Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Hannah Clayton-Langton (00:04):
Hello world and welcome to the Tech Overflow podcast. I'm Hannah Clayton-Langton.
Hugh Williams (00:08):
And I'm Hugh Williams.
Hannah Clayton-Langton (00:09):
And we're the podcast that explains technical concepts to smart people.
Hugh Williams (00:13):
Yeah, and speaking of super smart people, how are you going, Hannah?
Hannah Clayton-Langton (00:16):
That's very kind. I am well as ever, as listeners know. Love an in-person record. So pleased to see you, not on a screen.
Hugh Williams (00:24):
So so good. So so good. Now I'm heading for Australia and you are heading for New York this afternoon.
Hannah Clayton-Langton (00:29):
Yeah, I'm going on holiday. Hugh's heading home, and we're going, I assume, opposite ways around the world.
Hugh Williams (00:34):
Yeah, I guess you'd be going west and I'll be going east. Correct. Exactly.
Hannah Clayton-Langton (00:37):
Yeah. Okay. Well, listeners, we set you up on this topic of hacking last week with a super interesting case study. And in this week's episode, we're going to be getting into some more of the technical aspects of hacking more generally.
Hugh Williams (00:50):
Yeah, we had a great conversation about M&S, Marks and Spencer's, you know, big retailer here in the UK and the terrible ransomware attack that they suffered. And I guess we've pulled that apart, speculated about it a bit, shared what we know. But I think it sets us up brilliantly, Hannah, to really talk about the broader field of hacking today.
Hannah Clayton-Langton (01:06):
Yeah. And if you've not listened to last week's episode, I would definitely recommend starting there because there's no easier way to get your head around new concepts than through a worked example. And if you are UK-based, you probably read a lot about this in the news in the last six months. So it'll feel super relevant.
Hugh Williams (01:20):
Yeah. And I'll share a couple more stories today if you like.
Hannah Clayton-Langton (01:23):
Awesome. Let's get back into it. Marks and Spencer's is an example of effectively a social engineering hack, which is someone on, like, a human level getting in by exploiting trust and impersonating others. And they did eventually deploy some ransomware, but there's a few different... I imagine there's a long list of types of hacking
(01:43):
attacks, but there's probably, like, two or three key ones that we can talk through. Yeah, let's do it. Okay, so malware. Can you explain that to me?
Hugh Williams (01:50):
So ransomware isn't an example of malware. Okay. And ransomware, you know, I think we've talked about that enough. So that's where typically the contents of the computer is encrypted. This could happen to you at home. You open up your laptop in the morning and you find it, you go to access it, and there's a big thing on the screen that says some organization has locked your laptop, you need to pay some Bitcoin, and then we'll unlock your laptop. That's ransomware.
(02:11):
Viruses are another.
Hannah Clayton-Langton (02:13):
Those were the original, like in the 90s. Yeah, yeah, yeah.
Hugh Williams (02:18):
The OG hacking. So maybe I'll give you an example of a virus. Let's imagine you get an email, you think it's from a friend, it's not actually from your friend, looks a bit like your friend's email address, definitely your friend's name, and it says, here's the photos from the engagement party, and you open some attachment, you click on that attachment, you perhaps see some photos, perhaps you don't
(02:38):
see some photos, you sort of wonder what happened. But in that process of you clicking on the attachment, you've probably run what's called an executable, so one of these sort of binary files that we talked about way back in our first episode. You've run that, and that has now done something to your computer. A couple of examples. It might have installed something that's now tracking every key that you press and sending your passwords back to
(02:59):
some bad guys. It could have grabbed a whole bunch of documents from your document folder and emailed them to somebody. It could also have propagated this virus, right? So now that you've done this, perhaps there was an email sent by you that you don't know you've sent off to all of your friends in your contact list saying, here's the photos from the engagement party, and now this is starting to happen to all of your friends.
(03:20):
So effectively, some software's run on your computer that's done something nasty to you. So that's a virus.
Hannah Clayton-Langton (03:25):
And this is like, again, back in the day, it was almost like the first thing that I was taught when I was on computers. And our IT team do a really good job of, like, faking these types of emails. And if you click on the link, you get this thing that's like, you've been had, you know, do this training because you behave greatly. But it's like, it's exactly that. It's like click a link, download a virus locally.
(03:46):
And sometimes I used to get emails from, like, super random people who I must have been on their contact list saying something like the photos from the engagement party, and then, like, it's very obviously a hack because I don't know them well enough for that to be the case. But, like, the odds are that a couple of people will click the link and that's how it propagates in that.
Hugh Williams (04:03):
Yeah, and often, you know, you're busy, you're moving fast, you're trying to get through your emails, you've got to catch a plane at four o'clock to New York or whatever it is. And, you know, you make mistakes. People make mistakes.
Hannah Clayton-Langton (04:11):
And is a virus the same as a worm? Is that an interchangeable term?
Hugh Williams (04:14):
Yeah, I'd say they're fairly interchangeable terms. I think when folks say a worm, they probably mean it's a little bit more self-replicating, so it'll continue to propagate itself, whereas a virus may or may not do that. But I'd say similar, similar idea.
Hannah Clayton-Langton (04:28):
Okay, so what other types of malware might be interesting for the listeners?
