Tech Overflow
We're Tech Overflow, the podcast that explains tech to smart people. Hosted by Hannah Clayton-Langton and Hugh Williams.
Hacking, Part #2: Pay 2.5 Bitcoin and We Will Unlock Your Computers
Ever joined a “Guest Wi‑Fi” that looked legit, rushed through an email on the way to the airport, or reused a password because it was easier? Those small shortcuts are exactly where hacks begin. We open the curtain on how attacks actually work and, more importantly, the simple habits that stop them.
We break down malware in clear terms: old‑school viruses that ride dodgy attachments, worms that replicate on their own, and Trojans disguised as free software. Then we step into the street‑level reality of man‑in‑the‑middle attacks using rogue hotspots, why HTTPS and a reputable VPN matter, and how attackers can read or even alter your traffic if you don’t encrypt. On the application side, we demystify SQL injection with concrete examples and show how basic engineering hygiene prevents catastrophic data leaks.
Credentials get a full audit: why password reuse fuels credential stuffing, how to build unique, strong passphrases with a password manager, and when to choose authenticator apps over SMS to defeat SIM‑swap. We also explore passkeys, the passwordless future that uses cryptography tied to your device and makes phishing far harder. From there, we move into company defences: phishing simulations, penetration testing, red team versus blue team drills, and unglamorous but vital basics like patching and tested backups. A crazy ransomware story reminds us that backups and culture beat panic every time -- and Hugh's friend still has 2.5 Bitcoin from the attack (with a fantastic twist at the end).
Along the way, we talk economics of cyber crime, why you only need to be harder to breach than your peer group, and how ethical hackers and bug bounty programmes improve resilience. Subscribe for more practical tech explainers, share this with someone who needs a security refresh, and leave a quick review so others can find the show. What’s the one security habit you’ll change today?
Hannah Clayton-Langton:Hello world and welcome to the Tech Overflow podcast. I'm Hannah Clayton-Langton.
Hugh Williams:And I'm Hugh Williams.
Hannah Clayton-Langton:And we're the podcast that explains technical concepts to smart people.
Hugh Williams:Yeah, and speaking of super smart people, how are you going, Hannah?
Hannah Clayton-Langton:That's very kind. I am well as ever, as listeners know. Love an in-person record. So pleased to see you, not on a screen.
Hugh Williams:So so good. So so good. Now I'm heading for Australia and you are heading for New York this afternoon.
Hannah Clayton-Langton:Yeah, I'm going on holiday. Hugh's heading home, and we're going, I assume, opposite ways around the world.
Hugh Williams:Yeah, I guess you'd be going west and I'll be going east. Correct. Exactly.
Hannah Clayton-Langton:Yeah. Okay. Well, listeners, we set you up on this topic of hacking last week with a super interesting case study. And in this week's episode, we're going to be getting into some more of the technical aspects of hacking more generally.
Hugh Williams:Yeah, we had a great conversation about M&S, Marks and Spencer's, you know, big retailer here in the UK and the terrible ransomware attack that they suffered. And I guess we've pulled that apart, speculated about it a bit, shared what we know. But I think it sets us up brilliantly, Hannah, to really talk about the broader field of hacking today.
Hannah Clayton-Langton:Yeah. And if you've not listened to last week's episode, I would definitely recommend starting there because there's no easier way to get your head around new concepts than through a worked example. And if you are UK-based, you probably read a lot about this on the news in the last six months. So it'll feel super relevant.
Hugh Williams:Yeah. And I'll share a couple more stories today if you like.
Hannah Clayton-Langton:Awesome. Let's get back into it. Marks and Spencer's is an example of effectively a social engineering hack, which is someone on like a human level getting in by exploiting trust and impersonating others. And they did eventually deploy some ransomware, but there's a few different, I imagine there's a long list of types of hacking attacks, but there's probably like two or three key ones that we can talk through. Yeah, let's do it. Okay, so malware. Can you explain that to me?
Hugh Williams:So ransomware is an example of malware. Okay. And ransomware, you know, I think we've talked about that enough. So that's where typically the contents of the computer is encrypted. This could happen to you at home. You open up your laptop in the morning and you find it, you go to access it, and there's a big thing on the screen that says some organization has locked your laptop, you need to pay some Bitcoin, and then we'll unlock your laptop. That's ransomware. Viruses are another.
Hannah Clayton-Langton:Those were the original, like in the 90s. Yeah, yeah, yeah.
Hugh Williams:The OG hacking. So maybe I'll give you an example of a virus. Um, let's imagine uh you get a you get an email, you think it's from a friend, it's not actually from your friend, looks a bit like your friend's email address, definitely your friend's name, and it says, here's the photos from the engagement party, and you open some attachment, you click on that attachment, you perhaps see some photos, perhaps you don't see some photos, you sort of wonder what happened. But in that process of you clicking on the attachment, you've probably run what's called an executable, so one of these sort of binary files that we talked about way back in our first episode. You've run that, and that has now done something to your computer. A couple of examples. It might have installed something that's now tracking every key that you press and sending your passwords back to some bad guys. It could have grabbed a whole bunch of documents from your document folder and emailed them to somebody. It could also have propagated this virus, right? So now that you've done this, perhaps there was an email sent by you that you don't know you've sent off to all of your friends in your contact list saying, here's the photos from the engagement party, and now this is starting to happen to all of your friends. So effectively, some software's run on your computer that's done something nasty to you. So that's a virus.
