[SPEAKER_01]: Bittner ransomware, as we're going to call it. [SPEAKER_01]: That's right. [SPEAKER_01]: By the way, I'd suggest a different brand name if you don't want to. [SPEAKER_02]: Well, we've already got Bittner coin, so... Oh yeah, that's true. [SPEAKER_02]: That's how you pay for your Bittner ransomware. [SPEAKER_02]: Smashing Security. [SPEAKER_00]: Episode 442. [SPEAKER_00]: The hack that messed with time.
[SPEAKER_01]: Hello, hello and welcome to Smashing Security Episode 442, my name is Graham Cluley, and I'm Dave Bittner. [SPEAKER_01]: Dave, welcome back to the show, was fun to have you on Smashing Security. [SPEAKER_01]: Well, I appreciate it, and I'm happy to be back. [SPEAKER_01]: Well, I'm really grateful this week in particular because I'm actually on the road right now. [SPEAKER_01]: I am at the Nisk Conference in Glasgow, Scotland.
[SPEAKER_01]: I'm doing some speaking here and, well, I'm sort of the MC of the event. [SPEAKER_01]: Wow. [SPEAKER_01]: I've got my work cut out this week. [SPEAKER_01]: I'm running here doing this, doing that, I love doing events and things. [SPEAKER_01]: But doing that and getting a podcast out the door is always a bit hairy. [SPEAKER_01]: Yeah. [SPEAKER_01]: Who wasn't available so they had to call you? [SPEAKER_01]: Well, there's at least one friend of the show who is showing up.
[SPEAKER_01]: Geoff White is going to be here, of The Lazarus Heist. [SPEAKER_01]: Oh, good. [SPEAKER_01]: He's doing a talk. [SPEAKER_01]: Yeah. [SPEAKER_01]: So he hasn't got here yet, but we'll be- Oh, the other thing which is accompanying me is they're actually doing some roadworks just outside my hotel window. [SPEAKER_01]: So I do apologize. [SPEAKER_01]: Oh, there is a man with a pneumatic drill who's been at it for hours and is showing no signs of stopping her.
[SPEAKER_02]: Jackhammers, chainsaws, and leafblowers are the natural enemies of podcasts. [SPEAKER_02]: It's true. [SPEAKER_02]: Sure. [SPEAKER_01]: Well, before we kick off, let's thank this week's wonderful sponsors, Vanta, Drata and Material. [SPEAKER_01]: We'll be hearing more about them later on in the show. [SPEAKER_01]: This week on Smashing Security.
[SPEAKER_01]: We won't be talking about how three alleged members of the Meduza Stealer malware gang have been arrested by the authorities. [SPEAKER_01]: What's unusual about that? [SPEAKER_01]: It's a Russian malware gang, and they've been arrested by Russian authorities. [SPEAKER_01]: How a new wave of mobile malware in Eastern Europe is exploiting Android's NFC payment features to relay and clone contactless transactions. [SPEAKER_01]: And we won't even mention.
[SPEAKER_01]: How a technical goof revealed the personal information of players of the UK's People's Postcode Lottery to complete strangers. [SPEAKER_01]: Now Dave, what are you going to be talking about this week? [SPEAKER_02]: I've got a couple of ransomware negotiators who have turned to the dark side. [SPEAKER_01]: And I'm going to be telling you about some state-sponsored hackers who tried to hijack time itself.
[SPEAKER_01]: All this and much more coming up on this episode of Smashing Security. [SPEAKER_01]: Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. [SPEAKER_01]: You know how everyone's gone AI system these days. [SPEAKER_01]: Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. [SPEAKER_01]: That is Vanta.
[SPEAKER_01]: It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously. [SPEAKER_01]: Vanta automates all of that. [SPEAKER_01]: It pulls everything together, keeps an eye on your systems and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.
[SPEAKER_01]: It also plugs into the tools you're already using and flags up issues before they become a right old mess. [SPEAKER_01]: So if that sounds like something that might save you from a few sleepless nights, check out vanta.com slash smashing. [SPEAKER_01]: And if you use that link, you'll get a thousand dollars off. [SPEAKER_01]: So don't forget vanta.com slash smashing, and thanks to Vanta for sponsoring this week's episode. [SPEAKER_01]: On with the show.
[SPEAKER_01]: Now, Dave, I've got to ask you a personal question. [SPEAKER_01]: Hmm, do you have a feel like time is kind of out to get you? [SPEAKER_01]: Oh, every day. [SPEAKER_01]: More and more, because I'd be worrying about you. [SPEAKER_01]: I think many of the listeners just cite the war and how can humans have been worrying about you as well. [SPEAKER_01]: You seem to have this sort of on-going battle with time. [SPEAKER_01]: What are you saying, Graham?
[SPEAKER_01]: Well, you know, birthdays are coming round quicker. [SPEAKER_01]: Your hairline is retreating. [SPEAKER_01]: Maybe you're a little bit confused as to which podcast you're recording from day to day, you know, it happens to us all, Dave. [SPEAKER_01]: Don't worry about it. [SPEAKER_01]: No, no, it's true. [SPEAKER_02]: I, well, look, there's the old joke about how youth is wasted on the young.
