Graham finds himself in hot water with a security firm after a data breach, Carole discusses credit card fraud, and we have a pleasant surprise for Thom Langford, who appears to have mostly agreed to be a guest to promote his own podcast.
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Thom Langford.
And don’t miss our featured interview with Robbie O’Brien of MetaCompliance, all about the new book he’s written – Cyber Security Awareness for Dummies.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I'll probably bleep out actually, but the name is Keep Labs. Yes, that's—
Keep Labs.
Yes. You're just going to keep me busy with the bleeper, aren't you? Is that what's going to happen?
The entire fucking episode.
So how do you spell Keep Labs? Smashing Security, episode 182. Space Force, credit card fraud, and beep beep beep with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 182. My name is Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 182. My name is Graham Cluley.
And I'm Carole Theriault.
And this week, Carole, we are joined on the show by, well, someone who's a fellow podcaster. He's been on the show before, but since then his podcast has been relaunched.
It's Host Unknown's sole founder, Thom Langford. Hello, Thom.
It's Host Unknown's sole founder, Thom Langford. Hello, Thom.
Hello, hello.
Welcome back to the show, Thom.
Thank you very much. Thank you very much.
I listened a couple of weeks ago and you said something about having guests on who are less security-minded and, you know, don't have any expertise in security.
And lo and behold, here I am.
I listened a couple of weeks ago and you said something about having guests on who are less security-minded and, you know, don't have any expertise in security.
And lo and behold, here I am.
Well, actually, Thom, that's not the reason we invited you on.
Oh, really?
No, no.
Graham, I'm gonna hand over to you because you uncovered this little thing, didn't you?
Well, yes, I did. You see, since Thom has relaunched his Host Unknown podcast about, I don't know, probably a couple of months ago, I've been listening in each week.
And there've been a fair few mentions of Carole and myself on the podcast. Although you seem to refer to it as Graham's podcast.
And there've been a fair few mentions of Carole and myself on the podcast. Although you seem to refer to it as Graham's podcast.
Oh, only once or twice.
Wow. And it's always Javad who jumps to Carole's defence.
Oh, Javad.
It is Javad, yeah.
But more than that, I hear you're really desperate for sponsors. And we—
Whoa, whoa, you're not donating one, are you, Graham?
Well—
Are you giving us one of your sponsors? Can we pick?
Well, specifically on your sponsor page, you say Smashing Security has enough sponsors. And so give your money to us instead.
Yeah, I'm a master negotiator. I believe in win-win.
Yes.
So if, uh, Smashing Security sponsors an episode, will you take that shit off your site and start saying something nice instead?
I will personally delete that before this recording is over if you're going to sponsor a show.
Graham, what do you reckon?
Yeah, right, right. We are going to record an ad for Smashing Security on the Host Unknown podcast.
Done.
There you go, Thom Langford.
Awesome.
Okay, let's get this show on the road.
All right, can I go now?
Hey, you sit right there and buckle in.
What's coming up this week?
First, let's thank this week's sponsors that sponsor Smashing Security: MetaCompliance and LastPass. Their support helps us give you this show for free.
Now stay tuned at the end of the show for a special feature interview with Robert O'Brien of MetaCompliance.
Not only does he share some great info on onboarding staff into better cyber awareness, but he has quite the dreamy voice. He does, let me tell you. ROBERT O'BRIEN. Hello.
Now stay tuned at the end of the show for a special feature interview with Robert O'Brien of MetaCompliance.
Not only does he share some great info on onboarding staff into better cyber awareness, but he has quite the dreamy voice. He does, let me tell you. ROBERT O'BRIEN. Hello.
Now on today's show, Graham tells us what happened when a security firm suffers a security breach. Thom talks about the importance of brand reputation in our new world.
And I'm looking into how we can make it harder for credit card hackers to dupe us. All this and much more coming up on this episode of Smashing Security.
And I'm looking into how we can make it harder for credit card hackers to dupe us. All this and much more coming up on this episode of Smashing Security.
Now, chums, I want to talk to you about something which has sort of affected me personally in the time since we last recorded a podcast. I want you to picture this.
I want you to imagine this scenario. Imagine that you personally suffered a security breach. Okay? You leaked data in some way. What would you do?
I want you to imagine this scenario. Imagine that you personally suffered a security breach. Okay? You leaked data in some way. What would you do?
That one time I almost replied all an email that would have got me fired, I ripped the cable out of my computer. So this is before Wi-Fi.
This is when I still had a manual leap over the desk and almost ripped the machine off the desk.
This is when I still had a manual leap over the desk and almost ripped the machine off the desk.
You thought you'd be faster than the electrons basically.
Well, do you know what? I think I made it.
Yeah.
Yeah.
I was lucky.
The advantage of having a 286 processor, I guess. Thom, what about you? If you suffered a security breach?
So there's two words spring to mind, honesty and transparency.
Oh.
And having done something similar myself, which affected 15,000 people in a company, all getting notifications of my meeting requests for a day, I decided the best bet was to basically email everybody and say, "Sorry, this is what I did.
Make sure you don't do it."
Make sure you don't do it."
Just adding to the spam. Excellent.
Let's take it one stage further. Imagine you're a security firm. Oh, the pain that must be involved in that. If you suffered some kind of security breach, what would you do then?
What's your recommendation? Thom, I guess it's still transparency and honesty.
What's your recommendation? Thom, I guess it's still transparency and honesty.
Honesty. Absolutely.
Yeah, I think I would maintain that as well.
Right.
Come clean real quick.
Let's go even crazier. Imagine you are a popular, and handsome award-winning security blogger. I'm not talking about Thom, who did win a security blogging award.
Damn, I thought you were going to talk about me last week.
No, and I said handsome and popular. And imagine you heard that this security firm had a security breach. What would you do if you're a blogger? You're going to write about it, right?
Well, it's interesting public knowledge, right? It's in the public domain.
You'd think, well, this will be an interesting story to write about. Now here's final little leaf of the—
So who's the handsome guy again?
Apparently not me.
Hypothetical one.
Okay.
Now imagine you are the security firm that realizes a security blogger has written about your security firm that had the security breach. What would you do?
I hope you wouldn't send in the lawyers.
I hope you wouldn't send in the lawyers.
Okay, can I ask some questions? Did the security blogger say anything that was untrue?
I don't think he did.
Did the security blogger put the knife in and twist it ridiculously hard?
I think I was most—
Oh, you're the handsome guy? Oh my God.
Yeah, sorry.
Geez.
I think I was balanced and reasonable in my blog post.
Did you ask them for comment?
I did ask them for comment, yes. I asked them if they would like to comment on the breach. So what happened was this.
I wrote about this UK security vendor who I'll probably bleep out, actually. I'll probably redact them from the podcast, but the name is Keeplabs. I wrote about them.
I wrote about this UK security vendor who I'll probably bleep out, actually. I'll probably redact them from the podcast, but the name is Keeplabs. I wrote about them.
Keeplabs?
Yes, that's—
Keeplabs?
Yes. You're just gonna keep me busy with the bleeper, aren't you? Is that what's gonna happen? The entire fucking episode?
So how do you spell Keeplabs?
It's spelled K-E-E-P, right? And then N-I-T. Nit.
And then beep, beep, beep.
Okay, so I wrote about this incident. In fact, it wasn't me who originally discovered it.
Bob Diachenko, who's an extraordinary security researcher, he's always uncovering massive databases that have been left exposed online, unprotected with even the simplest password.
He came across a database containing more than 5 billion, with a B-B-B-B, records.
Bob Diachenko, who's an extraordinary security researcher, he's always uncovering massive databases that have been left exposed online, unprotected with even the simplest password.
He came across a database containing more than 5 billion, with a B-B-B-B, records.
Jesus.
Which had actually been derived from past security breaches. So what happened is this security firm—
Was he just looking at Troy Hunt's collection?
No, it wasn't Troy Hunt.
Yeah, his personal email collection.
It wasn't Troy Hunt's database. Let's not start another legal fight. Okay. He's much taller than all of us. No, no, but it's similar kind of operation.
I imagine they were collecting data about past data breaches, but they then accidentally exposed it in some fashion. Right. So I wrote about them and I named the company.
And what I noticed over time was that that company's name, which had been reported in other places on the internet, began to disappear mysteriously.
Suddenly no one was naming the company. And then I received an email from this company saying, "Ah, hello.
Can you please update your article to remove our name from it because it's inaccurate and it's bad for our image?" You know, Graham, this is not the only time this happened last week.
Oh, really?
I imagine they were collecting data about past data breaches, but they then accidentally exposed it in some fashion. Right. So I wrote about them and I named the company.
And what I noticed over time was that that company's name, which had been reported in other places on the internet, began to disappear mysteriously.
Suddenly no one was naming the company. And then I received an email from this company saying, "Ah, hello.
Can you please update your article to remove our name from it because it's inaccurate and it's bad for our image?" You know, Graham, this is not the only time this happened last week.
Oh, really?
With you.
What else happened?
