
Was hidden treasure found with help from a hack? What security lessons can be learnt from a controversial police raid in Florida? And are you ready for safer online get-togethers this Christmas?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading.
And don’t miss our special featured interview with Mimecast’s Max Linscott.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
All right. Hi everybody, Carole Theriault here from Smashing Security. Something a little different this week. We have had quite the year. So Graham Cluley and I have decided that any monies we receive via Patreon during the month of December 2020 will go directly to our local food bank. We're doing this because there are a lot of people that are hungry and it's getting cold out there and it's Christmas. If you're not a Patreon supporter, which is totally fine, I do urge you to look at your communities to see how you might be able to help bring a little bit more joy this season to those that are having a hard time. And lastly, just a huge thank you for all your support this year. It has meant the world to us. Now let's get this show on the road.
Now Anna, tell me, do you feel some sort of empathy for this woman who's in this situation where she was involved in a project and then suddenly she's no longer involved in the project. Maybe a new team have been brought in to take over. Is that something you can identify with at all? Sticky pickles?
Well, oh, sticky pickles. I actually thought you were talking about something else. Oh.
Episode 208: Hidden Treasure, COVID Tracker Trauma, and Happy Holidays with IoT with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security Episode 208. My name's Graham Cluley.
I'm Carole Theriault.
And Carole, we're joined this week by a special guest.
Oh, a very special guest.
Hello.
Hi, Anna Brading.
Hello, how are you?
Have we spoken since you left Sticky Pickles? I don't know.
Well, there was a smear against my name, Carole. You did spread vicious rumours and I'm not happy about it. You've denied that I'm indeed pregnant.
Well, thank God for COVID. Occasionally it works out.
Yes, thank God for COVID.
You can't beat me up.
Anyway, lovely to be here.
So Anna, you're ex Sticky Pickles, I don't know the details of why you fell out with Carole. Dry Pickle now. No longer doing the show and she's replaced you with someone else. Are you going to be attending the Smashing Security live Christmas party on the 17th of December?
Well, if I'm invited, I'd love to.
The whole world is invited.
The whole world. Oh, well, yes, definitely.
8 PM is a live stream. All you've got to do is go to smashingsecurity.com/live.
Well, I will be there. Yep.
8 o'clock UK time.
3 PM Eastern time.
And 12 noon Pacific Standard Time.
What time is that in Singapore?
It's going to be 9 AM.
I wouldn't bank on— I don't know if that's true.
11 hours, I was thinking. No, I don't think that's true at all. It's not 9 AM. Okay, well, I just wish you did it at work, Graham.
Well, okay, Carole, what's coming up on the show this week?
Well, first, let's thank this week's sponsors, Mimecast, Culture AI, and LastPass. Their support helps us give you this show for free. Now, coming up in today's show, Graham goes on the hunt for some hidden treasure in the Rockies. Anna tells us of a crazy police raid in Florida, and I'll share tips on avoiding cyber hell this holiday. And we have our featured interview with the rather informed Max Linscott of Mimecast. So all this and loads more coming up on this episode of Smashing Security.
Now, chums, chums. Do you love the thrill of the chase? Anna, you're heavily pregnant at the moment, so I imagine your partner loves the thrill of the chase.
I don't know. I mean, you haven't seen me, Graham.
Maybe you're not that hard to chase at the moment.
There's not much chasing to do.
Just to reach out an arm, grabs hold of her.
Carole, the thrill of the chase?
Well, I don't know what— I mean, it can mean a lot of things, and I know that you're putting us into little traps. So I don't know what you mean.
Yes, but— A mobile office?
She speaks to the judge and she says, look, I've got this really important thing to do down in New Mexico. Can you give me a bit of time off? Let's rearrange some of the cases. And you may be wondering, why is she doing this?
Chicago and New Mexico are really rather far apart, Graham.
Well, she has a good reason because she is obsessed with a treasure hunt. Oh! This is a treasure hunt which was started by a chap called Forrest Fenn 10 years ago. Fenn, he was an art dealer, and he wrote his autobiography back in 2010 at the age, the grand old age of 80 years old, thinking that he didn't have much time left. And he thought, well, I better write a book. And he's had worries about his mortality before. Back in 1988, in fact, he was diagnosed with cancer and was told it was likely terminal. And one of the things he did while he was dealing with that news was he went walking around in the Rocky Mountains. Okay. And he thought, well, wouldn't it be fun if I could sort of leave something for other people after I've gone? And his idea was to hide a treasure chest somewhere in the great outdoors. And he thought he had found the perfect spot, the location which was very special to him, where he thought would be his ideal resting space if he was just to lie down. Now, thankfully, he actually recovered from his cancer diagnosis. But when he came to write his autobiography years later, he remembered his idea of a treasure hunt and a treasure chest with clues. And so what he did was he put into his autobiography a poem, a cryptic poem. I don't think—
Are we taking part in this story at all? Or— I'm just going to go for it. Keep going.
You're doing great.
I'm excited what's going to happen next.
I feel we're at bedtime, and we've told this story.
Have you got any questions so far, Carole?
No, no, no. Okay, so we have Forrest Fenn, who's 80. He had cancer, and while he had cancer, he walked around the Rockies in New Mexico and decided to put a treasure box somewhere.
Put a treasure box somewhere.
And thought he found the perfect spot.
Found the perfect spot. Wrote his autobiography. Wrote a poem. I can read out some of the poem to you if you want.
Oh, please do.
As I have gone alone in there, and with my treasures bold, I can keep my secret where, and hint of riches new and old. Begin it where warm waters halt and take it to the canyon down. Not far, but too far to walk. Put it in below the home of Brown. And it carries on for a few more verses.
Yeah, copyright though. Right?
So, okay. So, he has written this poem and it got published in the book. And it was describing where he had hidden a treasure chest containing gold nuggets, gold coins, gemstones, and jewelry. So that's what's in his treasure box.
That's what's in it. Gold nuggets, gold coins, gemstones, jewelry. We have no idea about how much value.
Well, it's estimated about $1 million.
Million bucks?
At the point where he hid it, yeah.
I can see why she's into this treasure hunt.
Yeah. You'd be into it?
You would take a 5-hour flight? Certainly not at the moment, Carole. I can barely get up off the sofa.
Bring me the treasure box.
You know, with COVID I don't want to go over there. It's difficult. But it's really hard. But I can see that she would be interested in the million dollars.
Well, someone who does love the thrill of the chase is a woman called Barbara Anderson. She is a middle-aged— Barb's! —attorney based out of Chicago. But in recent years, she's been spending lots of time with her border collie Cupcake in New Mexico, sleeping in her SUV.