[SPEAKER_01]: Yes. [SPEAKER_02]: And I would love to have the wisdom that I have today that has been hard earned through the years with the lack of an achy body that I had in my place. [SPEAKER_02]: I'd love to be able to sit down without having to announce it with a [SPEAKER_02]: You know, all those kinds of things, like I noticed that I have knees. [SPEAKER_02]: When I was a young man, I never noticed that I had knees.
[SPEAKER_02]: You know, they just kept to themselves and did what they were supposed to do. [SPEAKER_02]: Yeah. [SPEAKER_02]: Now they, they, they have to draw attention to themselves, especially when I'm at a conference or something. [SPEAKER_01]: They did, and they, yeah. [SPEAKER_01]: Those are very philosophical words, I think. [SPEAKER_01]: I think that's a lot of wisdom which you've shared with us there.
[SPEAKER_01]: And if I had one piece of wisdom, I would like to share with you, it's that no good comes from turning back the clock. [SPEAKER_01]: Things can go badly wrong. [SPEAKER_01]: If you do accidentally return to your youth, I can imagine you there, you were in the 1950s, inventing rock and roll, bumping into your teenage mother, I've seen the movie.
[SPEAKER_01]: Yes. [SPEAKER_01]: but it hasn't stopped some people from messing around with time from time to time, like for instance, there was a highly organised state-backed hacking group who for two years was creeping into part of a nation's most critical pieces of infrastructure, not a nuclear reactor, [SPEAKER_01]: Amazon customer service trying to get a cool backest team. [SPEAKER_01]: Why haven't you delivered me this?
[SPEAKER_01]: You claim you've delivered it, but you haven't in reality. [SPEAKER_01]: Nothing like that. [SPEAKER_01]: Something far more sneaky. [SPEAKER_01]: And some would argue even more essential. [SPEAKER_01]: They went after time. [SPEAKER_01]: Itself. [SPEAKER_01]: So let me tell you what these guys did. [SPEAKER_01]: So there are agencies around the world and this particular hacked agency, their job was to keep their country's clocks in sync.
[SPEAKER_01]: So they were generating the official national time. [SPEAKER_01]: Theirs was the clock which everyone else was judged by. [SPEAKER_01]: Which is used for everything from telecoms and stock markets to the electricity grid, defense systems. [SPEAKER_01]: Truly essential, you all want to know exactly what the right time is. [SPEAKER_01]: Otherwise, you've got a problem, haven't you? [SPEAKER_01]: Mm-hmm. [SPEAKER_02]: Yeah, I mean, to think about how GPS doesn't work without precise time.
[SPEAKER_01]: Yeah. [SPEAKER_01]: So, if the time signal goes wrong, if it's messed with, everything from bank transfers to power stations, everything could potentially go kaput, could misfire. [SPEAKER_01]: And it's basically the pulse that can help keep a whole country alive, and somebody tried to hijack it. Investigators say that the attackers spent months.
[SPEAKER_01]: In preparation, exploiting a vulnerability in a phone messaging system to compromise employees' smartphones and, of course, once they did that, they got hold of the workers' login credentials, their passwords, and they quietly slipped into this agency's network.
[SPEAKER_01]: And over the next two years, starting in March 2022, the hackers allegedly deployed an entire arsenal of [SPEAKER_01]: From the 42 customized specialist hacking tools, each tool had a specific job: probing, escalating privileges, exfiltrating data, burrowing deeper into the internal systems with one goal in sight. Their goal was to reach the heart of the system, the ultra-precise piece of infrastructure that generated their country's official time.
[SPEAKER_01]: And if the hackers had succeeded, as I said, the results. [SPEAKER_01]: Could have been catastrophic, could have been network outages. [SPEAKER_01]: Stock exchange mess-ups, power failures, traffic chaos, self-driving cars turning up before their passengers. [SPEAKER_01]: Netflix thinking it's 2016, your Fitbit thinking you're 137 years old. [SPEAKER_01]: Everything could go bonkers.
[SPEAKER_01]: Sure. [SPEAKER_01]: It's bad enough when we change the clocks, which we've just done here in the UK. [SPEAKER_01]: Yes, us two over the weekend. [SPEAKER_01]: I'm bent out of shape about it. [SPEAKER_01]: Because you feel like we're hanging on it. [SPEAKER_01]: It hasn't gone back an hour. [SPEAKER_01]: Oh, forward an hour. [SPEAKER_01]: It went back to me. [SPEAKER_01]: Yes, we're in the far back.
[SPEAKER_01]: You know, you feel like, oh, I've, I've somehow lost 14 years or something. [SPEAKER_01]: Oh, I feel like I've won up in a coma. [SPEAKER_01]: I'm totally in a fully confused now. [SPEAKER_01]: Officials say the hackers operated mainly between midnight and dawn. [SPEAKER_01]: Bouncing their attacks through servers in the United States and Europe and Asia to hide their origins.
[SPEAKER_01]: They faked digital certificates to bypass security defenses and anti-virus programs and they used strong encryption. [SPEAKER_01]: Because they did not leave any breadcrumbs. [SPEAKER_01]: I've left breadcrumbs late at night in the past. [SPEAKER_01]: He's got me to also trouble, so I don't think he wants to do that.