Hugh Williams (04:31):
Yeah, look, let's talk about Trojan horses or Trojans as they're commonly known. So that is something that looks like the piece of software that you expect it to be, but has something hidden inside it that's malicious, right? So let's imagine, you know, you're like, oh, I can't afford Photoshop. You know, I don't want to buy Photoshop. So you go online and you find, like, some website.biz.info,
(04:52):
whatever it is, that claims to be having a free version of Photoshop or some open source thing that you could use and you download this thing. Your computer's probably warning you, you know, are you sure you trust this thing that you've just downloaded from the random internet, and you're like, yeah, yeah, yeah, no worries at all. And you open this thing up and you edit a photo or whatever it is. But in fact, what you've downloaded is not just some photo editing software, but something that has this sort of
(05:13):
virus-like capability inside it as well. So Trojan horse.
Hannah Clayton-Langton (05:16):
So it's kind of similar to the virus and the worms in that it gets you to download something or click a link.
Hugh Williams (05:23):
Yeah, that's it. But usually it's, you're actually downloading a piece of software and deciding to run the software. So you think you're downloading the photo editing software or the game or whatever else it is, but inside it is a malicious payload. So a little bit different to, say, the trick of a virus, which is, you know, you think you're getting the photos and you click on them, and then all of a sudden something bad happens. This is, you know, you're actively downloading this
(05:44):
software, you just downloaded it from the wrong place.
Hannah Clayton-Langton (05:46):
Okay, so man-in-the-middle attacks.
Hugh Williams (05:49):
Let's imagine I park a van outside your work and I put my big Wi-Fi router on the roof of my van and I call it, you know, your company's name guest Wi-Fi. Oh, that sounds convincing, to be fair. And then you say, oh, yeah, I didn't know our guest Wi-Fi was called that, but that's pretty handy. You know, I've forgotten the credentials at work or, you know, I haven't got my phone or whatever it is.
(06:10):
I'll just connect to the guest Wi-Fi, that will be fine. So now you're connected to my van that's sitting outside your work. And depending on how your computer is set up, I may or may not have access to the plain text versions of the things that are now going through my router and through my computer sitting in my van. So I could potentially see your keystrokes, the passwords
(06:31):
you type into your bank app. I could potentially intercept your emails, all these kinds of things because they're all now passing through my computer. And of course, what I'm doing is I'm actually sending that traffic out onto the internet. So you're not seeing this, right? You're just connected to my Wi-Fi. I'm just watching things go past, but I'm actually connecting you properly out to the internet and sending you back the things that you expect. I'm just sitting in the middle here watching things go by.
(06:53):
There's a couple of things you can do to stop this happening, you know, just simple stuff. So you'll notice when you're using a web browser that most of the websites you go to show a little padlock next to the address that you've typed in. And when you type in the address, it starts with HTTPS. And when it's got an S, it means that everything's encrypted end to end. And so that means that as soon as it leaves your web browser,
(07:13):
it's now an unintelligible stream of data. And it won't turn back into an intelligible stream of data until it arrives at the correct destination it needs to arrive at. And there's no way to kind of break that. The other thing you can do is use a VPN. And people usually use VPNs these days to watch streams of shows they want to watch from some location. You know, you can't.
Hannah Clayton-Langton (07:33):
I use it to watch Married at First Sight Australia in the UK.
Hugh Williams (07:37):
Uh, the uses of technology.
Hannah Clayton-Langton (07:38):
Is that better or worse than finding out your maths? Great. I think we've revealed our true personality.
Hugh Williams (07:43):
I think it's better. Yeah. I think it's better. So yeah, so if you use a VPN, then all of your traffic going out of your machine will be encrypted. So it doesn't matter that I'm parked in my van outside, you know, everything you do now on your computer is going to look encrypted to me.
Hannah Clayton-Langton (07:56):
Okay. And just to talk back to your first mitigation, which was HTTPS, does that mean that I should just be putting that at the beginning of the web address? And so if I access Gmail with HTTPS while I'm on a guest Wi-Fi, that's encrypted.
Hugh Williams (08:10):
Correct. Correct.
Hannah Clayton-Langton (08:11):
Okay, that's really interesting.
Hugh Williams (08:12):
And if you wind back, I don't know how long it is now, Hannah, but, you know, if you go back 15, 20 years, HTTPS was very uncommon and, you know, it was usually HTTP, which was unencrypted. But these days, pretty much every single website you could possibly go to will be HTTPS.
Hannah Clayton-Langton (08:26):
But do you have to actively put that in, or is it just something like if I just type in gmail.com, it'll redirect to the HTTPS.
Hugh Williams (08:33):
Oh, fine.
Hannah Clayton-Langton (08:33):
Okay. So that's not something you have to do.
Hugh Williams (08:35):
That's something that if you see that little padlock in your browser next to your web address, then you can feel safe that the data's being encrypted.
Hannah Clayton-Langton (08:42):
Okay. Yeah, that man-in-the-middle thing, particularly the guest Wi-Fi version, like if I were a hacker, I would put that in, like, an airport lounge or, like, next to a hotel, and then everyone's on the guest Wi-Fi.