Okay, so she's gone from being an attorney to sleeping in her car by choice.
By choice. I think she still is an attorney. She's still practicing. Yeah, Barbara Anderson was one of many people who became obsessed with solving the riddle and devoted themselves to finding the treasure. Smashing, a bear trap. So people were going into the Rocky Mountains in New Mexico, Colorado, Wyoming, Montana, hoping to find it.
Because they read the book and they're thinking they had enough hints to think where they might find it.
And it wasn't necessarily a safe thing to do. In fact, in the last 10 years since the book got published, at least 5 people have died hunting for the treasure.
Well, more people have died crossing a road, Clue. I don't know.
Yes, but these are people who've gone out there saying, "I'm going to find the treasure," and got on a raft or whatever, and have ended up at the bottom of a lake or whatever. Now, from the research I've done, all the people have died. All the 5? Of the 5, they were all men. And often with wives and families who said that they'd become a bit nuts. It ruined their lives. Some of the wives even said, I'm sure it's a hoax, but, you know, he has to go hunting every weekend, or he goes off for weeks on end looking for this damn thing.
Maybe he just had a girlfriend.
Maybe he was with his girlfriend. Hey, that's an idea, isn't it?
You say that you're going off treasure hunting.
Once I get this baby out, that's what I'm doing.
And you know, one thought which came to my mind is people are dying and things. Who's to say there ever was any treasure hidden? And there was no proof that Forrest Fenn ever actually hid anything in the Rocky Mountains other than he wrote a book. He could be some nutter. And then in June of this year, June 2020, there was an announcement. Forrest Fenn posted on his website that the treasure had been found. And he wouldn't say where, and he wouldn't say who had found it. All he'd say is that some guy who wanted to remain anonymous, some guy back east, he said, had found the treasure. Which raises all kinds of questions. Because was that even true? Was Forrest Fenn saying it'd been found to stop nutters going out into the Rocky Mountains looking for it?
Well, he'd probably be nervous for his life thinking, you know, a million quid's worth of stuff. Maybe someone's going to find Forrest Fenn and go, "Tell me where you put the box or else!" Well, I believe his house had been burgled before.
And yeah, maybe there were— I think there were a lot of obsessive types involved. The other possibility, of course, was maybe Forrest Fenn had told someone where the treasure was in order to bring the hunt to a close. And who cares?
It's his own treasure. Who gives a shit? He can do what he wants.
Well, it matters, Carole. It matters to Carole, to the people who've devoted their lives to the hunt for the treasure, including Babs. The now really pissed off Barbara. Yes, Babs. Really pissed off Babs. Barbara Babs Anderson, attorney of law.
Can you imagine if she represented you and she tried to— Sorry, sorry, I really would love to hear more about your saga, but I must dash. I just had a thought. Thought of where the treasure might be. Bye!
She had been living all this time in a shitty, broken-down Lincoln MKZ, regularly visiting Santa Fe. She decided that the treasure must be in Santa Fe, New Mexico, because she was certain of that because she said there was a clue about mildew contained in a picture Forrest Fenn had posted where he had a hole in his hat, and the hat was in the shape of the state of New Mexico. The hole in the hat was.
So she was driving back and forth is what you're saying, right? In her shitty car? Yes. Okay, I'm just going— I can tell you how long a drive that is between Chicago, Illinois and Santa Fe, New Mexico. It's 19.5 hours driving. Is she single?
So, I just— So Barbara's upset, right? Barbara was certain that she was close to finding the treasure, and she believed it had been stolen under her nose because she says that someone had been taunting her.
Babs is bonkers.
Via text message for a while. Oh. And then she started to claim that her emails had been hacked. And whoever had found the treasure had stolen clues that she had found and information which she was storing in her email.
And there's the tangential security link. All right.
So she's American and she's an attorney, a dangerous combination. So of course, she filed in court against Forrest Fenn and the mystery finder. Why? Why?
A million dollars, Carole. Yeah, but it doesn't belong to anyone.
You know, he writes about it in a book, and did he taunt people to go try and find it?
Well, she says that this is highly unfair, and there's been some kind of fraud taking place, and she wants to know where was the treasure hidden, and who was it who found it? Now, since she filed the case, Forrest Fenn, sadly, about, I think it was about a month or two after the find was made, passed away at the age of 90.
At the age of 90. So he's just, just passed away.
That's right. He passed away in maybe September or something like that.
So RIP, Forrest Fenn. And I'm glad you don't have to see this disgusting behaviour happening here, because you did something cute.
But his descendants, including his grandson— Oh, God. What? They know who the finder was. And they've been compelled by court to reveal his identity publicly. And that's how we now know the person who ended up claiming to find the treasure is a former BuzzFeed journalist and medical student, 32-year-old Jack Stewart. Oh, I bet he's pissed off now. Who wanted to remain anonymous. He claims that his family are now in hiding. He says that he searched for the treasure for two years, analysing every single interview that Forrest Fenn ever gave, for any clues or way that he spoke. And he had been hunting around the Rocky Mountains before finally coming across the treasure. But to the annoyance of all these other hunters, he won't say where the location was or how he solved the riddle. And I think that's what's made everyone go bonkers. 'Cause they just want him to prove that he had some method of finding the treasure, which wasn't dodgy.
I think they should just all calm the fuck down, but treat him as a magician. The guy found it, and who cares how? You lucked out. Bad luck. Deal with it.
Hang on. Well, what if he did hack other people's accounts?
What if? Show me proof. What's the evidence?
Yeah. God, conspiracy theory, Graham. I imagine Barbara Anderson will present her evidence when this eventually comes to court.
I hope that's on TV or something. Court TV.
So Jack Stuart, the guy who found the treasure, he says that he wants to preserve the mystery of the location because he doesn't want to make it a tourist site. He says he's very close to Forrest Fenn, although he only ever met him once. That he formed a relationship with him after he found the treasure. He obviously denies the hacking claims. But if you're really obsessed with something, might you be tempted to break into the account of others?
You're like Fox News. You are. You have no proof of any of this at all. You're just basically tempting— Oh, don't like it.
I'm not saying he did do any of the hacking. I'm just saying he's been accused of it.
Do you think if I had a treasure in my house worth £1,000, you would break into my house to come get it? You think the average person would want to do that?
No, I'm not saying that. But if lots of people independently were searching for treasure—
How many is lots?
What, 50? Oh, come on, Carole. 5 people have died. There must be hundreds and thousands of people who've been searching for this.
If it's $1 million, there's going to be quite a few people that are looking for it. What does that get you though?
These days?
Well, armed guards for the journalists. Probably burn through that in a few days.
Well, good luck to Babs.
Yes, and maybe she wants to install two-factor authentication if she's worried about her accounts being hacked.
