This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Maria Varmazis
Whinge bags? Are they not American? Americans, we don't say whinge.
Graham Cluley
Oh, this is interesting. What are you onto here, Maria? They don't say whinge bags?
Maria Varmazis
We don't say whinge. We say whine.
Carole Theriault
Exactly.
Graham Cluley
Oh, maybe I wrote it down wrong.
Unknown
Oh. Smashing Security, episode 117. Swats on a Plane with Carole Theriault and Graham Cluley.
Unknown
Hello, hello, and welcome to Smashing Security episode 117. My name is Graham Cluley.
Carole Theriault
And I'm Carole Theriault.
Graham Cluley
Hello, Carole.
Maria Varmazis
Hello.
Carole Theriault
Can I grab the microphone for a second?
Graham Cluley
Yes, if you wish.
Carole Theriault
Now, before we introduce our amazing guests, I made a bit of a boo-boo last week. I was talking about Mondelez, the food giant.
Graham Cluley
Oh, yes.
Carole Theriault
And we were talking about cybersecurity insurance in general, but they actually didn't have cybersecurity insurance. They had property insurance.
Graham Cluley
Oh, so they had insurance with Zurich, but not cyber insurance.
Carole Theriault
So some of the machines, of course, got damaged by the NotPetya virus.
Graham Cluley
Yeah.
Carole Theriault
And they are trying to claim that on their property insurance. Now, this is all according to a guru of the insurance world, Martin Overton. I spoke to him earlier today. I recorded that conversation, and I'm going to put it at the end of today's show.
Unknown
Ooh.
Carole Theriault
So watch this space. And sorry, guys. Sorry, everybody.
Graham Cluley
Thank you for that. And we'll look forward to that at the end of the show. And we're also joined this week by special guest Maria Varmazis. Hello, Maria.
Maria Varmazis
Hello.
Carole Theriault
Ah, Maria. Now we can smile. All the bad stuff's out of the way.
Maria Varmazis
I'm happy to follow the errata.
Graham Cluley
Do you have anything to apologise for, Maria?
Maria Varmazis
Oh, well, don't even get me started. It's a whole other podcast.
Graham Cluley
I claimed last week that Rugby was in Yorkshire, which got me a little bit of hate mail when apparently it's in Warwickshire.
Maria Varmazis
Shame on you.
Graham Cluley
Probably on similar kind of level as the insurance thing, I would think.
Carole Theriault
Much, much worse.
Graham Cluley
What have we got coming up on the show this week?
Carole Theriault
Oh, we have a fun one this week. How could you not have a fun one with Maria, the Queen of Comedy, on the show?
Maria Varmazis
What?
Carole Theriault
Now, Graham, you're hitting Tampa, Florida, and delving into hacked Twitter accounts. Maria is going to talk us through her month off Facebook. Did she actually make it in the end? Don't tell us till the very end of your story. And I'm talking about a sneaky, nasty scam lurking on LinkedIn. All this and more coming up on Smashing Security.
Graham Cluley
So, so, so, so, chaps, I have a strange story, and the further I looked into it, the weirder and more bizarre it became. The story begins last week. Bob Buckhorn is the mayor of Tampa, Florida.
Carole Theriault
Okay.
Graham Cluley
And he was away on a hunting trip in South Carolina, out of reach of the internet, unable even to get a cell phone signal. He was enjoying the wilds. And why shouldn't he be? Because he actually is aware that his term as mayor of Tampa is coming to an end, and there will soon be elections for a brand new mayor. So he doesn't have much to worry about, does he?
Maria Varmazis
Oh, okay.
Carole Theriault
I guess not. I guess he's going to think about putting his feet up and play some golf.
Graham Cluley
Well, no, you're wrong, Carole. He does have a lot to worry about because his Twitter account got hacked while he was out on that hunting trip around about 4 o'clock in the morning local time.
Maria Varmazis
Every hunter's worst nightmare right there.
Carole Theriault
Is your advice going to be never leave your Twitter account ever?
Maria Varmazis
I can see where this is going.
Graham Cluley
That is the policy I've been taking for a while.
Carole Theriault
I know.
Graham Cluley
Now, when his account got hacked, the juvenile miscreant who hacked his account changed his Twitter name from Bob Buckhorn to, can you guess, changed one of the letters.
Carole Theriault
Robert?
Unknown
No.
Graham Cluley
He changed it to Bob Cuckhorn. Could have been worse, of course.
Carole Theriault
Did he do that? Are you trying to be polite or?
Graham Cluley
No, it wasn't Fob Buckhorn. It was Bob Cuckhorn is what his name got changed to. And his profile was replaced by one which said City of Tampa's Mayor, white supremacist, hater of fuckers. And his avatar was switched to a version of the alt-right meme, Pepe the Frog.
Maria Varmazis
Oh no.
Graham Cluley
Your own side. Exactly, exactly. Now, this is of course when his Twitter account began to spew a series of racist, sexist, and oh my goodness, disturbing messages. For instance, the Twitter account tweeted to Tampa Airport saying, "I've hidden a bomb in a package somewhere. Looking forward to seeing some minorities die."
Maria Varmazis
That's awful.
Carole Theriault
I know, but part of me is thinking, as soon as you saw that coming from the mayor's Twitter account, you would know he was hacked. No?
Graham Cluley
Well—
Maria Varmazis
You never know nowadays.
Graham Cluley
I can see where you're coming from, Carole. You're thinking, why would a political figure in the United States use Twitter to spread some sexist, misogynist, or racist, or just truly bizarre. No one would dream of using two-factor authentication.
Maria Varmazis
It's not a dig on Tampa, 'cause you're gonna get some hate mail from Tampans. And that's probably not the right word.
Graham Cluley
Another message came along saying, "Emergency alert, ballistic missile thread." I think they meant threat.
Maria Varmazis
Threat.
Graham Cluley
Rather than a thread. "Inbound to Tampa Bay area. Seek immediate shelter. This is not a drill." And another one said, "City of Tampa staff, you are full of SJW whinge bags."
Maria Varmazis
Whinge bags? Are they not American? Americans, we don't say whinge.
Graham Cluley
What do you—
Carole Theriault
Can I just say, this is very good for my pick of the week.
Graham Cluley
Breaking news. Breaking news. What are you onto here, Maria? They don't say whinge bags?
Maria Varmazis
We don't say whinge. We say whine.
Carole Theriault
Exactly.
Graham Cluley
Oh, maybe I wrote it down wrong.
Maria Varmazis
I was gonna say, that's straight up—
Carole Theriault
Fake news. Fake news from Smashing Security. Another erratum. You're 2 to 1.
Graham Cluley
I hope the rest of it I've got right. It continues saying, "Time you fuckers were brought down a peg or two. It'll be sweet victory when I bring my AK into your offices later today. #BeWarned."
Carole Theriault
So can I ask, how far apart are these messages?
Graham Cluley
Well, these messages were being posted over the course of a few hours before anyone in Tampa woke up in some position of authority. And the mayor, of course, he didn't have any internet connection. He didn't even have a cell phone signal.
Carole Theriault
Does he have a secretary?