Hugh Williams (08:54):
That's it. It's like a honeypot. The other thing that you can do with a man-in-the-middle attack, and this is where it really starts to get ugly, is I could actually edit your emails. Let's imagine that you're looking for some money to be deposited to your bank account, right? So somebody's bought something off you and they owe you a thousand pounds, and you send them an email and you say, look, you know, here's my bank details. Now, if I'm sitting outside in the van, I could then edit that
(09:14):
email, I could change those banking details, send that on its merry way, but now it's got my bank details in it, and they're gonna send me the money. That's a common thing as well, is not just intercepting it, but also modifying it in some interesting way.
Hannah Clayton-Langton (09:28):
Right. So that's man-in-the-middle attacks. And then the last thing you said was we should talk about SQL injection attacks.
Hugh Williams (09:35):
Yeah. It's probably the most technical of the things that we've talked about. Let me try and give you an example, right? So first thing to know is that a lot of websites that you visit have what's called a database sitting underneath them. And that database is, you know, you can think of it like an Excel sheet. It's probably the best way to think about it. So it's got rows, it's got columns. It might have your name, your address, your phone number,
(09:57):
your username, your password, encrypted password. Encrypted, yeah. And when you're accessing a website like this, there's what's called database queries being run that actually go and access the information in this database. And it could be to retrieve it, to display it, it could be to add things, it could be to edit things, delete things, whatever else it is, right? There's a particular language called SQL, and it's the most popular database language for reading, writing, and updating
(10:19):
databases. And so a lot of websites are running lots of SQL, right? You know, you go in and you update your address in your fitness app. There's probably some SQL behind the scenes being run to actually update your details in some database.
Hannah Clayton-Langton (10:32):
Yep, makes sense.
Hugh Williams (10:33):
So what you can do if the software is not written correctly is you can actually add extra SQL commands into fields where the company isn't expecting you to do that, right? So let's say in the city field, you're updating your address. Let's say in the city field you type in the city, and then you put a semicolon, and then you write a big long SQL query that does something completely different, right? So it says, okay, the city's South, semicolon, select star
(10:57):
from users, which would get all the user data. So if the system's not built correctly, what you can actually do is you can add an extra SQL query on the end that causes the system to do something and actually give you back a big chunk of data or alter the data in some interesting way. So I might be able to get all the user information out of the system and back onto my website.
Hannah Clayton-Langton (11:14):
So you mean literally I go on as a hacker and update my address in, like, a retailer's website, and then I just, like, tack on some SQL and see if that works. Yeah.
Hugh Williams (11:24):
So I go semicolon, you know, select star from users or select star from payments or whatever it is and say give me all the payment information. And it literally works. Yeah, it shouldn't work. And so what a well-run company with educated software engineers will do is they'll include in their validation of the data some steps that make sure that you can't do one of these SQL injection attacks, right?
Hannah Clayton-Langton (11:45):
So like you can't have more than 15 characters for your city.
Hugh Williams (11:48):
Yeah, that's a good start. And things like, you know, looking for semicolons, putting quotation marks around things so they can't be executed.
Hannah Clayton-Langton (11:54):
Because those, like, semicolons and quotation marks are common in the way you write SQL.
Hugh Williams (11:58):
Yeah, exactly. Exactly. You'll find plenty of websites where they've got holes galore where you can get away with this stuff.
Hannah Clayton-Langton (12:04):
Well, this is what I was about to ask, which is, like, if you have enough time and the will and malicious intent, you'll just try this again and again and again. There'll be some small company that has, you know, less of an investment in security. You can potentially get a whole bunch of passwords, and then
(12:24):
suddenly I've got Hugh's email and password that he used for this website, and then I'm gonna go around and try and use that same username and password combination on a bunch of other websites.
Hugh Williams (12:33):
Yeah. And look, one of the most rookie things, and it's pretty common, is people reuse passwords across websites.
Hannah Clayton-Langton (12:40):
Yeah, I've only embarrassingly recently, like, really understood the scale of this because my iPhone's gotten pretty good at, like, telling me when a password's been compromised. And I have to say that, like, it's mostly passwords from things I don't use anymore. And maybe around, like, 2015, 2016, I was just recycling.
Hugh Williams (12:58):
Yeah, exactly.
Hannah Clayton-Langton (13:00):
That is so clearly a vulnerability. But I don't think that I was educated. Well, I clearly wasn't educated back then about it. It's just, like, annoying when you got prompted to change your password all the time or add an exclamation point or add a number. But when you talk about it, thinking about how someone with malicious intent would view this, suddenly I'm feeling, like, all sorts of uncomfortable about my own passwords and security
(13:23):
practices in, like, my personal life.
Hugh Williams (13:25):
Yeah. And look, that's something I definitely say to our listeners is, don't reuse the passwords across different websites or, you know, tools that you use. Like, always have a different password.
Hannah Clayton-Langton (13:34):
And that's what credential stuffing is, right? It's like getting access to your credentials and then trying them on a whole bunch of other websites.
Hugh Williams (13:40):
That's it. That's it.
Hannah Clayton-Langton (13:40):
Okay, so let's pivot into what we as individuals can do to help, like, reinforce the defenses. So definitely a serious approach to passwords. I now, on advice from my boss, who's the CEO of a tech company, so I took him as a very good authority.
Hugh Williams (13:59):
Yeah.