Yeah, what's her password? Yeah, who knows?
I think it's a very interesting story, this. And I hope we will get to the bottom of it. But what a fascinating treasure hunt anyway. If anyone else wants to— Well, there's no point anymore if this really has been found, but maybe you can work out the location and reveal that to the world.
I just can't believe you can't admit how pissed off you'd be. If you decide to do this, right? You have cancer, you decide, oh, I'm going to leave some great treasure somewhere for someone. And then everyone who gets wind of it starts scrapping amongst each other because someone won it. It's like, well, how did he win it? What exactly happened? How did he rip me?
He must have robbed me.
That's what happened.
And I'm going to take him to court. It's just—
God, poor— yeah, anyway, Forrest Fenn is probably rolling in his grave, embarrassed for humanity.
Although his actions did lead to the deaths of 5 people.
Exactly. Was what he did—
Oh, he's responsible for that too? Because some idiots went out—
No, because he could have stopped it much earlier.
They went out in their flip-flops and forgot their suntan lotion.
He didn't have to put it there, did he? He could have put it somewhere a little bit safer, in a mall, a supermarket, in a park or something.
Yeah, it's behind the diapers.
Then you'd be in, Anna.
Yeah, I would.
That's true. Anna, what's your story for us this week?
Well, I think we can all agree that the world has gone to shit in 2020. I'm loving it. Oh, are you? Great. Well, we have spent most of it locked inside. What do you guys miss the most?
Hugging people that I like. Oh, I know. I had to add that I like just in case.
I haven't hugged you all year, Carole. I know.
No one would be able to hug you at the moment. How would they get their arms around you?
Pat me on the shoulder.
Anna, please.
So, Graham, do you want to volunteer anything? No, thank you. Chess is online, isn't it?
Yes. You can still do that. I've been fine. I've been absolutely fine, yeah.
Anyway, in the first few months of the pandemic, obviously a lot of us were locked up, and many US states were under shelter-in-place orders, which is— good for saving people's lives from COVID-19, not so good for the economy, as we all know. So over in Florida, data scientist Rebecca Jones was working for the state, and she was heading up a team who created and ran the COVID-19 dashboard for the state. So, you know, we've all been glued to the dashboards. But this one was a particularly good dashboard and had been—
So what do you mean a dashboard?
What does that mean? So it's got all the stuff like cases per day, total cases, deaths, testing information, vaccine—
It's like a webpage? With all the latest data.
Yeah, with lots of stats, right? Like who died, who has it, how many, numbers, numbers, going up, going down. Yes.
And this is for Florida. Now in particular, Florida's one was a good dashboard apparently, and it had been praised by White House officials for its transparency and accessibility. And it was used by researchers. They had plugged in to use the data, and media, and the public. It was a good dashboard anyway. Oh, cool.
And it came out very early, didn't it? Yes, it did. During the whole pandemic stuff, yeah.
Yeah, and I think everybody was kind of thinking, "Her and her team are doing a great job." Mm-hmm. So a bit further into the pandemic. I can't believe it's been going on for 9 months now, certainly here, a bit longer. I can. It feels like it to you.
Oh wait, and you're pregnant. Oh! I'm just doing the math.
Got a bit boring at the beginning, didn't it?
So anyway, when states were told that they could start opening back up, they were told that they could do that as long as they met certain criteria. Mm-hmm. And Florida obviously wanted to reopen. But the numbers that Jones and her team were publishing still looked a little bit shaky. So, and this is according to Jones, leadership at the Florida Department of Health where she worked asked her to sort of massage the numbers.
Like lie, basically.
Well, yeah, I think they wanted her to remove some of the regions where the— Yes. Yeah, remove some of the deaths. Just lower down some of the numbers just so that they could meet some criteria.
Which is a reasonable request, isn't it? Yeah, just— I mean, if the stats aren't helpful, and they clearly weren't helpful, then there's two ways of fixing the situation.
Just shave off a zero. Okay.
We can either do something to prevent there being so many infections and deaths, or we can change the numbers, right? Well, exactly. One is easier to do than the other.
And if you start preventing the deaths, then you have to shut things down again, and that's not good for the economy, right? So yeah, right, okay. Let's sort the numbers out. So Jones, because she'd been praised for the transparency and everything, she wasn't happy about the fact that these things had to change. So first of all, she said no, back and forth. And then she took down some of the numbers from the dashboard. But then obviously that broke all the links that had been published to the dashboard. So she said she was asked to put it back up again. But then the next day, she was told she no longer had a job.
So she took the dashboard down in a bit of a huff?
No, no, no. She removed parts of it because they didn't want to publish all the data. But then that was obviously— any news site that had referenced that, obviously it broke all the links. And then they were like, "Oh, shit." And they had to put it back up.
So, in their eyes, she'd been a bit of a nuisance. Yes. And had caused quite a lot of kerfuffle. And so they thought, "Well, you're going to have to go, Miss Rebecca Jenkins." Well, they brought in a different team to manage it.
She says that she was removed because she refused to comply with their orders fully. But they say it was because she exhibited a repeated course of insubordination during her time with the department.
Now, Anna, tell me, do you feel some sort of empathy for this woman who's in this situation where she was involved in a project and then suddenly she's no longer involved in the project? Maybe a new team have been brought in to take over. Is that something you can identify with at all? Sticky pickles? Well, sticky pickles.
I actually thought you were talking about something else. Oh, cybersecurity? I can't talk about one of them because I've signed stuff. The other one, yes, very much so. I feel I was pushed out because I was pregnant, Graham. I feel Ziggy Pickles pushed me out.
You might want to hire a Chicago attorney to deal with that, maybe. Yeah.
Oh, yes. Well, she sounds feisty. I like her. Yeah. Totally sane as well. Yeah, exactly. So back to my story. Jones now is publishing her own coronavirus dashboard, which she says the numbers are higher, but, and she says they're more accurate.
So she's doing an independent— basically she's done all this work, may as well do it independently. She knows how to do it.
Exactly. So look at that one, not the other one, if you want to know the real numbers, she says. So then fast forward a few months to November. And on the 10th, somebody sent a message on an official emergency communications channel that they shouldn't have done. So it was sent to the State Emergency Response Team members, who are the guys responsible for coordinating public health and medical response in Florida. So, the urgent stuff.
And what were they sent?
It said, "Speak up before another 17,000 people are dead. You know this is wrong. You don't have to be a part of this. Be a hero. Speak out before it's too late."
