carole Theriault

Better not be. Well, my pick of the week this week is not security-related. In fact, my pick of the week this week is not a pick of the week. Oh dear.

Graham Cluley

And my nitpick of the week this week is the phrase public school. Now, in most parts of the world, a public school is exactly what it sounds like, a school funded by the public, for the public, which anyone can attend. Seems simple, doesn't it? Very, very simple.

Carole Theriault

Mm-hmm. But no, not here in the UK, because here in the UK, public school means something entirely different. Here in the UK, a public school is actually a private school. No, not in this country.

Graham Cluley

No, it's bonkers, isn't it? So everyone understands that private schools means a school that isn't funded by the state. But here in the UK, where public schools are private, private schools are also private. And then there's also this delightful term independent school.

Carole Theriault

You know, I would say though, I've been living here a number of decades, and I would say a lot of things that seem to have come from perhaps higher classes throughout the decades have a natural way of trying to obfuscate themselves to be so complex and nonsensical that the average punter wouldn't be able to figure out the rules. So there's twists and bends and complete complexities because it shows if you don't know all those, you're not part of the elite crowd. So it's a way of keeping out the riffraff.

Graham Cluley

So you live, for instance, in Oxford, right?

Carole Theriault

I do. And what river runs through Oxford? The Thames. Only for those people that have very poor geography.

Graham Cluley

Well, I remember that there was an ISIS cricket team, and I think there was some concern as to who its members may have been made up. Anyway, there's also this delightful term independent school, which, as you've just pointed out, seems to be a fancy way of saying private school without the baggage of sounding exclusive. So I think you're absolutely right. Just as with— there's Magdalen College, which is actually spelled Magdalen.

Carole Theriault

Maudlin. Maudlin. I don't know if I'm going to sign up to that. I—

Graham Cluley

What?

Carole Theriault

I'm kidding.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

My pick of the week. Actually, let's start with this. You know when you have to do something so boring and repetitive and you need to do it, let's say, every day and you just wish you could get someone else to do it for you so that you wouldn't have to go through the drudgery of it all.

Graham Cluley

Magdalen College. Exactly, that's Magdalen. Okay, yeah.

Carole Theriault

This is effectively the premise of Severance. This is an Apple TV+ show that recently launched season 2. Did you see season 1?

Graham Cluley

What am I saying? Magdalen. I don't have Apple TV, but I've had so many people in the last couple of weeks recommend to me that I should watch Severance. Have I got it wrong? Anyway, my nitpick of the week is the term public school.

Carole Theriault

I agree, I agree. So basically, the premise is that, you know, it balances the real and the surreal, and the show follows 4 employees who effectively sort numbers floating on their computer screens. And they're in this huge room, and there's these 4 desks and these 4 people working. You have no idea what they're doing. It makes not much sense to you as a viewer. And early in season 1, you learn that they all have chosen to have a chip put in their brains that cuts their memories in half. So they kind of divide it as innie and outie.

Graham Cluley

Let's start right here, only calling public schools public rather than private schools public. Thank you very much.

Carole Theriault

So the working part, the part working inside the office, is called the innie. And it has no knowledge of who they are beyond the walls of that company. And the outer part, the outie, has no memory of the working day. And what their innies are working on, on these numbers going in, seems to be very, very important to this big company, Lumon. But no one really knows why or how or who's gonna benefit or what's going on. So problems ensue, of course. The show's creator, Dan Erickson, was inspired by wishing that his tedious office temp job could zoom by so that he could get back to screenwriting. Anyway, so Series 2 has just come out. Some series shake up things pretty radically between seasons. You know, you just have no reference point. But this is a seamless continuation. So, we basically pick up 5 months after the cliffhanger event from Season 1. I'm not gonna give any highlights 'cause, Graham, you haven't watched Season 1 yet. But you will love it. Acting is stellar. Characters become weird family members. And you don't really know who to root for. It's delicious. So my pick of the week is Severance Season 2. Don't miss Season 1 though, and find it on Apple TV+.

Graham Cluley

Wonderful. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. And huge, huge thank you to our episode sponsors, Tripwire, 1Password, and Palo Alto Networks. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. It's actually more than 407.

Carole Theriault

Oh, there you go.

Graham Cluley

Until next time, cheerio. Bye-bye.

Carole Theriault

Bye.

EPISODE DESCRIPTION:

What happens when a healthcare giant’s legal threats ignite a Streisand Effect wildfire… while a ransomware gang appears to ditch the dark web for postage stamps?

Find out about this, and more, in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

Episode links:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Palo Alto Networks - Get the 2025 Unit 42 Global Incident Response report to discover emerging threat trends, attacker tactics and expert recommendations to safeguard your business.
  • Tripwire Enterprise - Set up a demo of Tripwire Enterprise to see how you can simultaneously harden your systems and automate compliance.

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

FOLLOW US:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.