Graham Cluley
So he wasn't aware of what's going on. Even if he did, Carole, there he is in the outback or whatever it's called, you know, hunting wildebeest or whatever, you know, people do when they go hunting.
Carole Theriault
I suppose that clears his name of doing it himself.
Graham Cluley
What are you suggesting?
Carole Theriault
Well, I'm just saying, if people are obviously confused that this could be actually him at the time by receiving it, I'm just thinking as soon as you saw that, you'd say, okay, he's got hacked.
Graham Cluley
Yeah, of course they would. But that doesn't mean that the threat is necessarily nonexistent. It could be some sort of Christian Slater-style bad guy in a movie, right, who's hacked into an account and he's using it as a platform to spread the message and spread concern.
Carole Theriault
Okay.
Graham Cluley
Now, some of these messages, I mean, those were just the messages I was comfortable mentioning. There were others which were much, much worse.
Carole Theriault
You sounded very comfortable with them, concerningly so.
Graham Cluley
Now, some of those tweets tagged other Twitter users. For instance, PewDiePie.
Maria Varmazis
Again with the PewDiePie.
Graham Cluley
And a YouTuber and Redditor called Ice Poseidon, who I hadn't previously heard of, but appears to be quite a big deal. You know of him, do you, Carole?
Carole Theriault
Yes, but I don't know why I know him, but I know that name.
Graham Cluley
Well, he's no stranger to controversy. Back in April 2017, he was permanently banned from Twitch, for instance, after he was swatted while actually on an American Airlines plane in Phoenix.
Carole Theriault
Did you say— you said swatted, not spotted?
Graham Cluley
Yes, that's right. He was swatted.
Maria Varmazis
Swatted on a plane.
Graham Cluley
Yes, it's when someone contacts the authorities and claims there's some madman in your house. They give the police your address and the police go round with weapons.
Carole Theriault
Nice.
Graham Cluley
Because they assume it's going to be an incident. They have to err on the side of caution.
Carole Theriault
That's not a boring day.
Graham Cluley
And they arrest you.
Carole Theriault
Great.
Graham Cluley
This sort of thing has happened to people like the founder of Mumsnet. It's happened to Brian Krebs. It's a trick which basically 15-year-old boys do against other YouTubers. And they watch it live on stream because Ice Poseidon is a live streamer, right? He's all the time posting messages on video saying, here I am on my plane in Phoenix. And then some nerd thinks it's really hilarious to call the police pretending that there's some kind of bomb threat. And they called in under his name.
Maria Varmazis
I've had enough of these motherfucking SWATs on this motherfucking plane, said the movie.
Graham Cluley
Samuel L. Jackson.
Maria Varmazis
SWATs on a Plane.
Graham Cluley
SWATs on a Plane.
Maria Varmazis
Thank you.
Graham Cluley
That's the episode title. Now, Ice Poseidon got banned from Twitch because he was giving out his real address all the time, making it too easy for folks to swat him. He actually seemed to be quite enjoying it in a way. He sort of reveled in the notoriety.
Carole Theriault
He is getting probably more followers as this happens, which is why he may be making it easy to be swatted.
Graham Cluley
Perhaps. It's a peculiar thing, though. And what do you think was happening as Mayor Bob Buckhorn's Twitter account was being hacked? Ice Poseidon was being swatted again. So he was being tagged in the messages and he was being swatted. Now, in response to this, he's made his Reddit community private. He's very active on Reddit and you now have to ask to be allowed in. Presumably he's keen for things to cool down a little bit, but it seemed a strange coincidence that all these things were going on, and it's like someone has a vendetta against him. But anyway, anyway, anyway.
Carole Theriault
Okay, so you now have an itch and you're hoping our listeners are going to scratch it for you.
Graham Cluley
Maybe, or maybe I just don't want to know at all. I'm not sure. Sometimes that happens with an itch as well, doesn't it? It's like, it's itchy there, but I don't really want to get the mirror out to go and have a look and see what's going on down there. What? Right?
Carole Theriault
You're on your own on that one.
Maria Varmazis
But why should anybody care about this stuff? What's the deal? So some dude got swatted.
Graham Cluley
Yeah. Well, some dude got swatted and a politician got his Twitter account hacked as well. The mayor's election is due to take place on Tuesday, March 5th, next Tuesday as we record this.
Maria Varmazis
Okay.
Graham Cluley
Bob Buckhorn says he doesn't care very much. He's not up for reelection, but he's involved the authorities. The mayor's office say they've strengthened their defenses to make it harder for hackers in future. But what has become clear over the last few years is that many politicians and corporations are struggling to properly protect their social media accounts. And I think the reason is, even though two-factor authentication is available, it doesn't work very well when you have multiple people looking after the account.
Carole Theriault
Don't we know it?
Unknown
Mm-hmm.
Graham Cluley
Right.
Maria Varmazis
Yeah.
Graham Cluley
Because you don't all have access to the mobile phone, for instance, or your authenticator apps are out of sync. And so, you know, if you have to confirm your identity, it's really tricky. Now, I think that some people have taken that challenge and they've decided, well, we just won't bother having two-factor authentication. It's too hard, right? And that's why these accounts keep on getting hacked or phished and people break through. Now, although Twitter doesn't make it terribly easy for teams to share an account, there is a feature on TweetDeck, which is owned by Twitter, which allows different users to share a team account.
Maria Varmazis
Yes, it's very handy.
Graham Cluley
Right, you know about this, cool.
Carole Theriault
Yes, very handy.
Graham Cluley
So with this teams feature, you can have your own personal Twitter account, which has two-factor authentication, and from that you can have access to do various things with a sort of team account as well.
Carole Theriault
Yeah. I've used that with clients before, and it's great. Smashing Security.
Graham Cluley
Right, without having to share a password with other people.
Carole Theriault
Mm-hmm, good advice.
Graham Cluley
So I'll put a link in the show notes, 'cause I really think there's probably a lot of organizations which aren't using this, and it's going to be a better way to protect your Twitter account, whether it be from YouTubers or 14-year-old boys or swatters or whatever. Properly defend yourself, get strong passwords, get two-factor, and don't ignore these things just because you're trying to get multiple people to run your Twitter account.
Maria Varmazis
Yeah, I really doubt that mayor had anybody running his account but him, though. I really doubt it.
Graham Cluley
Perhaps not. Yeah, probably not.
Maria Varmazis
I don't know.
Carole Theriault
It depends how old he is and how comfortable he is with Twitter.
Graham Cluley
He is quite old.
Carole Theriault
I've seen a number of people basically call it Tweeter. If you're out there, you know who I'm talking about.
Graham Cluley
Maria, what's your story for us this week?
Maria Varmazis
Well, last time I was on the podcast, if you want to do the do do do do do do do do do flashback sounds.
Graham Cluley
Oh, yeah, yeah. Well, let's go. Let's go back. Let's listen to what happened.
Unknown
Why not go cold turkey right now?
Graham Cluley
Yeah, Maria, but maybe going cold turkey is too difficult. Maybe just like some folks are giving up drink or stopping smoking for a month. Maybe there should be a month when everyone tries to get past without logging into Facebook.