Hannah Clayton-Langton (13:59):
He was like, oh my, yeah, hi, James. He was like, oh my god, why are you not using the Passwords app on your iPhone or, like, a password keeper or some other, like, third-party app to create passwords for you that you just, like, never know what they are? I'm sure the listeners will have seen those. So, like, Google will try and prompt you with a strong password. It's like a string of characters. My dad uses this. He was so clear in his recommendation, and it's so
(14:21):
obvious in his shock that I wasn't using it that I've now, like, reverted to using that for all of my passwords.
Hugh Williams (14:27):
That's great. Even if folks don't know how to use that, don't feel comfortable using that. If you're a listener out there, look, the simple basic thing you can do is don't use common passwords that are easy to guess, try and have a mix of uppercase, lowercase, numbers, special characters. So certainly do that. Nice long password and never, ever, ever reuse a password across different properties.
Hannah Clayton-Langton (14:45):
Well, because basically, if I've understood correctly, what that password app on my iPhone or password keeper is doing is it's making sure that every single password's different. Correct. And it's making them, like, really long and random, i.e. less easy to guess.
Hugh Williams (14:56):
Correct.
Hannah Clayton-Langton (14:56):
Okay.
Hugh Williams (14:57):
Which means if, you know, somebody downloads a list of a few million passwords from the web, that password sure ain't going to be in there.
Hannah Clayton-Langton (15:03):
Amazing. And then on top of a strong password or, like, a good approach to passwords, we have multi-factor authentication and/or two-factor authentication. I assume that two-factor means, like, two factors, and then multi means more than two. Is that right?
Hugh Williams (15:17):
Yeah, that's right. So multi-factor is basically the idea that there's three things you need in order to be able to log in. So, first of all, something you know, like a password or a PIN, something you've got with you. So that could be your phone, it could be a little security key dongle that's on your key ring, it could be an authenticator app. And then something that you are, which means something like
(15:39):
a fingerprint or your face or your retina or whatever else it is. Obviously, with two-factor authentication, you're saying, well, let's just go with two of those.
Hannah Clayton-Langton (15:47):
Which is normally, like, a phone, it's normally a text, right?
Hugh Williams (15:50):
Yeah, exactly. So in the case of my bank, I have to know my password to get into my banking app, and it will send me texts or it'll ask me to use an authenticator app on my phone.
Hannah Clayton-Langton (15:59):
Okay, and as a user, like, this is kind of annoying if you don't have any other context as to why you're being asked for it. Like, it's kind of annoying that you have to be emailed or texted a code and put the code in or have an authenticator app when you just want, like, a smooth user experience, but it's obviously totally worth the same.
Hugh Williams (16:14):
Security is the enemy of convenience. Yeah. Like, it's the enemy of convenience. If you want convenience, you wouldn't have a password, right? Just your email address. And so, yeah, look, the price of security is inconvenience. And I think it's well worth the trade-off. I would say that using an authenticator app is a much more secure thing than a text, because it is possible to get a SIM card that's a duplicate of your SIM card and put that
(16:36):
duplicate in a phone that isn't your phone and start receiving your texts, right? If I've got your username and password and I've got a phone that, you know, is effectively your phone but isn't, then it's possible to start receiving texts and logging in as you. Much, much harder to do with an authenticator app. So I love authenticator apps over being texted.
Hannah Clayton-Langton (16:54):
Okay, and this is where you start to see, like, vulnerabilities and older people being targeted for these types of hacks because it's inconvenient and/or if you don't really understand how apps or authenticators work on your phone, you're just going to opt out if you can. Although I would say that in the last few years it's felt less and less optional to have all these sort of layers of
(17:15):
security.
Hugh Williams (17:16):
There's a new breakthrough called passkeys, which we can talk about in a second, which sort of simplifies it a little bit. But yeah, look, it's, you know, it's getting harder and harder to use technology as technology gets more and more sophisticated. And as these hackers get more sophisticated, security is getting more sophisticated. And so definitely for those who aren't, you know, super confident with technology, it's very difficult to maintain security.
Hannah Clayton-Langton (17:34):
Let's talk about passkeys. I've understood that they are, like, the level above multi-factor authentication. And as listeners can expect and perhaps experience, like, after the Marks and Spencer's hack and the other attempted hacks on the UK retailers, every exec team must have been like, what are we doing to be secure? How secure are we? And the key thing I took away from discussions at work was
(17:54):
like, get these passkeys installed wherever you can as an alternative to, basically an alternative to passwords, right?
Hugh Williams (18:01):
Yeah. Basically what happens is when you agree to use a passkey, there's a what we'd call a key, an encrypted key stored on your machine. And when you try and access a website or an app, that app will challenge your machine or say back to your machine, are you really you? And then using this secret key that's stored on your machine, you'll sign this and that'll go back to the website and say that
(18:23):
you're really you. So the miracle here is you don't have to remember a password, you don't have to type anything. All you've got to do is unlock your phone with your face or perhaps, you know, your laptop with your fingerprint, whatever it is. And then when you go and visit the website, magic happens behind the scenes and you get to log in. So you don't actually remember a password, you don't know what the password is, you can't give the password to anybody.
(18:43):
The computer's doing all the work of logging you in and making sure that you are definitely talking to the thing that you think you are.