Hannah Clayton-Langton:And this is like, again, back in the day, it was almost like the first thing that I was taught when I was on computers. And our IT team do a really good job of like faking these types of emails. And if you click on the link, you get this thing that's like, you've been had, you know, do this training because you behave greatly. But it's like, it's exactly that. It's like click a link, download a virus locally. And sometimes I used to get emails from like super random people who I must have been on their contact list saying something like the photos from the engagement party, and then like it's very obviously a hack because I don't know them well enough for that to be the case. But like the odds are that a couple of people will click the link and that's how it propagates in that.
Hugh Williams:Yeah, and often, you know, you're you're busy, you're moving fast, you're trying to get through your emails, you've got to catch a plane at four o'clock to New York or whatever it is. And uh, you know, you make mistakes. People make mistakes.
Hannah Clayton-Langton:And is a virus the same as a worm? Is that an interchangeable term?
Hugh Williams:Yeah, I'd say um I'd say they're fairly interchangeable terms. I think when folks say uh a worm, they probably mean it's a little bit more self-replicating, so it'll continue to propagate itself, whereas a virus may or may not do that. But I'd say similar, similar idea.
Hannah Clayton-Langton:Okay, so what other types of malware might be interesting for the listeners?
Hugh Williams:Yeah, look, let's talk about Trojan horses or Trojans as they're they're commonly known. So that is uh something that looks like the piece of software that you expect it to be, but has something hidden inside it that's malicious, right? So let's imagine you know you're like, oh, I can't afford Photoshop. You know, I don't want to buy Photoshop. So you go online and you find like a some website.biz.info, whatever it is that claims to be having a free version of Photoshop or some open source thing that you could use and you download this thing. Your computer's probably warning you, you know, you're sure you trust this thing that you've just downloaded from the random internet, and you're like, yeah, yeah, yeah, no worries at all. And you open this thing up and you edit a photo or whatever it is. But in fact, what you've downloaded is not just some photo editing software, but something that has this sort of virus-like capability inside it as well. So Trojan horse.
Hannah Clayton-Langton:So it's kind of similar to the virus and the worms in that it gets you to download something or click a link.
Hugh Williams:Yeah, that's it. But usually it's um you're actually downloading a piece of software and deciding to run the software. So you you think you're downloading the photo editing software or the game or whatever else it is, but but inside it is a is a malicious payload. So a little bit different to say that the trick of a virus, which is you know, you're you think you're getting the photos and you click on them, and then all of a sudden something bad happens. This is, you know, you're actively downloading this software, you just downloaded it from the wrong place.
Hannah Clayton-Langton:Okay, so man in the middle attacks.
Hugh Williams:Let's imagine I park a van outside your work and I put my big Wi-Fi router on the roof of my van and I call it uh, you know, your company's name guest Wi-Fi. Oh, that sounds convincing to be fair. And then uh you say, Oh, yeah, I didn't know our guest Wi-Fi was called that, but um, that's that's pretty handy. You know, I've forgotten the credentials at work or you know, I haven't got my phone or whatever it is. I'll just connect to the guest Wi-Fi, that will be fine. So now you're connected to my van that's sitting outside your work. And depending on how your computer is set up, I may or may not have access to the plain text versions of the things that are now going through my router and through my computer sitting in my van. So I I could potentially see your keystrokes, the passwords you type into your bank app. Um, I could potentially intercept your emails, all these kinds of things because they're all now passing through my computer. And of course, what I'm doing is I'm actually sending that traffic out onto the internet. So you're you're not seeing this, right? You're just connected to my Wi-Fi. I'm just watching things go past, but I'm actually connecting you properly out to the internet and sending you back the things that you expect. I'm just sitting in the middle here watching things go by. There's a couple of things you can do to stop this happening, you know, just simple stuff. So you'll notice when you're using a web browser that most of the websites you go to show a little padlock next to the address that you've typed in. And when you type in the address, it starts with HTTPS. And when it's got an S, it means that everything's encrypted end to end. And so that means that as soon as it leaves your web browser, it's now an unintelligible stream of data. And it won't turn back into an intelligible stream of data until it arrives at the correct destination it needs to arrive at. And there's no way to kind of break that.
The other thing you can do is use a VPN. And people usually use VPNs these days to watch streams of shows they want to watch from some location. You know, you can't.
Hannah Clayton-Langton:I use it to watch Married at First Sight Australia in the UK.
Hugh Williams:Uh, the uses of technology.
Hannah Clayton-Langton:Um is that better or worse than finding out your maths? Great. I think we've revealed our true personality.
Hugh Williams:I think it's better. Yeah. I think it's better. So yeah, so if you use a VPN, then all of your traffic going out of your machine will be encrypted. So it doesn't matter that I'm parked in my van outside, you know, everything you do now on your computer is going to is going to look encrypted to me.