[SPEAKER_01]: Eventually, the authorities claimed that they spotted the attack, cut the command and control links, upgraded their defenses, neutralized the threat, and the good news is, they say, don't they've sorted out, and they say they have iron-clad evidence, linking the hack, [SPEAKER_01]: to a foreign intelligence agency. [SPEAKER_01]: Aha! [SPEAKER_01]: Yes! [SPEAKER_01]: I always love a bit of attribution, don't you?
[SPEAKER_01]: Well, I'd love a bit of a finger pointing inside the security. [SPEAKER_01]: It's not always reliable, though, is it? [SPEAKER_01]: No. [SPEAKER_01]: There's been a long history of people pointing the finger in the wrong direction and making mistakes. [SPEAKER_01]: But you know, I like this. [SPEAKER_01]: I think there are certain countries who are naturally point of fingering. [SPEAKER_01]: So China, Russia, Iran, North Korea, those sort of people, right?
[SPEAKER_01]: The usual suspects? [SPEAKER_01]: The usual, they are the usual suspects. [SPEAKER_01]: And perhaps you're thinking this attack was on the UK's National Physical Laboratory, or maybe the US Naval Observatory's Master Clock, or in Germany they have these PTB atomic clocks. [SPEAKER_01]: But here's the thing, the country claiming to have been attacked. [SPEAKER_01]: is actually China, and the alleged attacker, Dave Bittner, of Mary Lunar flight, here it comes.
[SPEAKER_01]: It's apparently the United States of America. [SPEAKER_01]: The NSA, the National Security Agency, has been fingered by the Chinese as being the culprits. [SPEAKER_01]: So put it to you, Dave Bittner, those rascals. [SPEAKER_01]: Here I am in old blighty. [SPEAKER_01]: I'm not responsible for this. [SPEAKER_01]: You've been trying to mess around with China's time.
[SPEAKER_01]: Sure. [SPEAKER_01]: So according to China's Ministry of State Security, the NSA spent two years trying to hack China's National Time Service Center, the institution responsible for generating Beijing time, and China says that it caught the operation as it was happening and it's [SPEAKER_01]: They post it on WeChat, so if you're a cyber criminal, you post up on Telegram. [SPEAKER_01]: If you're Chinese, you post up on WeChat. [SPEAKER_01]: Right.
[SPEAKER_01]: If you're America, you post up on Truths. [SPEAKER_01]: So you're social here. [SPEAKER_01]: Everyone's got their place for making these official pronouncements. [SPEAKER_01]: Sure. [SPEAKER_01]: It's a bit like the UK announcing one of its nuclear power plants has been hacked by releasing a TikTok video. [SPEAKER_01]: This is what the world's come to today. [SPEAKER_01]: Yeah. [SPEAKER_01]: So the USA predictably hasn't confirmed or denied anything.
[SPEAKER_01]: Which initially you think, well, if you didn't do it, why didn't you say you didn't do it? [SPEAKER_01]: But of course, that's not the way it works, is it? [SPEAKER_01]: It's always a policy. [SPEAKER_01]: Well, we're never going to confirm or deny anything, because if we deny some things, then one time when we don't deny it, you're going to know that we're confirming it. [SPEAKER_02]: Yeah. [SPEAKER_02]: Although, I will note that it is routine for China to deny everything.
[SPEAKER_02]: Yes, they definitely have never, ever hacked anybody. [SPEAKER_02]: No. [SPEAKER_02]: And they're quite expensive.
[SPEAKER_01]: They don't say, well, we can't confirm or deny, they just say, no, no, no. [SPEAKER_02]: Right.
[SPEAKER_02]: And so I should, you know, shed some question on the reliability of this report in general, but let's proceed as if it perhaps it is true. [SPEAKER_01]: This is the thing. [SPEAKER_01]: This sounds like a huge story. [SPEAKER_01]: And what I think is actually interesting about it is the reaction outside China has been pretty quiet. [SPEAKER_01]: It hasn't been written about that much. [SPEAKER_01]: It didn't really make the headlines.
[SPEAKER_01]: And there has been a lot of skepticism. [SPEAKER_01]: Just like you expressed there a little bit of caution because [SPEAKER_01]: I think the media are nervous about just simply reporting China's allegation. [SPEAKER_01]: Yeah, there's a long history of Western nations calling out cyber attacks from Russia and China and North Korea and Iran and it's become almost routine to point fingers in those directions and sanctions to be imposed. [SPEAKER_01]: But now we are seeing China.
[SPEAKER_01]: Flip this script, using the same playbook against the United States and it's almost like, well, you know, can we believe you, have you actually given us the evidence to be convinced? [SPEAKER_01]: By the way, I saw that this story actually broke just before I think Donald Trump visited Asia and was over there doing some sort of a cream of China. [SPEAKER_01]: So again, you have to wonder is this some jockeying around which was happening in the run-up to that event, right?
[SPEAKER_01]: Did it come up [SPEAKER_02]: Yeah, in our own editorial meeting when this story hit someone said China says that we're messing with their clocks and someone's response was, well, China says a lot of things. [SPEAKER_01]: Are you saying that it's a case of cool to move too often? [SPEAKER_01]: What's the phrase crime move?
[SPEAKER_02]: No, I mean look it's all of this is plausible and it's certainly within the I would say both the capabilities and the interest of the NSA to do such a thing. [SPEAKER_02]: And if we were caught in there with our hands in the cookie jar, then I suspect China would call it out But as you point out, they've released no evidence other than the accusation. [SPEAKER_02]: So all we have is an accusation.