What have I done?
Who else have you pissed off, Graham?
Do you remember the other email you received suggesting that you change your blog article to reflect a different company point of view than the one that was factual.
You're talking about Sophos's PR agency who wanted me to change my article about the Naked Security blog being decimated.
Oh, really?
And their staff being made redundant. Yes.
Your old employer was going to sue you?
Well, no, no, no, nothing like that. I received a very friendly email from Sophos's PR agency saying that Naked Security would continue to operate.
And they were unable to answer any questions I might have regarding the editor and the writers being made redundant.
And they were unable to answer any questions I might have regarding the editor and the writers being made redundant.
Yeah.
So interesting. Yes. So that was something else we had last week. But, you know, good luck to them. And let's hope that all gets resolved.
Just saying you had a busy week.
That's all I'm saying. I had a busy week anyway. So these guys wanted their name removed. And so I said to them, oh, can you tell me what's wrong about my article?
Because I would love to fix it. I don't want to have inaccurate information up there. And they said, well, none of our customers were involved in the data breach.
And so I said, well, I didn't say any of your customers were involved in the data breach, so I haven't got any words to fix about that.
And they said, well, it wasn't really a breach because this was data which had already been breached.
And I said, well, I think that's still a security breach because people can find it that didn't have access to it before.
Yeah, you facilitated potentially— who knows if it actually happened or not, but potentially other people may have been able to access that data because you handled it.
Carelessly in some fashion.
Because I would love to fix it. I don't want to have inaccurate information up there. And they said, well, none of our customers were involved in the data breach.
And so I said, well, I didn't say any of your customers were involved in the data breach, so I haven't got any words to fix about that.
And they said, well, it wasn't really a breach because this was data which had already been breached.
And I said, well, I think that's still a security breach because people can find it that didn't have access to it before.
Yeah, you facilitated potentially— who knows if it actually happened or not, but potentially other people may have been able to access that data because you handled it.
Carelessly in some fashion.
Fair, fair point.
This carried on for a couple of months, and I wasn't talking about this publicly, but they did say, we are going to have to engage our lawyers to deal with this now.
And I said, well, that's fine, but you know, if you've got something to say, please let me know and I will put it up on the thing.
Or if you've got any refutation or any statements you'd like to officially make, I will post it up on my article so that you can have your position. And they didn't want to do that.
They didn't want to give me any statements whatsoever.
But what they did do is they said, oh, and by the way, maybe you'd like to work with us on some business opportunities in future.
And I said, well, that's fine, but you know, if you've got something to say, please let me know and I will put it up on the thing.
Or if you've got any refutation or any statements you'd like to officially make, I will post it up on my article so that you can have your position. And they didn't want to do that.
They didn't want to give me any statements whatsoever.
But what they did do is they said, oh, and by the way, maybe you'd like to work with us on some business opportunities in future.
So what, bribe you?
Well, you might say that, Carole Theriault.
So they say basically, hey, work with us, but we'll only think about doing that if you just do a little tweaky tweak tweak on that blog article. Thanks so much.
So I said, thank you very much. That's interesting, but let's have that as an entirely separate conversation from the conversation about your blog post. Let's resolve that first.
Before we discuss any other sort of business.
Next thing I knew, I got a letter from their lawyers telling me to take down their name and redact it and saying it was bad for their company and all the rest of it.
Now, I believe I haven't said anything inaccurate in that blog post, right? And I've given them a chance to have their say as well.
But what I didn't want was I didn't want to get bogged down in lots of legal arguments and letters where only the lawyers are going to get rich.
And this could go on for months and months and months. And who frankly gives a damn about it.
Before we discuss any other sort of business.
Next thing I knew, I got a letter from their lawyers telling me to take down their name and redact it and saying it was bad for their company and all the rest of it.
Now, I believe I haven't said anything inaccurate in that blog post, right? And I've given them a chance to have their say as well.
But what I didn't want was I didn't want to get bogged down in lots of legal arguments and letters where only the lawyers are going to get rich.
And this could go on for months and months and months. And who frankly gives a damn about it.
Yeah.
So when I got this letter from their lawyers, I thought, you know what, I'm just going to take their name down.
And in fact, what I did was I redacted their name, so I replaced it with black blobs.
And in fact, what I did was I redacted their name, so I replaced it with black blobs.
Mm-hmm.
And I thought, having done that, best thing I can do is probably just add a little explanation at the bottom of the article.
Okay, so you backed down, but you couldn't do it without taking a dump.
Well, people—
Yeah, people need to know. People need to know. No, I agree. Well, no, I agree with your stand. Don't get me wrong. I, you know, why should they win if you've done nothing wrong?
Well, what I did was I tweeted and I said, following a legal threat from beep beep, and I redacted the name, I've removed their name from this article on my site.
And I said, you know, I apologize to readers, but, you know, I can't afford to get into a legal fight.
Now, that did have an unforeseen consequence which I couldn't possibly have imagined would happen.
There were people on Twitter who were able to determine what the company's name was.
And I said, you know, I apologize to readers, but, you know, I can't afford to get into a legal fight.
Now, that did have an unforeseen consequence which I couldn't possibly have imagined would happen.
There were people on Twitter who were able to determine what the company's name was.
Wayback Machine.
So it appears, Kroll.
Wayback Machine.
I tweeted something similar about Streisand effect and Wayback Machine.
Yes. There you go. So there were quite a lot of people who sort of responded to it.
In fact, apparently over 100,000 people saw the tweet and it was— there were lots and lots of comments on it.
I haven't commented on my tweet or anyone else's comments regarding it or liked—
In fact, apparently over 100,000 people saw the tweet and it was— there were lots and lots of comments on it.
I haven't commented on my tweet or anyone else's comments regarding it or liked—
Oh, that's very mature of you.
Well, I thought so too. Well, I just didn't want to— I didn't want to—
You poked the bear enough already.
I didn't want to—
I mean, you know, you don't want to put a bear trap out.
I didn't want to pour any— the thing is, Carole, I'm not the only person who was possibly intimidated by this company to reveal their name.
Are you intimidated?
There was an attempt at intimidation, I think, the legal threat.
I do know that Javad Malik of the Host Unknown podcast, because he spoke about it on his latest episode, folded like a pack of cards. He was contacted. He hadn't written about it.
I do know that Javad Malik of the Host Unknown podcast, because he spoke about it on his latest episode, folded like a pack of cards. He was contacted. He hadn't written about it.
No, that's the best part of it.
You explain what happened, Thom.
So quick summary, Javad has been asked for a quote about this breach for an article by another writer. He supplied some quotes.
He actually used the term breach because let's face it, nowadays it's kind of a generic term, really, a bit of a catch-all for anything that's been lost or not secured or whatever.
He mentioned that, and this particular company in question reached out to him and said, take your comments down. To which, you know, Javad said, I can't, it's not my article.
I suggest you contact the publisher, the owner of the article. And he also said, you know, as a courtesy, I have contacted them to ask them to review it, but I can't do anything.
And then they basically then came back threatening legal action, at which point he said, speak to my lawyers, and left it at that.
He actually used the term breach because let's face it, nowadays it's kind of a generic term, really, a bit of a catch-all for anything that's been lost or not secured or whatever.
He mentioned that, and this particular company in question reached out to him and said, take your comments down. To which, you know, Javad said, I can't, it's not my article.
I suggest you contact the publisher, the owner of the article. And he also said, you know, as a courtesy, I have contacted them to ask them to review it, but I can't do anything.
And then they basically then came back threatening legal action, at which point he said, speak to my lawyers, and left it at that.
But the difference is, Javad has lawyers, whereas I don't.
Yes, exactly. That's the joy of being employed by a company.
The only legal thing I can even think of it, and I'm no lawyer, is just the breach. What does a breach mean? You know, how is it defined by the Computer Misuse Act?
And how is it used? That's the only—
And how is it used? That's the only—
There has been a breach of security.
A breach of trust.
Oh, careful, Carole, what you say. Who knows what you might get in the post?
It's like saying, well, it's not a breach because it's already been lost. It's ridiculous. It's like sending somebody an email to get it to the top of their inbox.
What it is, is putting it out there again in another easy-to-find format on the plain, regular internet. So that even more people can get access to it.
What it is, is putting it out there again in another easy-to-find format on the plain, regular internet. So that even more people can get access to it.
But what they should have done instead was, as soon as they were aware of it, they should have contacted the appropriate authorities, contacted anyone affected, and put it up on their website that this happened, this is how they're handling it, and if they have any questions, please see this FAQ.
Done.
Done.
So it's only after one week of Twitter outrage and people sort of going after them with pitchforks. And to be honest, some people, I feel, have gone a little bit too far on Twitter.
No, really? That's not like Twitter at all.
On Twitter? Holy God, I didn't realise this was this big.
So the security firm, Smashing Security, beepity beep, they have now today, hot off the press, just before we recorded this podcast, they have now published a statement about the exposure on their website where they try and explain what happened and try and excuse what happened.
Let me guess, they don't use the word breach anywhere.