So this was an emergency alert sent to people who were working—
Yeah, working there. And it went to around 1,750 accounts before they intervened and shut it down. Right. And so, who could have sent it? We don't know. But on the 7th of December, so earlier this week, at 8:30 in the morning, state police raided Rebecca Jones's home. So they took her phone and her computer. Yes. So she took to Twitter, as everybody does, posting video footage which shows police asking her who was at home. She opens the door, they say, who's at home? And then they enter with their guns drawn. And she's already told them that upstairs are where her husband and kids are, and they're pointing them the stairs, so it's pretty scary. "In the house, man, my two children and my husband."
"Where's your husband?"
"Call him down. Call him down."
"You want the children down? Call them all down."
"Mr. Jones, come down the stairs now. Police, come down now. My children."
"Hang on, let me clear my house. He just pointed a gun at my children."
Yes, but in Florida, it's quite possible your husband and kids will be armed with submachine guns or something like that. So it doesn't really make any difference that your kids are upstairs, does it?
Oh my God, yeah, but I guess as a parent, I wouldn't like to think that my son would have a gun in his face. No, no, I guess not.
And you don't even know why, right? You're running your own independent data centre, presumably, and she's just, you know, tick-a-da-da-da-da-da-da. She doesn't know anything about the emergency and, you know.
But even if she was responsible for sending that emergency alert, it does seem a little bit over the top to have guns around the place. "Oh, do you think? You think?"
Oh, wow, okay. Yes, so they're saying they took evidence to prove she was the one who sent the message accessing the system she wasn't allowed to. Obviously she denies any wrongdoing.
So they think she's the one who hacked the system and gave the message. So they went to her house, they stole all their stuff with guns and the whole thing, and okay, gotcha.
Yes, so the message that was sent, so the people that received it, they're known as ESF-8, which are the emergency team, as I said, and they are employees of Florida Department of Health, and some also work for other government agencies. But once these people leave, they are told they're no longer authorised to access the group. Fair enough, understandable, yeah. So it should be relatively easy to track who sent the messages because presumably they all have a user account and they can just have a look.
Oh, so they think it's an inside job? They think it's someone—
Yeah, they think it's an inside job. They think it's someone that was on that group. But they all share the same username and password.
Of course they fucking do.
Well, that's transparency for you, isn't it?
There you are, it's true. It's a very efficient system, yes. Yeah, so, yeah, a little bit harder because who knows? So the special agent who was investigating all of this said he found the IP address of whoever sent the text. He checked the logs and it was traced back to her house. Her house, which is why they searched her house. I mean, we have no idea what the truth is. I'm sure it'll come out. But why do they all share the same username and password? And also, why wasn't it changed when she was fired? Yeah, and she was fired in May. So it's, what is it, December now? That's a long time. It's not gonna take long to change one username and password, is it?
Carole, have you changed the passwords on the Sticky Pickles podcast since there was a change in the staff? Did you?
I haven't tried to log in.
I blocked her on everything. You're dead to me.
Carole, what's your story for us this week?
Okay, so if you listen to us week in, week out, you probably know most of the stuff I'm going to talk about, so you can go make a cup of tea. All right, bye, bye, see ya. There's one thing we all have in common, right? We all have to help out family members or friends and neighbors with computer device drama, internet dramas, the routers, the whole thing. But if you're a first-timer to the show, first, a very warm welcome. And maybe you'll just learn a few tricks on being safer online. So the holidays are coming, right? We've got Christmas, Hanukkah, New Year's Eve coming. And normally we all get together and now we can't. I mean, it's been flipping freezing outside. So the whole idea of meeting in the garden with your parents doesn't feel ideal, does it? Unless you got a fire pit or something the fancy people... Do you have a fire pit, Graham?
I don't have a fire pit. I do have a barbecue.
Oh! Yeah. I don't want to boast or anything, but I've got a barbecue and a fire pit.
Well, I look forward to having a toasty, toasty night.
You're not invited.
Okay, so how are we going to make up for all this isolation, right? I'm thinking we're going to do frequent video calls, online shopping, e-cards, all that malarkey. And the plan is hopefully they'll make us feel less apart, but they are all reliant on technology. So I've pulled together a smattering of tips which should help us sidestep the pesky little online potholes so we can avoid cyber hell.
Sorry, are you seriously saying that an e-card is a good replacement for getting together with the rest of your family?
No, no, no. My question is, what are you gonna do if you can't see your extended family? Are you gonna have a video call?
Yeah, maybe. Yeah, I suppose so. I'm not sure. I, you know, it depends how bored I get. I mean, it depends what's on TV. Yeah, maybe. Yes, why not?
A Zoom quiz.
Oh no, they're quite fun. Yes, exactly.
You know, and you're going to be sitting there cooing at someone's tree decorations or all that kind of stuff. So tips to make sure the experience is a happy one. Okay, number one, make sure your service is end-to-end encrypted. So FaceTime is, WhatsApp is, I think Zoom is now, and there's loads of others that are, but there's loads that are not. And end-to-end encryption is really important because it makes sure that the service provider, Zoom or Apple, whoever it is, can't decrypt the content of your conversations when they're in transit. I want both of you to come up with a good Wi-Fi or video call tip. Okay, second one, obviously check your settings, your passwords, make sure the organizer can control who's allowed in and out. This is obviously to avoid things Zoom bombing. I mean, it's not every grandma that takes kindly to someone wagging their Graham Cluleys in the webcam. So I did that just for you, Anna, just to make you laugh.
Sorry, is that rhyme? Is that rhyming slang? Waving their Graham Cluleys? Are they called Grahams now? The Cluleys?
That's what I refer to them as.
Graham Cluley's out my face, I'm crying. So basically, you need to have control on those things, you know, and keep the link private. You can even have a password. Only those that are in the know get into the party. Yes, of course. And finally, my last one on this one is just assume the call's being recorded. So the story about how you drop the milk in the supermarket and the whole thing explodes, Coke's all over you is fair game, right? But your private stuff like your phone numbers are—I can't believe they guessed my password, it's—they start telling you.
So banking details, things like that, just stick to random stories, not stories that have personally identifiable information in them. And this goes especially for saucy calls and videos that some of you might have, right? Being careful, especially with those Graham Cluleys. Noted.
Can we not make that a thing?
I don't know. It's too late now, Graham.
Too late now.
I was going to say, be careful about what's in your background. So, you know, if you've opened any intimate presents during the festive season—
It's already a thing.
If you have a big dildo behind it on the table.
And you've left it on the table, you don't necessarily want to share that with the in-laws, do you?
Yeah, don't write your password on a flip chart and then, you know, in your background in your house.
Do you have a flip chart in your house?
Yeah, I do, Graham, with all my passwords. She loves lists.