[SPEAKER_02]: Yeah, and [SPEAKER_01]: Not a whole lot you could do with that, and increasingly I think cyber attribution, you know, when we are deciding who was behind a particular attack, it has become a game of sort of narratives and credibility. [SPEAKER_01]: It is not just about technical evidence, and it is so difficult with cyber security to play. [SPEAKER_01]: Properly identify who was responsible beyond all doubt because it could have been Belgium.
[SPEAKER_01]: Quite frankly, who are bouncing it off some laptop in Florida before going into. [SPEAKER_01]: China and trying to break into Beijing time were quite quite why Belgium would want to do that. [SPEAKER_01]: I'm not sure, but it's a battle was possible. [SPEAKER_02]: Yeah, and we also wonder, when whoever did this, and let's, for argument's sake, say it was the NSA, whoever did this got caught, was getting caught part of the plan?
[SPEAKER_02]: Is it saying to them, yeah, we've been in your system for two years and hey, if we're in your clock system, if we're in your time system, who knows where else we are? [SPEAKER_02]: Maybe you need to be looking over [SPEAKER_02]: over your shoulder. [SPEAKER_02]: We did this at a time of our choosing at our leisure and yeah, you caught us. [SPEAKER_02]: We find China all over our systems pretty regularly. [SPEAKER_02]: So I guess this is just a regular part of espionage these days.
[SPEAKER_01]: So in some ways what you're saying is, it could almost be psychological warfare of destabilizing them. [SPEAKER_01]: Yeah, letting themselves be caught, say, we were here, we could be anywhere else as well, which means that, of course, they then begin to distrust all manner of systems, which could have been compromised by other nations.
[SPEAKER_02]: Right, right, it's the old joke about the thief who breaks into someone's house and doesn't steal anything, but just rearranges all the furniture. [SPEAKER_02]: And how? [SPEAKER_02]: How disconcerting that would be for someone to come home and find, right? [SPEAKER_01]: My auntie Liz once, just before Christmas, a burglar broke into her house, and he opened all the presents under the Christmas tree and left them all. [SPEAKER_01]: He obviously thought they were rubbish.
[SPEAKER_01]: That's despicable! [SPEAKER_01]: It probably did more harm to the family. [SPEAKER_01]: Well, maybe my cousin opened them and just blamed on a boat. [SPEAKER_01]: Oh, Nasi, I'm a good one. [SPEAKER_02]: See, must have been a burglar. [SPEAKER_02]: Must have been someone from the US. [SPEAKER_01]: It must be the NSA. [SPEAKER_01]: Okay, time to hear now from another one of our sponsors, which is Material Security.
[SPEAKER_01]: Now your company's Google Workspace is full of valuable data and cybercriminals, they know that. [SPEAKER_01]: One successful attack can expose sensitive files, hijack accounts, and spread across your entire environment before you even spotted it, and that's where Material Security steps in.
[SPEAKER_01]: It's the first detection and response platform [SPEAKER_01]: Material Security automatically catches sophisticated email attacks that slip past native controls, cleans up risky file sharing and locks down accounts showing suspicious behaviour, all without agents, rule sets or extra noise.
[SPEAKER_01]: It runs quietly in the background, using automation and AI to detect, investigate, and remediate threats across Gmail, Google Drive, all your accounts before they spiral into something worse. [SPEAKER_01]: One platform, total visibility, less chaos. [SPEAKER_01]: See how it works for yourself at smashingsecurity.com slash material. [SPEAKER_01]: That is smashingsecurity.com slash material, and thanks to Material Security for supporting the show.
[SPEAKER_01]: Right, let's get on with the rest of the show. [SPEAKER_01]: What's your story for us this week? [SPEAKER_02]: Well, my story comes from the folks at the Chicago Sun Times, and this is about a couple of cyber security folks who allegedly decided to switch teams. [SPEAKER_02]: According to some prosecutors in Chicago, this story centers on some folks who work professionally as ransomware negotiators.
[SPEAKER_02]: According to the FBI, this pair of men, one Kevin Martin, who was a ransomware negotiator at a company called DigitalMint and Ryan Goldberg, who was an incident response manager for Sygnia, allegedly they joined forces with a third accomplice to extort businesses for millions. [SPEAKER_02]: So the investigators say that they use ransomware to lock down corporate servers and they hit a Florida medical company and demanded $10 million in ransom crumbs.
[SPEAKER_02]: Yeah, allegedly only one target paid so they got a paltry $1.2 million in cryptocurrency. [SPEAKER_02]: I don't know about you, Graham, but that would be a lifestyle upgrade for me. [SPEAKER_01]: Yes, I wouldn't have called it paltry. [SPEAKER_01]: I don't think I'm happy with that. [SPEAKER_02]: Right. [SPEAKER_02]: And then, allegedly, they laundered it through some of these mixing services and using multiple wallets.
[SPEAKER_02]: Yes. [SPEAKER_02]: So the story is calling out the irony, of course, that these gents had built their careers advising companies of how to avoid paying ransoms. [SPEAKER_02]: Indeed, you might say that they were experts about this subject. [SPEAKER_02]: They had spoken at cybersecurity [SPEAKER_02]: Oh, really? [SPEAKER_02]: Yeah. [SPEAKER_02]: And they're under investigation for launching them themselves.