Hannah Clayton-Langton:Okay. And just to talk back to your first mitigation, which was HTTPS, does that mean that I should just be putting that at the beginning of the web address? And so if I access Gmail with HTTPS while I'm on a guest Wi-Fi, that's encrypted.
Hugh Williams:Correct. Correct.
Hannah Clayton-Langton:Okay, that's really interesting.
Hugh Williams:And if you wind back um, I don't know how long it is now, Hannah, but you know, if you go back uh 15, 20 years, HTTPS was very uncommon and you know, it was usually HTTP, which was unencrypted. But these days, pretty much every single website you could possibly go to will be HTTPS.
Hannah Clayton-Langton:But do you have to actively put that in, or is it just something like if I just type in gmail.com, we'll it'll it'll redirect to the HTTPS.
Hugh Williams:Oh, fine.
Hannah Clayton-Langton:Okay. So that's just that's not something you have to do.
Hugh Williams:That's something that if you if you see that little padlock in your browser next to your web address, then you can feel safe that the data's being encrypted.
Hannah Clayton-Langton:Okay. Yeah, that man in the middle thing, particularly the guest Wi-Fi version, like if I were a hacker, I would put that in like an airport lounge or like next to a hotel, and then everyone's on the guest Wi-Fi.
Hugh Williams:That's it. It's like a honeypot. The other thing that you can do with a man in the middle attack, and this is where it really starts to get ugly, is I could actually edit your emails. Let's imagine that uh you're looking for some money to be deposited to your bank account, right? So somebody's bought something off you and they owe you a thousand pounds, and you send them an email and you say, Look, you know, here's my bank details. Now, if I'm sitting outside in the van, I could then edit that email, I could change those banking details, send that on its merry way, but now it's got my bank details in it, and they're gonna send me the money. That's a that's a common thing as well, is not just not just intercepting it, but also uh modifying it in some interesting way.
Hannah Clayton-Langton:Right. So that's man-in-the-middle attacks. And then the last thing you said was we should talk about SQL injection attacks.
Hugh Williams:Yeah. It's probably the most technical of the of the things that we've we've talked about. Let me try and give you an example, right? So first thing to know is that a lot of websites that you visit have what's called a database sitting underneath them. And that database is, you know, you can think of it like an Excel sheet. It's probably the best way to think about it. So it's got rows, it's got columns. It might have uh your name, your address, your phone number, your username, your password, encrypted password. Encrypted, yeah. And when you're accessing a website like this, there's what's called database queries being run that actually go and access the information in this database. And it could be to retrieve it, to display it, it could be to add things, it could be to edit things, delete things, whatever else it is, right? There's a particular language called SQL, and it's the most popular database language for reading, writing, and updating databases. And so a lot of websites are running lots of SQL, right? You know, you go in and you uh update your uh your address in your fitness app. There's probably some SQL behind the scenes being run to actually update your details in some database.
Hannah Clayton-Langton:Yep, makes sense.
Hugh Williams:So what you can do if the software is not written correctly is you can actually add extra SQL commands into fields where the company isn't expecting you to do that, right? So let's say um in the city field, you're updating your address. Let's say in the city field you type in the city, and then you put a semicolon, and then you write a big long SQL query that does something completely different, right? So it says, okay, the city's uh South, semicolon, select star from users, which would get all the user data. So if the system's not built correctly, what you can actually do is you can add an extra SQL query on the end that causes the system to do something and actually give you back a big chunk of data or alter the data in some interesting way. So I might be able to get all the user information out of the system and back onto my website.
Hannah Clayton-Langton:So you mean literally I go on as a hacker and update my address in like a retailer's website, and then I just like tack on some SQL and see if that works. Yeah.
Hugh Williams:So I go semicolon, you know, select star from users or uh select star from payments or whatever it is and say give me all the payment information. And it literally works. Yeah, it shouldn't work. And so what a well-run company with educated software engineers will do is they'll include in their validation of the data some steps that make sure that you can't do one of these SQL injection attacks, right?
Hannah Clayton-Langton:So like you can't have more than 15 characters for your city.
Hugh Williams:Yeah, that's a good start. And things like, you know, looking for semicolons, putting quotation marks around things so they can't be executed.
Hannah Clayton-Langton:Because those like semicolons and quotation marks are common in the way you write SQL.
Hugh Williams:Yeah, exactly. Exactly. You'll find plenty of websites where they've got holes galore where you can get away with this stuff.
Hannah Clayton-Langton:Well, this is my what I was about to ask, which is like if you have enough time and the will and malicious intent, you'll just try this again and again and again. There'll be some small company that has, you know, less of an investment in security. You can potentially get a whole bunch of passwords, and then suddenly I've got Hugh's email and password that he used for this website, and then I'm gonna go around and try and use that same username and password combination on a bunch of other websites.
Hugh Williams:Yeah. And look, uh, one of the most rookie things, and it's pretty common, is people reuse passwords across websites.
Hannah Clayton-Langton:Yeah, I've only embarrassingly recently like really understood the scale of this because my iPhone's gotten pretty good at like telling me when a password's been compromised. And I have to say that like it's mostly passwords from things I don't use anymore. And maybe around like 2015, 2016, I was just recycling.
