LockBitsupp unmasked!!? My reaction to the FBI and NCA’s LockBit ransomware revelation

Graham Cluley

Check out my “live reaction” (isn’t that what all the kids post on social media these days?) to the much-hyped revelation of the identity of LockBit’s administrator.

For more background on what’s been happening regarding law enforcement’s disruption of LockBit this week, be sure to check out this episode of the “Smashing Security” podcast.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Did it involve a steamroller?

Carole Theriault

No! Oh my God!

Graham Cluley

An accident with a trouser press?

Carole Theriault

Is that how you think I should die? I should get squished?

Graham Cluley

I don't know.

Carole Theriault

Squished?

Graham Cluley

Could be a grand piano falling out of the first floor window. There's all sorts of possibilities.

Carole Theriault

I could die in my sleep, really peacefully and fine.

Graham Cluley

Can't really see you going that way.

Carole Theriault

Wow!

Unknown

Smashing Security, Episode 360. Ransomware, LockBit locked out, and funeral Facebook scams with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 360. My name is Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

360. Actually, you know what? I've got it mixed up because it's 180 that they say on the darts, isn't it? And this is 360. So it's not quite as exciting as I imagined.

Carole Theriault

I don't know. It's a whole circle. Right?

Graham Cluley

It's how many minutes there are in a something or other.

Carole Theriault

Exactly.

Graham Cluley

6 hours.

Carole Theriault

Yeah. Before we kick off though, let's thank this week's wonderful sponsors, Kolide, BlackBerry, and Vanta. It's their support that help us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Graham Cluley

I'm going to be talking about bad vulnerability management by the cybercriminals.

Carole Theriault

Ooh, okay. And I'm going to be doing something I'm calling Facebook, Funerals, and Fraud. Plus, today we get to hear from BlackBerry VP Keiron Holyome, who is going to talk to us about AI for good and AI for bad. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Well, chums, huge news in the world of ransomware. Very exciting, because the FBI and the NCA— that's the UK's National Crime Agency— have made an announcement on the day of recording that they have delivered a catastrophic blow against the LockBit ransomware group and its affiliates after a massive multi-year investigation, which they have called Operation Kronos.

Keiron Holyome

Kronos.

Graham Cluley

Don't you love these sort of butch sort of Avengers-style names that they give their investigations? They don't call it Operation Lumpy Trousers.

Carole Theriault

Do you know what? The day they have Operation Barbie or something, I'm gonna celebrate.

Graham Cluley

They might have to get permission from Mattel for that one, maybe. Well, LockBit, as I'm sure many of our listeners know, is one of the most notorious ransomware operations out there. It's had lots of high-profile targets like Foxconn, the tech manufacturer who make your Apple iPhones and Samsung phones, IT giant Accenture, and the UK Royal Mail. Overseas deliveries of packages were being delayed a lot because they got hit by the ransomware.

Carole Theriault

When did they get hit? Last year, Royal Mail?

Graham Cluley

Yeah, last year. That's right. Last year they got hit.

Carole Theriault

I felt it. We seriously felt it. Did you not? Because we have a lot of things like The Economist delivered or Private Eye.

Graham Cluley

I think it was affecting deliveries going overseas rather than coming into the UK. I think what you may be experiencing is just the general decline of the British Royal Mail.

Carole Theriault

Yes, maybe.

Graham Cluley

Which now takes weeks to deliver a postcard.

Carole Theriault

Okay, crack on.

Graham Cluley

Well, anyway, LockBit are run like a major organisation. Some have even called them the Walmart of ransomware. It's quite a good little quote, isn't it? A good little soundbite there. The Walmart of ransomware, because they dwarfed all the other ransomware groups in terms of market share. They were the leader by quite a long way. Very organized, very professional.

Carole Theriault

If someone said, oh my God, your fashion is so Walmart, would you feel flattered?

Graham Cluley

I potentially not know. Potentially. Maybe they would think that I'm just someone who's, you know, careful with my cash. You know, because, well, what does it matter? As long as you're clothed, as long as the essential parts are covered, does it matter who's made them? I don't know.

Carole Theriault

Well, hopefully not little children in countries where, you know what I mean?

Graham Cluley

Ah, good point. Yes. Okay. Fair enough. Yes. You don't want it done by sweatshops. Now it's important to realize that a ransomware operation like LockBit isn't being run by just one guy launching the attacks from his back bedroom, surrounded by pizza boxes. LockBit takes this familiar form now, which we're seeing more and more with ransomware gangs, of a ransomware-as-a-service operation, meaning that other criminals are paying to be affiliates. They are launching attacks, they're sharing a percentage of their criminal earnings with the original gang.

Carole Theriault

Hmm.

Graham Cluley

And so identifying, charging one LockBit suspect doesn't necessarily mean the downfall of the entire criminal operation.

Carole Theriault

I suppose it depends who it is, right? If it's the person who's making the tea, probably not. If it's the person who's in charge of all the passwords, maybe?