I'm not going to get into the nitty-gritty of the accuracy of their statement.
But are you named in there?
No, I'm not.
Well, a special thanks to Graham.
But the thing is, here's the thing about the security industry.
It was an Elasticsearch database, I believe, which ships and installs with everything security-wise switched off, as I understand it.
And we get it as security professionals, we get it. You know, switching security on is difficult because it limits functionality. It can slow things down in some cases.
You know, it's difficult. But if you are a security company, you need to have your shit together.
You've got to, you know, you've got to have these processes in place that make sure that anything that faces the internet or anything that contains personal or confidential information needs to go through a hardening script of some kind, be it automatic or manual.
And if it doesn't work for some reason and you get found out, then tell us why it didn't work and what you should have done so that we can all learn from it.
It was an Elasticsearch database, I believe, which ships and installs with everything security-wise switched off, as I understand it.
And we get it as security professionals, we get it. You know, switching security on is difficult because it limits functionality. It can slow things down in some cases.
You know, it's difficult. But if you are a security company, you need to have your shit together.
You've got to, you know, you've got to have these processes in place that make sure that anything that faces the internet or anything that contains personal or confidential information needs to go through a hardening script of some kind, be it automatic or manual.
And if it doesn't work for some reason and you get found out, then tell us why it didn't work and what you should have done so that we can all learn from it.
So I think your advice is absolutely right, Thom, Carole.
I think transparency, honesty, prompt response to these kind of incidents means that, you know, when something bad happens, it doesn't have to be as big a deal as you can make it by responding badly.
I think transparency, honesty, prompt response to these kind of incidents means that, you know, when something bad happens, it doesn't have to be as big a deal as you can make it by responding badly.
So deep, Graham.
Yeah, well, fuck off deep. What's their name? Fuck off keeping it loose. And their lawyers.
Yeah.
I'll keep an eye on the letterbox.
That's right. And your bank account.
Thom, what have you got for us this week?
What have I got? So there was a lovely tweet that I saw the other day about brand reputation and how important it is to control your brand.
And we know this because, you know, many of us in security roles have experienced this when other companies register domain names that are either very close to your company name or they are the same but with a different, you know, .com or .co.uk at the end and start impersonating you.
And this is a big deal. And as a result, there's a whole sort of almost a sub-industry of, you know, brand management.
And when you register a domain, it will— you can automatically get similar domain names registered.
There are services that search out to see if there are domain names that are registered with you know, Cyrillic alphabet characters, but still looking like your domain, et cetera.
And we know this because, you know, many of us in security roles have experienced this when other companies register domain names that are either very close to your company name or they are the same but with a different, you know, .com or .co.uk at the end and start impersonating you.
And this is a big deal. And as a result, there's a whole sort of almost a sub-industry of, you know, brand management.
And when you register a domain, it will— you can automatically get similar domain names registered.
There are services that search out to see if there are domain names that are registered with you know, Cyrillic alphabet characters, but still looking like your domain, et cetera.
I think we've actually had this ourselves. I think we had a listener who bought the domain Smashing Security without a G.com to redirect to us, which was very generous of them.
Oh, that was very decent.
Yeah, very decent listeners. That's why we love them.
We should have done that and redirected it to Host Unknown.
But okay, see, you just screwed up again, Thom.
Yeah, well, if you'd listen to the podcast, you'd know that that's regularly what we do. But talking about someone else who screwed up is the US, believe it or not.
So the US a couple of years ago, or Mr. Trump, announced Space Force, the fifth wing of the US military.
So the US a couple of years ago, or Mr. Trump, announced Space Force, the fifth wing of the US military.
You can totally see that he came up with that name too, right? You can totally tell.
Oh my God, yeah.
He's just sitting in the background, "Oh, I want to get the laser guns." I don't know, but bottom line is he watched Moonraker, James Bond's Moonraker, and decided that's for him.
So they've yet to get involved in any kind of serious operations. They've yet to launch anything. They've kind of just been bubbling under.
They're probably still deciding what sort of camouflage they should have on their uniforms.
He's just sitting in the background, "Oh, I want to get the laser guns." I don't know, but bottom line is he watched Moonraker, James Bond's Moonraker, and decided that's for him.
So they've yet to get involved in any kind of serious operations. They've yet to launch anything. They've kind of just been bubbling under.
They're probably still deciding what sort of camouflage they should have on their uniforms.
I think they did actually design a logo, didn't they?
They did.
Looks very much like the Star Trek Enterprise logo, the Federation of Planets or whatever they're called. Yeah, exactly. Or Blake's 7.
Blake's 7, now that would have been good.
So what's going on with Space Force?
So also, you may have noticed recently on Netflix, there's a new series called Space Force, which is a little spoof on that. And it stars Steve Carell and John Malkovich. Very funny.
Oh, cool.
Very funny. I've just watched the first season. It's very good. Very lighthearted. Lots of fun. The problem is Netflix have trademarked Space Force.
Well, of course they did. But let me guess, let me guess, the government didn't.
Didn't, that's right. That's right. So maybe we're going to see rockets launched with Netflix on the side of it in order to pay them back for use of their trademark.
But it just strikes me that it doesn't matter how big your organisation is or how well-funded it is.
And let's face it, the US government has got to be kind of up there, size, complexity, and amount of characters.
But it just strikes me that it doesn't matter how big your organisation is or how well-funded it is.
And let's face it, the US government has got to be kind of up there, size, complexity, and amount of characters.
They could just change the name though, right? Why wouldn't they just change it to something like Space Fork or—
Or Space Farce.
Space Farce, exactly.
Yeah, which is roughly the zone around Trump's head at the moment.
But yeah, I just find it amazing that such basics like this, it's a bit like when you hear that somebody forgot to renew their certificates for their domains and stuff like that.
I find it just stunning that such basic stuff is not being done. I would imagine US Army is probably trademarked or copyrighted or something.
But yeah, I just find it amazing that such basics like this, it's a bit like when you hear that somebody forgot to renew their certificates for their domains and stuff like that.
I find it just stunning that such basic stuff is not being done. I would imagine US Army is probably trademarked or copyrighted or something.
When you brought up this topic, I of course went and searched for Space Force, right?
Oh yeah, found Netflix.
Well, yeah, Netflix came in first. And then there's a few IMDB sites, stuff like that. And then there's a review from The Verge saying the title is Astonishingly Bad Show. Really? Yes.
Which I'm— because I'm looking at—
Which I'm— because I'm looking at—
Are they talking about the presidency?
Oh.
Carole, what's your story for us this week?
Before we start, can I just ask, credit cards, do you guys have a strong relationship with them? Do you have many or just one?
I have a debit card. I don't tend to use a credit card unless it's for very painful purchases.
Really?
Even when you shop online?
Well, that's what I'm saying, when it's a painful purchase.
In fact, I have someone else in my household who does most of the shopping, so I think they may have a credit card, but I don't.
In fact, I have someone else in my household who does most of the shopping, so I think they may have a credit card, but I don't.
Damn me.
You should use a credit card when you shop online.
Well, yes, I know, to get the whatsits. Yes, to get the protection. No, not for that. No, for the protection only.
The toilet rolls.
No, it's because the creditors and you share responsibilities. So if you buy something stupid or you don't get it. Yes, protection.
I'm trying to explain it to the listeners too, Graham. It's a radio show, right? So it's not just about your knowledge.
Sometimes you have to pretend you don't know stuff to make it fun.
I'm trying to explain it to the listeners too, Graham. It's a radio show, right? So it's not just about your knowledge.
Sometimes you have to pretend you don't know stuff to make it fun.
Okay.
So what would be the benefit of me shopping with a credit card?
Oh, very good question, Graham.
It's like poetry in the making.
The reason is that if you buy with a debit card, you are 100% responsible for that loss if you don't get the item you've purchased.
But with a creditor, you share responsibility and you can say, you can sometimes claw money back from it from your creditor if you can prove it wasn't your fault.
So always purchase a credit card.
But with a creditor, you share responsibility and you can say, you can sometimes claw money back from it from your creditor if you can prove it wasn't your fault.
So always purchase a credit card.
Very cool. Very good advice.
Now listen, straight up, credit cards, not a very funny conversation topic to cover, right? Like just seriously, I was thinking—
I'm sure you can sort that out.
Well, you know, I decided I would, and this is how I've decided to do it.
I have peppered my story with a few jokes, which I got off the internet while looking for credit card jokes. Okay? And that is how we're gonna keep this light.
I have peppered my story with a few jokes, which I got off the internet while looking for credit card jokes. Okay? And that is how we're gonna keep this light.
Will you signpost them in some fashion?
Yeah, yeah, we're gonna start with a joke.
Okay.
So what do Trump and maxed-out credit cards have in common?
Nobody likes them?
They both deny all charges. Oh, very good.
Hey, okay.
Bit of science now. So credit cards are powerful tools, right?
People are setting up new online accounts, registering their credit card details with them willy-nilly because guess what?