[SPEAKER_02]: The companies they work for, of course, say they have no knowledge of the scheme and nothing to do with it, DigitalMint fired the gentleman who worked with them. [SPEAKER_02]: And Sygnia says that they have nothing to do with this and they're working with law enforcement, which is good. [SPEAKER_01]: But now they've heard about the idea, they might be tempted to, you know, to set up a new business. [SPEAKER_01]: No, no, no. [SPEAKER_01]: No, no. [SPEAKER_01]: Of course not.
[SPEAKER_01]: Of course not. [SPEAKER_02]: Well, I want to get to that in a second here. [SPEAKER_02]: There's a wrap-up story here. [SPEAKER_02]: So they've both been indicted on conspiracy, extortion, and computer damage charges. [SPEAKER_02]: Yes. [SPEAKER_02]: Mr. Goldberg is in custody. [SPEAKER_02]: Mr. Martin was released on bond. [SPEAKER_02]: And the prosecutors say that these attacks spanned about two years before the FBI caught up with them.
[SPEAKER_02]: And one of them tried to flee to Paris on a one-way flight, but got stopped at the airport. [SPEAKER_02]: But I have often wondered, Graham, and I'm curious for your insights on this, your take on this, right? [SPEAKER_02]: How many cybersecurity professionals out there in the back corner of their mind have as a backup plan, right? [SPEAKER_02]: Just in case. [SPEAKER_02]: The retirement savings doesn't work out. [SPEAKER_02]: Right.
[SPEAKER_02]: In case the social security, just they can't make ends meet. [SPEAKER_02]: Right. [SPEAKER_02]: How many of them just have in the back of their minds? [SPEAKER_02]: What I would call nuisance ransomware, right? [SPEAKER_02]: A few hundred bucks a month. [SPEAKER_02]: Okay, just enough to make ends meet. [SPEAKER_02]: Not enough that you would draw law enforcement to your front door. [SPEAKER_01]: Oh, I see.
[SPEAKER_01]: Right, whereas your plan, your Bittner ransomware, as we're going to call it. [SPEAKER_01]: That's right. [SPEAKER_01]: By the way, I'd suggest a different brand name if you don't want to. [SPEAKER_02]: Well, we've already got Bittner coin, so... Oh, yeah, that's true. [SPEAKER_02]: Yeah, that's how you pay for your Bittner ransomware. [SPEAKER_02]: You pay for it in bit in a hundred. [SPEAKER_01]: Okay, so you're just going to ask for just a few hundred dollars a month.
[SPEAKER_02]: Well, I think about, so if I were going to do this, I wouldn't say you target, let's say, senior citizens for like $50, right? [SPEAKER_02]: And I was not going to, not going to ruin their lives, not really going to change their lives very much, but let's say you hit up a few people for $50 per day. [SPEAKER_02]: Well, it adds up. [SPEAKER_02]: Yeah. [SPEAKER_02]: And now you can make ends meet.
[SPEAKER_02]: Chances are you're not going to be tracked down by law enforcement because you're just a low-level nuisance operator, right? So I just wonder. Because obviously the thought has crossed my mind, clearly. [SPEAKER_02]: And now you're telling everybody that it's gross to you, but it's very interesting, right? [SPEAKER_02]: Exactly. [SPEAKER_02]: I put a big target on my back. [SPEAKER_02]: I doubt that I have the technical capabilities to pull off such a thing.
[SPEAKER_02]: Although, I'm fairly quick learner, but I think someone like you, Graham, who has. [SPEAKER_01]: I don't bring me into it. [SPEAKER_02]: You have more technical capabilities than I do and certainly a history of knowing all about cyber threats, perhaps you've done reverse engineering and so on. [SPEAKER_02]: I'm just I'm just putting it out there as a possibility. [SPEAKER_01]: Yes, you are on you. [SPEAKER_01]: You won't put it out there. [SPEAKER_01]: So listen.
[SPEAKER_01]: So when you started telling me this story about these guys who weren't involved in ransomware negotiations and then they turned a bit rogue, I didn't imagine that they were actually planting ransomware on victims' computers to steal the money. [SPEAKER_01]: I thought they were somehow trying to exploit the ransomware attacks which were being brought to their attention, so people are coming to them saying, we've been hit. [SPEAKER_01]: Can you negotiate for us?
[SPEAKER_01]: I thought you were going to say that for the negotiators we're going to speak to the ransomware gang. [SPEAKER_01]: So look, I'm negotiating for these guys. [SPEAKER_01]: How about we do a little bit of a diamond deal? [SPEAKER_01]: They're going to pay me X, but I'll give you Y, but I'll tell them this is a really good deal for them. [SPEAKER_01]: And you still get some money, right?
[SPEAKER_01]: You know, clearly these [SPEAKER_02]: That's a really good, yeah, because if a negotiator could say, listen, I worked out a great deal for you. [SPEAKER_02]: Instead of a million dollars, I'm going down to half a million, here is the Bitcoin account that you need to make the deposit in. [SPEAKER_02]: Right. [SPEAKER_02]: And then they make the deposit and the negotiators come back and say, bad news. [SPEAKER_02]: Yes, bad news.