Carole Theriault
Yeah, just deactivate and see how long it takes you before you activate again. I am sure it is so slippery to.
Maria Varmazis
No Facebook February, make a commitment.
Carole Theriault
Interesting.
Maria Varmazis
I could try that. I could give that a shot. So last time I was on the podcast, you put a challenge to me to not use Facebook for a month and see what would happen. I know, Carole, in the intro for this episode, you said I would reveal it at the end of my segment, but it's kind of impossible for me to talk about it without revealing it up front. But still, any guesses on how it went from the two of you?
Carole Theriault
You lasted 3 hours.
Graham Cluley
No Facebook February. I think you probably did reasonably well, but you had to sometimes drop in.
Maria Varmazis
Yeah, actually, Graham, you're pretty much right on the money for that. So congratulations. So my hope for the month was that by the end of the month I'd be completely extricated. My account would be deleted. I'd be done. I'd finally freed myself from this stupid site I can't seem to exit. And I actually did pretty well for myself. I didn't post a single update the whole month. Good. Go me. Not even a meme shitpost as per my usual. I long ago deleted the Facebook app off my phone. So that wasn't hard. I didn't have any phone app to check and didn't reinstall it or anything.
Graham Cluley
That's a fantastic first step. I remember when we first talked about how to quit Facebook, that was one of your recommendations.
Carole Theriault
Get it off the phones.
Graham Cluley
Good way to wean yourself off the habit, isn't it?
Maria Varmazis
Honestly, that was probably the bigger step than trying No Facebook Feb. That was much bigger. And this was practically a piece of cake. So my fear, Graham, as you noted and correctly predicted, was that outside forces would keep pulling me back in kicking and screaming. And unfortunately, that is exactly what kept happening to my great annoyance. So I took some notes during Feb because I was really curious to see what exactly is happening to me. Why is this? Why are my efforts being thwarted at every frickin turn? So first week of February alone, I had to log back into Facebook because of a local political action group posting about efforts to save a local neighborhood farm down the street from me. A big deal. And all the notes about that are posted on Facebook, nowhere else.
Carole Theriault
That's very interesting, because I've run into that before as well, and I've resisted so far. But that is— local politics are always on Facebook.
Maria Varmazis
Local politics are always on Facebook. Second thing, local parent school group posting about updates about organizing at city council meetings regarding controversial plans to build a new high school in our city. So again, more local politics. This is local politics, school/parents stuff. Number 3 was community art coalition I'm a part of that was organizing and requiring RSVPs on Facebook to an event that was private. So you had to RSVP so they knew how many people to expect and you had to do it through Facebook. That was the only thing they were using. Yep. And number 4 was friends messaging me on Facebook Messenger to comment on threads saying, commenting about my availability for lunch and then neighbors messaging me about—
Carole Theriault
Commenting on your availability?
Maria Varmazis
On my availability for lunch.
Carole Theriault
Are they asking you or are they just going, oh, you don't look very available?
Maria Varmazis
No, we're basically saying, hey, let's meet up for lunch. Right, 3 days that are available. I know there's things like Doodle, but my friends don't use them. They all use Facebook, right, kind of stuff. So we've tried Doodle and it just doesn't seem to work. And then I also had neighbors messaging me about clothing swaps for little children, that kind of thing. So neighborhood clothing swap stuff. So that was just in the first week of February alone. So yeah.
Graham Cluley
And the thought of swapping clothing might be something which actually draws me back to Facebook if I could get involved in a group like that.
Maria Varmazis
Oh yeah, there's a lot. Dress up like Graham Cluley, everybody. We're starting a swap for Smashing Security.
Carole Theriault
Fashion security.
Maria Varmazis
Fashion security. That would be a weird, weird segment. I'm in for that though. Yeah, speaking of naked and Smashing Security episodes— no, we're not doing that. Never mind. Anyway, so all these things in the first week of Facebook were all posted in private groups.
Graham Cluley
Right.
Maria Varmazis
That information isn't posted anywhere else. These are all run by volunteers where it's important that organization is quick and that it has some modicum of gatekeeping and some sort of level of social trust that the person is who they say they are. We can reasonably trust that they are. We actually have some trolly neighbors that sometimes troll some stuff that we do. So we actually have to know who's joining. Yeah, some of these political things are kind of heated. I live in a town that's sort of divided politically, so there's actually an element of gatekeeping that's necessary. And for things like marketplace type stuff or clothing swaps, which is very popular with parents of young kids, you want to know that the person you're going to be swapping things at their house is an actual real person and not a creep.
Carole Theriault
Better be Burberry.
Maria Varmazis
Yeah, no, not in the town I live in. So yeah, anonymity is explicitly not wanted and emails are just a pain in the ass to maintain and nobody wants to be the mailer demon maintainer.
Carole Theriault
This is really interesting to me because these were all things that I never actually did on Facebook. I never joined groups, or I was very just a lurker for a bit and I got off. But I can now understand that those are difficult. How do you get around those barriers if you decide not to do Facebook?
Maria Varmazis
Yeah, you can't lurk.
Carole Theriault
Fuck you, Mark Zuckerberg!
Maria Varmazis
My thoughts exactly!
Graham Cluley
I think particularly when— I mean, Maria, you've got a young child, and I remember that was something which actually brought me back to Facebook for a while, was I had a kid going to school and I had to sort of know the other parents and things. So I wouldn't blank them all the time and not know whose kid was whose. And well, there was one situation where I—
Carole Theriault
Has your kid quit school already?
Graham Cluley
Well, no, no, no. There was one situation where I sort of kidnapped a child. It was an accident. I was taking someone—
Maria Varmazis
Totally reasonable. Yeah.
Graham Cluley
This child—
Carole Theriault
Good thing, tell everyone.
Graham Cluley
I had to take, I had to transport some children. I didn't know which child was which. One ended up in the car. He was a little bit enthusiastic. I was driving down the highway and it turned out his parent was expecting to pick him up. Anyway, it was all fine. It was fine.
Maria Varmazis
This is going to be used as evidence in the deposition. You know, you were an adult.
Graham Cluley
No, he said to me, you're taking me back to your house. And I said, okay, come on then.
Carole Theriault
You took the word of a 5-year-old. And so— Didn't think of checking in with mom.
Graham Cluley
No question.
Maria Varmazis
They don't lie at 5, right?
Graham Cluley
Never.
Carole Theriault
No. I didn't eat any cookies.
Maria Varmazis
No.
Graham Cluley
But anyway, that was one of the reasons why I was briefly back on— I'm not on Facebook any longer. It is difficult. Yeah. Whines. And I think particularly for young parents who are exhausted anyway and trying to have a life outside of their four walls, Facebook is a bit of a lifeline in a way, because everybody's there. There are events going on and you do begin to feel like you're missing out a bit, don't you, if you're not involved in some of these groups?
Carole Theriault
What is this, you pretending to be empathetic?
Graham Cluley
I'm trying to be empathetic to Maria, yes.