They can't go to the bank and they can't go to the stores to buy the things that they require.
People are setting up new online accounts, registering their credit card details with them willy-nilly because guess what?
They can't go to the bank and they can't go to the stores to buy the things that they require.
And people, even if you could pay in cash, people don't really want to receive cash at the moment, do they? Because it's—
Dirty. Dirty.
Dirty, dirty money.
Filthy lucre.
Now, I don't tend to use credit cards either, but I'm kind of glad that I've got one that's all paid up and ready if a bigger emergency hits me directly.
But others who are in the eye of the storm, you know, maybe jobless, or, you know, they're out protesting unbelievable injustices, or they're, you know, and they're staving off the bills with credit card payments.
Okay, joke time, right?
But others who are in the eye of the storm, you know, maybe jobless, or, you know, they're out protesting unbelievable injustices, or they're, you know, and they're staving off the bills with credit card payments.
Okay, joke time, right?
Oh yeah, good.
You see? Okay, so why did the dad— this is for you, Graham— why did the dad put the credit card statement on his feet?
I don't know why.
Because it said New Balance on it. It's a shoe company.
Oh, okay.
Such a fucking dad.
Such a dad. Set it dead.
Did you know that, Thom?
I did, but I didn't get the joke though.
Ah, maybe it's my telling. I'm not very good. I'll work on this. I'll work on it.
No, I don't know. I don't know.
Okay, so all this to say there's lots of credit card transactions going on right now.
Online shopping is up, and April saw a 200% jump in new mobile banking registrations, and mobile banking traffic rose 85%.
And we're not surprised by that because people are locked at home.
So since the corona shutdown, the US economy, Fidelity National Information Services, they're a fraud monitoring services for banks, have seen a huge jump in credit card scams.
Online shopping is up, and April saw a 200% jump in new mobile banking registrations, and mobile banking traffic rose 85%.
And we're not surprised by that because people are locked at home.
So since the corona shutdown, the US economy, Fidelity National Information Services, they're a fraud monitoring services for banks, have seen a huge jump in credit card scams.
Oh, really?
And these have become so pervasive that some executives at a community bank thought they'd been hacked before learning that it was just cardholders were falling victim to these scams.
That's how bad the numbers are.
That's how bad the numbers are.
Oh, so they saw so many weird transactions happening that they thought there must be someone inside the infrastructure. Oh, crumbs.
But actually it was just the customers.
It was just the customers falling for stuff.
Oh my God. Yeah.
And in the UK, things aren't better. Victims of scams related to coronavirus outbreak nearly lost a million quid in February. And most of this was focused on the COVID-19 crisis.
So phishing, phone, SMS scams, the whole nine yards.
And one pundit said, while your day job may have gone up in smoke or become way more difficult, the hackers' day jobs just got a whole lot easier.
So phishing, phone, SMS scams, the whole nine yards.
And one pundit said, while your day job may have gone up in smoke or become way more difficult, the hackers' day jobs just got a whole lot easier.
Yeah.
For a number of reasons. One, we're all stuck at home online all the time. And two, we are looking for information.
Could you give us another joke? Would that be all right?
Yeah, I've already got one lined up.
Okay, right, good.
Plenty more where they came from.
Yeah.
Because the last one about New Balance didn't really work for me. So—
You're such a dad. I'm really good at managing my credit card. My bank keeps sending me letters saying my account is outstanding.
Yeah.
Right. So, types of scams we're seeing. One is a service scam. So a typical one is they're talking about Netflix.
So you might get an SMS or an email that says, hey, free Netflix for a month or 3 months or 6 months.
Now, the reason this is hard for people to spot is because Netflix and other service video companies are offering incentives to get more users.
So you might get an SMS or an email that says, hey, free Netflix for a month or 3 months or 6 months.
Now, the reason this is hard for people to spot is because Netflix and other service video companies are offering incentives to get more users.
Yeah.
So it's our job to be able to tell the difference between a real one and a bogus one.
Right.
Now, the other one is government info or stimulus checks. So when the States.
Oh yeah, there's loads of people that have filed for legitimate stimulus checks coming in from the government.
So what if you get a phone call or an email, someone purporting to be a bank or government official, right, saying we need to get some more information to make sure you get your check, or we just want to double-check your postal address, we get the check in the mail for you.
Ironically, I saw on Twitter that people are mistaking their stimulus checks for junk mail or a scam because I don't know if you've seen what it looks like.
And it also has Donald—
Oh yeah, there's loads of people that have filed for legitimate stimulus checks coming in from the government.
So what if you get a phone call or an email, someone purporting to be a bank or government official, right, saying we need to get some more information to make sure you get your check, or we just want to double-check your postal address, we get the check in the mail for you.
Ironically, I saw on Twitter that people are mistaking their stimulus checks for junk mail or a scam because I don't know if you've seen what it looks like.
And it also has Donald—
It's been signed by a scam artist.
Exactly. I don't know if you've seen the signature, but he doesn't look someone I'd rely on.
Oh, so because the check comes with Donald Trump's signature, people think this must be a hoax. Oh my goodness. I wonder if Stormy Daniels has got a check from Donald Trump.
Many checks, I think.
Okay, then of course, we don't even have to go into it, but all the COVID stuff, and we know why that's happening.
Well, you were talking about that last week, weren't you, about the track and trace websites and, you know.
There's also the banking credit card stuff. This makes it hard again because banks are offering services.
I am getting legitimate text messages from my bank saying, "Hey, we're gonna freeze your interest that you owe us during this period."
I am getting legitimate text messages from my bank saying, "Hey, we're gonna freeze your interest that you owe us during this period."
"Get a $500 stimulus check from your bank, just tap here." But here's the thing, you say, "Is that legitimate?" Well, go to their website and find out. Do you know what I mean?
You know, don't click here, please.
You know, don't click here, please.
I guess that's the problem though, isn't it?
If the communication includes a link, many people will use the link in the communication or told to them down the phone rather than finding out what the real link is.
If the communication includes a link, many people will use the link in the communication or told to them down the phone rather than finding out what the real link is.
There's also—
Of course, of course.
But yeah, and that's so important, that advice. So maybe you should say that again, Graham, just to make sure everyone hears it. Super important.
So, so you got— you have to be careful. Don't click on the link which is given to you in the communication, in the email or in the text message or told to you down the phone.
Instead, work out what the real link is and go to it directly on your computer.
Instead, work out what the real link is and go to it directly on your computer.
Exactly.
One guy on Twitter was saying that he keeps getting calls, and the way they start the call off is, 'Credit card services, how are you doing?' And then they offer to lower your credit card interest.
One guy on Twitter was saying that he keeps getting calls, and the way they start the call off is, 'Credit card services, how are you doing?' And then they offer to lower your credit card interest.
Is it Joey from Friends? How are you doing?
Also, be careful of insurance scams.
So of course, many of us had plans for the summer, like perhaps we are renting a vacation home or going on a flight or doing something with the family, and some of us have had trouble getting money back from those things.
Emails saying, "Here's your Airbnb cancellation. We just need your banking details to refund your card," could also work pretty well. Okay, it's getting bleak.
You need a joke, don't you?
So of course, many of us had plans for the summer, like perhaps we are renting a vacation home or going on a flight or doing something with the family, and some of us have had trouble getting money back from those things.
Emails saying, "Here's your Airbnb cancellation. We just need your banking details to refund your card," could also work pretty well. Okay, it's getting bleak.
You need a joke, don't you?
I think we do.
Graham, I don't know if you're going to get this one.
I've done so well so far.
Let's see how you do. Let's see how you do. A tangent applied for a credit card but was denied. He couldn't find anyone willing to co-sign.
Oh yeah, okay. That is quite an intellectual joke.
A little trig for you there, Graham.
I like that one.
Okay, I understand that.
Okay, so advice time.
Now before I get into advice, the reason I wanted to bring this up today is because you guys are both smart and you will have better advice than the advice that is given on the official FBI credit card fraud site.
Now before I get into advice, the reason I wanted to bring this up today is because you guys are both smart and you will have better advice than the advice that is given on the official FBI credit card fraud site.
Oh, okay.
Oh dear.
Right? So there's things like, before using the site, check out the security and encryption software it uses.
Oh, so see if it has a padlock on the website.
Don't judge a person or company by their website. Flashy websites can be set up quickly. And then they say somewhere else, make sure you buy from a reputable source.
The Host Unknown podcast website looks pretty flashy, I have to say, but I wouldn't necessarily— I'm not sure it's entirely reputable.
Oh, it's certainly not reputable, but it is genuine.
So, okay, so I'm not saying any of the information here is wrong. I think it's all very difficult to follow.
It's a wall of text. You can't give this volume of advice and expect people to follow it. It's gotta be a far simpler message that people can emotionally attach to.
You know, I want to hear Carole Theriault's tips. Let's hear them.
I think the best one is sign up for alerts.
So every time your bank number or credit card is used for a purchase, you get a secondary notification that tells you, hey, your card has just been used.