[SPEAKER_02]: We can't trust these ransomware operators. [SPEAKER_02]: They just ran off with the money. [SPEAKER_02]: Shall we try to keep negotiating? [SPEAKER_01]: Well, the negotiators aren't being regulated as far as I know, are they? [SPEAKER_01]: I mean, they're just going a bit of a wild west out there. [SPEAKER_01]: I remember one case there was a company near Oxford, which got hit by ransomware attack, a genuine ransomware attack.
[SPEAKER_01]: They brought in their IT team to deal with it as you would expect and one of the IT guys went into the email of the chief executive who had received the ransom note. [SPEAKER_01]: He changed the email which they had received from the ransomware gang to change the Bitcoin address to be one which he controlled rather than the ransomware gang. [SPEAKER_01]: And then he was turning up at these meetings inside the company.
[SPEAKER_01]: Should we pay the ransomware guys or not and he was kind of like, [SPEAKER_01]: maybe you should. [SPEAKER_01]: I have no horse in this race but it's a murky world but I've never heard of them actually installing the ransomware as well. [SPEAKER_01]: I don't know how I feel about these professional negotiators. [SPEAKER_01]: It does seem a little bit like Dog the Bounty Hunter or something. [SPEAKER_01]: This feels a little [SPEAKER_01]: The right.
[SPEAKER_02]: Well, who watches the watchman, right? [SPEAKER_02]: You know, as you say, it's unregulated and with anything in a black market, you roll the dice and you take your chances. [SPEAKER_02]: Just like you've taken your chances by announcing your future career plan. [SPEAKER_02]: That's here on the podcast. [SPEAKER_02]: That's right. [SPEAKER_02]: That's right. [SPEAKER_02]: Well, if I need to flee the country suddenly, perhaps you have a spare bedroom, I could crash in.
[SPEAKER_02]: What do you say, Graham? [SPEAKER_01]: Okay. [SPEAKER_01]: No worries. [SPEAKER_01]: It was a valuable few days. [SPEAKER_01]: So this episode of the show is sponsored by Drata, and I'm going to tell you why you should check them out. [SPEAKER_01]: Look, if you're in security or compliance, you know the drill, you're constantly wearing like 10 different hats, risk management, compliance, budget. [SPEAKER_01]: It's quite a handful.
[SPEAKER_01]: Here's the thing though, Drata actually helps with all of that. [SPEAKER_01]: Basically, they've made a platform that handles all the tedious compliance stuff that normally eats up your entire week. [SPEAKER_01]: What Drata does is automate the evidence collection, the compliance tracking, the security questionnaires. [SPEAKER_01]: It just handles it.
[SPEAKER_01]: They've got real-time monitoring, so you're always audit ready, which is nice, because no one enjoys scrambling before an audit, and they've even got AI assistance for questionnaires now, which, honestly, thank the Lord. [SPEAKER_01]: The point is, instead of spending all your time proving that you are secure and compliant, you can actually focus on being more secure and compliant. [SPEAKER_01]: Crazy, I know.
[SPEAKER_01]: Anyway, if that sounds useful to you, check them out at drata.com slash smashing. [SPEAKER_01]: That's drata.com slash smashing. [SPEAKER_01]: And if you use that link, they will know that you [SPEAKER_01]: And welcome back, and you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week. [SPEAKER_01]: Pick of the Week.
[SPEAKER_01]: Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast or a website or an app, whatever they wish. It doesn't have to be security related necessarily. Better not be. Oh, the old days. Well, this week my pick of the week is not security related. [SPEAKER_01]: I don't just love chess, you know, Dave. [SPEAKER_01]: Oh, the Beatles. [SPEAKER_01]: I love all kinds.
[SPEAKER_01]: I've got wide interests, wide interests. [SPEAKER_01]: Yeah. [SPEAKER_01]: And one of them is a board game called Micro Macro Crime City. [SPEAKER_01]: So it's a physical board game. [SPEAKER_01]: And it looks really simple. [SPEAKER_01]: You where you get is this huge printed map. [SPEAKER_01]: Full of tiny cartoon people in that review and I, Dave, I'll find this difficult because you do need your reading glasses for this. [SPEAKER_01]: I'll need a magnifying glass.
[SPEAKER_01]: You really do need a magnifying glass and bright light. [SPEAKER_01]: This is probably right. [SPEAKER_01]: But what you have is this giant city in cartoon form and you can see all these people going about their lives, walking the dog, shopping, robbing banks, that kind of thing. [SPEAKER_01]: And hidden within the illustration are dozens of crimes to solve. [SPEAKER_01]: And you're given a short case file and a clue. [SPEAKER_01]: And you scan the map.
[SPEAKER_01]: It's been like scanning a great big Where's Wally sort of thing. [SPEAKER_01]: Mm-hmm. [SPEAKER_01]: Piecing together what happened and this character is here. [SPEAKER_01]: Where was he earlier on? [SPEAKER_01]: You couldn't look around. [SPEAKER_01]: So, ah, he was walking down here and he had a baguette in his bucket or whatever it was. [SPEAKER_01]: Oh, there he is. [SPEAKER_01]: Hitting someone over the head with it.