Maria Varmazis
Oh, I appreciate that. When I was reflecting on how badly my month went, I was thinking, yeah, the time of my life right now is not helping. And admittedly, it's also because I like to be involved in real life community things. I don't attend a religious organization where maybe I'd be seeing people in person. So online community tends to be what I rely on. Sure, I could not be involved in local politics or trying to save my local neighborhood farm, but these are things I actually care about. So if I just said, you know, fuck the world, I'm just gonna play video games all day and just whatever and order takeout and never leave my house.
Graham Cluley
And you wake up one morning, there's a bulldozer in your front garden about to smash your house down 'cause you've missed out what the local developer did.
Maria Varmazis
On the council meetings and the plans were very clearly posted. And guys, guys, guys, are we doing this? I'm totally in for it. I'm doing this.
Graham Cluley
Guys, don't stay in the lavatory.
Maria Varmazis
I gotta go get my towel.
Graham Cluley
Beware of the leopard.
Carole Theriault
Maria, isn't there another option though? Couldn't you just kind of wean them, educate them on the problems with Facebook? It's not like these people aren't reading a paper and you can get them set up on something else.
Maria Varmazis
So I was actually at a meeting last Wednesday and we were talking about how to RSVP to events. And when somebody said, how are we going to organize for this next event? Everybody got really quiet. Everybody looked at each other. Someone else said, ugh, Facebook. And the whole room groaned. Everyone went, oh God, I hate Facebook. I really wish I wasn't on that stupid thing. But what's our alternative? Yeah, I know. I mean, it was literally this whole conversation. And this is a bunch of artists, by the way, people who are not usually thinking about security stuff. They all hate it too. And everybody feels the same way. We're freaking stuck with this thing. What's the better option? We could try to do email. Yes, that is a thing. But then somebody has to maintain it. Maintain an email list and nobody wants that responsibility.
Graham Cluley
Google Plus, Google Plus.
Maria Varmazis
So I can't completely deplatform myself even though I've actually actively tried unless I want to cut myself out of real world communities that I'm a part of. And then it occurred to me as I was talking to my husband about this, he doesn't use Facebook anymore, but I'm sort of doing it for the two of us because these are community things that he also cares about and I sort of relay the details to him. So I wonder how many folks, ahem, ahem, might have a spouse picking up the slack.
Carole Theriault
Not in my house.
Maria Varmazis
Not in my house. Yeah, I'm just throwing that one out there.
Carole Theriault
I think you're right though.
Maria Varmazis
Because it's like somebody has to answer the phone, right? I don't want to do it, but somebody's got to do it. Otherwise the phone's going to keep ringing, I suppose. I don't know, bad analogy. Anyway, so I, for my own work, have been looking into alternative social media for a Naked Security article. And Graham, I know you know about Mastodon because you and I are both on an instance out there, the InfoSec instance. And there are a number of interesting alternatives out there like Diaspora and a whole bunch of Mastodon instances, and they're very user-friendly, which is great. It's not like trying to tell somebody how to log into IRC, you know, which isn't the hardest thing, but Grandma might have a hard time. And they're not as confusing as maybe Second Life was. You guys remember Second Life? But I can't go to these meetings and say, hey guys, let's log into a federated social media instance, because when you look at the top instances, have you guys looked at these things?
Graham Cluley
No.
Maria Varmazis
Okay, they're, how do I put this? People who are looking for a safe place for their seedy interests have found a haven by making their own, say, Mastodon instance. So I saw one of the top Mastodon instances, which has over 10K users, had something to do with baby bottles and diapers. And I thought maybe it was like a new parent group, but it wasn't. I'll just leave it there. And I really left that one quick. So I don't think I'm going to be recommending that one to the PTA parents.
Graham Cluley
You know, years ago, I ran a personal website where I had a little photo gallery and there was a picture of me as a young boy eating an ice cream on a beach. And I had sort of ice cream smeared all over my face. One day I noticed in my web stats that there was a third-party website which was hotlinking to that image. So I was paying for all the bandwidth and it sounded like, whoa, what's all this going on here? And when I checked out the URL that was taking the image, it was a site called something like Boob Mania.
Unknown
Yeah.
Maria Varmazis
Oh my God, I remember this! I remember this!
Carole Theriault
You're around, you were around.
Maria Varmazis
I was around. Oh my God, I remember this discussion. Oh geez, I totally blocked that from my mind.
Graham Cluley
But yeah, I'm sorry, I've brought it back to you now.
Maria Varmazis
Yes, I think I've seen the photo in question actually.
Graham Cluley
Oh well, yes, I'll post it up on Twitter. Why not?
Maria Varmazis
Let someone else—
Graham Cluley
Twitter can pay for the bandwidth this time.
Maria Varmazis
Oh my God. I'm so glad I opened that door. I'm so, so glad I brought that back up. Yeah. So TL;DR, really frustrating month. Really frustrating. I'm still enmeshed. If I had deleted my account, I would have had to just re-up it within a week anyway. I don't think Facebook would even get rid of my data if I told them to delete it. I've noticed a lot of people I know similarly deplatforming. I'm using that badly, but sort of backing away from it, not posting updates, just on occasion logging in saying, hey, it's been a month since I've been on Facebook. I'm just checking. And I'm going back to not being on Facebook. That's sort of how a lot of folks I know are using it now, which is great. But we're not deleting our accounts, which is not so great.
Graham Cluley
And meanwhile, you're creating a little world on Second Life where you're going to encourage all of these people.
Carole Theriault
I can't wait to see your avatar.
Maria Varmazis
You know, Second Life is still around, right? It's still going strong. The furries love Second Life. It's a thing.
Unknown
So how do you know that, Maria?
Maria Varmazis
Oh, it's a well-known thing. I'm not a furry. Let me quash that one right now. I am not a furry. I know some furries, but I'm not a furry.
Carole Theriault
He's just— wow. No, no, he's not a furry. He's just furry.
Graham Cluley
He's very furry. And I think it was— yes, there was some sort of fetish sort of site where they like eating children.
Carole Theriault
Yeah. Yes.
Maria Varmazis
Okay.
Carole Theriault
He doesn't need an outfit. That's all I'm saying.
Maria Varmazis
All right. Well, I couldn't conclude my segment without defending myself for having a rotten time in No Facebook Feb. So there's a link if you guys want through the show notes by a reporter, Kashmir Hill, who tried to live at least a day, if not several weeks, without Amazon, Facebook, Google, Microsoft, and Apple products. And she says of the experience, and I quote, "It was hell." So maybe we could do a No Civilization September for a future segment if we want to try and replicate that. But I don't know, it's really damn hard to do this kind of thing.
Carole Theriault
You might try again next year, Maria, and get yourself, you know, wean off just a little bit more.
Maria Varmazis
If there's a stronger, if there's an alternative that people are willing to use, if people are saying, you know what, I'm willing to go back to email.
Graham Cluley
What about AOL? Is AOL still going?
Maria Varmazis
Are they still sending those CDs? CompuServe? MySpace? Yeah, I feel going backwards is not the solution here.
Graham Cluley
Carole, what's your story for us?
Carole Theriault
Well, this segues beautifully from Maria's story.
Maria Varmazis
Oh, it's I planned it.
Carole Theriault
Yeah. So I want you both to fess up. Other than the people living in your household, how many people that you would call friends have you seen face to face in the last week?