So every time your bank number or credit card is used for a purchase, you get a secondary notification that tells you, hey, your card has just been used.
Great idea.
Yeah.
Right? And that way, at least, it doesn't mean it stops it from happening in the first place, but means you are on to it super quickly.
Smashing Security.
Yep.
Limit the number of websites you save your credit card information, right? You don't have to save everything.
I know it makes everything a little bit faster, but actually it's much safer not to save it with a bunch of different companies out there.
And you can also use things like either PayPal or Apple Pay or Google Pay.
These might be a smarter way to be able to manage your money because then you have a kind of an account you can manage.
I know it makes everything a little bit faster, but actually it's much safer not to save it with a bunch of different companies out there.
And you can also use things like either PayPal or Apple Pay or Google Pay.
These might be a smarter way to be able to manage your money because then you have a kind of an account you can manage.
Also use LastPass to store a credit card and have it automatically fill in the site.
Very good point. Yes, you can.
So I like this, I like this idea of using Apple Pay or PayPal or Google Pay and things like that, particularly on sites which you aren't familiar with, you know, for an additional level of protection.
That's a great idea. I've also heard some people use, are they called virtual credit cards? What's the name of these things? Do you know about these, Thom?
That's a great idea. I've also heard some people use, are they called virtual credit cards? What's the name of these things? Do you know about these, Thom?
I do. Yeah.
So you get either a virtual credit card, which is you've got your regular card, but then your app will generate a virtual card, so you don't actually get a physical card, and you can use that for all your purchases, say, at Amazon or John Lewis or wherever.
And if something happens to that card, you can just delete that card. You don't have to apply for a new card because you've obviously still got your credit card.
But you can also get disposable cards as well, which are good for one shot. So you create a card, use that number for your purchase, and then that card is immediately destroyed.
So you get either a virtual credit card, which is you've got your regular card, but then your app will generate a virtual card, so you don't actually get a physical card, and you can use that for all your purchases, say, at Amazon or John Lewis or wherever.
And if something happens to that card, you can just delete that card. You don't have to apply for a new card because you've obviously still got your credit card.
But you can also get disposable cards as well, which are good for one shot. So you create a card, use that number for your purchase, and then that card is immediately destroyed.
You know where I've heard those are excellent to use? If you're signing up for like a 1-month trial or membership of something and you know they're not going to let you out easily.
And this way, you follow the rules and at the end it just goes poof and they can't hold you for money.
I don't know if this will work or not, but this one guy called Deldy on Twitter said he's been getting way more scam calls recently, so he's been opening with the line, "Hi, I was actually wondering if I can share my Social Security number and credit card info before we move any further." And apparently they instantly hang up.
So anyone who's inundated with calls, try that one.
And this way, you follow the rules and at the end it just goes poof and they can't hold you for money.
I don't know if this will work or not, but this one guy called Deldy on Twitter said he's been getting way more scam calls recently, so he's been opening with the line, "Hi, I was actually wondering if I can share my Social Security number and credit card info before we move any further." And apparently they instantly hang up.
So anyone who's inundated with calls, try that one.
The folks at MetaCompliance are fabulous, not only because they're sponsoring our podcast this week, but also because they're offering listeners a free Cybersecurity Awareness for Dummies book.
In the guide, you will learn what cybersecurity awareness means for your organization, how to implement a cyber risk awareness campaign, the critical role of policies to establish safe baselines, how to maintain momentum and staff engagement, 10 cybersecurity awareness best practices, and oodles, oodles more.
Grab a free copy of the Cybersecurity Awareness for Dummies book from MetaCompliance now. More at smashingsecurity.com/cyberaware.
In the guide, you will learn what cybersecurity awareness means for your organization, how to implement a cyber risk awareness campaign, the critical role of policies to establish safe baselines, how to maintain momentum and staff engagement, 10 cybersecurity awareness best practices, and oodles, oodles more.
Grab a free copy of the Cybersecurity Awareness for Dummies book from MetaCompliance now. More at smashingsecurity.com/cyberaware.
Are you having trouble remembering your plethora of passwords? Maybe it's time you look to get a password manager.
LastPass by LogMeIn is a password manager both for consumers and the enterprise.
In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multifactor authentication.
Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free, so check it out, lastpass.com/smashing. Back to the show.
LastPass by LogMeIn is a password manager both for consumers and the enterprise.
In a company, you get extras like central admin oversight, controlled shared access, automated user management, and everything is protected with multifactor authentication.
Learn more at lastpass.com/smashing. Oh, and if you're a home user, LastPass is available for free, so check it out, lastpass.com/smashing. Back to the show.
And welcome back. Can you join us on our favorite part of the show? The part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. Doesn't have to be security related necessarily.
Ooh, you said that weird. Better not be, Mr. Cleverley.
Yeah, well, it isn't security-related. It is shoelace-related, because—
Oh, you've done this before.
No, I haven't. Have I?
Okay, go ahead.
Have I? I think you might have. After 182 episodes, he can't remember.
Crack on, crack on.
Now I'm frightened. A chap called Iain Fegan runs a website called Iain's Shoelace site.
He is the inventor of the Iain Knot, which he claims is the world's fastest way of tying your shoelaces. He also has an app for Android and iOS.
If you want to learn over 60 different ways of lacing your shoes, then his app is the one that you want.
Now, this is an extraordinary website all about shoelaces and how to tie your shoes, which is incredible.
What I find particularly astonishing is that Iain admits he doesn't actually give a shit about shoelaces, but he wanted to be the best at something and produce some corner of the internet, which has been there.
And that's what he's done. He's built this. His website gets over 9,000 visits per day, which is quite a lot when you consider it's all about shoelaces.
He is the inventor of the Iain Knot, which he claims is the world's fastest way of tying your shoelaces. He also has an app for Android and iOS.
If you want to learn over 60 different ways of lacing your shoes, then his app is the one that you want.
Now, this is an extraordinary website all about shoelaces and how to tie your shoes, which is incredible.
What I find particularly astonishing is that Iain admits he doesn't actually give a shit about shoelaces, but he wanted to be the best at something and produce some corner of the internet, which has been there.
And that's what he's done. He's built this. His website gets over 9,000 visits per day, which is quite a lot when you consider it's all about shoelaces.
Well, shoes are big business, Clue, a billion-dollar industry.
That company New Balance is really big.
Anyway, I will put in the link in the show notes.
I think he has been your Pick of the Week in the previous week.
I would call on to our more avid listeners to see if they remember which episode that came out of, because I don't remember.
I would call on to our more avid listeners to see if they remember which episode that came out of, because I don't remember.
Are you kidding?
But you guys might.
Are you serious? You think I've done this before?
Yep, I think you have a little pick of the week document with a bunch of links, and maybe perhaps you haven't been doing very good hygiene.
No, no, I clear out my old entries.
This is what happens when we get to episode 125.
Well, look, I'm sure our listeners will give me feedback.
It's worth it. It's worth it.
It certainly is worth going to. I'm a bit worried now.
Don't be worried. It's fine. You're old. You're forgetful. Everyone's understandable.
Okay, Thom, what's your pick of the week?
So it was going to be an app called Magnet, which is totally non-security related because I know how much Carole Theriault desires non-security pick of the week. Just a touch.
Just a little bit.
Just a little bit.
Yeah.
It's the one thing that stands out every week that I listen. But yeah, this app for Magnet for the Mac, very, very simple app. It just sits in your taskbar.
And what it does is it allows you to very quickly and easily resize your windows.
Now, you might think that's not very useful, but you can drag a window to the top left-hand corner and it will automatically size it to a quarter of the size of the window.
You can drag it to the left and it will be half of the window. You can drag it to the very top, it'll be the whole page.
And there's also lots of keyboard shortcuts that allow you to pick it for an eighth or for a third or different locations, etc.
And in this age of very high-resolution monitors and all that sort of thing, and I've got, you know, two 5K monitors in front of me now, I can actually end up with 8 different windows of apps open at any one time, all nicely positioned.
So some are vertical, so, you know, Twitter and Signal, etc. Some are vertical quarters because they scroll up and down. Others are, you know, regular quarters.
So yeah, I was going to choose that as my pick of the week, but instead I thought I would, in a last-minute fit of ego, I thought I'd mention the Host Unknown podcast, which I think everybody really should be listening to.
And what it does is it allows you to very quickly and easily resize your windows.
Now, you might think that's not very useful, but you can drag a window to the top left-hand corner and it will automatically size it to a quarter of the size of the window.
You can drag it to the left and it will be half of the window. You can drag it to the very top, it'll be the whole page.
And there's also lots of keyboard shortcuts that allow you to pick it for an eighth or for a third or different locations, etc.
And in this age of very high-resolution monitors and all that sort of thing, and I've got, you know, two 5K monitors in front of me now, I can actually end up with 8 different windows of apps open at any one time, all nicely positioned.
So some are vertical, so, you know, Twitter and Signal, etc. Some are vertical quarters because they scroll up and down. Others are, you know, regular quarters.