[SPEAKER_01]: You see different things which are going on, or people who are having affairs, or someone who's spying on someone else, it's wonderful, and you follow these characters through the streets, the parks, the dark alleyways of the city, in this charming art form, and what really hooks you is how cleverly it's designed, you just observe, you reason you argue with her, or you're playing with about whether that man was carrying a baguette, or not
[SPEAKER_01]: and you think oh well he was there at the murders was he at the murder scene 10 minutes later it's hard to tell but it's the kind of game we suddenly realized you've been hunched over a table for an hour. [SPEAKER_01]: Looking at these tiny little pixel-sized clues in which you did have a magnifying glass. [SPEAKER_01]: What's the gameplay like? [SPEAKER_01]: How do multiple players engage?
[SPEAKER_01]: Well it's it's sort of collaborative [SPEAKER_01]: It's sort of collaborative where you're playing with your friends or suppose you could see on a timer, who manages to solve the different cases in a quicker time. [SPEAKER_01]: But they have just brought out a mobile version of this as well. [SPEAKER_01]: Now that's anathema for me, obviously. [SPEAKER_01]: I haven't downloaded it.
[SPEAKER_01]: But it is available apparently for the iPhone and Android as well now, haven't tried that out. [SPEAKER_01]: But the original board game version is really family-friendly and it's a different kind of thing to do. [SPEAKER_01]: And you can have some great fun trying to work out what has happened and to exercise your detective capabilities. [SPEAKER_01]: I know how you like to exercise your little gray cells. [SPEAKER_01]: I do. [SPEAKER_01]: Well, this is the kind of thing for you.
[SPEAKER_02]: This appeals to me and I have to say it also reminds me of a scandal that occurred when I was a young lad. [SPEAKER_02]: We used to get the Baltimore Sun newspaper delivered to our doorstep every day. [SPEAKER_02]: In fact, I was a paper boy for the Baltimore Sun. [SPEAKER_02]: Yep, my first computer with the money I saved up from being a paper boy.
[SPEAKER_02]: Anyway, the city of Baltimore was going to have their annual city fair where people would go together and there were rides and food and, much like this drawing, there was a drawing like this game has with all the fun things to do with the fair. [SPEAKER_02]: Right. [SPEAKER_02]: And it was one of these drawings where you could spend a lot of time taking it in and looking and seeing what was all there and the artists put lots of details. [SPEAKER_02]: I love it.
[SPEAKER_02]: Yeah. [SPEAKER_02]: Yeah. [SPEAKER_02]: Until someone discovered that on the merry-go-round
there was a gentleman. Oh no. It was not a horse he was riding, let's just say that. Oh yeah. Were you scarred, Dave, by this experience? Uh, yes, yes. The hours that I spent looking at that drawing, uh, really stayed with me. Oh my goodness. Anyway, my pick of the week is Micro Macro Crime City. Uh, go and check it out if it sounded interesting to you. [SPEAKER_01]: Dave, what's your pick of the week? [SPEAKER_02]: Well, Graham, as you know, I have a great love for all things Star Wars.
[SPEAKER_02]: Ah, yes. [SPEAKER_02]: And so, I was very excited to find out that our local mega hardware store, the Home Depot. [SPEAKER_02]: Do you have Home Depots where you are? [SPEAKER_02]: Not really, no, no. [SPEAKER_02]: Okay, have nice. [SPEAKER_02]: Well, Home Depot here in the US is a giant warehouse of a hardware store. [SPEAKER_02]: Are these the stores where you can buy basically? [SPEAKER_02]: Almost. [SPEAKER_02]: Right.
[SPEAKER_02]: The center of their bullseye is being a hardware store. [SPEAKER_02]: Okay, but you can also buy holiday decorations, so they have Halloween and Christmas and all that sort of stuff. [SPEAKER_02]: Well, I was very excited to find that they were introducing for this Christmas season, a nearly full-size Star Wars R2D2 animated R2D2 model. [SPEAKER_01]: Oh, it moves. [SPEAKER_02]: It's an R2D2 that moves. [SPEAKER_02]: Yeah, yeah, he moves. [SPEAKER_02]: He can make sound effects.
[SPEAKER_02]: His little head turns. [SPEAKER_02]: Yeah, does, I mean, it's almost everything you could want an R2D2 to be. [SPEAKER_02]: For the money. [SPEAKER_02]: It's really good. [SPEAKER_02]: How much money, Dave? [SPEAKER_02]: Well, the only $300. [SPEAKER_02]: Okay. [SPEAKER_02]: Here's the thing. [SPEAKER_02]: If you want to go to, let's say, Walt Disney World, and buy a full size R2D2, fully functional R2D2. [SPEAKER_02]: The Disney Corporation will sell one to you for $25,000.
[SPEAKER_02]: Right? [SPEAKER_02]: So off down to Home Depot. [SPEAKER_02]: Yeah, $300 doesn't seem so bad for your little R2D2, so of course now I have my sights set on getting one of these things, but they are in high demand and short supply. [SPEAKER_02]: Right, so I joined a Facebook group dedicated to trying to find these Home Depot R2D2s as they become available.