Oh, I've got another one. Don't—okay, this is a great one actually. Don't complain just before or after the call because some of these services have been known to have a longer lag time during termination. So say you've had a difficult conversation with Uncle Bob, don't immediately flip them the bird once the call's over and call them a you-know-what because—
Don't bitch until it's gone.
Yeah. I find this when I'm on a, I don't know what, maybe it's Zoom or whatever it is, you hit the quit button.
I know, Graham.
Oh. And then it kind of says, are you really sure? So you think you've quit and you're kind of going, Jesus, thank God. That's a—oh, you have to hit it again.
Or you have to have that forced smile. Just a full smile kind of for ages while you're waiting for it to quit. So those are pretty good tips, right? They're great tips, Carole.
So the cops actually show up at her house?
Okay, I'm gonna do one more, just one more set, okay, on IoT because no matter how much I say don't buy IoT and keep the crap out of your house, people are gonna buy it because the kids are screaming for it or partners are screaming for it or you just think they're cool or it makes your life easier or whatever. So my advice on this front, but please, throw yours in, would be one, stay away from version 1, you know, the alpha smart IoT. Let the boffins who are tech mad and know what they're doing test it out and report their findings. Do you agree with that, guys?
Yeah, and I'd also suggest, I think some of these smart speakers, for instance, now, they're beginning to introduce technology whereby they'll do more of the processing on the device rather than sending it up to the cloud. So if you don't want someone to be analyzing what you're saying. And you can also have, on some of these devices, a hardware switch where you can actually turn it off and tell it to stop listening, and then you can decide when you want to turn it on again.
Yeah, hard switch is a really cool thing. That's a great one. Don't believe the blurb on the website or on the Amazon or Walmart page. I know, read the terms and conditions. This is the only place that firms have to think twice before they BS you. Okay, that's the issue. That's why you're looking. And all you're looking for is what data they collect from you, where do they store it, and who are they sharing it with. And Ctrl+F, or finding stuff through— you don't have to read every single word in it. You can look for keywords to find out what they say about that stuff. And I think Jack Rhysider is the one who told us about tosdr.org, Terms of Service Didn't Read. So that's a website where it kind of shrinks down the information, tries to put it into clear English if you're finding it a little bit crazy.
That's handy because I can't see people that aren't interested in security but want, you know, an Alexa or whatever in their house. I can't see them reading all the terms and conditions, but that's good. So I was going to ask if there was anything like that. So that sounds quite good. But I'm obsessed with them now, and I keep going to these online services going, oh, this sounds cool. And then I go read their terms.
See, it's funny how you're obsessed with that, but you're not obsessed with a treasure hunt in the Rocky Mountains, which could make your money.
We've all got our own interests, Graham.
And for any smart device you buy, first check if there've been any previous security problems. That's not to say if they have had a security problem, you do not buy it, but what you want to look at is how they handled it. So for example, if it turned out that they left a database open and they closed it publicly, no one had landed on it, they still told everybody about it, I kind of think they get a pass. But if they were found out because some unauthorized party got in and then they tried to hide it, and the company denies it, I think walk away, right? So you want to know who your partner is. These guys are business partners of yours as an individual. That's what you have to see them as. And if you don't want to do business with them, if you don't like the way they work. And lastly, this was one that was said by one of our guests, set up a Google alert for your smart IoT devices. LastPass. Your router, your phones, your tablets, your Roomba, because then if there's this big security problem, you'll get it, you'll get a little info on it, and you'll be able to be pre-informed, which gives you a bit more time to do something about it. Good tip. Good tip. Do you want to add any, guys? Did I cover everything to do with IoT? Graham, you already had some good ones.
I did, thank you.
Anna? Oh yeah, she's pregnant.
So pressure off me. God, how dare I.
Don't pick on me.
You're amazing.
I feel like you've covered it all. I'm sorry.
Well, thanks. No, let's not be sorry. That just means I'm perfect. Oh, you are. Well, you are. So there you go, right? Amazing. A few tips to help you and your loved ones sidestep cyber hell this holiday.
Today's show is sponsored by Mimecast, the number one cloud email security solution for Microsoft 365. Safeguard your organization with Mimecast's end-to-end phishing, impersonation, and brand exploitation protection service. It's a layer of email security defense that picks up where Microsoft security leaves off. Mimecast's innovative service blocks brand attacks before they can launch, stops live cyberattacks in their tracks, and gives you visibility into anyone using your domains without your authorization. Start today by downloading a free copy of the State of Email Security report at smashingsecurity.com/mimecasthub.
Security training sucks. It's boring. Users hate it. They aren't paying attention. Doesn't work. For security training to actually work, you'd have to find out what each person in the company is doing that's risky, send them phishing emails, monitor logs, check for passwords and how they're being pwned, and then you'd have to train them in a way that doesn't send them to sleep, try and track what they're doing to see if it worked.
Who's got time for any of that? Culture AI do. What? Culture AI. They make this amazing software that plugs into your company, runs your phishing campaigns, integrates with Slack, tests if your users accept phony MFA requests— that's a biggie— and pulls in tons of other behavioral metrics from your existing apps. It basically figures out what everyone needs to know and then creates personalized training that is not boring. And it even checks that it's working, and it's all done automagically. And they've got a deal just for our listeners. Sign up at culture.ai/smashing and your first 50 employees are free for life. Cool. More information, culture.ai/smashing. Stop your whining, Graham.
This episode of Smashing Security is sponsored by LastPass. Now everyone knows about LastPass's password manager for end users, but it's also a great solution for businesses. In fact, tens of thousands of companies rely upon LastPass to protect themselves. LastPass Enterprise simplifies password management for companies of all sizes and helps you secure your workforce. So whatever the size of your business, go and check it out. Go and visit lastpass.com/smashing to find out more. And thanks to LastPass for supporting the show.
And welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week?
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security-related necessarily. Better not be. Well, my Pick of the Week this week, I was perusing one of my favorite periodicals, the Jerusalem Post.
Wow, mine too.
I came across an interesting story, which is a little admission which has come out actually from the former space security chief of Israel. He held the position for many years, and he's recently come out and said, oh, by the way, he says, aliens exist. And in fact, a galactic federation, his words, has been in contact with Israel and the United States for years, but they are— By the way, I don't know why we're not leading with this story. Why have we hidden this away in Pick of the Week? Because this is pretty packed.
Yeah, it would be better than the treasure hunt one.
It's no, no, no, no, no, no.
The Jerusalem Post is where I will put links in the show notes where you can see this is reported. So he's come out and said this. He says a galactic federation has been in contact with the United States and Israel for years, but they are avoiding revealing themselves to the public.
Panic, because I think not only will there be a panic— can you imagine the whole world in a panic in 2020? They think not only would there be a panic, but humanity is not ready yet. Now, I don't know what you think about this revelation.