So yeah, I was going to choose that as my pick of the week, but instead I thought I would, in a last-minute fit of ego, I thought I'd mention the Host Unknown podcast, which I think everybody really should be listening to.
For goodness' sake, I use— I actually use Magnet. I have to say, I have to endorse this product as well. It's a great little product.
Okay, where's their privacy agreement?
Do you know what their privacy agreement says? We do not collect any information at all, period.
Okay, I was looking for it and I couldn't find it on their webpage, and I was typing in /agreement, /terms, /privacy, and nothing came up. And then I see a 3FA key.
We can't capture nothing. And that in itself is a good lesson in infosec. If you don't need it, don't capture it. You don't have to worry about it.
Thom, you have done your homework.
I have, I have, especially on the Host Unknown podcast, which I think everybody should listen to.
Graham, hand over to me, please.
Bro, bro, talk, talk. What have you got?
My pick of the week this week is a TV series from BBC Two, or at least that's where we saw it. It's Alex Garland's. He's the guy who made Ex Machina?
Oh, yes.
Did you guys see that? This is his first time dipping his toes into the small screen waters, and it's called Devs. And I say, Alex, baby, dive in. He rocked it. Okay?
So, there's— the central character is Lily. She's played by Sonoya Mizuno. She's played in other of Garland's films and works. Basically, she works at a kind of Google-like complex.
Her boyfriend works there too. He goes missing. Oh my God, yes! Did you watch it?
So, there's— the central character is Lily. She's played by Sonoya Mizuno. She's played in other of Garland's films and works. Basically, she works at a kind of Google-like complex.
Her boyfriend works there too. He goes missing. Oh my God, yes! Did you watch it?
I've seen the first episode.
Yes, it's got your man from Parks and Recreation, Nick Offerman's in it.
Yeah.
Yeah, he plays the main kind of Elon Musk god of the whole Devs Lab. But it's kind of technically, you know, it's sci-fi, but there's some technically sound stuff going on.
A bit like Mr. Robot, you know, was obviously in our universe.
And what do they do in this DEVS thing? Because it's actually a physically separate lab, and it's a big deal getting into it. And it's kind of crazy. They kind of tease the audience.
They tease you, drip feeding you a little bit of information of what's going on in there.
Plus, they have the coolest statue ever in the kind of campus, which I just think we should litter the entire planet with them as a reminder of what kind of future we want to build.
So, I say watch it. I watched the entire thing in two nights. Loved it, loved it, loved it. Geeky, dark, beautiful, smart. Well acted.
They tease you, drip feeding you a little bit of information of what's going on in there.
Plus, they have the coolest statue ever in the kind of campus, which I just think we should litter the entire planet with them as a reminder of what kind of future we want to build.
So, I say watch it. I watched the entire thing in two nights. Loved it, loved it, loved it. Geeky, dark, beautiful, smart. Well acted.
How many episodes are there, Carole?
I have no idea. I gobbled them up. I don't know, 6 maybe? 6?
Carole still thinks it's Saturday.
Isn't it?
Yeah, I saw the first episode of that. I was really impressed. But then I had to finish something else before I started, you know, back on track.
It's worth it. It's worth it. Graham, you'll love it. So will Mrs. Cluley.
Okay. All right. Well, fantastic. Well, on that note, I think it's just about time to wrap it up. Thom, I'm sure lots of our listeners would love to follow you online.
What's the best way for folks to do that?
What's the best way for folks to do that?
So I'm on Twitter @ThomLangford. That's Thom with an H because Twitter made me have an H. Thom. And also my website ThomLangford.com and HostUnknown.tv and podcast.HostUnknown.tv.
Very cool. And you can follow us on Twitter @SmashingSecurity. No G, Twitter allows to have a G. And also join us on our Smashing Security subreddit as well.
And don't forget, if you want to make sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
And why not leave us a nice review as well? I always love reading those.
And don't forget, if you want to make sure never to miss another episode, subscribe in your favorite podcast app such as Apple Podcasts, Spotify, or Pocket Casts.
And why not leave us a nice review as well? I always love reading those.
Huge thank you for listening and supporting us. It means everything. Also, thank you to our sponsors MetaCompliance and LastPass. Their support helps us give you this show for free.
And don't forget, stay tuned after the show for our special interview with Robert O'Brien of MetaCompliance with the smooth voice.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
And don't forget, stay tuned after the show for our special interview with Robert O'Brien of MetaCompliance with the smooth voice.
Check out smashingsecurity.com for past episodes, sponsorship details, and information on how to get in touch with us.
Until next time, cheerio. Bye-bye.
Later, skaters.
Bye-bye.
So, Rob— Robbie's got a smooth voice.
Robbie. No, he's just got that kind of Irish lisp. You know what I should have asked him to say? I should have asked him to say palimpsest. Palimpsest.
Because that's how you test— I don't know if people know that, but that's how you test an accent to see if it does anything to your knees or not.
Get the person to say palimpsest, and if your knees kind of go a little bit weak, you are a sucker for that accent.
So we have a very special guest, a new guest, someone who hasn't been on the show before. I'd everyone to meet Robert O'Brien from MetaCompliance.
Robbie, thank you so much for coming on. ROBERT O'BRIEN. My pleasure, Carole.
Because that's how you test— I don't know if people know that, but that's how you test an accent to see if it does anything to your knees or not.
Get the person to say palimpsest, and if your knees kind of go a little bit weak, you are a sucker for that accent.
So we have a very special guest, a new guest, someone who hasn't been on the show before. I'd everyone to meet Robert O'Brien from MetaCompliance.
Robbie, thank you so much for coming on. ROBERT O'BRIEN. My pleasure, Carole.
So maybe you should start by explaining who you are, what you do. ROBERT O'BRIEN.
I think, Carole, I've been a John the Baptist, a voice crying in the wilderness for, oh, I think about 15, 16 years.
Was really focused on the people aspect of security and data protection. And it's clearly the hardest piece of the jigsaw. People are difficult.
But unfortunately, I've become fascinated with that. And I've worked with a lot of companies who have tried to increase the vigilance of their teams.
And really, about 8 years ago, as phishing became prevalent and ransomware, this became a clear and present danger.
But I found that there wasn't any guides to how do you go about dealing with the people aspect of it. Where do you start?
And it was a surprise to me that when we engaged with organizations, one of the first questions is, well, what do you do? How do you start?
They hadn't really taken cybersecurity awareness or the culture change around security as a business as usual issue before.
And that really led me to go and write the Cybersecurity Awareness for Dummies book.
I think, Carole, I've been a John the Baptist, a voice crying in the wilderness for, oh, I think about 15, 16 years.
Was really focused on the people aspect of security and data protection. And it's clearly the hardest piece of the jigsaw. People are difficult.
But unfortunately, I've become fascinated with that. And I've worked with a lot of companies who have tried to increase the vigilance of their teams.
And really, about 8 years ago, as phishing became prevalent and ransomware, this became a clear and present danger.
But I found that there wasn't any guides to how do you go about dealing with the people aspect of it. Where do you start?
And it was a surprise to me that when we engaged with organizations, one of the first questions is, well, what do you do? How do you start?
They hadn't really taken cybersecurity awareness or the culture change around security as a business as usual issue before.
And that really led me to go and write the Cybersecurity Awareness for Dummies book.
That is why we're here today. You have helped write, or did you write the entirety of it? ROBERT O'BRIEN. I wrote the entirety of it.
And a colleague thankfully edited out the more crazy things that I was trying to put into the book.
And a colleague thankfully edited out the more crazy things that I was trying to put into the book.
So this is the author of the Cybersecurity for Dummies book that has launched from MetaCompliance.
And it's totally focused on how a company can help get employees on board to be safer and help protect the company and themselves. Is that fair? ROBERT O'BRIEN. That's fair.
And I think we have condensed all the learnings and low-hanging fruit and approaches that we've seen organizations use to move this along and really brought it into an easy-to-use playbook.
And it's totally focused on how a company can help get employees on board to be safer and help protect the company and themselves. Is that fair? ROBERT O'BRIEN. That's fair.
And I think we have condensed all the learnings and low-hanging fruit and approaches that we've seen organizations use to move this along and really brought it into an easy-to-use playbook.
Now, it is not a tiny playbook. It's 50 pages. And is this free for anyone to download? ROBERT O'BRIEN. It's available from the MetaCompliance website.
And if you reach out to us, we can also send you a physical copy, which interestingly is an excellent way to get those Luddites within your organization to move forward where they have a physical book in front of them and they'll actually read that more than go and read a PDF.
And if you reach out to us, we can also send you a physical copy, which interestingly is an excellent way to get those Luddites within your organization to move forward where they have a physical book in front of them and they'll actually read that more than go and read a PDF.
Obviously, we're going to encourage everyone to go download it because I've taken a look at it. I think it's an impressive amount of work that went into that.
There's some really, really good information. Maybe we can start with the idea of what motivates a hacker. ROBERT O'BRIEN.
I think that there are as many different types of hackers as there are people.