[SPEAKER_02]: And they turned me on to an online resource called trackallacker.com. Right. And what this does is it allows you to put in the web page for something that you want to purchase that is out of stock, and the moment that it comes back in stock on the website, trackallacker sends you a text message. [SPEAKER_02]: Oh, it says spring into action. [SPEAKER_02]: So you're really going to buy one of these things. [SPEAKER_02]: Oh, yeah.
[SPEAKER_02]: Oh, yeah, I'm really going to buy one of these things.
[SPEAKER_02]: They might breed, yes, you've got to keep them apart. [SPEAKER_02]: Yes, correct. [SPEAKER_02]: Don't feed them after midnight. [SPEAKER_02]: Oh, wait, that's a different movie. [SPEAKER_02]: No one liked C3PO, did they? [SPEAKER_02]: Everyone loved R2D2.
[SPEAKER_02]: Yeah. [SPEAKER_02]: R2D2 is the robot equivalent of a lovable dog. [SPEAKER_02]: And C3PO's kind of a, I don't know, a whiny twit. [SPEAKER_02]: So I did get an alert the other day on my phone, a text message, and said they're in stock. [SPEAKER_02]: Unfortunately, I was in the car so I was unable to, I mean, as much as I wanted to slam on the brakes, pull over to the side of the road and buy my R2D2, cooler heads prevailed and I did not do that. [SPEAKER_02]: So the system does work.
[SPEAKER_02]: But I was not able to respond quick enough and they were sold out by the time I was able to get somewhere safe. [SPEAKER_01]: So, it's not just the $300 of buying the R2D2. [SPEAKER_01]: You've also got to cover the expense of getting an Uber to work every day as well. [SPEAKER_01]: That's right. [SPEAKER_01]: It's just in case you get the text message. [SPEAKER_01]: Yes. [SPEAKER_02]: I'm ready to spring into action at any moment.
[SPEAKER_02]: So, technically my pick of the week is Trackallacker, but my sub pick of the week is the Home Depot R2D2, which if anybody happens upon one in stock, please let me know. [SPEAKER_01]: I think you've been very foolish, Dave. [SPEAKER_01]: You shouldn't really be publicizing these Home Depot R2D2s when you can't get hold of one due to lack of stock.
[SPEAKER_01]: Because Smashing Security listeners, they are going to be racing to buy these and the Micro Macro Crime City game now. [SPEAKER_01]: You should have announced this. [SPEAKER_01]: After you've managed to get one. [SPEAKER_02]: True, true. [SPEAKER_02]: Yeah, cat's out of the bag. [SPEAKER_02]: And anyway, R2D2 and Trackallacker are my pick of the week. [SPEAKER_01]: Brilliant stuff. [SPEAKER_01]: Well, that just about wraps up the show for this week.
[SPEAKER_01]: Thank you so much Dave for joining us. [SPEAKER_01]: I'm sure lots of listeners would love to find out what you're up to and follow you online. [SPEAKER_01]: What is the best way for folks to do that? [SPEAKER_02]: You can go to thecyberwire.com and you'll find all of the podcasts that I am part of.
[SPEAKER_01]: Brilliant, and please tune in to those, they're all terrific, and of course, Smashing Security is on social media. You can find us on Bluesky, and you can find me, Graham Cluley, on LinkedIn, and don't forget to ensure you never miss another episode. [SPEAKER_01]: Please follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
[SPEAKER_01]: For episode show notes, a bunch of info, guest lists, and the entire back catalog, with over 440 episodes, check out smashingsecurity.com. [SPEAKER_01]: Until next time, Cheerio, bye-bye, bye-bye, bye-bye.
[SPEAKER_01]: You've been listening to Smashing Security with me, Graham Cluley. Thanks a million to Dave Bittner, the journalist today, and also thank you to this episode's sponsors, Vanta, Material Security, and Drata, and of course the chums who've signed up for Smashing Security Plus over on Patreon.
[SPEAKER_01]: They include Matt Weir, Michael Crum, Greg Bailey, Jonathan Haddock, Mayor McDonald, Sean, Robert Odegaard, Skadone, Henry Walshore, Stephen Castle, Dan H, Alexander Hugues, [SPEAKER_01]: Roy Tate, Jessica Orth, Doctor Herblist, Andrew Davison, Frankie Guzikowski, Bobby Hendrix, Ted Wilkinson, John W, Travis West, and Hades. [SPEAKER_01]: Now, would you like to hear your name read out at the end of the show from time to time?
[SPEAKER_01]: If so, consider joining Smashing Security Plus. [SPEAKER_01]: For as little as $5 a month, you'll become part of our merry band. [SPEAKER_01]: And get early access to episodes without those annoying ads. [SPEAKER_01]: Just head over to smashingsecurity.com slash plus [SPEAKER_01]: for all the details to check it all out. [SPEAKER_01]: Now of course I know not everyone can stretch to that and that's perfectly fine, there's actually no pressure to become a patron.
[SPEAKER_01]: The truth is you can support the show in plenty of ways that don't cost a penny. [SPEAKER_01]: You can like, you can subscribe, you can leave a five star review, please leave a five star review wherever you listen.
[SPEAKER_01]: Tell your friends about the show simply spread the word, every little bit helps and it really does [SPEAKER_01]: Okay, don't you then, about time for me to turn off the microphone for this week, but I will speak again next week, and I hope you'll be there to listen. [SPEAKER_01]: Tudely, bye-bye.