Graham Cluley

Well, what has happened on this occasion is the authorities have seized complete control, it appears, over LockBit's infrastructure.

Carole Theriault

Oh wow. Yeah. So, for instance, if you are currently a LockBit affiliate, if you're one of these other hackers who works with LockBit, hacking into companies, launching ransomware attacks, and planned to share a percentage with them and using their infrastructure. When you go to your LockBit control panel right now, you don't see the normal interface for launching attacks and stealing the information. If you were arrogant, you would think, "Yeah, yeah, they're just sending this automatically. They have no idea. It's going to take them ages to process the data. They'll never get to us. We'll disappear before then." Maybe you're right.

Graham Cluley

Maybe you're thinking they're just bluffing. Maybe you're thinking, yeah, I shouldn't be so worried about that. Whereupon you go to LockBit's website on the darkweb where they normally publish their leaks.

Carole Theriault

Okay.

Graham Cluley

And what you see there is that the police authorities are now dripping out information about how the gang operated and will carry on over the coming days. In fact, and this is really brilliant, if you fire up your Tor browser right now and go to the LockBitLeaks website on the darkweb, you'll see what appears at first to be their regular catalog of hacked companies. So what they do is they have a little gallery of different companies up there, and there's a countdown on it as to when they are going to release the information about those companies. That's what they normally have.

Carole Theriault

That's so gross.

Graham Cluley

Right. So that has now been replaced. Because when you read the words, what you actually find is now that gallery, the actual content on them, is actually a list of posts announcing what law enforcement agencies have done. And some of them have countdowns on them where they say, "We're not telling you this yet, but we're gonna be releasing this in the next two days," or something like this.

Carole Theriault

This is when, this is why marketing is important, people. You may have really, really, really interesting data, but they've obviously combined with people to come up with this idea, right? There's a lot of different brains being involved in here, don't you think?

Graham Cluley

Well, they are capturing the imagination of people online. You know, they are exploiting social media. They're posting up little things videos. So this is the information they're going to be releasing: sensitive information on LockBit's cryptocurrency operations and their financing, their affiliate infrastructure, detailed analysis of future iterations of LockBit. They're doing that in association with a cybersecurity vendor. Information about the exfiltration tool used to steal the data, sanctions that are going to be taken against the group, a decryption tool which has been developed by Japanese police. They've got information about 5 people have been charged in the States, including 2 Russian nationals.

Carole Theriault

Jesus.

Graham Cluley

2 of them— That's quite sexy.

Carole Theriault

Let me just cross and uncross my legs. Thank you, Sharon.

Graham Cluley

So 2 of them, 2 of these people are now in custody. Another 2 have just been arrested in Ukraine and Poland. More arrests seem likely, and they're even dripping information, saying they're going to reveal the identity of the LockBit gang's administrator. He's called LockBitSup, and they're saying we're going to reveal that in a couple of days. And they published screenshots of LockBit's source code, its backend admin panel, redacted images of negotiations that have taken place with victims. They've frozen over 200 cryptocurrency accounts.

Carole Theriault

This is fighting fire with fire. Right? And it's also slapping you back in the face with the same shit you've been torturing everyone else with. It's really interesting.

Graham Cluley

Well, LockBit's credibility is now in the drain, isn't it?

Carole Theriault

Right.

Graham Cluley

And people are wondering, well, how did the police manage to do this?

Carole Theriault

That's what I'm wondering. That's exactly right.

Graham Cluley

Well, it appears the authorities were able to breach LockBit's infrastructure because they had a vulnerability in PHP, which they hadn't patched. So they hadn't applied this darkweb patch.

Carole Theriault

We all have a fail soft spot, even the bad guys. Wow.

Graham Cluley

It's very similar to, of course, what the gang does to break into companies to launch their ransomware in the first place.

Carole Theriault

That's embarrassing, isn't it, guys?

Graham Cluley

Very embarrassing.

Carole Theriault

Mm-hmm.

Graham Cluley

So if you've been hit by LockBit, folks, you don't need— you definitely don't need to pay a ransom anymore. Yeah. The authorities can help you decrypt your data. They've created this tool. If you are a victim in the UK, you can email the NCA at .

Carole Theriault

Gorgeous.

Graham Cluley

If you're in the United States, I'll put links in the show notes. If you're in the United States, go to a site called lockbitvictims.ic3.gov. And anywhere else in the world, go to nomoreransomware.org where you can download a tool as well. So it's all really, really good news. You know, normally we have bad news, don't we, on the Smashing Security podcast?

Carole Theriault

Well, you often do. And I'm— Me? I'm just really thrilled that you're covering this story.

Graham Cluley

I mean, there is a slight, you know— Uh-oh.

Carole Theriault

Uh-oh. Okay.

Graham Cluley

Because of course, this isn't the end of ransomware. Someone else is going to fill this vacuum. Someone else is going to move in there, we can imagine. And some of those criminals will probably carry on pursuing ransomware operations too. So you should continue to tread carefully, but also the ransomware gangs should tread carefully as well because they never know when law enforcement might pull the rug from beneath them, just like they appear to have done with the LockBit gang as well.