Hugh Williams:Yeah, exactly.
Hannah Clayton-Langton:That is so clearly a vulnerability. But I I don't think that I was educated. Well, I clearly wasn't educated back then about it's just like annoying when you got prompted to change your password all the time or add an exclamation point or add a number. But when you talk about it, thinking about how someone with malicious intent would view this, suddenly I'm feeling like all sorts of uncomfortable about my own passwords and security practices in like my personal life.
Hugh Williams:Yeah. And look, that's something I definitely say to our listeners is don't reuse the passwords across different websites or you know tools that you use. Like always have a different password.
Hannah Clayton-Langton:And that's what credential stuffing is, right? It's like getting access to your credentials and then trying them on a whole bunch of other websites.
Hugh Williams:That's it. That's it.
Hannah Clayton-Langton:Okay, so let's pivot into what we as individuals can do to help like reinforce the defenses. So definitely serious approach to passwords. I now, on advice from my boss, who's the CEO of a tech company, so I took him as a very good authority.
Hugh Williams:Yeah.
Hannah Clayton-Langton:He was like, Oh my, yeah, hi, James. He was like, Oh my god, why are you not using the passwords app on your iPhone or like a password keeper or some other like third-party app to create passwords for you that you just like never know what they are? I'm sure the listeners will have seen those. So like Google will try and prompt you with a strong password. It's like a string of characters. My dad uses this. He was so clear in his recommendation, and it's so obvious in his shock that I wasn't using it that I've now like reverted to using that for all of my passwords.
Hugh Williams:That's great. Even if folks don't know how to use that, don't feel comfortable using that. If you're a listener out there, look, the simple basic thing you can do is don't use common passwords that are easy to guess, try and have a mix of uppercase, lowercase, numbers, special characters. So certainly do that. Nice long password and never, ever, ever reuse a password across different properties.
Hannah Clayton-Langton:Well, because basically, if I've understood correctly, what that password app on my iPhone or password keeper is doing is it's making sure that every single password's different. Correct. And it's making them like really long and random, i.e. less easy to guess.
Hugh Williams:Correct.
Hannah Clayton-Langton:Okay.
Hugh Williams:Which means if you know somebody downloads a list of a few million passwords from uh the web, that password sure ain't going to be in there.
Hannah Clayton-Langton:Amazing. And then on top of a strong password or like a good approach to passwords, we have multi-factor authentication and or two-factor authentication. I assume that two-factor means like two factors, and then multi means more than two. Is that right?
Hugh Williams:Yeah, that's right. So multi-factor is basically the idea that there's three things you need in order to be able to log in. So, first of all, something you know, like a password or a pin, something you've got with you. So that could be your phone, it could be a little security key dongle that's on your key ring, it could be an authenticator app. And then something that you are, which means something like a fingerprint or your face or your retina or whatever else it is. Obviously, with two-factor authentication, you're saying, well, let's just go with two of those.
Hannah Clayton-Langton:Which is normally like a phone, it's normally a text, right?
Hugh Williams:Yeah, exactly. So in in the case of my bank, I have to know my password to get into my banking app, and it will send me texts or it'll ask me to use an authenticator app on my phone.
Hannah Clayton-Langton:Okay, and as a user, like this is kind of annoying if you don't have any other context as to why you're being asked for it. Like it's kind of annoying that you have to be emailed or texted a code and put the code in or have an authenticator app when you just want like a smooth user experience, but it's obviously totally worth the same.
Hugh Williams:Security is the enemy of convenience. Yeah. Like it's the enemy of convenience. If you want convenience, you wouldn't have a password, right? Just your email address. And so, yeah, look, the price of the price of security is inconvenience. And I think it's well worth it's well worth the trade-off. I would say that using an authenticator app is a much more secure thing than a text, because it is possible to get a SIM card that's a duplicate of your SIM card and put that duplicate in a in a phone that isn't your phone and start receiving your texts, right? If I've got your username and password and I've got a phone that you know is effectively your phone but isn't, then it's possible to start receiving texts and logging in as you. Much, much harder to do with an authenticator app. So I love authenticator apps over being texted.
Hannah Clayton-Langton:Okay, and this is where you start to see like vulnerabilities and older people being targeted for these types of hacks because it's inconvenient and/or if you don't really understand how apps or authenticators work on your phone, you're just going to opt out if you can. Although I would say that in the last few years it's felt less and less optional to have all these sort of layers of security.
Hugh Williams:There's a new breakthrough called passkeys, which we can talk about in a second, which sort of simplifies it a little bit. But yeah, look, it's you know, it's getting harder and harder to use technology as technology gets more and more sophisticated. And as these hackers get more sophisticated, security is getting more sophisticated. And so definitely for those who aren't, you know, super confident with technology, it's very difficult to maintain security.
Hannah Clayton-Langton:Let's talk about passkeys. I've understood that they are like the level above multi-factor authentication. And as listeners can expect and perhaps experience, like after the Marks and Spencer's hack and the other attempted hacks on the UK retailers, every exec team must have been like, what are we doing to be secure? How secure are we? And the key thing I took away from discussions at work was like get these passkeys wherever you can installed as an alternative to basically an alternative to passwords, right?