Unknown
For real? Yeah. You have half a dozen friends?
Graham Cluley
So acquaintances?
Maria Varmazis
Are we counting week as in 7 days or week as in since? Yeah. Okay, maybe 2.
Carole Theriault
Maybe 2. Okay, I'm gonna blame— I've seen about 10. So I've decided, because I'm not on Facebook—
Graham Cluley
Well done, you've won. Thank you very much.
Maria Varmazis
I feel garbage. Thanks.
Graham Cluley
Thanks. Thanks very much. Yeah, I know, you went last and you get to choose a bigger number.
Maria Varmazis
In my defence, I'm an introvert, so I hate people.
Graham Cluley
Me too.
Carole Theriault
Fuck off. I would say that a lot of people are hanging out less with friends because of all the digital stuff that we tend to do.
Maria Varmazis
Yeah. Netflix, honestly, is the— I blame everything on Netflix. Umbrella Academy is amazing. So is Russian Doll. Why do I need to leave the house?
Carole Theriault
Despite all these toys that we have, lots of people are feeling much more stressed out by just day-to-day life. And one of those big problem areas is jobs, right? According to Forbes, half of US employees last year admitted to looking for a new job.
Maria Varmazis
That's a low number. You think?
Carole Theriault
I thought I was finding that quite impressive, half of all employees.
Maria Varmazis
Oh no, I think it's much higher than that. Way higher. Oh yeah, yep.
Carole Theriault
And the fact is, most of us are pretty lazy, right, Graham? Sloth level. Can't change the TV channel 'cause I can't find the remote.
Graham Cluley
What do you mean, right, Graham?
Carole Theriault
You know what I mean, right? And where do the lazy go to job hunt?
Maria Varmazis
LinkedIn.
Carole Theriault
LinkedIn. It's the digital market where personalities go to die. I mean, honestly, it's where terms like leveraged idea showers— idea showers— hard stop— yep, hard stop— and 360-degree thinking are used without an iota of embarrassment. Terms that in any other context would give off a serious whiff of tosserdom. And that's a very serious medical condition.
Maria Varmazis
You've been to an American business environment, right? Like, yeah, you know these terms get thrown around without any shame.
Carole Theriault
And then I, and then I swathe my hand under my nose and I go, what is that? Oh, tosserdom. Tosserdom, that's what it is. And America's going— now my guess is that if half U.S.
Maria Varmazis
Oh, do I have to give
Carole Theriault
employees are admitting to looking for a job last year, we can basically say, yes, people are going on LinkedIn and they're looking for that great job, the one that says, hey, you're wasting your time at Company X, come work here and you'll make more money, we'll love you more, etc., etc. So imagine that you receive a LinkedIn invite from Bobette at Company Blah, and she says something like, hey, we at Blah have a cool position for you, I think you'd be perfect for it, and the pay's better than where you are now, I'm sure of it.
Maria Varmazis
you a number because it's rather
Carole Theriault
Let's connect and I'll send you the deets.
Maria Varmazis
embarrassing? Maybe half a dozen.
Maria Varmazis
So what do you do? Do you connect? You hit connect, right?
Graham Cluley
I'd be quite wary. Oh, I see.
Carole Theriault
It should be a girl, and I thought Bobbett. Yeah. Okay.
Graham Cluley
Did you say it's Loretta
Carole Theriault
Now I think, Graham, you would also say connect, wouldn't you? Because I think you famously told me many times, I just connect with everybody on LinkedIn. Just connect.
Graham Cluley
Connect. I do these days. Now, now I work for myself. Yes, I will just accept absolutely anybody. Oh, you're going to regret saying that. Bobbitt who'd sent me this request?
Maria Varmazis
Well, bong!
Carole Theriault
You guys, wrong answer. Oh, you know what you just did? You just opened the door to a wily little phisher hellbent on infecting your device with the More Eggs malware. What? More on that in a second. But this is how the phishers get their foot in the door. They basically need to become part of your network connection. Okay, that's step one. But you don't know this yet, right? You're kind of sitting there going, oh, I'm really excited to hear about this job. A few days go by and you don't hear anything and you're a little disappointed because you were kind of looking forward to it. But a week later, you get a message from your new connection and they say, "Hey, here's a link to the cool job description I was talking about." And when you press click, of course, the URL is a malicious one and it tries to initiate a download of, get this, a Microsoft Word file that requires macros. Macros! It's the '90s again, just like shoulder pads and sports slacks. It's coming back to haunt us.
Graham Cluley
In my defense, I accept, I accept a LinkedIn invitation from anyone, but it doesn't mean that I read any of their messages whatsoever, because I do get a lot of junky messages. They just go straight in the trash.
Maria Varmazis
Okay, if someone in an infosec role opens up that link and goes, oh yeah, I'm going to enable macros, they should get instantly declined from that job. The job, the recruiter should go, nah.
Carole Theriault
Yes, okay, and I understand that, but they're not just focusing on the security guys, right? Yeah, yeah. Now if you of course click on enabling macros, the More Eggs malware will try and sneak onto your device as quiet as a little mouse, you know. Yeah, so More Eggs, basically More Eggs is a— it's a lot of sugar I've had. More Eggs—
Maria Varmazis
You're a more egg! I got Graham to chuckle. That was a good chuckle. All right.
Carole Theriault
He was so grumpy before we started, and look what you've done.
Maria Varmazis
When the moon hits your eye, it's a big pizza pie. That's a Morag. That's a Morag. That's a Morag. Oh, good. I love it.
Carole Theriault
We're going to have to sing us out of the show tonight. Okay, so basically, More Eggs is just a malicious backdoor. Easy peasy. But what it does is if it gets installed, it can be used by the bad guys to install all kinds of other bad stuff on your machine, like maybe a keylogger one day or a ransomware the next. Now maybe, maybe if you were a little smart and you did a little digging before you added them as a connection or opened their attachment, you might have done some digging around checking out, well, who is this company? And they actually did create websites and a little professional-looking logo to dupe you even further. Okay. So all this research is from Proofpoint who are saying that large-scale spray-and-pray campaigns are no longer the thing du jour. Bobbett. I was— So we're looking at much more targeted attacks where they're spending a lot of time learning about what you do, what your interests are, so that they can kind of lure you out of your shell and into letting them join your network. Shell, Morag, yes. This campaign is primarily targeted at US companies, but various industries are being targeted. So retail, entertainment, pharmacy. Oh boy. So we need a bit of advice here for our listeners. I put down Bob.
Graham Cluley
Okay, good. So what do we think?
Carole Theriault
So what, just lie on LinkedIn?
Maria Varmazis
Don't enable macros in Word documents. Welcome to 1995.
Carole Theriault
I know, it's amazing, isn't it? Oh gosh.
Graham Cluley
But I mean, obviously they could deliver it in ways other
Carole Theriault
But I think the reason they're using macros is because maybe it's just fallen out of the press, right? And if you're, you know, I don't know, if you were 25, 30, you may not even know what a macro was.
Graham Cluley
than through a poisoned Word document using macros.
Carole Theriault
You may not even have had— Wait, what? Right, Maria?