Carole Theriault

Yeah. Amazing. Well done.

Graham Cluley

Super news. Some happy news from the world of Tech. Krow, give us some similarly uplifting, cheery news from the world of cybersecurity, please.

Carole Theriault

I think the way I'm going to tell you this tale is to imagine that I have passed away. Oh, I want you to imagine there's a very sad day that happened, right? And I've met my maker.

Graham Cluley

Right.

Carole Theriault

And do you want to know how I met my maker?

Graham Cluley

Was it— did it involve a steamroller?

Carole Theriault

No. Oh my God.

Graham Cluley

An accident with a trouser press?

Carole Theriault

Is that how you think I should die? I should get squished.

Graham Cluley

I don't know.

Carole Theriault

Squished.

Graham Cluley

Could be a grand piano falling out of the first floor window. There's all sorts of possibilities.

Carole Theriault

I could die in my sleep really peacefully and fine. That's what I was thinking.

Graham Cluley

I can't really see you going that way. Is that where you expect to go? Wow.

Carole Theriault

Yes.

Graham Cluley

Oh, okay. All right then. I'll be okay.

Carole Theriault

You think a piano is going to fall on my head? Okay, thanks. That's so great. Okay, moving on. Okay.

Graham Cluley

Yes.

Carole Theriault

Despite me not being on the socials, my people are, you know, people that like me, maybe even a listener or two.

Graham Cluley

Yeah. Yeah.

Carole Theriault

And they're sharing details on what happened and they're sharing lovely stories about my life. Oh, she was so funny and she was so patient with Graham.

Graham Cluley

Well, Carole, I certainly would have a few stories I'd be very, very willing to share on social media in the event of your death. In fact, there's some things—

Carole Theriault

What would you say? What would you say? What would you say?

Graham Cluley

Well, Carole, there's some things that I frankly am not prepared to share while you're still alive and able to charge me with slander. But once you're dead, then I reckon it's a free-for-all. Then there's various videos, audio clips, various things. But finally, I can unleash everything. You want to know what she was like? Let me show you.

Carole Theriault

Okay, okay. So you're online doing all this sharing stuff, sharing all the videos, all the most embarrassing things I've ever said that's happened to me. And at one point, someone, maybe you, you're going to ask, you know, when and where's the funeral, right? Because you want to pay your respects, even if despite your grief, you want to honor.

Graham Cluley

I want to make sure you're dead in case you call the lawyers. So I've said all these things just based upon a report. Thought that you've died.

Carole Theriault

I was just thinking, you know, a very important co-host has played an important role in your pod life.

Graham Cluley

Very important. Yes.

Carole Theriault

Important. Alas, the funeral, unfortunately, Graham, is on a day that you're just unavailable to—

Graham Cluley

I'm washing my hair.

Carole Theriault

Exactly. You have a meeting. Okay, let's say it's a diarrhea moment. It's a moment that everyone can understand. Maybe you go on socials and you're like, sorry, and you do the little emoji.

Graham Cluley

I'm planning to have diarrhea that day, so I can't go to Carole's. I think it might improve your funeral, to be honest. Give everyone something else to think about.

Carole Theriault

I think it would be a good reason to not attend my funeral, okay?

Graham Cluley

Okay, all right, I'm back.

Carole Theriault

But you wanna be there, you wanna be there. It's complicated for you. You've got this poo issue, you wanna pay your respects, but wait, you see in your feed, alongside a picture of me smiling from when I was about 32, right? Details of my funeral. Of an online streaming of my kick-ass funeral.

Graham Cluley

Oh, perfect. So while I'm streaming, I can watch the funeral streaming on my laptop.

Carole Theriault

You could be in your restroom, or loo, depending on where you live, right? And you could sit there with your iPad on your lap.

Graham Cluley

Yeah, maybe prop it up somewhere rather than have it that close to me.

Carole Theriault

A lot of people have white bathrooms. I might wanna put a black curtain around stuff. Just to somber it up a bit. Maybe turn the lights off.

Graham Cluley

Turn the lights off, yes.

Carole Theriault

Turn the lights off. Put the mute button on, because if you're on the loo, you know.

Graham Cluley

Well, I wasn't going to have my video camera on either. I was planning just to watch.

Carole Theriault

Why wouldn't you? To show your respects. To say, I'm here, present. I'm not sitting there doing the dishes while I'm listening to your funeral.

Graham Cluley

Okay. I suppose it's important for me to be seen to be mourning your loss, isn't it? Because that'd be good for my image.

Carole Theriault

And you are important in my life. I hate to say this. But it would matter, I think.

Graham Cluley

Okay, well, not to you any longer.

Carole Theriault

Maybe, who knows? Who knows? I could haunt you if you don't show up. I'm just saying.

Graham Cluley

Right, okay. Who knows?