Hugh Williams:Yeah. Basically what happens is when you agree to use a passkey, there's a what we'd call a key, an encrypted key stored on your machine. And when you try and access a website or an app, that app will challenge your machine or say back to your machine, are you really you? And then using this secret key that's stored on your machine, you'll sign this and that'll go back to the website and say that you're really you. So the miracle here is you don't have to remember a password, you don't have to type anything. All you've got to do is unlock your phone with your face or or perhaps, you know, your laptop with your fingerprint, whatever it is. And then when you go and visit the website, magic happens behind the scenes and you get to log in. So you don't actually remember a password, you you don't know what the password is, you can't give the password to anybody. The computer's doing all the work of logging you in and making sure that you are definitely talking to the thing that you think you are.
Hannah Clayton-Langton:So two quick follow-up questions. I assume that the benefit of that is that there's less room for human error or human vulnerability.
Hugh Williams:Yeah, correct. So somebody calls you up and tries to bully you into sharing your password. You don't know the password, there is no password.
Hannah Clayton-Langton:Okay, and then is it true? My recollection of the explanation I had at the time was that there's like an element of location here, which is like for me, the passkey always involves me opening up my phone, scanning a QR code, and then it like authenticates my face. And I had understood that the passkey is recognizing that both my computer, which is where I'm trying to log in, and my phone, which is where I'm activating the passkey, are like in the same physical location.
Hugh Williams:Yeah, and look, and that's an additional uh layer of security over the idea of a passkey, but that's um that's fantastic as well. This is as secure as it gets.
Hannah Clayton-Langton:So basically, listeners, get on top of your password game. It can be annoying in terms of disrupting convenience. And then for like companies, there's some pretty basic stuff as well. So like I mentioned earlier that our InfoSec team do like fake phishing emails, which I have to admit, I have been caught once. Yeah. So that's so that's definitely good that they do that. And then they do, I think they do something called pen testing, which is penetration testing. So what's that?
Hugh Williams:So penetration testing is basically the idea of uh getting somebody to attack your website for you. So think about the SQL injection attack that we talked about earlier. So one of the things that I would do if I was trying to check if your website was secure is I would try some SQL injection attacks on your website. I'd go and test all the different fields and try lots of different things and see if I could make that happen, right? And of course, you're gonna hope I fail. Yeah. Um, and then you'll get a nice green square that says, you know, that your company is safe against SQL injection attacks. Another thing you might do is you might look for open ports, we call them, um open services that are available that should be secured. And this is another thing that commonly happens to companies is imagine, you know, you and I are running our startup and we we decide we're gonna host everything up in the cloud on top of AWS, and we set up AWS. One of the things you have to do in setting up AWS is set all the permissions of who can access what and where's our data available and to what other pieces of software and to who and things. Easy to make mistakes. So it's possible sometimes that you know a database, for example, is just hanging out there on the World Wide Web, and I can just go and uh, you know, if I know how to get into an AWS database, I can get into our database and start sniffing around. So just making sure that all of the things that should be secured are generally secured. So best security practices, these penetration testing folks are gonna run some software to do some of this. So try a whole bunch of things in a fairly methodical way. They're also gonna try some human things, and then we're gonna get back a report and it's gonna have some, you know, some green, some yellow, and some red. 
And if there's some red, then we should uh we should go fix that, you know, yellow opportunities for improvement and green, you know, you and I are pretty happy with our security practices.
Hannah Clayton-Langton:Okay, so one question, one observation. I assume that these are often third-party like services that you can hire from. Okay, because you if someone inside is doing it, then they like are they compromised already.
Hugh Williams:Yeah, that's right. Um occasionally, though, you'll you'll have what's called red team, blue team activity in your in your company. So you might say, hey, look, you know, let's spend a day trying to hack ourselves. We'll start up two teams, we'll have a red team, and the red team's job is to try and get into us, and the blue team's job is to try and stop that happening. You know, people will download some tools, have a real shot.
Hannah Clayton-Langton:It's good fun. Fun until you get in and then you create a whole bunch of work for yourself. Yeah, that's right.
Hugh Williams:But um, but you know, better us, uh, you know, our smart engineers having a fun day hacking with some pizza and whatever else, better us than uh some nasty folks from the outside.
Hannah Clayton-Langton:There's a version, I think, where people will just try and get into your building by like tailgating someone through the security gate at an office and then like looking for a laptop that's not been locked. I mean and this all amounts to an attempt to like hack, get on someone's laptop, go and steal a bunch of confidential documents. And I think when we talk about like security audits, we obviously definitely mean you know getting into the systems, but there's like such basic stuff that if you you're not hygienic on as a business will absolutely be a vulnerability.