And I think that every time the human race has come up with a brand new way of commerce, there has always been piracy.
When the Americas were opened and we were transferring goods between the Old World and the New World, you had this blossoming of piracy, Pirates of the Caribbean type thing.
And hacking is no different than that. It's really a way of people gaining advantage, mainly for money. In my experience, that is the great motivator.
There are certainly other issues, political, national players. And so you find that it's a very, very complex issue.
Then we have businesses who are going about their mission involved in what they've been doing typically for a very long time.
And we have this brand new backdrop, and they find themselves really at a disadvantage. And the hacker spends months possibly thinking about the organization.
The organization wouldn't necessarily be thinking months on awareness or security.
The demands of the day, the crises of the day typically distracts them from approaching this problem in a more systemized fashion.
There's some really, really good information. Maybe we can start with the idea of what motivates a hacker. ROBERT O'BRIEN.
I think that there are as many different types of hackers as there are people.
And I think that every time the human race has come up with a brand new way of commerce, there has always been piracy.
When the Americas were opened and we were transferring goods between the Old World and the New World, you had this blossoming of piracy, Pirates of the Caribbean type thing.
And hacking is no different than that. It's really a way of people gaining advantage, mainly for money. In my experience, that is the great motivator.
There are certainly other issues, political, national players. And so you find that it's a very, very complex issue.
Then we have businesses who are going about their mission involved in what they've been doing typically for a very long time.
And we have this brand new backdrop, and they find themselves really at a disadvantage. And the hacker spends months possibly thinking about the organization.
The organization wouldn't necessarily be thinking months on awareness or security.
The demands of the day, the crises of the day typically distracts them from approaching this problem in a more systemized fashion.
Oh, I know it's true, isn't it?
I remember when I used to work in the corporate land, even working in cybersecurity, in a cybersecurity company, you could still see plans always fall off for immediate reactionary job that everyone had to be all hands on deck.
So do you find that people have good intentions with awareness, but sometimes just don't do their homework or don't actually follow through? ROBERT O'BRIEN.
Cybersecurity culture change is a change management project. And I don't think there's any organization out there that hasn't seen change management projects really crash and burn.
I think everyone's history is littered with the failures of those things. And the problem is that you really require two things.
Number one, you require the leadership team to be 100% behind it and give it the resources that it needs.
And the second thing is that the organization is braced for the long term because change takes time.
And in my opinion, to move the needle substantively for cybersecurity takes at least 18 months. Possibly 2 years, because you have some real hardened attitudes to change.
And the minute that people see a wavering of the commitment from senior management, the whole thing falls apart like a game of cards.
I remember when I used to work in the corporate land, even working in cybersecurity, in a cybersecurity company, you could still see plans always fall off for immediate reactionary job that everyone had to be all hands on deck.
So do you find that people have good intentions with awareness, but sometimes just don't do their homework or don't actually follow through? ROBERT O'BRIEN.
Cybersecurity culture change is a change management project. And I don't think there's any organization out there that hasn't seen change management projects really crash and burn.
I think everyone's history is littered with the failures of those things. And the problem is that you really require two things.
Number one, you require the leadership team to be 100% behind it and give it the resources that it needs.
And the second thing is that the organization is braced for the long term because change takes time.
And in my opinion, to move the needle substantively for cybersecurity takes at least 18 months. Possibly 2 years, because you have some real hardened attitudes to change.
And the minute that people see a wavering of the commitment from senior management, the whole thing falls apart like a game of cards.
I love that you say both those things. I love that you say that it takes 18 months because that's kind of my experience too.
And I find a lot of companies kind of say, oh, you can do this overnight. It's not an overnight job trying to change a culture within an organization.
And two, you're absolutely right. If you don't have absolute buy-in from the senior management team and if they are kind of cutting corners, that's not a good thing, right?
ROBERT O'BRIEN. It's not a good thing. And I also think that unfortunately, so up until now, cybersecurity doesn't make you profit. It doesn't get you revenues.
And therefore, it was seen as an IT thing. Now, interestingly, that's changing massively.
And I've seen it change really from the introduction of GDPR, where within the supplier contracts that every company uses as an engagement mechanism, you now have a couple of things that have come to the fore.
Number one, you have cybersecurity insurance. Ten years ago, that was unheard of. But now, what is the level of liability that is covered by your cybersecurity insurance?
The second thing is, where does the liability sit for GDPR? Who is responsible for a data protection failure and who takes the liability?
And the third thing then is you get a risk assessment from your potential customer and you have to fill in that risk assessment.
Now, before GDPR, that was largely a box-ticking exercise.
But now the risk assessment will be called upon to defend the decision to go with that vendor, that vendor selection as part of an overall privacy lifecycle.
And also the lawyers are heavily focused on it.
So really having high levels of cyber hygiene, high levels of being able to demonstrate your cyber credentials now becomes a competitive advantage.
Having ISO 27001 now becomes a competitive advantage.
And I think going forward, that is going to become more and more a feature of how people look at cybersecurity, the people that they deal with, but more importantly, I think will justify the spend that's needed in these type of projects.
And I find a lot of companies kind of say, oh, you can do this overnight. It's not an overnight job trying to change a culture within an organization.
And two, you're absolutely right. If you don't have absolute buy-in from the senior management team and if they are kind of cutting corners, that's not a good thing, right?
ROBERT O'BRIEN. It's not a good thing. And I also think that unfortunately, so up until now, cybersecurity doesn't make you profit. It doesn't get you revenues.
And therefore, it was seen as an IT thing. Now, interestingly, that's changing massively.
And I've seen it change really from the introduction of GDPR, where within the supplier contracts that every company uses as an engagement mechanism, you now have a couple of things that have come to the fore.
Number one, you have cybersecurity insurance. Ten years ago, that was unheard of. But now, what is the level of liability that is covered by your cybersecurity insurance?
The second thing is, where does the liability sit for GDPR? Who is responsible for a data protection failure and who takes the liability?
And the third thing then is you get a risk assessment from your potential customer and you have to fill in that risk assessment.
Now, before GDPR, that was largely a box-ticking exercise.
But now the risk assessment will be called upon to defend the decision to go with that vendor, that vendor selection as part of an overall privacy lifecycle.
And also the lawyers are heavily focused on it.
So really having high levels of cyber hygiene, high levels of being able to demonstrate your cyber credentials now becomes a competitive advantage.
Having ISO 27001 now becomes a competitive advantage.
And I think going forward, that is going to become more and more a feature of how people look at cybersecurity, the people that they deal with, but more importantly, I think will justify the spend that's needed in these type of projects.
I think that's one of the big problems is resources, especially now with COVID-19 happening.
Lots of IT teams have been culled or have had to deal with resource issues on that front, plus they're having to manage a whole new workforce working from home, and they want to keep it safe.
So obviously, you wrote this before all this happened, but did you touch upon remote working? And do you have any views on that? ROBERT O'BRIEN.
In the industry, we have seen the incidence of phishing and cyber activity just go through the roof.
And the reason for that is that people involved in cybercriminal activity love change.
They love different things happening to us as human beings so they can exploit the moves between working in an office, working from home, people not being within their social circle and things like that.
The issue is vigilance. The issue is then having messaging or having a subject on a monthly basis that you address to your audience.
So for example, a lot of our clients who take this really seriously immediately switched to secure remote working, immediately began sending out training based on the dangers of working from home, the increased levels of people trying to cajole you to do things that you wouldn't normally do in the office.
And they increased their vigilance. Those companies also continued with their simulated phishing attacks.
And then some people just killed them off altogether, saying, oh, you know, our staff are dealing with working from home, they're having a bad time, and they stopped.
Some people stopped simulated phishing.
And my view there was, well, in actual fact, that's what the hacking community is betting on you doing, betting on your change and the fact that everybody is disarranged.
And so I think the people that did continue with the phishing attacks actually increased the vigilance in this new environment, which is likely to continue in some form or fashion well beyond COVID.
Lots of IT teams have been culled or have had to deal with resource issues on that front, plus they're having to manage a whole new workforce working from home, and they want to keep it safe.
So obviously, you wrote this before all this happened, but did you touch upon remote working? And do you have any views on that? ROBERT O'BRIEN.
In the industry, we have seen the incidence of phishing and cyber activity just go through the roof.
And the reason for that is that people involved in cybercriminal activity love change.
They love different things happening to us as human beings so they can exploit the moves between working in an office, working from home, people not being within their social circle and things like that.
The issue is vigilance. The issue is then having messaging or having a subject on a monthly basis that you address to your audience.
So for example, a lot of our clients who take this really seriously immediately switched to secure remote working, immediately began sending out training based on the dangers of working from home, the increased levels of people trying to cajole you to do things that you wouldn't normally do in the office.
And they increased their vigilance. Those companies also continued with their simulated phishing attacks.
And then some people just killed them off altogether, saying, oh, you know, our staff are dealing with working from home, they're having a bad time, and they stopped.
Some people stopped simulated phishing.