Carole Theriault

You know, so you see this picture of me, you see this streaming my funeral, you're thinking this is great. And it says, please like, share, you know, with family and friends, right? And there's my mug, my face. You're thinking, I gotta do this, right? So you maybe share at this point with all our podcast listeners.

Graham Cluley

Yeah, I could share it with others. Yeah, yeah, yeah.

Carole Theriault

You might even be generous and go Sticky Pickles dudes and Art Musings dudes. You might do that at this point too, right? Get all the podcast people, a trifecta.

Graham Cluley

Do you think the streaming service can cope with that volume of people watching at the same time?

Carole Theriault

I don't know, Graham. I don't know. It won't be my problem. You might even record it for a future episode, maybe give you a bump in listens at a time where you don't need to share any spoils.

Graham Cluley

That's good.

Carole Theriault

Am I right?

Graham Cluley

That's a great idea, actually. I like that idea. Yeah. Yeah.

Carole Theriault

The day has come. You slap on a black t-shirt, black joggers just in case.

Graham Cluley

Yep.

Carole Theriault

And you click through to the livestream and you click through and it says, oh, you got to register first. Right. And then you'll get the link. You know, we don't want— we don't want no scammers. They're scammers, dudes. They're scammers. And you're thinking, yeah, you know, I know all about that stuff.

Graham Cluley

So I have to log in as a legitimate mourner, I suppose.

Carole Theriault

And you're probably just going, sheesh, Jesus Christ, why did Carole choose this? Was this in her funeral requirements or this? Is this her Yeti?

Graham Cluley

Yeah, exactly. Her partner has actually monetized her funeral. He's probably getting a kickback.

Carole Theriault

You just have to register.

Graham Cluley

Oh, okay. Okay. All right.

Carole Theriault

But you're right. I would like to monetize. So you're thinking ahead. You go through and it's like, you know, right, the livestream's about to start.

Graham Cluley

Okay. Yes.

Carole Theriault

There's the whole livestream of Carole's funeral. And there's a video player, like a streaming service. And there's a little loading, loading, loading. And then it loads. And then there's a big button that says watch live now.

Graham Cluley

Here it is, finally. Yeah. Playing some emotional Canadian music.

Carole Theriault

Maybe, maybe Bryan Adams in Summer of '69 is bombing out.

Graham Cluley

Bit of a Loverboy.

Carole Theriault

And you press the button, right? Watch live now.

Graham Cluley

Yeah.

Carole Theriault

And you sit tall, 'cause you're on video on the loo, as we said earlier. So camera's very carefully angled. You then have to enter your credit card information to watch my funeral. And you're thinking, of course, that's why! Carole's trying to make a buck after she's dead!

Graham Cluley

Making money out of it once again.

Carole Theriault

And you'd be wrong, Cluley, because the whole thing—

Graham Cluley

No, it's your partner making a buck. You're not going to make any money out of it. Carole, have you not worked out how death actually works? You don't get to keep your bank account.

Carole Theriault

Oh, you're right. Well, the whole thing is not true. It's a whole nasty, disgusting scam making the rounds with increased ferociousness.

Graham Cluley

You mean you're not really dead?

Carole Theriault

Well, no, actually, I am really dead. So it's targeting people that have deceased, finding their information in public forums. Yes. And this is all according to Joe Cox from 404 Media. Yeah. So these scummy douchebags are grabbing information and the mugshot of the person who's passed.

Graham Cluley

Your mugshot is pretty shocking. So I mean, that is— I think mugshot is a good word.

Carole Theriault

And then they're populating pages, right, of the grieving with offers of an online streaming option for the funeral.

Graham Cluley

Wow. For people who can't be bothered to get there.

Carole Theriault

Well, or people that live 10,000 miles away or 2,000 miles away or have 8 kids or whatever.

Graham Cluley

Fair enough. Yeah.

Carole Theriault

And you're thinking, I want to show my respects.

Graham Cluley

Yeah, that's fair.

Carole Theriault

You click on it.

Graham Cluley

Yeah.

Carole Theriault

And you're actually going down a nefarious path run by jerks who are trying to get your credit card information and information from you, your registration information. And what's more even confusing is in some cases, yeah, these funerals are being live streamed. And this is how the information is being passed along through word of mouth, through groups. According to 404 Media, Facebook is awash with scams that direct visitors to fake live streams of funeral services preying on relatives and friends of the deceased.

Graham Cluley

Whoa, whoa, whoa. Are you saying Facebook is doing a bad job of policing something that's going on on its network?

Carole Theriault

Just wait, these words. Tell me what you think. Just give me two paragraphs and then tell me what you think. Okay. There have been pockets of media coverage of these funeral scams over the last year or so, but the scam appears to have ramped up, says 404 Media. Beyond the US outlets, Australia, the UK, and Ireland as recently as last week have all reported on the scams. And this Irish one is particularly stomach-churning because the deceased person was 6 years old. Oh, it's just so 404 Media sent a specific Facebook account that was peddling such bogus funeral streaming services to Meta, right? The parent company of Facebook.