Because it's a conspiracy theory.
I am leaning towards it being poppycock, because I think if the United States really was aware of this, then I think we can be fairly confident the president of the United States would be aware of this Galactic Federation. And I find it very hard to believe that he wouldn't have tweeted about it. So that is my evidence, if circumstantial, as to that this may not actually have occurred and the former space security chief of Israel may be wrong. But you should go and check out the story because if this is true, it could be pretty big news. Could be pretty big news, Anna.
Lonely, from you guys? You know where Graham got it, guys? Graham got it from the Daily Mail.
No, I did not.
Okay, then yes.
I did not find it.
Are we worried that this is going to be next year's pandemic? Well, thanks to people like Graham to spread this information. It's not going to be. Maybe they brought COVID, those aliens.
This has been widely reported already. This revelation, whether it is nonsense or not, this is something which is spreading around the world. This is a breaking news story as we record this show. And I saw it and I was quite interested. Apparently, the Jerusalem Post say that they've attempted to get into contact with the Galactic Federation, but have not had a response.
I'm just putting my, I'm gonna do more research before I listen to any of that stuff.
Thanks. You can find out more.
Yeah, check out the Daily Mail.
In Professor Haim Eshed's book, The Universe Beyond the Horizon. He's the chap who has made this claim, and he says that aliens have prevented nuclear apocalypses. And he'd say, yeah, it's available right now. Go and check it out.
Do we know how they've prevented nuclear apocalypses? I think we'd have to read the book. The book's only just come out.
Do you say they look a bit like blood-sucking lizards? I don't know if he's said anything like that. Did he take a photo? Only stream live to Twitter.
Oh, for goodness' sake. Don't get the Kindle edition.
I'm not suggesting he's met the aliens. He is just saying that the aliens have been in contact with the United States and Israel, the Galactic Federation. And we have not passed the test to join. It's a bit like the European Union. It's just, it's basically Brexit. The Galactic Federation is not letting us join. Oh, and that is my pick of the week. Happy Christmas, almost. Anna, do you have a pick of the week?
I do. And I thought, you know, because it's Christmas, I would take you back to Christmas 2009. One of my favourite Christmases. Now we were all working together then. At an undisclosed company. And let me show you a photo. Does anyone want to describe what's going on here?
Ah! Oh, look at that!
What a really wonderful office setup, eh? God, it was so beautiful.
We're gathered around a Christmas tree, and we have Anna, Carole, myself looking very trim, and our friend Yogi. And we also have some Doctor Who cutouts for some reason around the Christmas tree. We've got David Tennant and a Dalek and a Cyberman. Look at that. No idea why. No, I don't know why either. Oh, I know why.
I know why, because you had a birthday party and you got them for your birthday party. Then your wife said, get these out of the house, thanks. So you brought them into the office.
Yes. And what happened to them after you left Sophos?
I do not know.
I cannot answer that question.
He probably has them all wrapped around his neck. I bet he's still got them. Anyway, it's not about Doctor Who. So we were trying to organise a little work do because it was Christmas, but we didn't work in sales. So our budget was about £25 per head, I think. We thought, Carole and I, because Graham wasn't interested in getting involved in this kind of party planning, thought we would have a buffet at work and then go ice skating, which may I say, Graham, you were fabulous at.
I do remember the ice skating. That was quite traumatic.
It was fantastic. So the buffet consisted of, if you look carefully at this photo, which maybe I can tweet.
Yeah, you tweet it and we'll retweet it from the Smashing Security account.
Okay. It's where I discovered novelty Christmas crisps. Now Yogi, who's also in that picture, is also a fan of these novelty Christmas crisps.
How do you guys feel? I hate them. I'm the enemy of these. We've had a number of conversations about these.
I seem to remember they were pretty disgusting.
Well, I think probably back then they weren't as sophisticated as they are now. But anyway, I thought because, you know, 2020, as we've talked about, isn't anybody's top year, I would imagine. I thought my pick of the week would be Christmas novelty food. So I'm not talking about— can you tell I've moved house in the last week and I have done nothing apart from unpacking boxes? This is all I have. I've just eaten. So I'm not talking about Christmas dinner and sprouts and stuff. That's boring. But it's the novelty stuff, right? So a quick roundup of the good stuff. So Pret are doing a fantastic Christmas sandwich in both baguette form and run-of-the-mill sandwich bread. I did actually have the Christmas baguette for lunch.
Sorry, can I just clarify? Your pick of the week is a Pret à Manger baguette? Is what you're basically saying.
That's what you've brought to the table. It's not just a Pret à Manger baguette. What is your problem, Graham? I'm trying to bring a bit of festive cheer to the podcast. You've got aliens. All right, carry on. Marks & Spencer's, let me tell you, have an excellent offering. There's a turkey feast sandwich, which we all expect. I mean, I don't want to go into a sandwich place without them offering me a turkey feast at this time of year. But they're also doing truffled egg and honey roast ham. Oh God. Perhaps you could try that with some pigs in blankets crisps or some Christmas tree tortilla chips.
You see, I like the holiday foods, not the crisp stuff, the fake flavoured crisps.
Why? It's so exciting. It's so exciting. Why don't you just dip a crisp in some cranberries or something?
Oh.
No? No. Well, no. I think I'll have— My friend told me to stay away from their Christmas soup. Apparently not so good.
I think, and this may be a shock to many people listening, but I think I agree with Carole. And on that bombshell—
Wait, I haven't finished. Oh, okay, sorry. Let me peek at the KFC gravy burger, which includes a chicken fillet, a slice of cheese, and a hollowed-out hash brown with the side of gravy, which you pour into the hash brown.
So it's an interactive experience, and then you eat it.
I've had that as well.
Are you just suggesting these things because you're pregnant and you've got cravings? Have you been eating coal or something like that as well? Is it just weird? I'm thinking, where have you done your research on this?
Didn't you say at the beginning of this section it could be anything you want? So exactly, you know, STFU, Clue. Give me a break.
Just one last one. There's Pizza Hut's festive pizza. So what would you imagine would be on a festive pizza?
Oh, is it gonna be a cranberry and brie stuffed crust?
Is it a reindeer turd?
Maybe. I should imagine a lot of these taste like reindeer turds. It's not turkey, 'cause maybe they're too hard to source throughout the whole festive period. I don't know. Maybe they're more expensive. But chicken, crispy bacon and stuffing with a red wine gravy base. Oh, so there you go. I'll send you some more, Graham, so you can try them all.
I think maybe anybody that comes to our Christmas party on Thursday, December 17th, perhaps wants to maybe bring a Christmas flair in their snacks.
I think that's a great idea. Maybe you could do a Christmas cook-along, Carole.