Hannah Clayton-Langton (18:49):
So two quick follow-up questions. I assume that the benefit of that is that there's less room for human error or human vulnerability.
Hugh Williams (18:56):
Yeah, correct. So somebody calls you up and tries to bully you into sharing your password. You don't know the password, there is no password.
Hannah Clayton-Langton (19:03):
Okay, and then is it true? My recollection of the explanation I had at the time was that there's, like, an element of location here, which is like, for me, the passkey always involves me opening up my phone, scanning a QR code, and then it, like, authenticates my face. And I had understood that the passkey is recognizing that both my computer, which is where I'm trying to log in, and my
(19:25):
phone, which is where I'm activating the passkey, are, like, in the same physical location.
Hugh Williams (19:29):
Yeah, and look, that's an additional layer of security over the idea of a passkey, but that's fantastic as well. This is as secure as it gets.
Hannah Clayton-Langton (19:36):
So basically, listeners, get on top of your password game. It can be annoying in terms of disrupting convenience. And then for, like, companies, there's some pretty basic stuff as well. So, like, I mentioned earlier that our InfoSec team do, like, fake phishing emails, which I have to admit, I have been caught once. Yeah. So that's definitely good that they do that. And then they do, I think they do something called pen testing,
(19:59):
which is penetration testing. So what's that?
Hugh Williams (20:01):
So penetration testing is basically the idea of getting somebody to attack your website for you. So think about the SQL injection attack that we talked about earlier. So one of the things that I would do if I was trying to check if your website was secure is I would try some SQL injection attacks on your website. I'd go and test all the different fields and try lots of different things and see if I could make that happen, right?
(20:22):
And of course, you're gonna hope I fail. Yeah. And then you'll get a nice green square that says, you know, that your company is safe against SQL injection attacks. Another thing you might do is you might look for open ports, we call them, open services that are available that should be secured. And this is another thing that commonly happens to companies is, imagine, you know, you and I are running our startup and we decide we're gonna host everything up in the cloud on
(20:43):
top of AWS, and we set up AWS. One of the things you have to do in setting up AWS is set all the permissions of who can access what and where's our data available and to what other pieces of software and to who and things. Easy to make mistakes. So it's possible sometimes that, you know, a database, for example, is just hanging out there on the World Wide Web, and I can just go and, you know, if I know how to get into an
(21:03):
AWS database, I can get into our database and start sniffing around. So just making sure that all of the things that should be secured are generally secured. So best security practices, these penetration testing folks are gonna run some software to do some of this. So try a whole bunch of things in a fairly methodical way. They're also gonna try some human things, and then we're gonna get back a report and it's gonna have some, you know, some green, some yellow, and some red. And if there's some red, then we should go fix
(21:25):
that, you know, yellow opportunities for improvement and green, you know, you and I are pretty happy with our security practices.
Hannah Clayton-Langton (21:30):
Okay, so one question, one observation. I assume that these are often third-party, like, services that you can hire from. Okay, because if someone inside is doing it, then they, like, are they compromised already.
Hugh Williams (21:41):
Yeah, that's right. Occasionally, though, you'll have what's called red team, blue team activity in your company. So you might say, hey, look, you know, let's spend a day trying to hack ourselves. We'll start up two teams, we'll have a red team, and the red team's job is to try and get into us, and the blue team's job is to try and stop that happening. You know, people will download some tools, have a real shot.
Hannah Clayton-Langton (21:59):
It's good fun. Fun until you get in and then you create a whole bunch of work for yourself. Yeah, that's right.
Hugh Williams (22:04):
But, you know, better us, you know, our smart engineers having a fun day hacking with some pizza and whatever else, better us than some nasty folks from the outside.
Hannah Clayton-Langton (22:12):
There's a version, I think, where people will just try and get into your building by, like, tailgating someone through the security gate at an office and then, like, looking for a laptop that's not been locked. I mean, and this all amounts to an attempt to, like, hack, get on someone's laptop, go and steal a bunch of confidential documents. And I think when we talk about, like, security audits, we
(22:34):
obviously definitely mean, you know, getting into the systems, but there's, like, such basic stuff that if you're not hygienic on as a business will absolutely be a vulnerability.
Hugh Williams (22:43):
It's the social
engineering type stuff that'll
get you every time.
Seriously.
I mean, that this is, you know,the we talked about the MS
attack at the top of the show,and that's social engineering,
right?
Like I'm I'm bullying somebodyon a help desk into doing
something and being veryconvincing about it.
That's what will get you mostof the time.
And so this tailgating, callingand bullying employees, you
know, asking for things from thefinance department, whatever it
(23:06):
is, is what will get you mostof the time.
As we've talked about in theshow a couple of times, Hannah,
you know, I was at eBay um earlyin the 2010s, uh, I think about
three, four months after Ileft, eBay was a subject of a
hack.
It wasn't a ransomware hack.
Um, it was a hack where theygot in and they got hold of all
the user's information.
eBay forced everybody to changetheir passwords, you know,
long, long process of figuringout how that one happened.
(23:28):
But again, started with anemployee being bullied by
somebody into doing something.
Happened again at a companycalled Pivotal that I worked at.
Somebody impersonated the CFO,called up somebody in the
finance department and said,Look, I need this information,
this payroll information, I needit right now.