Graham Cluley

Yes.

Carole Theriault

And a spokesperson responded in an email. Are you ready?

Graham Cluley

Yeah.

Carole Theriault

Quote, we don't allow this content on our platform and removed the page brought to our attention.

Graham Cluley

Oh, good.

Carole Theriault

Okay. So that says to me they are being reactive in their process as opposed to proactive, don't you think? They're saying, you tell me about it, we'll take it down. Otherwise, you know, we're busy.

Graham Cluley

That, I'm afraid, is their approach, isn't it?

Carole Theriault

It's not good enough.

Graham Cluley

No.

Carole Theriault

When 404 Media asked for comment from Meta, that request includes the specific question of whether Facebook proactively searches for accounts involved in this sort of scam. Meta did not answer the question directly and instead said it encourages people to report the content to the company and to the police.

Graham Cluley

I think they have answered the question there, haven't they?

Carole Theriault

So there's no proactive stuff.

Graham Cluley

Yeah.

Carole Theriault

It sounds to me, pardon mon anglais, horseshit.

Graham Cluley

Cheval poop.

Carole Theriault

Cheval poop. Exactly. Any of you who are in this situation where you're having— you're facing someone who's in this situation, be very careful about online. Go to the main website of the funeral home is what I think I'd say at this point. No social media.

Graham Cluley

Maybe leave explicit instructions in your will that you do not want to be livestreamed, or you don't want anyone who has a Facebook account being invited to your funeral.

Carole Theriault

What's the problem with the funeral being livestreamed? My family's all around the world, right? My family and my good friends, and they may not be able— if I die at a ripe old age, they're all good, and they're alive, they're going to be in their 80s and 90s.

Graham Cluley

I suppose if they couldn't get a visa or something, yeah, okay. I can understand why people would pay to watch, you know. It's going to cost me so much petrol driving half an hour to go to Carole's funeral, or I could pay a fiver and stay at home and watch it in my undies.

With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market, and that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives, and quick threat responses, supporting endpoints seamlessly. Now, many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI, you'll find out how long before (and it can be months or years) it has already protected its customers. Staying one step ahead is central to everything BlackBerry does. And in fact, it's your 24/7 AI-driven security partner. So visit smashingsecurity.com/blackberry to find out more. And thanks to them for supporting the show.

Carole Theriault

This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization? Ransomware-infected applications, SaaS apps, and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out. Welcome to Kolide, a world where access is only given to approved, secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning fewer resources are needed to effectively operate a more secure environment. Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com/smashing. That's k-o-l-i-d-e.com/smashing. And huge thank you to Kolide for sponsoring the show.

Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com/smashing to claim your discount. That's V as in Victor, A-N-T-A.com/smashing. And thanks to Vanta for sponsoring the show.

Carole Theriault

And welcome back. And you join us at our favorite part of the show, the part of the show that we call Pick of the Week. And Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they like. It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not a pick of the week. It's a nitpick of the week. Do you remember last week when I spoke about subtitles? And I said that I was very annoyed about the subtitles on One Day on Netflix, because every time one of the lead characters happened to go, like that, do a little mouth click. It would say "clicks mouth." And I'm afraid my nitpick of the week this week, Carole, is you and a few Smashing Security listeners. Because after that episode was broadcast, some Smashing Security listeners got in touch. Matthew G., for instance. Hi, Matthew. I've got a nitpick with him. And I've also got a nitpick with someone who called themselves Insane in the Brain.

Carole Theriault

Yeah, I don't have any problem with them either.

Graham Cluley

They suggested I might have goofed up the settings in my Netflix app, and that's why it was saying things like, "Bright instrumental music is playing," and "Clicks mouth." What they were suggesting is that you had also audio description stuff on.

Carole Theriault

So not just the translation or the subtitles, but also the audio descriptions. Yes.

Graham Cluley

Okay. Right. Thank you very much. You have just hanged yourself. I was explaining it for everyone else.

Carole Theriault

I know you're very angry. Agree, so maybe.

Graham Cluley

Well, you have now, I'm afraid, given me all the evidence I needed. And furthermore, I saw you reply to some of these people gleefully agreeing with them. And saying you should have picked me up at the time. But no, I spent some time investigating this issue. I've gone back and I have checked. And on Netflix, on One Day in English, there are no subtitle options available. Other than the ones which also tell you irrelevant information about keys jangling and lips smacking.

Carole Theriault

How many of you are right now hitting your keyboard to show that Graham is wrong?

Graham Cluley

Meanwhile, I have also learned— so I went back and I watched an episode or a little part of an episode, and sure enough, it came up and I looked at all the subtitle options and there's nothing there. Meanwhile, I have learned the difference between subtitles and closed captions and audio descriptions. Very good. Would you like to know what the difference is, Carole?

Carole Theriault

Yes, we would. All of us would.