Graham Cluley
There's other tricks they could do. Yeah, there's different ways for sure.
Maria Varmazis
As a 25-year-old, I take offense to that.
Graham Cluley
Human error is at the root of 95% of all security breaches. It's all too easy for any of us to make a mistake that lets hackers win. Download a free cybersecurity awareness training kit from Mimecast, which will help your staff learn about threats like data leaks, ransomware, business email compromise, and phishing, and much, much more. Grab it for yourself at smashingsecurity.com/mimecast. And thanks to Mimecast for supporting the show.
Carole Theriault
Hey, what's your password for your email? Do you even know it? I don't. I trust LastPass Enterprise to remember it for me. Because it's so long, so complex, and so unique, I couldn't possibly remember all my passwords for all my accounts. Let LastPass Enterprise do the hard work for you, because they take security seriously, and they're really responsive. Check out LastPass Enterprise at lastpass.com/smashing. On with the show.
Graham Cluley
And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Maria Varmazis
Pick of the
Graham Cluley
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Your pick of the week doesn't have to be security-related necessarily. Definitely not this week. Well, mine definitely isn't security-related this week. Good.
Maria Varmazis
Week. Pick of the Week.
Graham Cluley
My pick of the week is something called Perfect Night In. And— Netflix and chill? It is Amazon Prime and sexy time.
Maria Varmazis
I've never heard that one. Ice cream and beer. Just the essentials.
Graham Cluley
Easily pleased.
Maria Varmazis
Is that a euphemism? No, ice cream and beer literally are just the essentials as far as I'm concerned.
Graham Cluley
If you go to perfectnightin.tv, you will discover a podcast and a kind of video as well, run by a guy called Neil Perryman. Now, Neil Perryman is a bit of a Doctor Who fan. That's how I know him. He had a fantastic blog and series of books called Adventures with the Wife in Space, where he took Sue, his long-suffering wife, on a long odyssey through every single episode of Doctor Who from 1963.
Maria Varmazis
Oh, good Lord, really? Are they still married?
Graham Cluley
Yes, yes, they've gone on to Blake's Seven even. And she would write, they would write about each and every episode, and I used to religiously follow this blog, and it's now a series of books. Anyway, Neil's latest project is a podcast and kind of video called Perfect Night In, where they interview somebody about their ideal night of television, which often revolves around old 1970s British TV shows like Colditz or the Tripods or Sandbaggers. And—
Maria Varmazis
You could have just said to me, "Nyeh, nyeh, nyeh, nyeh." Yeah, I was like, "Are those— That sounds like fake TV names to me." Like names that you put as a placeholder for like real names will go here later.
Carole Theriault
Well, way to go choosing your audience with two non-Brits.
Graham Cluley
Fawlty Towers. Fawlty Towers, right?
Carole Theriault
I've heard of that one.
Graham Cluley
You've heard of Fawlty Towers?
Maria Varmazis
I have heard of Fawlty Towers, yes.
Graham Cluley
So that would be an example of a show which someone chose. Or someone chose Hockey Night from Canada and things like that, right?
Maria Varmazis
Hockey Night from Canada. Generic hockey. Way to be racist, Graham, against Canadians. Anyway, we're unaffected.
Graham Cluley
I find, apart from the Canadian hockey thing, I find it really quite nostalgic and rather charming. The video is like a slideshow sometimes, so it will come up with different— So it's not a proper video. It's really a podcast with a video format as well. It's really enjoyable, and I like it, and I wanted to give it a little bit of airtime, and that is why my recommendation is Perfect Night In.
Carole Theriault
Listeners, don't rush at the same time. We don't want to bring down the site.
Unknown
Hey, bitchy.
Graham Cluley
Why is that bitchy? It'll stay up. It'll be all right.
Carole Theriault
We have a lot of listeners, Graham. I don't think you've checked the numbers recently. Smashing Security, popular.
Graham Cluley
Maria, what's your pick of the week?
Maria Varmazis
Well, my pick of the week is a game I have not been able to stop playing, and it's going to sound very familiar to hopefully everybody. It's Tetris.
Carole Theriault
Oh, I love Tetris. See, that's— you're talking now my language.
Maria Varmazis
Yes, and it's Tetris with a twist. So the game is actually— the game is called Tetris 99. It just came out a week or two ago. It's for the Nintendo Switch platform.
Graham Cluley
So is it?
Maria Varmazis
Yes. And if you are a subscriber to the Switch Online service, it's free because it requires—
Graham Cluley
Sorry, I'm going right now. You finish off the podcast without me.
Maria Varmazis
I sold Graham on it already. Yeah, so for anyone who hasn't heard about it, run, don't walk to your Switch, basically. I agree with Graham. It's online co-op Tetris, and it's super easy. You literally just play Tetris, but when you eliminate lines, they kind of get blasted to other players and they build them up from the bottom. So yeah, the concept is very simple. It's if you know how to play Tetris, you can play this game. It is phenomenally fun. I've been playing it non-stop since it came out, and like all of us who grew up on Tetris, which is so many of us, it's like we've been waiting our whole lives for a game like this. Competitive Tetris, you guys! Yeah, it's so fun. Okay, now I have a problem.
Carole Theriault
I don't know which—
Maria Varmazis
You need to— but okay, that is a problem. You need to get a Switch, Graham. You really do.
Carole Theriault
You're my great bud, right?
Graham Cluley
It's not your birthday for a while.
Carole Theriault
Well, you were wrong about the LinkedIn approach, so you might want to say sorry, and I know a way you could do it, just saying.
Graham Cluley
You should get a Switch. I can't believe your husband hasn't played Breath of the Wild yet.
Carole Theriault
Well, he may have played it. I don't know. He's not at my house all the time. It's like 100+ hours to play Breath of the Wild. You can't go over to a friend's house and play it in the afternoon. Oh, bring it back. So why is it called Tetris 99, do you think? And yeah, it's super fun. I can't recommend it enough. It's a great little time waster.
Graham Cluley
Love it. Seriously, could we hurry up? Because I want to finish the podcast and go download it.
Carole Theriault
Can I have an invite maybe to come play FaceTime?
Graham Cluley
Sure. If you're on the Switch, presumably we could play against each other.
Carole Theriault
Well, I could come over and play it first and decide, you see.
Graham Cluley
I showed you Bertram Fiddle. I can't believe that wasn't enough to get you to buy a Switch.
Carole Theriault
But I played it at my brother's. I was at my brother's and I played the whole game there. So I did that.
Maria Varmazis
I don't think there's a versus mode for Tetris 99. This is literally— it's a group of 99 people, whoever are online, and that's it. And you're just competing.
Graham Cluley
Oh, like Splatoon or something like that, right?
Maria Varmazis
Yeah, yeah. I don't think you can say I want to specifically kill Carole, although that would be funny. And I actually kind of hope that happens because then I totally want to play against you two if that happens. That would be super fun. But right now, I'm good at Tetris. That would be Smashing Security plays Tetris. It'd be great.
Graham Cluley
We could take on the cyberware at Tetris.
Maria Varmazis
I'm really good at T-spins now, so you know, it's a thing.