My other half bought already two bags of festive crisps, so he's in your camp. He loves it. I'm going to have a few.
Yes. Yeah, I don't know which ones you got.
I'll send a pic over and we can put it on Twitter, Graham.
Please do. All right. Okay, that'd be great. Everyone can't wait to see that. Carole, what's your pick of the week?
Yeah, because your stories were so great. Okay, my pick of the week— you guys both know my pick of the week because as you're my two bud buds that love podcasts as much as I do, or almost as much as I do, I threw them your way after galloping through the first episode only. And this podcast is called Brian and Roger. I'll just give the premise, and then you guys just jump in because it's just— So, this is created by Harry Peacock and Dan Skinner. They're the brains and voices behind the characters, Brian and Roger. And Brian and Roger met at a divorced men's support group about a year ago. And they're really codependent. And the problem is that one of them's quite a nice guy, right? A good guy. But the other guy is not such a good guy. And every week they inch towards a horror show of a sticky pickle. And the outcomes are truly disturbing, wonderful, horrible, delicious, awful.
The whole podcast is a series of voicemails which they leave each other. So they never have a conversation. They leave a voicemail for each other and then the other one replies to it. And I have to say, after you told me about this, Carole, I listened and I kept listening. I must have listened to about 20 episodes. I know, I think you're ahead of me now.
Yeah.
I'm halfway through season 2 at the moment. I have really enjoyed it. I mean, it is the same joke over and over again, but it— It is not the same joke. That isn't true. But it doesn't matter, 'cause it is brilliantly done.
The joke is that one is nasty to the other person. That's not a joke.
Well, no, the format of the show is basically there's a guy who's very agreeable, and even when asked to do ridiculous things, keeps on saying, well, initially he puts up some sort of objection, which gets overridden, and then he finds himself doing this thing, and then it all turns to shit. It's much, much worse.
We should warn, it's not for the faint-hearted, okay? They do talk about things like pussy scrotums, right? They talk about jazz cigarettes, they intimate that an 82-year-old deaf woman is kind of a sex fiend.
It's an adult podcast.
It's an adult podcast, but it is wonderful. And the thing I love most is the horrific Mike Henshaw — the mouth noises are just revolting, but so perfect because there are so many people that you speak on the phone with that eat on the phone, right? And do it really grossly.
And you're just like, "You're in my ear!" It really is, by both of them, a — 'cause there's only two people who appear in it. It's a wonderful acting performance.
Yep. Or just honest.
They're short, aren't they? They're 15 minutes long.
Yeah, that's right. Anyway, snack-sized fun. I love it. So check it out if it sounds like your thing. It's Brian and Roger Podcast, and you can find it wherever you get your podcasts.
Fantastic. Now, Carole, you've got a featured interview for us this week.
I do. This week we have Max Linscott of Mimecast. Let's see what he has to say. Max Linscott from Mimecast. He is a senior manager of marketing strategy at Mimecast. Max, thanks for joining us and explain to me what you do. That's a big title.
Hey, thanks, Carole. It's really nice to be here. So I've been working in cybersecurity for about 8 years now, and for the last 2 years I've been working on the market strategy team here at Mimecast. My job is to basically try and understand the threat landscape, what technologies are out there, and ensure that we're delivering solutions that are solving the most pressing problems for organizations today.
Yeah, so you've got to really keep your finger on the pulse. And obviously, the pulse in 2020 isn't what it was in 2019 or before. So companies are having a hard time. What are you seeing as the main challenges?
Well, the first is remote working. So organizations are having to figure out how to keep users safe and productive while they work from home. How can they protect their intellectual property and people? And with the ever-increasing amount of data and collaborating that's going on, we have to think about how we can manage to avoid pretty important sanctions that can come on our laps from GDPR, for example.
Yeah, no one's talked about that, the whole remote working environment and the GDPR component. That's actually quite a big one.
Yeah, 100%. And as I say, the more that people are collaborating, you start to suddenly lose control of what your users are doing, what they're using, and what they're interacting with. I think the second thing that I would highlight there is this new word that I've learned, pandanomics.
I like it, and I want an explanation of what it means.
Yeah, so I think the easiest thing to, or easiest way to explain, is probably the economic impact that COVID has brought us, and this is obviously affecting most people's bottom line in one way or another. And it's therefore inextricably linked to everything, but specifically from a cyber perspective, it affects this new strategy that people are having to set up. The run costs that people are used to supporting are being driven down and new spend is rejected. And the sad truth of this is that all the while, the threats out there are increasing. Part of this is the commercials of falling foul of some of this stuff could actually bring an organization to their knees. So, decision makers are left in a really tight spot where they're forced to solve all of these problems and deliver complicated projects with half the budget, twice the pressure, introducing untried new technologies for the first time, and often sadly, with a very small amount of manpower.
I mean, actually, you're giving me the thought that IT workers, and especially ones that work on security, they're first-line workers, right, in this pandemic situation that we have. So, okay, so what are the things that people need to keep top of mind? Okay, you've talked about this new remote working ecosystem. What's changed and what do we have to focus on?
Well, from a threat perspective, it's worth just noting the trends that have changed, as you say, and collaboration is of course the center of the new cloud order. We've seen amazing adoption of tools like Teams, which I believe went up in the region of 40% in 5 days at the beginning of our first lockdown. We've seen pretty similar trends for the likes of Slack, Zoom, OneDrive, SharePoint, Box, LastPass, Dropbox, and so on. All of this is great, but email remains the most utilized and most universal tool that we have. 94% of cyber threats begin with an email. It remains the number one threat vector by a country mile. And when we talk about the impacts that COVID has had in the behavioral changes, we've only seen this rise and increase during COVID. We've sent and received far more emails. We reply faster. We open links and attachments quicker than ever before because we don't have that immediate personal interaction anymore.
Exactly. Yeah, so people are ever more reliant on email and the bad guys know it and are focusing on that vector. Can I sum it up that way?
Yeah, definitely. I mean, we are increasingly relying on non-email tools as well. But the reality is that email is such an easy thing to manipulate as a malicious actor, and it was never really designed for security. Looking at the trends, we've seen a significant rise in email attacks over the last year, and this ranges from opportunistic drive-by type attacks to the lower volume and more targeted headline-grabbing phishing and whaling. The hackers are better equipped to send more advanced threats with tools like commercially available phish kits. If I was to call out two highlights just in terms of common themes in all the emails that we've observed.
Yeah, shoot, fantastic.