Graham Cluley

I'll also put a link in the show notes because you, during this very section, have demonstrated that you don't properly know what the difference is. Because you have referred to audio descriptions. Let me tell you right now, audio descriptions are for people who can't see. So audio descriptions are not displayed as captions on the screen.

Carole Theriault

Yes, they're said out loud. You're absolutely right. Yes, they are said out loud.

Graham Cluley

So you'll have someone saying— well, they won't.

Carole Theriault

They'll say, "Someone appears." "The guy has a gun at her head." Right.

Graham Cluley

Yes, exactly. Now, so that's fairly easy to understand. But what's the difference between closed captions and subtitles, you're wondering? Not really. Because we tend to say as a generic term, subtitles. It turns out that subtitles are translations. Only if it's translated is it actually technically a subtitle. So if you're watching a French movie, for instance, you can't speak French, it would put up the subtitles in English, right? But if you are watching something where you can't hear it properly, then you put on closed captions, which will put up in the same language. That's super interesting, Mr. Cluley. Very interesting. Yes. It does not, however, explain why Netflix are calling what I was seeing subtitles. And anyway, I'm a bit annoyed. I think there's a number of issues with Netflix. In his defense, Matthew G. did point out that kids' profiles on Netflix can reset the caption settings on other profiles, although that wasn't happening in my case because I looked into it. And also in defense of Insane in the Brain, he wasn't quite as brusque as Matthew G., who tut-tutted at me for being a dumbo. So I think, well, I think I am vindicated.

Carole Theriault

He's not wrong.

Graham Cluley

Well, I think I am vindicated. Netflix, sort it out. And that continues to be my nitpick of the two weeks. Thank you.

Carole Theriault

Cruel. Yeah. I do have a pick of the week. And, you know, sometimes I have them and I'm thinking, this is not his bag, right? I think it might be some listeners' bags, but I don't think it's your bag. No, it's fun for me. It's so fun for me every week. But this one, I think it's in your wheelhouse. I think it's up your street. I think, you know. It's so fun for me.

Graham Cluley

All right. Well, let's see.

Carole Theriault

Okay. It's a movie called Fingernails. I would refer to it as an eccentric sci-fi romance with a teeny tiny dark underbelly and comedic bits. So, you know, you and your partner are happy, right? You're in a happy place. That's all good. You might even use the term in love. Yes. Absolutely. Right. Perfect. Okay, good, good, good. Now, what if there was a love institute in downtown Oxford? Right. Where you could certify scientifically through the state of analysis and biosamples, whether you were really, really, really in love and she was really, really, really in love with you.

Graham Cluley

Would you want to be tested? It sounds like an episode of Black Mirror. It sounds absolutely horrific.

Carole Theriault

I think that is a very good thing to think, right? So, in the movie Fingernails, this is by Christos Nikou, we find the glorious, and she is really glorious, Jessie Buckley. She plays Hannah, teacher, right? In a committed but unexciting relationship with this guy, Ryan, who's played by Jeremy Allen White. Now, this relationship has been certified by the Love Institute, right? Which means it is scientifically, truly big-time real in love. Fantastic. For both of them. Yeah. Fantastic. The test— you want to know what the test is? What is the test? Both partners have to submit to the agonizing process of having a fingernail extracted from the root for analysis. What? Why would you do that? To know if you're in love or not. Maybe you're lying to yourself. Maybe your partner's lying to you and you don't believe them.

Graham Cluley

Well, I might not love someone if they've had their fingernail pulled off. Maybe I really love their fingernails.

Carole Theriault

Well, it depends which one. What if you love their index one but not their pinky one? You might go, hey, go for it.

Graham Cluley

Good point. Get rid of that manky one. Could you— could I offer them a toenail instead? That's what I asked.

Carole Theriault

You see, much easier. So this is all happening. There's a love triangle thingy, which I'm not going to ruin for anyone. It crops up and the drama ensues. Miss Buckley is terrific. I really thought she was fantastic. It's one of those things that could have been extended into a whole series, and it really just has a movie's worth. It's sweet and quirky. You can find it on Apple TV+, and it's called Fingernails. And that is my pick of the week.

Carole Theriault

Yes, you may.

Graham Cluley

Did you watch it with the closed captions on? Notice I didn't say subtitles.

Carole Theriault

No, I did not. Could you do that before I decide to watch it?

Graham Cluley

No.

Carole Theriault

I have boundaries now. I'm not taking on any of your garbage.

Graham Cluley

Deal with it. Well, it sounds an interesting pick of the week. Now you've been chatting to the folks at BlackBerry this week, haven't you?

Carole Theriault

I have. Keiron Holyome, he's a VP at BlackBerry and he talks to us about AI from the professional defensive side and also from the attacker side. Just so I don't get annoyed? Check it out. All right. So today we welcome Keiron Holyome to Smashing Security. Keiron is a vice president of cybersecurity at BlackBerry, looking after the UK, Ireland, and emerging markets. It's a big job. So welcome to the show, Keiron.