It's Saturday, just send it tomy Gmail address.
Hannah Clayton-Langton (23:47):
Never send it to the Gmail address.
Hugh Williams (23:51):
And did a pretty good job of impersonating the CFO, you know, junior finance employee dutifully took all the payroll data and sent it to uh heaven knows who. And uh, you know, all employees' pay information, personal details, social security numbers, all those things were uh owned by some hackers within seconds. So this is what will get most people. Yeah.
(24:11):
And of course, you know, it's not just companies that are subjected to this. I actually was called by uh somebody two weeks ago, pretending to be my bank. So I was sitting at home one night, called me up, and they said, uh, is this Hugh Williams? I said, yeah. And they said, Look, it's uh it's your bank. They gave my bank's name and they said, Um, you know, you've got a business banking issue that we need to talk to you about. And I said, Oh yeah.
(24:32):
Um, who are you? And they're like, You're based at, and they read out my address. So they've got my phone number, they got my name, they got my address, right? They've read these three things out. And I said, uh, yeah, but then I'm thinking in the back of my head, the bank usually uses my post office box, not my physical address. So I'm like, a bit strange.
Hannah Clayton-Langton (24:48):
And the bank always say that they'll never call you, or at least in the UK. They're like, we don't ring you.
Hugh Williams (24:52):
Yeah. And I said, Um, what's the matter about? And they said, Look, you know, we just need to validate your details. And I'm like, you're, you know, you're fishing for me to give you something. And I said, Well, I'm not going to give you the details. And I said, Look, um, you know, who are you? And they said, I can give you my employee number, or I can give you a number that you can call us back on. And I thought, well, you know, the employee number sounds impressive, right? They can read out one, two, three, four, five and hopefully
(25:13):
it'll fool me. Um, or they can give me a phone number that's their phone number and hope that I'll call them back and we can just continue the conversation. And I said, Look, I know you're not my bank, and I just hung up on them. But these folks, you know, they're pretty good, pretty aggressive. It sounded urgent.
Hannah Clayton-Langton (25:26):
100%. And I think they exploit the fact that particularly a junior employee, if the CFO wants something into their Gmail, that junior employee may not feel entitled to challenge it. And that's where like training your population on this stuff, and I guess every now and then like testing them via those like fake phishing emails that I mentioned, is actually just really good practice.
Hugh Williams (25:46):
Yeah, yeah, really, really important. I mean, it's really important to develop a culture where people will challenge things that they think are suspicious. You know, I worked at Google. Google absolutely has a culture of you can't tailgate somebody through any door with a badge. If you try to tailgate somebody, the person in front of you will turn around and say, You need to scan your badge. Can I see your badge? And everybody will ask that, from you know the cleaner to the
(26:06):
CEO.
Hannah Clayton-Langton (26:07):
I've never worked anywhere where that's allowed, to be fair. And I've said no to people before when they say, Can you let me in? I'm like, nope. Yeah, great. Don't know if it was a test or not, or I was being annoyed.
Hugh Williams (26:16):
The majority of companies that I've been involved in are fairly lax when it comes to that. Google was an outlier, you know, for me.
Hannah Clayton-Langton (26:21):
It's that social element though, isn't it? Like people trying to be helpful. Like it's never that people are being intentionally careless. It's just that our natural reaction as humans is to trust, right? And that's where like AI deep fakes, where I think you can like muster up someone's likeness via voice, starts to get really worrying. Cause then like someone could call me purporting to be my
(26:42):
boss. Yeah, yeah. Yeah, yeah. And it could be incredibly convincing that they were, right? And so that's when I get all sorts of nervous.
Hugh Williams (26:52):
Absolutely. So, you know, you need to definitely have a culture of questioning and challenging and making sure things are absolutely right. Another thing we should just quickly talk about, Hannah, is just keeping software up to date. You know, one of the best things you can do both as an individual and a company is just keep your software up to date. So when your laptop uh says, you know, it's time to install this update or this new version of whatever it is, just say yes.
(27:14):
You know, don't postpone updates. Because what of course these companies are doing is they're discovering how their software can be exploited, they're fixing those problems probably pretty quickly, and they're making available what we'd call patches or updates.
Hannah Clayton-Langton (27:27):
I was gonna say, is that a security patch? Okay.
Hugh Williams (27:29):
Yeah. And then, you know, if you apply it, then you're uh, you know, you've effectively taken the vaccination, right? And so a lot of the folks who get hacked who aren't victims of the social engineering hacks, a lot of these folks who get hacked are victims of hacks that could have been prevented had they kept the software up to date.
Hannah Clayton-Langton (27:44):
And I presume that applies to like apps on your phone as well. Absolutely. Yeah.
Hugh Williams (27:48):
Absolutely everything. So keep your software up to date.
Hannah Clayton-Langton (27:51):
So just to round us off on a more positive note, let me just give ethical hacking a bit of a shout-out. So that is where folks who know how to hack, they've got the skills, you know, they will try and hack a company, but instead of exploiting that for blackmail or other malicious intent, they
(28:11):
basically like contact a company and they say, Hey Google, I got into this system of yours, which I'm pretty sure you don't want me to get into, and I can tell you how I did it. And then they get some sort of like bounty reward for doing that.