Carole Theriault
She has the lingo and everything. I only understand about 95% of what Maria says anyway. She's way more— yes, I do have a great pick of the week, and I've made it into a game. Okay, right now this comes from my lovely friend and editor-in-chief at Naked Security, or rather the person who took over from me at Naked Security, Anna. Hi, Anna! And this is going to be educational, but we want education to be fun, hence I've gamified it. So back in 2016, UKers were asked by Ofcom on what their opinions were on certain bad words.
Graham Cluley
Oh my goodness. Oh no. Is that— is cockwomble? Hold, hold.
Carole Theriault
Cockwomble? No. Cockwomble. Graham, I haven't forgotten you. There are 150 words on the list. These include general swear words, okay, words linked to race, ethnicity, gender, sexuality, body parts, health conditions, religious insults, and sexual references.
Graham Cluley
This is so fun. This game's gonna be so fun.
Carole Theriault
There are 4 categories. 1 is mild, 2 is medium, 3 is strong, and 4 is strongest.
Maria Varmazis
It's like how we rate peppers in the States. Yes.
Carole Theriault
Okay, now there were 150 words that were provided to the British public.
Graham Cluley
Won't take long.
Carole Theriault
Now, I have chosen a few of them. Some of them were not in the list. I've thrown them in there, and you, first thing you have to do is say yes, it was in the list, or no, it wasn't, for a point.
Maria Varmazis
Oh my God, I'm sweating.
Carole Theriault
The second thing you need to do is you have to say whether it's mild, medium, strong, or strongest. So 1 to 4, scale of 1 to 4, with 1 being mild, 4 being strongest. Okay, okay.
Maria Varmazis
I'm at a distinct disadvantage here.
Carole Theriault
That's why I said it was going to be educational for you. You're going to learn the words we use. Okay, ready? Number 1.
Maria Varmazis
Yes. Bint. Oh, I love that word. Bint.
Carole Theriault
Is it on the list? Is it on the list?
Maria Varmazis
Oh, oh, oh, that can't be on there. That's such a mild one.
Graham Cluley
It's fairly mild, that. No, I don't think so. Yes, it is on the list. It is on the list.
Carole Theriault
It is on the list, Graham. You get a point.
Graham Cluley
But it's a 1. It's a 1. It's not offensive.
Maria Varmazis
I agree. It's a 1. You're wrong.
Carole Theriault
You're wrong. It's a number 2.
Graham Cluley
Medium. It's a number 2.
Carole Theriault
We have more. We have more.
Maria Varmazis
I disagree with the British public. Sorry. Yeah.
Graham Cluley
We're getting a sense of their scale now. Okay.
Carole Theriault
Number 2 is feck.
Maria Varmazis
Is this like smeg? Is that sort of like a Red Dwarf-y swear? F-E-C-K.
Graham Cluley
It is on the list. It is on the list.
Maria Varmazis
I don't think it's on the list. Is that really real?
Carole Theriault
It is on the list. It is on the list. Where is it? Yeah. 1, 2, 3, or 4?
Graham Cluley
I would say, well, it's 3.
Carole Theriault
It is not strong. It is medium. Number 2, just like bint. Oh, okay. Okay. What about gunt?
Maria Varmazis
That sounds like a medical condition. I don't think that's a real swear.
Graham Cluley
I know it is. Well, it's not a swear.
Maria Varmazis
Is it really? Can you explain it to me? It's okay, Graham. I don't know if I really understand what it is. Can you explain it? Please, please explain. I want to hear this. Go for it, man.
Graham Cluley
It's a sort of portmanteau word, isn't it? Because it's more ways than one.
Maria Varmazis
Okay, I can guess the second part of the portmanteau, but what's the first?
Graham Cluley
The G? Gut is the first bit, I believe.
Maria Varmazis
Ew. Okay, that's gross. Not offensive, but imaginative gross. Swamp thingy.
Graham Cluley
I think that's got to be at least a 3.
Maria Varmazis
That's like a 3, yeah. It's definitely a 3.
Carole Theriault
It's not on the list.
Maria Varmazis
Ah, you got us!
Carole Theriault
What about nonce?
Maria Varmazis
Oh, it's like Shakespearean, isn't it? That's—
Unknown
Nonce would be on the list.
Maria Varmazis
Yeah, probably like a 1 though.
Graham Cluley
It's ruder than bint. Is it? Do you think? Yeah. Oh, I would say so.
Maria Varmazis
School kids use that word all the time around here because we hear it when we study Shakespeare in high school and just think it sounds like dunce, so nobody knows what it means.
Graham Cluley
Oh well, maybe
Carole Theriault
Well, nonce is on the list and it's a 1. Okay, we got a few more, we got a few more. We're doing—
Maria Varmazis
I got a point, I'm just noting. Yeah, you're doing great.
Graham Cluley
Oh my God, I hope someone's keeping score. they don't know
Carole Theriault
Ginger. All right, also pronounced ginger.
Graham Cluley
No. Oh, now I understand. So things sort of like David Caruso, Sarah Ferguson kind of thing.
Maria Varmazis
H.R. Giger? No, no, we're not—
Graham Cluley
what it means. What?
Carole Theriault
So someone with red hair?
Maria Varmazis
I know, I know what that. Not, not the spice.
Carole Theriault
Not the spice. A 1. Yes. How did you— you knew it was going to be on the list. You really assumed it was going to be on the list.
Graham Cluley
Oh yeah, I assumed it was gonna be on the list. Yeah.
Carole Theriault
Okay, 2 more, 2 more. Excellent work, guys. 2 more. Beef curtains.
Maria Varmazis
Right, right. I don't think that's on the list.
Graham Cluley
This isn't on the— this is you, Carole.
Carole Theriault
You've added this on the list, and I'm now going to prove it to you by giving you the link.
Maria Varmazis
Don't tell me it's a 4. It's not. It's a 3. Are you serious? Come on, Gunt is a whatever.
Carole Theriault
Gunt isn't on there. That was it.
Maria Varmazis
Okay, whatever. It was a Gunt even. I've just given you the list.
Carole Theriault
Okay, you guys can go take a quick look at the full list, but Beef Curtains is there as a new entry at number 3 in 2016.
Maria Varmazis
Okay, let's see. Strongest. Okay, I agree with those.
Graham Cluley
Yep. Oh yeah, the strongest ones are quite strong.
Maria Varmazis
Okay, some of these—
Carole Theriault
Are you shocked that beef curtains is there? I was shocked. And then I had my final one, Graham, which was cockwomble.
Graham Cluley
Your favorite word on the list? No, it's totally charming. It's used as an endearment.
Carole Theriault
It would be a 0.5, wouldn't it, if it were there? Now, if you out there would like to play this game with your adult friends, make sure the children are safely tucked into bed and check out the link in the show notes. Enjoy. My pick of the week.
Graham Cluley
I think this would be fun as a sort of Bruce Forsyth higher, lower kind of game. You say one and the next one you have to guess whether it's higher or lower. That's like hot or not.
Carole Theriault
You could do an app for it. Let's do it. Yeah. And you could just swipe left. Swipe right.