Carole Theriault

Yeah, well, I'm so glad you're here because we are talking artificial intelligence. And I personally would really like to better understand how AI is used in threats from your point of view at BlackBerry, but also in defense. So it's amazing to have an expert in the room. So thank you so much for being here. So first, can you tell me a little bit about you so our listeners can understand, how did you end up looking after cybersecurity at BlackBerry?

Keiron Holyome

I've been working in the IT industry for about 25 years, helping customers and organizations solve problems with technology. And about, I don't know, 10 years ago, 12 years ago, I decided to sort of jump into the dark side, if you like, and come across to the cybersecurity information technology sphere. And I call it the dark side because I think, you know, 10 years ago, security was seen as a bit of a blocker and a bit of a— they always say no to stuff. And, you know, that's certainly my experience. And I didn't understand why. So I thought I'd dip my toe into cybersecurity and get an understanding of what was exactly going on and why. And I've really, really enjoyed the past 10, 12 years in this part of the world of IT, especially as it's, you know, this understanding of how critical it is for organizations now to get the right cybersecurity posture. Because if you're not doing that, your business or organization is at significant risk, right?

Carole Theriault

It's true. And you're totally right about it being a bit of a blocker 10 years ago. I worked in the market for 15 years, and I remember traveling my first time out with my fully locked-down computer from the cybersecurity firm I worked at. And I couldn't get access to the hotel no matter what I tried. We had three experts trying, ridiculous. So I'm glad times have changed. So we are here to talk about artificial intelligence, the big hot term of the day. And when people talk about AI today, they typically mean generative AI, ChatGPT and other language models. But artificial intelligence as a technology has lots of guises, right?

Keiron Holyome

Yeah, I think it's a really important point. You know, as you say, there's a lot of talk about AI right now. But not all AI is created the same. A lot of the models we see today that call themselves AI are really not AI, and they're not mature enough or good enough for today's challenges. You kind of see this by the outcomes that they produce. I think if you look at the world of the threat actors right now, I would suggest every single one of them is using AI in one way, shape, or form. So it's not a case— and I guess the sophistication levels vary. I think we're sort of at an inflection point, really, that's going to have a profound impact on technology, security, and humanity as a whole. And as I've just talked about, I think AI can be good, and it should be seen as a whole good. We can make some medical advances. We can make things easier and accessing services and things. So when we talk about generative AI, that's about the interaction and providing people with the information they need. From our side, we also talk about preventative AI, and that's really, really important. And we feel that you can't really exist in the world of cybersecurity AI if you're not being able to do the preventative and the GenAI as well. I think a lot of leading cybersecurity companies talk about AI, and we, looking outwardly into the market, see models being used, and then we see how they fail or they're not able to do what they're supposed to be doing. In fact, just recently, I think a couple of weeks ago, there was an imaginatively named new technique for hacking called Pool Party. That's all brilliant, right? But fundamentally, we have to really get to grips with the security element underneath it. And I think the democratization, if you like, or the consumerization of AI, which is now easily available to everybody— previously, if you had the resources or the finances to go and buy it, you could, but now everyone can use it. 
That lower barrier to entry is really going to start seeing in the market, in the world, the prevalence of AI in everything we do. So if you've got nation state, then I would say they're heavily invested in AI. If you've got your backroom hackers, then they're probably using some form of AI to either make their attacks more frequent, i.e., speed them up, or speed to market, if you get them out there quicker, or secondly, make them more effective. I love the names. Pool Party. Do you think they just sit around, you know, coming up with these names anyway? Pool Party. And it was basically a new way of injection techniques that enable you to go in and trigger malicious code. And we're already seeing it. Those AI, the various actors are using AI to get better and faster at phishing and social engineering and goodness knows what. And then we've got this other thing that hangs over us, which is polymorphic malware, which in itself scares me. Its inherent ability, for those that don't know what it is, it has its inherent ability to mutate itself in its appearance, to continuously get around all of the security measures we put in place to deal with that. So I do think that every attack really has probably these days got some form of AI in it. Now, we would have expected a lot of organizations out there that are using AI, inverted commas, to be able to detect and stop this from executing. In fact, the report that you can find online shows that leading EDR companies in the world were unable to detect and prevent Pool Party. And that really is, is AI really AI at that point? Because if it's generative AI, it's not going to stop executing, right? So we couple the AI as effectively a consumer, downloadable consumable, effectively polymorphic malware, and then we throw that at organizations that are still trying to do signature updates. It really does scare me.
So organizations must, must act now to make sure that they get AI in their vernacular, in their lexicon of cybersecurity defense. Otherwise, they're going to be outpaced, and unfortunately, they will suffer.

Graham Cluley

Carole, do you have a pick of the week?

Graham Cluley

Carole, can I ask a question about Fingernails?

Keiron Holyome

Thanks, Carole. Lovely to be here.

Carole Theriault

Okay, so that's what it is. So you're surprised that people that kind of wave the AI banner weren't able to stop this. It makes it complicated though for us outside the market, I think.