And my view there was, well, in actual fact, that's what the hacking community is betting on you doing, betting on your change and the fact that everybody is disarranged.
And so I think the people that did continue with the phishing attacks actually increased the vigilance in this new environment, which is likely to continue in some form or fashion well beyond COVID.
Say I want to try and put a scenario to you just to drive the point home to everyone how important this is, right?
So let's say I'm an IT guy and I really want to get through to my CEO, right? They're just not taking this seriously.
They've cut my budget, they've cut my resources, and I really need them to see the importance of cybersecurity.
Do you think a better approach is to go in with a bunch of stats to explain how dangerous it is out there?
Or do I want to talk more about how the company can grow and make more money and be safer, more secure? Lower risk. ROBERT O'BRIEN. I mean, I really feel for people in that situation.
So let's say I'm an IT guy and I really want to get through to my CEO, right? They're just not taking this seriously.
They've cut my budget, they've cut my resources, and I really need them to see the importance of cybersecurity.
Do you think a better approach is to go in with a bunch of stats to explain how dangerous it is out there?
Or do I want to talk more about how the company can grow and make more money and be safer, more secure? Lower risk. ROBERT O'BRIEN. I mean, I really feel for people in that situation.
Me too.
Yeah. ROBERT O'BRIEN. There has to be some good come out of this pandemic. And I think there is for cybersecurity because our concept as a society of what's possible has expanded.
Now, if someone had told me before Christmas that my entire organization would be working from home, all these controls would have been put into place, I wouldn't have believed them.
But now I am prepared to believe much more in terms of change. Change and the world that we lived in.
So getting someone to believe that we could have a cyber event that could cripple the organization, I think, is easier to believe. So I think that envelope expanding will help us.
Now, if someone had told me before Christmas that my entire organization would be working from home, all these controls would have been put into place, I wouldn't have believed them.
But now I am prepared to believe much more in terms of change. Change and the world that we lived in.
So getting someone to believe that we could have a cyber event that could cripple the organization, I think, is easier to believe. So I think that envelope expanding will help us.
Totally. And you know what else, actually? This may be an excellent opportunity for IT people to actually approach their CEOs about investment in this area.
Because of the change in environment, there's inherently a little bit more risk there until they can lock down both security and cyber awareness for home workers.
So this might be the time to say, look, the environment's changed. We need to be on top of it to make sure we're safe. I don't know. What do you think about that? ROBERT O'BRIEN.
Look, people have gone home. And we implemented one of the biggest changes in organizational working in centuries.
We did it in weeks where normally that would take months or maybe years for organization to put it into place and you would train everybody and so on and so forth.
But we flicked the switch and we got it done.
The other thing is the digital assets that the organization rely upon now exist within those homes, now exist within those firewalls within those homes and rely on people within and indeed rely on their families, not just the people that work for you, to be aware of the dangers and aware that certain things could happen.
And the only way to do that is to engage with your staff population and give them the information and give them the resources to actually make the change.
Because thinking it'll happen by osmosis is naive. It just won't.
And what has happened whilst there are many benefits from homeworking, from a security perspective, our perimeter has just morphed into something that is unrecognizable now.
Because of the change in environment, there's inherently a little bit more risk there until they can lock down both security and cyber awareness for home workers.
So this might be the time to say, look, the environment's changed. We need to be on top of it to make sure we're safe. I don't know. What do you think about that? ROBERT O'BRIEN.
Look, people have gone home. And we implemented one of the biggest changes in organizational working in centuries.
We did it in weeks where normally that would take months or maybe years for organization to put it into place and you would train everybody and so on and so forth.
But we flicked the switch and we got it done.
The other thing is the digital assets that the organization rely upon now exist within those homes, now exist within those firewalls within those homes and rely on people within and indeed rely on their families, not just the people that work for you, to be aware of the dangers and aware that certain things could happen.
And the only way to do that is to engage with your staff population and give them the information and give them the resources to actually make the change.
Because thinking it'll happen by osmosis is naive. It just won't.
And what has happened whilst there are many benefits from homeworking, from a security perspective, our perimeter has just morphed into something that is unrecognizable now.
You know, the more I'm thinking about this, I think a lot of different people need to read this book.
At first, I was thinking this is really, really good for IT staff to understand what they're facing and how they can get their hands around all the different components.
But maybe, maybe, you know, maybe I was blindsided.
Maybe C-levels need to read this too, just to understand all the different components and the complexities that need to be understood so that they can be more sensitive when they're budgeting and dealing with IT.
ROBERT O'BRIEN. Carole, I mean, you've hit the nail on the head.
I mean, when I was writing this book, I sort of had an image in my mind of a CISO at a board meeting with a number of these books and basically handing them, physically handing them.
So, you know, I have the power of a gift. Here's a gift. And it's a Wiley book that we've all seen, The Dummies Guide.
And even if someone dips in and out of it, you've already made an impact. Because I think if you can get the C-level, the executive team on your side, you can change so much.
Because the problem I find with cybersecurity is that it isn't user-friendly. It involves implementing controls.
And people hate controls and they hate policies and they hate e-learning. So it's not a popular job.
But once you get the C-level involved, you get a tone from the top and people never focus on that. What does our organization stand for?
Do we have zero tolerance on these things or are we laissez-faire? Where do we fit?
And once the people in charge say, this is where we stand, then your initiatives are not diluted by middle management.
Someone who goes, look, don't bother with that e-learning, keep doing your jobs, get around to it whenever.
And suddenly your awareness campaign has just died because you have a manager somewhere who is just not supportive.
But if the CEO is supporting the actual initiative, you typically get people to buy into it.
At first, I was thinking this is really, really good for IT staff to understand what they're facing and how they can get their hands around all the different components.
But maybe, maybe, you know, maybe I was blindsided.
Maybe C-levels need to read this too, just to understand all the different components and the complexities that need to be understood so that they can be more sensitive when they're budgeting and dealing with IT.
ROBERT O'BRIEN. Carole, I mean, you've hit the nail on the head.
I mean, when I was writing this book, I sort of had an image in my mind of a CISO at a board meeting with a number of these books and basically handing them, physically handing them.
So, you know, I have the power of a gift. Here's a gift. And it's a Wiley book that we've all seen, The Dummies Guide.
And even if someone dips in and out of it, you've already made an impact. Because I think if you can get the C-level, the executive team on your side, you can change so much.
Because the problem I find with cybersecurity is that it isn't user-friendly. It involves implementing controls.
And people hate controls and they hate policies and they hate e-learning. So it's not a popular job.
But once you get the C-level involved, you get a tone from the top and people never focus on that. What does our organization stand for?
Do we have zero tolerance on these things or are we laissez-faire? Where do we fit?
And once the people in charge say, this is where we stand, then your initiatives are not diluted by middle management.
Someone who goes, look, don't bother with that e-learning, keep doing your jobs, get around to it whenever.
And suddenly your awareness campaign has just died because you have a manager somewhere who is just not supportive.
But if the CEO is supporting the actual initiative, you typically get people to buy into it.
Well, with this book, you have given a lot of IT people and indeed companies a helping hand. Robert O'Brien from MetaCompliance, thank you so much. ROBERT O'BRIEN.
Thank you very much, Carole.
Thank you very much, Carole.
There we go. What do you think? ROBERT O'BRIEN. I thought it went very well.
Listeners, you can get your free copy of MetaCompliance's Cyber Awareness for Dummies Graham Cluley's book by going to smashingsecurity.com/cyberaware.
That's smashingsecurity.com/cyberaware. See you next week.
That's smashingsecurity.com/cyberaware. See you next week.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
@thomlangford.bsky.social
@
Show notes:
- Security firm leaves more than five billion records exposed on unsecured database — Graham Cluley.
- "Following a legal threat from ███████ ████ I have removed their name from this article on my site…" — Graham Cluley on Twitter.
- Keepnet Labs confirms contractor exposed 'data breach database' of 5 billion records — Verdict.
- Public Statement in Relation to Data Briefly Exposed on an ElasticSearch Database — Keepnet Labs.
- After threatening me with legal action, Keepnet Labs finally issues statement over data breach — Graham Cluley.
- Goodbye Naked Security? — Graham Cluley.
- US Military Could Lose Space Force Trademark to Netflix Series — CBR.
- Space Force review: astonishingly bad show — The Verge.
- The number of credit card scams continues to soar during the pandemic — Verdict.
- Pandemic Brings Huge Increases In Card Fraud And Mobile Banking — Forbes.
- Credit Card Fraud During the Pandemic — Consumer Reports.
- Credit Card Fraud — Advice from the FBI.
- How to Reduce Credit Card Fraud — The New York Times.
- Ian's Shoelace Site – Introduction
- Magnet – Window manager for Mac.
- The Host Unknown Podcast.
- DEVS — BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: MetaCompliance
People are the key to minimizing your Cyber Security risk posture. Create a more security-conscious workforce with MetaCompliance’s Cyber Security Awareness for Dummies book. Download it for free at smashingsecurity.com/cyberaware now.
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.