Hugh Williams (28:22):
Yeah, yeah, exactly. And there's a couple of companies, um, there's one called Bugcrowd and one called HackerOne that effectively are intermediaries. And uh it's exactly how it works, Hannah. Is uh I often offer challenges. So you work at a well-known retailer in the UK, put up a program or a challenge, you know, people out there have a shot at trying to get into your website. If they can get in, then uh they'll get paid a bounty.
(28:45):
And some of these bounties are quite high. You know, you can get tens, if not hundreds, of thousands of dollars from the major tech companies for um finding vulnerabilities, and everybody wins. So uh these people are effectively, you know, good guys and gals out there, you know, earning a living, trying to make the internet safer, reporting this information before the bad guys find it, the companies make their services more secure.
Hannah Clayton-Langton (29:06):
When I listen to these sort of half-nerdy podcasts where hackers come on and talk, most of them at least claim that they're now ethical hackers. I don't know to the extent with which that's true, but they sort of will often say they've seen the light and, you know, now help the cause rather than infiltrate it.
Hugh Williams (29:23):
Yeah. Yeah, and it seems like a smarter thing to be doing.
Hannah Clayton-Langton (29:25):
If anyone is an ethical hacker or knows an ethical hacker, we would love to talk to them about all of this for a future episode. So, you know, email us at Hannah at techoverflowpodcast.com with your contacts and we'd love to talk to someone.
Hugh Williams (29:36):
Yeah, absolutely.
Hannah Clayton-Langton (29:38):
Okay, so a lot of really rich content there that we've talked through. Are there any last points, or I'm hoping you're gonna have like one more cool anecdote for us to round off the episode.
Hugh Williams (29:48):
Yeah, I'll tell you a story. Got a good one for you, Hannah. My friend Richard Orm said I could use his name. Richard's uh, hi, Richard. Great guy. Uh you know, well known CTO in the London scene. Richard was working for a company, I want to say, you know, 10, 12 years ago, came in one day and uh discovered that slowly but surely various
(30:10):
different parts of the system stopped working. You know, can't seem to access that file. Oh, you know, that part of the process doesn't seem to be working. And slowly but surely the systems at this company ceased to work. So then they discovered on the shared drives, so the drives that are, you know, made available to every employee, that all of the files that were on those had been encrypted.
Hannah Clayton-Langton (30:32):
Oh my God, that's like the worst, that's the moment that your heart drops out your stomach.
Hugh Williams (30:36):
So they're like, how did these get encrypted? And this has sort of progressively occurred over a period of time. And so they start running around the office trying to figure it out. And eventually, after looking at lots and lots of different computers, they find that one guy on his screen, it says, you know, your computer has deployed ransomware within your
(30:59):
organization. You need to pay two and a half Bitcoin.
Hannah Clayton-Langton (31:02):
Oh my god.
Hugh Williams (31:03):
And then we will unlock all of the files. So my friend Richard says, Well, we don't have to do that because we've got backups. So we'll just go get the backups and we'll restore all of the systems.
Hannah Clayton-Langton (31:16):
Yep.
Hugh Williams (31:16):
He goes to the IT team, says, Right, let's get on with this. And somebody in the IT team says, Um, we stopped taking backups. And he says, You what? Yeah, um, you know, we needed to save costs. We've been on a cost reduction program. I thought backups were getting a little bit expensive, and so we haven't taken backups for, I forget what it was, six, nine
(31:36):
months, a year. This is back in the deep dark days where you know Bitcoin wasn't as sort of in the public domain as it is today. So my friend Richard's like, what exactly is Bitcoin? How do you buy Bitcoin? What's a Bitcoin wallet? We should do an episode on Bitcoin.
Hannah Clayton-Langton (31:49):
Yeah, we definitely should. And I've had a listener email through on Bitcoin at the moment. Oh, awesome. Yeah, yeah.
Hugh Williams (31:53):
And so he goes and figures this out. He ends up at some strange website, you know, dealing with whoever it is, and he buys five Bitcoin, which uh at this point was $20, $30 a Bitcoin.
Hannah Clayton-Langton (32:04):
I was gonna say, five Bitcoin. Okay, yeah. Yep.
Hugh Williams (32:06):
So he goes and buys five, needs two and a half, goes and um deposits this 2.5 Bitcoin into this wallet, and uh the machines start getting decrypted. So one by one, files start returning to their original state. You can see this slowly happening. 48 hours has elapsed, right? So the business has been basically suspended for 48
(32:27):
hours, but he's figured out this Bitcoin thing, he's paid the Bitcoin, and now the files are coming back. Richard said to me, you know, he said, I was just sitting there hoping this machine like did not die. Like, if this machine died, then there was obviously no way to decrypt all the files. He obviously didn't know that if he paid the 2.5 Bitcoin they would actually decrypt the files, but he's paid it and it's
(32:48):
decrypting. They were sitting there just watching all the files decrypt. And when the last file decrypted, he said we just pulled the network cables out of this computer and got it off the network. And then uh business resumed.
Hannah Clayton-Langton (32:59):
Oh my god, wait. So let me just talk that through. So some employee's computer becomes compromised via what? Some one of the hacking.