Keiron Holyome

Yeah, it's really complicated. I think we lose a lot of people along the way because we start talking in IT speak and cybersecurity speak. I think if the AI at a higher level, if the AI is really to be understood by the general public in organizations, we need to do that education piece as to what AI is and how it propagates and the good and bad. You know, AI can be used for good. I think that's a really important topic as well. But from a being used for bad and how do you fend against it perspective, then not all AI is the same. And how you apply different models is really important. AI will have a tremendous impact, not going, is having a tremendous impact on the future, right? And that's especially true when we talk about cybersecurity from a defensive posture perspective. BlackBerry's been using AI for over a decade now. And in a space as broad as cybersecurity, it's really important to recognize that, as you've just said, different models, AI models can be good at solving different problems. And when it comes to threat defense, from our side, two general categories, right? As we've talked about predictive AI, where AI models can automatically stop threats. And automatic is the important point there, right? They make their own decisions. So automatically stop and anticipate threats and zero-day activity before they happen. So the predictive model effectively goes in very early in the kill chain or attack sequence, makes a high-confidence decision that that is a malicious activity, and then stops it and proactively stops the attack and shields the user organization from that threat. These predictive models don't converse with people. They're not chatbots. They're not friendly. They're math models that we all think of. But then on the other side, we've got this generative AI, as you mentioned. Now, these models are designed to interact with people. And their purpose really is to make sense of large amounts of information. 
And to give that individual they're interacting with or that organization they're interacting with the ability to speed up the understanding of the situation, give them the knowledge base, and then enable them to make better and informed decisions. But generative AI models, GenAI models, don't proactively stop attacks on their own.

Carole Theriault

So if we talk about the threats that you see at BlackBerry, do you have a category story that you now call artificial intelligence threats? Is that how— or is there more granularity in that? Yeah, it makes sense too because I mean, I know lots of developers that when they write a little bit of code, well, the first thing they do is run it through some AI chatbot, you know, as you call it, interactive one to just see if there's any mistakes in it. Right, so why wouldn't the bad guys do that too? And I guess to your point, they're also probably using, can I say penetrative AI as opposed to preventative? So they're using AI models to try and get in to bypass traditional security?

Keiron Holyome

100%, yeah. I think certainly the most frequent attacks we're seeing are that generative pre-trained transformer. So we know that best as ChatGPT, but there are others out there like WormGPT, for example. And they're designed to do exactly what you just said, run some code through, do it as quickly as possible, get it out, test it, bring it back, do the same again, and just keep doing it until you hit the jackpot and get through and are able to ransomware someone. So I think if you look at it on an axis of one is volume, one is efficacy, what GPT or AI gives you is the ability to do both quicker. So you can get more volume out there and have more efficacy. And that's the scary thing, the ability for organizations to be able to scale to that demand without using and deploying AI themselves is a real scary thought.

Carole Theriault

Yeah, and if you think about it, you were saying, BlackBerry's been in the AI space or working with artificial intelligence for at least a decade. How many technology firms out there have just jumped on the bandwagon, right? So, okay, so tell me, how is BlackBerry able to harness the power of AI as a component of cybersecurity? Because without it, we're sitting ducks, I'm guessing, in this new world. So we need it. Are you able to give us a few things that people should look out for when— so imagine you're using traditional scanning methods. You realize it's not enough. You want to up your game and get something that's going to help you that has AI involved, what things to look for? Because I'm sure there's some maybe less reputable or quality software out there, and maybe there's things they can look out for. Clearly, I'd say come and talk to BlackBerry. That's my job. But I think outside of that is act now. Yeah, this is definitely not the time to act like an ostrich and put your head in the sand. It's basically what I'm hearing here. Act now. 100%. Act now. Keiron Holyome, Vice President of Cybersecurity at BlackBerry. Thank you so, so much. Listeners, you can learn more about artificial intelligence and how BlackBerry is harnessing its power and defending against its threats by visiting smashingsecurity.com/blackberry. That's smashingsecurity.com/blackberry. Thanks so much. Awesome, thanks very much.

Graham Cluley

Very, very cool. And that just about wraps up the show for this week. You can follow us on Twitter at SmashingSecurity, no G. Twitter now has to have a G. We also have a Mastodon account. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Overcast. And huge thank yous to our episode sponsors. That's BlackBerry, Kolide, and Vanta. Until next time, cheerio. Bye-bye, bye.

Carole Theriault

Graham, I'm really sorry. My voice is still cracky.

Graham Cluley

Oh, do you think the end is near? They give me some warning.

Carole Theriault

I'm gonna croak. My voice is croak. And yeah, no, I'm just apologizing to any listeners that have made it this far. I'm sorry, my voice is not repaired yet.

Graham Cluley

Some people like that. Some people like it when a woman gargles with whiskey and razor blades. It's like a sexy kind of sound, isn't it?

Carole Theriault

Some hate it though.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.