Graham Cluley
TM Graham Cluley. Actually Krill.
Maria Varmazis
No, no, no, no.
Carole Theriault
No, no, no, no, no, no.
Graham Cluley
Well, on that very literary note, we're just about wrapping it up. But don't forget, after our closing music, we have the extra special bonus interview where Carole is going to talk cyber insurance with someone who knows about cyber insurance.
Carole Theriault
Yeah, I get an education. Wow.
Graham Cluley
Live on air. Maria, lots of folks want to follow you around, I'm sure, but you would rather that happened on social media rather than in real life. What's the best way for folks to do that?
Maria Varmazis
Yeah, I don't see people in real life, so don't even try it. Yeah, you can follow me on Twitter @Maria Varmazis.
Graham Cluley
Have fun spelling that. And you can follow us on Twitter @SmashingSecurity. No G. Twitter wouldn't allow us to have a G. And also, why not follow us on Reddit? We have a subreddit up there. Quickest way to get there is go to smashingsecurity.com/reddit and join in the conversation.
Carole Theriault
Slap your hands together for this week's sponsors, LastPass and Mimecast. Their support helps us give you this show for free. And high five to all of you, our wonderful listeners.
Graham Cluley
Yeah, thanks very much. And check out smashingsecurity.com for past episodes and the details of how to get in touch with us. Until next time, cheerio, bye-bye, au revoir, bye-bye.
Carole Theriault
We thought it was worth including the phone call I had with Martin Overton earlier today, so here it is without further ado. Hi, it's Carole Theriault.
Maria Varmazis
Yeah, maybe we
Carole Theriault
Thank you so much for doing this. So last week I did this story, as you know, and you got in touch with me saying, hey, maybe there's a few things you need to clarify. And I've asked you to come on so that all our listeners can get it from the man in the know, the man in the know.
Maria Varmazis
don't know what it means.
Unknown
Well, I wouldn't go that far, but yeah.
Carole Theriault
So I was talking about Mondelez and I was talking about cybersecurity insurance and I was putting into question whether or not the Zurich Insurance should have paid out. I was assuming, of course, that it was a cyber insurance policy, but I was wrong, wasn't I?
Unknown
Well, all the details I have is that it was a property policy, which means normally buildings. Yeah, so, and those, they don't have what we call affirmative cover for cyber as a rule unless they're put in the terms and conditions. So what normally happens is that, you know, let's say somebody's building burns down, they're covered. Yeah. Now if somebody's hit by a cyber attack there, it depends on their policy details. If it's a property policy, they're probably not going to be covered, especially if it is seen as an act of war, which is what Zurich is saying.
Carole Theriault
So they're saying it's an act of war, and therefore they don't need to pay out on the property insurance. And that's something that we've seen many times before.
Unknown
Indeed, yes. And you know, so if it was like a terrorist act or an act of war, it wouldn't normally be covered. And we've seen examples with that with, you know, the aviation industry where, you know, planes have been crashed, and sometimes they haven't paid out because they said, well, it was a terrorist on board or an act of war, that's quite normal. So the trouble is with a lot of policies out there at the moment, companies believe they're covered under their property or their casualty policies because it's what we call silent cyber. So they assume there's some cyber coverage there. Now it may or may not be there written as an extension to that particular policy, but really the only way you're gonna get paid out on, normally on most of these policies, is if you have a dedicated cyber policy. I work for a large cyber insurer myself, or a large insurer actually helping customers with cyber insurance. And I know everyone I've actually been involved with, we've seen massive payouts. So, you know, even with the likes of WannaCry, NotPetya, or other malware attacks, or insider misuse, or malware attacks, you know, other types of hacks, they've all been paid out.
Carole Theriault
Right. So from your point of view, the payouts are happening. What I guess makes this case interesting is two things that I see. One is that Mondelez are using a property policy to— and they're trying to crowbar in a cyber incident, which normally wouldn't happen. But because NotPetya actually created physical damage to machines, they feel like they can put that in. And they have a fight on their hands. They have something to fight for. On the other hand, Zurich Insurance are saying, hey, look, it was an act of war. Sorry that your stuff, your property got damaged, but we don't have to cover that.
Unknown
Yeah, I mean, the interesting thing with this, this goes— when this goes to court is actually proving attribution. I know the UK government and the US government have actually said it's definitely Russia that's behind it. However, you know, Russia has said no, it's not us. Right. This is a problem with cyber attacks, you know. It's very easy to throw false flags in there or, you know, make it look like the attacks come from a different attacker. So it's very, very difficult. So with the best will in the world, I think they're on a very, very sticky wicket here. I think they're going to find it very difficult to prove, you know, to the courts' absolute certainty that it was definitely done by those, even though, you know, we've got intelligence agencies who are clearly saying it has been. It's going to be difficult. This will have repercussions. I'm sure it will have repercussions even for cyber insurers, because some of the cyber insurers out there still have fairly limited wording, which means they actually have certain restrictions in place where others actually have what we call quite broad coverage and broad wording, which is, it's non-specific. So basically we'll cover pretty much anything with sort of cyber attack, with certain exceptions. Normally it's around things what we call cybercrime. So let's say they have a business email compromise where their account details were stolen, but there was no hack involved with their infrastructure. So none of their infrastructure was actually hacked. That wouldn't be covered by a cyber policy, that would be covered by a crime policy instead. But it may not allow them to recover the actual stolen funds. 
So let's say that I'm a bad guy and I've actually done a business email compromise, so I've taken over a transaction, hacked somebody's email, got somebody's email address, sent them an email saying, I'm sorry, but we changed our bank account, please send the payment to here now, because, you know, that's where we moved it to. Okay, if they do that, that wouldn't be covered under a cyber policy unless the actual infrastructure was hacked.
Carole Theriault
So if you get duped, if you get duped by a social engineering tactic, no matter how advanced or not, it may fall outside the loop of their coverage.
Unknown
It would probably cover— it would normally fall outside of a cyber policy. That's what, from my understanding with working in insurance for a number of years, it would be covered normally by a crime policy. However, that would not normally— it may not include the recovery or the refunding of the stolen funds.
Carole Theriault
Do you know, I gotta tell you, I think I speak for a lot of us out there when we say insurance sounds just a little complicated. It is complicated, I know. And to be honest, the whole issue around silent cyber is a big one. So I wasn't then wrong at the end of last week's segment in saying just read your policies very carefully, make sure it fits your model and it's covering what you expect it to cover. Indeed, you know, make sure it's fit for purpose. It's the same with anything else you buy. You know, if you buy a car, you expect it to work a particular way. Don't expect to have fire insurance unless it explicitly says there is fire insurance. Got you.
Unknown
Well, thanks for running a really nice show. I really enjoy actually listening— Ah, boom!
EPISODE DESCRIPTION:
Why is Tampa's mayor tweeting about blowing up the airport? Are hackers trying to connect with you via LinkedIn? And has Maria succeeded in her attempt to survive February without Facebook?
All this and much much more in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis.
Plus, after last week's discussion about the legal battle between Mondelez and Zurich Insurance, we have a chat with security veteran Martin Overton to take a deeper look into cyberinsurance.