Hugh Williams:It's the social engineering type stuff that'll get you every time. Seriously. I mean, that this is, you know, the we talked about the M&S attack at the top of the show, and that's social engineering, right? Like I'm I'm bullying somebody on a help desk into doing something and being very convincing about it. That's what will get you most of the time. And so this tailgating, calling and bullying employees, you know, asking for things from the finance department, whatever it is, is what will get you most of the time. As we've talked about in the show a couple of times, Hannah, you know, I was at eBay um early in the 2010s, uh, I think about three, four months after I left, eBay was a subject of a hack. It wasn't a ransomware hack. Um, it was a hack where they got in and they got hold of all the users' information. eBay forced everybody to change their passwords, you know, long, long process of figuring out how that one happened. But again, started with an employee being bullied by somebody into doing something. Happened again at a company called Pivotal that I worked at. Somebody impersonated the CFO, called up somebody in the finance department and said, Look, I need this information, this payroll information, I need it right now. It's Saturday, just send it to my Gmail address.
Hannah Clayton-Langton:Never send it to the Gmail address.
Hugh Williams:And did a pretty good job of impersonating the CFO, you know, junior finance employee dutifully took all the payroll data and sent it to uh heaven knows who. And uh, you know, all employees' pay information, personal details, social security numbers, all those things were uh owned by some hackers within seconds. So this is this is what will get most people. Yeah. And of course, you know, it's not just companies that are subjected to this. I actually was called by uh somebody two weeks ago, pretending to be my bank. So I was sitting at home one night, called me up, and they said, uh, is this Hugh Williams? I said, yeah. And they said, Look, it's uh it's your bank. They gave my bank's name and they said, Um, you know, you've got a business banking issue that we need to talk to you about. And I said, Oh yeah. Um, who are you? And they're like, You're based at, and they read out my address. So they've got my phone number, they got my name, they got my address, right? They've read these three things out. And I said, uh, yeah, but then I'm thinking in the back of my head, the bank usually uses my post office box, not my physical address. So I'm like a bit strange.
Hannah Clayton-Langton:And the bank always say that they'll never call you, or at least in the UK. They're like, we don't ring you.
Hugh Williams:Yeah. And I said, Um, what's the matter about? And they said, Look, you know, we just need to validate your details. And I'm like, you you're, you know, you're fishing for me to give you something. And I said, Well, I'm not going to give you the details. And I said, Look, um, you know, who are you? And they said, I can give you my employee number, or I can give you a number that you can call us back on. And I thought, well, you know, the employee number sounds impressive, right? They can read out one, two, three, four, five and hopefully it'll fool me. Um, or they can give me a phone number that's their phone number and hope that I'll call them back and we can just continue the conversation. And I said, Look, I know you're not my bank, and I just hung up on them. But but these folks, you know, they're they're pretty good, pretty aggressive. It sounded urgent.
Hannah Clayton-Langton:100%. And I think they exploit the fact that particularly a junior employee, if the CFO wants something into their Gmail, that junior employee may not feel entitled to challenge it. And that's where like training your population on this stuff, and I guess every now and then like testing them via those like fake phishing emails that I mentioned is actually just really good practice.
Hugh Williams:Yeah, yeah, really, really important. I mean, it's really important to develop a culture where people will challenge things that they that they think are suspicious. You know, I worked at Google. Google absolutely has a culture of you you can't tailgate somebody through any door with a badge. If you try to tailgate somebody, the person in front of you will turn around and say, You need to scan your badge. Can I see your badge? And everybody will ask that from you know the cleaner to the CEO.
Hannah Clayton-Langton:I've never worked anywhere where that's allowed, to be fair. And I said no to people before when they say, Can you let me in? I'm like, nope. Yeah, great. Don't know if it was a test or not, or I was being annoyed.
Hugh Williams:The majority of companies that I've been involved in are fairly lax when it comes to that. Google was an outlier, you know, for me.
Hannah Clayton-Langton:It's that social element though, isn't it? Like people trying to be helpful. Like it's never that people are being intentionally careless. It's just that our natural reaction as humans is to trust, right? And that's where like AI deep fakes, where I think you can like muster up someone's likeness via voice, starts to get really worrying. Cause then like someone could call me purporting to be my boss. Yeah, yeah. Yeah, yeah. And I it could be incredibly convincing that they were, right? And so that's I when I get to get all sorts of nervous.
Hugh Williams:Absolutely. So, you know, you need to definitely have a culture of questioning and challenging and making sure things are absolutely right. Another thing we we should just quickly talk about, Hannah, is just keeping software up to date. You know, one of the best things you can do both as an individual and a company is just keep your software up to date. So when your laptop uh says, you know, it's time to install this update or this new version of whatever it is, just say yes. You know, don't postpone updates. Because what of course these companies are doing is they're they're discovering how their software can be exploited, they're fixing those problems probably pretty quickly, and they're making available what we'd call patches or updates.
Hannah Clayton-Langton:I was gonna say, is that a security patch? Okay.
Hugh Williams:Yeah. And then, you know, if you apply it, then you're uh, you know, you've effectively taken the vaccination, right? And so a lot of the folks who get hacked who aren't victims of the social engineering hacks, a lot of these folks who get hacked are victims of hacks that could have been prevented had they have kept the software up to date.
Hannah Clayton-Langton:And I presume that applies to like apps on your phone as well. Absolutely. Yeah.
Hugh Williams:Absolutely everything. So keep your software up to date.