Hugh Williams (33:07):
He actually used his personal Gmail. Um, so he'd opened up his personal Gmail on his computer. Which we all do. Which we all do. Yeah. That bypassed some of the typical security checks that would happen within the systems. It's Friday afternoon, guy's in a bit of a hurry, double clicks on something, runs this thing on the work machine, uh, it goes into the shared drives and starts encrypting absolutely
(33:27):
everything. Now, the good thing here was there was no human involved. So this was just a piece of software, a little bit like a virus, I guess, that was just running on his computer. So the attackers actually didn't know that they'd infiltrated a company and suspended a company's operation. But I guess also the company had no way of contacting the hackers because the hackers didn't know they'd hacked the company.
(33:47):
So really the only way out of the jungle here was either backups, which they didn't have, or, you know, pay this 2.5 bitcoin ransom and hope like heck that it decrypts the files and you end up in a reasonable state.
Hannah Clayton-Langton (34:01):
Wow.
Hugh Williams (34:02):
Do you want to know the best part of the story though?
Hannah Clayton-Langton (34:03):
Yeah.
Hugh Williams (34:04):
Remember, Richard bought five Bitcoin, he's only paid two and a half.
Hannah Clayton-Langton (34:07):
Yeah.
Hugh Williams (34:07):
Do you know how much Bitcoin's worth today?
Hannah Clayton-Langton (34:09):
Yeah, I've looked it up. About 80,000 pounds. Yeah.
Hugh Williams (34:12):
So Richard's sitting on top of 2.5 Bitcoin still today, but he can't remember the password to the laptop that it's stored on. He's tried the password a few times, he's actually got one attempt left.
Hannah Clayton-Langton (34:23):
This is a story you hear.
Hugh Williams (34:24):
Uh and so he's got a very, very valuable laptop sitting in his house at home that's worth an enormous amount of money, but he doesn't know the buns.
Hannah Clayton-Langton (34:30):
Oh my god, Richard, well, maybe the hackers can help him infiltrate that laptop to get the Bitcoin back. Wow, that's crazy. And this was a long time past.
Hugh Williams (34:38):
Yeah, over 10 years ago.
Hannah Clayton-Langton (34:40):
So you don't need to talk through the details because poor old Richard probably doesn't want us exposing at all. But like the vulnerabilities that were exploited, presumably wouldn't get through in the same way today because we're more secure.
Hugh Williams (34:50):
I think this would still happen. I think this would still happen. One thing I'd say that maybe might make some of our listeners feel a little bit better is it's a bit like burglary in your street, right? You've only got to be more secure than the house next door and they'll burgle the house next door. So really what you've got to do is you've got to think about your company and look at your peers and make sure you are more secure than the peers of your size, right?
(35:10):
So when these hackers are sizing up a target, they think of this as an economic thing, right? And so what they're looking for is somebody of that class, what they are capable of paying. If you're harder to hack than the folks next door, they'll hack the folks next door. So we don't all have to be as secure as Microsoft, Google, Amazon, Meta. We just have to be more secure than the people that are in our class.
Hannah Clayton-Langton (35:30):
To be clear, blackmail is a crime, misuse of Computer Information Act or something in the UK that makes all this stuff.
Hugh Williams (35:37):
Highly illegal stuff. Highly illegal stuff.
Hannah Clayton-Langton (35:38):
And also, this might be an interesting note to end the podcast on: paying ransom to hackers is something that governments are going to start intervening on because it's creating quite a nice little industry for them at the moment, right? To get, you know, to get money off of big companies where they can, you know, get into the systems.
Hugh Williams (35:54):
Yeah. And the UK I think is very close to actually making it illegal to pay ransom. And you might say, well, how is, you know, a particular company going to get out of the mess that they're in if they don't pay the ransom? But you know, if you make the whole country an unattractive target and you say, look, there's no point in attacking companies in the UK because none of them can pay us, um, then you know, hopefully folks will go somewhere else. That's the thinking.
Hannah Clayton-Langton (36:14):
Okay. And uh does that mean that you could still pay white hat hackers or ethical hackers? I assume you can't. Oh, yes, of course. Okay, of course. Okay. Of course. Interesting. Well, we'll see if that works. I guess only time we'll see.
Hugh Williams (36:24):
But uh, you know, it's a big industry, it's a big problem, and uh certainly something for all of our listeners to be making sure that at their company they're doing the right things. And remember again, you know, security is the enemy of convenience, so expect some inconvenience, want some inconvenience. And then from a personal perspective, unique passwords, nice long passwords, not common passwords, and keep your software up to date and be suspicious.
Hannah Clayton-Langton (36:44):
Be suspicious, okay, right. Well, on that note, this has been the Tech Overflow Podcast. I'm Hannah Clayton Langton.
Hugh Williams (36:50):
And I'm Hugh Williams.
Hannah Clayton-Langton (36:51):
And if you like what you've heard today, you can subscribe wherever you get your podcasts, share it with friends, family, give us a review. We appreciate all of that stuff.
Hugh Williams (37:01):
Yeah, absolutely. Uh, we're also available on LinkedIn, posting three or four times a week about the episodes that are coming up, uh, having some real fun there. And uh we're also available on Instagram and X.
Hannah Clayton-Langton (37:11):
Yeah, and you can also find us on techoverflowpodcast.com.
That's the show.
So thanks for listening.
Thank you.
Bye.
Bye.