Hannah Clayton-Langton:So just to round us off on a more positive note, let me just give ethical hacking a bit of a shout-out. So that is where folks who know how to hack, they've got the skills, you know, they will try and hack a company, but instead of exploiting that for blackmail or other malicious intent, they basically like contact a company and they say, Hey Google, I got into your this system, which I'm pretty sure you don't want me to get into, and I can tell you how I did it. And then they get some sort of like bounty reward for doing that.
Hugh Williams:Yeah, yeah, exactly. And there's a couple of companies, um, there's there's one called Bugcrowd and the one called HackerOne that effectively are intermediaries. And uh it's exactly how it works, Hannah. Is uh I often offer challenges. So you work at a a well-known retailer in in the UK, put up a program or a challenge, you know, people out there have a have a shot at trying to get into your website. If they can get in, then uh they'll get paid a bounty. And some of these bounties are quite high. You know, you can you can get tens, if not hundreds, of thousands of dollars from the major tech companies for um finding vulnerabilities and and everybody wins. So uh these people are effectively, you know, good guys and gals out there, you know, earning a living, trying to make the internet safer, reporting this information before the bad guys find it, the companies make their services more secure.
Hannah Clayton-Langton:When I listen to these sort of half-nerdy podcasts where hackers come on and talk, most of them at least claim that they're now ethical hackers. I don't know to the extent with which that's true, but they sort of will often say they've seen the light and you know now help the cause rather than infiltrate it.
Hugh Williams:Yeah. Yeah, and it seems like a smarter thing to be doing.
Hannah Clayton-Langton:If anyone is an ethical hacker or knows an ethical hacker, we would love to talk to them about all of this for a future episode. So, you know, email us at Hannah at techoverflowpodcast.com with your contacts and and we'd love to talk to someone.
Hugh Williams:Yeah, absolutely.
Hannah Clayton-Langton:Okay, so a lot of really rich content there that we've talked through. Are there any last points, or I'm hoping you're gonna have like a one more cool anecdote for us to round off the episode.
Hugh Williams:Yeah, I'll tell you a story. Got a good one for you, Hannah. My friend Richard Orm said I could use his name. Richard's uh Hi, Richard. Great guy. Uh you know, well known CTO in the in the London scene. Richard was working for a company, I want to say, you know, 10, 12 years ago, came in one day and uh discovered that slowly but surely various different parts of the system stopped working. You know, can't seem to access that file. Oh, you know, that part of the process doesn't seem to be working. And slowly but surely the systems at this company ceased to work. So then they discovered on the shared drives, so the the drives that are, you know, made available to every employee, that all of the files that were on those had been encrypted.
Hannah Clayton-Langton:Oh my God, that's like the worst, that's the moment that your heart drops out your stomach.
Hugh Williams:So they're like, how did these get encrypted? And this has sort of progressively occurred over a period of time. And so they they start running around the office trying to figure it out. And eventually, after looking at lots and lots of different computers, they find that one guy on his screen, it says, you know, your computer has deployed ransomware within your organization. You need to pay two and a half Bitcoin.
Hannah Clayton-Langton:Oh my god.
Hugh Williams:And then we will unlock all of the files. So my friend Richard says, Well, we don't have to do that because we got backups. So we will uh we'll just go get the backups and we'll we'll restore all of the systems.
Hannah Clayton-Langton:Yep.
Hugh Williams:He goes to the IT team, says, Right, let's let's get on with this. And somebody in the IT team says, Um, we stopped taking backups. And he says, You what? Yeah, um, you know, we needed to save costs. We've been on a cost reduction program. I thought backups were getting a little bit expensive, and so we haven't taken backups for I forget what it was, six, nine months a year. This is back in the deep dark days where you know Bitcoin wasn't as sort of in the public domain as it is today. So my friend Richard's like, what exactly is Bitcoin? How do you buy Bitcoin? What's a Bitcoin wallet? We should do an episode on Bitcoin.
Hannah Clayton-Langton:Yeah, we definitely should. And I've had a listener email through on Bitcoin at the moment. Oh, awesome. Yeah, yeah.
Hugh Williams:And so he goes and figures this out. He ends up at some strange website, you know, dealing with whoever it is, and he buys five Bitcoin, which uh at this point $20, $30 a Bitcoin.
Hannah Clayton-Langton:I was gonna say five Bitcoin. Okay, yeah. Yep.
Hugh Williams:So he goes and buys five, needs two and a half, goes and um deposits this 2.5 Bitcoin into this wallet, and uh the machines start getting decrypted. So one by one, files start returning to their original state. You can see this slowly happening. 48 hours has elapsed, right? So the business has been basically suspended for 48 hours, but he's he's figured out this Bitcoin thing, he's paid the Bitcoin, and now the files are coming back. Richard said to me, you know, he said, I was just sitting there hoping this machine like did not die. Like, as if this machine died, then there was no way to obviously decrypt all the files. He obviously didn't know that if he paid the 2.5 Bitcoin that they would actually decrypt the files, but he's paid it and it's decrypting. They were sitting there just watching all the files decrypt. And when the last file decrypted, he said we just pulled the network cables out of this computer and got it off the network. And then uh business resumed.
Hannah Clayton-Langton:Oh my god, wait. So let me just talk that through. So some employee's computer becomes compromised via what? Some one of the hacking.
Hugh Williams:He actually used his personal Gmail. Um, so he'd opened up his personal Gmail on his computer. Which we all do. Which we all do. Yeah. That bypassed some of the typical security checks that would happen within the systems. It's Friday afternoon, guy's in a bit of a hurry, double clicks on something, runs this thing on the work machine, uh, it goes into the shared drives and starts encrypting absolutely everything. Now, the the good thing here was there was no human involved. So this was just a piece of software, a little bit like a virus, I guess, that was just running on his computer. So the attackers actually didn't know that they'd infiltrated a company and suspended a company's operation. But I guess also the company had no way of contacting the hackers because the hackers didn't know they'd hacked the company. So really the only way out of the jungle here was either backups, which they didn't have, or, you know, pay this 2.5 bitcoin ransom and hope like heck that it decrypts the files and you end up in a reasonable state.
Hannah Clayton-Langton:Wow.
Hugh Williams:Do you want to know the best part of the story though?
Hannah Clayton-Langton:Yeah.
Hugh Williams:Remember, Richard bought five Bitcoin, he's only paid two and a half.
Hannah Clayton-Langton:Yeah.
Hugh Williams:Do you know how much Bitcoin's worth today?
Hannah Clayton-Langton:Yeah, I've looked it up. About 80,000 pounds. Yeah.
Hugh Williams:So Richard's sitting on top of 2.5 Bitcoin still today, but he can't remember the password to the laptop that it's stalled on. He's tried the password a few times, he's actually got one attempt left.
Hannah Clayton-Langton:This is a story you hear.
Hugh Williams:Uh and so he's got a very, very valuable laptop sitting in his house at home that's worth an enormous amount of money, but he doesn't know the buns.
Hannah Clayton-Langton:Oh my god, Richard, well, maybe the hackers can help him infiltrate that laptop to get the Bitcoin back. Wow, that's crazy. And this was a long time past.
Hugh Williams:Yeah, over 10 years ago.
Hannah Clayton-Langton:So you don't need to talk through the details because poor old Richard probably doesn't want us exposing at all. But like the vulnerabilities that were exploited, presumably wouldn't get through in the same way today because we're more secure.
Hugh Williams:I think this would still happen. I think this would still happen. One thing I'd say that maybe might make some of our listeners feel a little bit better is it's a bit like burglary in your street, right? You've only got to be more secure than the house next door and they'll they'll burgle the house next door. So really what you've got to do is you've got to think about your company and look at your peers and make sure you are more secure than the peers of your size, right? So when these hackers are sizing up a target, they think of this as an economic thing, right? And so what they're looking for is somebody of that class, what they are capable of paying. If you're harder to hack than the than the folks next door, they'll hack the folks next door. So we don't all have to be as secure as Microsoft, Google, Amazon, Meta. We just have to be more secure than the people that are in our class.
Hannah Clayton-Langton:To be clear, blackmail is a crime, misuse of Computer Information Act or something in the UK that makes all this stuff.
Hugh Williams:Highly illegal stuff. Highly illegal stuff.
Hannah Clayton-Langton:And also, this might be an interesting note to end the podcast on paying ransom to hackers is something that governments are going to start intervening on because it's creating quite a nice little industry for them at the moment, right? To get, you know, to get money off of big companies where they can, you know, get into the systems.
Hugh Williams:Yeah. And the UK I think is very close to actually making it illegal to pay ransom. And you might say, well, how are how is you know a particular company going to get out of the mess that they're in if they don't pay the ransom? But you know, if you make the whole country an unattractive target and you say, look, there's no point in attacking companies in the UK because none of them can pay us, um, then you know, hopefully folks will go somewhere else. That's the thinking.
Hannah Clayton-Langton:Okay. And uh does that mean that you could still pay white hat hackers or ethical hackers, I assume you can't. Oh, yes, of course. Okay, of course. Okay. Of course. Interesting. Well, we'll see if that works. I guess only time we'll see.
Hugh Williams:But uh, you know, it's a big industry, it's a big problem, and uh certainly something for all of our listeners to be making sure that at their company they're doing the right things. And remember again, you know, security is the enemy of convenience, so expect some inconvenience, want some inconvenience. And then from a personal perspective, unique passwords, nice long passwords, not common passwords, and keep your software up to date and be suspicious.
Hannah Clayton-Langton:Be suspicious, okay, right. Well, on that note, this has been the Tech Overflow Podcast. I'm Hannah Clayton-Langton.
Hugh Williams:And I'm Hugh Williams.
Hannah Clayton-Langton:And if you like what you've heard today, you can subscribe wherever you get your podcasts, share it with friends, family, give us a review. We appreciate all of that stuff.
Hugh Williams:Yeah, absolutely. Uh, we're also available on LinkedIn, posting three or four times a week about the episodes that are coming up, uh, having some real fun there. And uh we're also available on Instagram and X.
Hannah Clayton-Langton:Yeah, and you can also find us on techoverflowpodcast.com. That's the show. So thanks for listening. Thank you. Bye. Bye.