Yeah, I think that these will probably both be quite familiar and obvious, but the first of these is COVID-related notifications, things like click here to see the latest guidance from corporates about when you're going to be able to return to the office, or local council about the new restrictions, and famously the World Health Organization that we saw earlier in the year. And obviously we've just had announcements in the UK, and as we enter this period of tiers and vaccination and announcements, this is likely to get worse. So the second thing that's noticed here is, as I said, we've got this increase in dependence on other collaboration tools, and a definite trend that's emerging is the impersonation of these collaboration tools and a threat that is sent through on email. So there is— it's interesting because there is always going to be some sort of link or correlation between adoption and targeting. So the more people that depend on a technology, the more that technology is exploited as part of the attacks. And this could come in the form of fake links for Zoom meetings, password reset requests for Office 365, and so on.
And as you kind of pointed out, we are a captive audience and we're frantically collaborating at home on all of these tools that we're thoroughly engaged with. We're protected by a security team that is stretched and underfunded at best, not to mention that, as you say, we're all clamoring for this information about when and how our lives are going to return to normal, and the list goes on. So there's this real spectrum of attacks. And the ones that make the headlines are often the sort of dastardly ones that are very sort of cleverly crafted. And while we do see hackers occasionally relish the challenge of architecting a bleeding-edge attack, they'd much rather shoot fish in a barrel.
So it's like they're using the email as a vector, but it's tied to a different service, and that collaboration obfuscates the risk for the user?
Exactly, exactly.
Right, gotcha. And we said, we're dependent and more likely to click on these links because we are already using Teams or SharePoint or Office 365. And it's therefore a more successful and more compelling attack.
I feel like we're a fish in a fishbowl right now for the bad guys, because we're all interested in these topics, right? We're all doing this and we're all running a bit mad because it's been an insane year for everybody.
Yeah, well, I mean, I really like that analogy and I think that as we maybe think about putting ourselves in a hacker's shoes, it's quite a useful exercise to think about where you're vulnerable and where you're most vulnerable. They're trying to run a business, if you think about it. So, they study their total addressable market. They're thinking about delivering a minimum viable product, and they're aiming for excellent adoption rates. Which basically means how can I successfully target as many as possible with the most effective attack that costs me the least amount to produce.
Yeah, business 101, really. Exactly.
Yeah, right, exactly. OK, we need a bit of— we need to pivot here to something a bit more silver lining to this doom and gloom. So tell me about how organizations are going about changing their strategy to compensate or to just meet the requirements of this new world.
Well, I'm not quite finished with doom and gloom yet, but I think it's— Oh no. I think it's— Okay, carry on. I think it's pretty tough at the moment, obviously, but it's fair to say that a trend that's emerging is consolidation. So organizations are looking to reduce complexity at every turn. The burden on IT is just too great. So, sadly, the sort of doom and gloom part of this is that the first things to be questioned are the headcount and licenses that are associated to operational costs, as a CFO would look at where am I spending my money? And IT doesn't seem to be making me any money, it's just costing me money. So how can I cut that down to size? So people are being forced to sort of consider their options at this point, and the future is in the cloud, and it always has been. But what COVID's done is it's catalyzed the transformation projects but simultaneously, as we've said, shrunk timeframes, resource, and budgets all in one fell swoop. So in order to kind of protect IP and people in the cloud, it is about striking a balance between how much consolidation do I go into and what other things do I need to consider?
OK, so what are the keys to an effective strategy? Would you say that Microsoft 365 is a kind of knight in shining armor for companies?
Again, it's really important to strike the right balance. I think Microsoft solves an enormous amount of problems incredibly well. And consolidation is important because it can reduce complexity and cost. But we have to ask ourselves, can I deliver economics, experience, and efficacy in equal measure? So, if we look at that Microsoft example and we were to take consolidation to its extremes by choosing the apparent economics and simplicity of becoming totally dependent on one single vendor like Microsoft, and we kind of ignore what we see in the rearview mirror and forget measures like layered security or independence, things that we used to value, right? Does that mean that I then underdeliver on efficacy? And what's the knock-on effect of, if we think about the security side of things, what's the true cost of failing to deliver that? Does it actually have an effect on the economics? So what would a breach cost me and how many breaches can I expect and how much time am I going to spend clearing them up?
Yes, seriously, really important questions that I think few companies really take seriously, right? Good point.
Absolutely. And I think M365 is a phenomenal toolkit. It's got a compelling amount of functionality and it will be the heart of most cloud strategies, and rightly so. Microsoft have released more security features than they ever have done before, and you can see that it's really starting to shape nicely to deliver things like Zero Trust, which is pretty cool. But I think it's worth raising— there are a couple of issues with expecting using one cloud to be everything to everybody. So today M365 has almost 300 million business users on its platform, all ferociously adopting and collaborating with all of these tools and bits of kit that they've given you. And this means a few things. It means an increased attack surface. And what I mean by this is every single user added represents a new angle of attack for malicious actors. 95% of data breaches are the result of human error. And I always think about it like, you know, those old vampire movies. They can't cause you that much harm unless you invite them in. And as we kind of touched on earlier, it means that when you're creating an attack via email and you imitate a Teams login, it is more successful because you know that they're using it. Also, this collaboration means that you've got more people generating more data all sitting on this Microsoft platform. And the result of that is that there is more data to steal, more people to target, and this incentivizes attackers to target Microsoft.
So you're kind of putting into question the whole idea of having this kind of homogeneous environment.
Yeah, exactly. And this is the main sort of other point that I would want to make, and this is the dependence on that single vendor. So the compelling bundling and features that are included in the Microsoft packages at the moment are combined with the pandemics and the financial pressure, meaning that organizations are very prepared to accept that suddenly Microsoft security is good enough. And this creates a homogenous monoculture where more organizations are sitting behind identical protection. It's a really funny kind of phenomenon, and the result of this is that Microsoft has actually unified malicious actors. So there are more users to attack, there is more data to steal, and all of these users and all of this data is sitting behind exactly the same security. Email is the number one attack vector. It's really unsurprising that email attacks are being purpose-built and designed to penetrate Microsoft's included security. It's just too obvious a target. And even against the best security that they've invested in, the Microsoft Advanced Threat Protection, hackers are proving themselves well up to the challenge.
So you have to bring me a silver lining now as we wrap this up. You have to. I know you're English, but bring me some sunshine.
So I think the good news is there is some silver lining, and actually what we've described isn't a bad thing to look at and to do, it's just that we need to go into it with our eyes open. You have to build, and you must, and you probably will build your strategy around Microsoft 365, and you need to pick the other tools that you need to succeed. This has to include a thorough assessment of risks and for you to be able to ask some more challenging questions of the technology. Where is Microsoft great? Where do they need some help? And should I expect them to face certain challenges on their own? And what is the true cost of being totally dependent on them? So you're going to introduce more vendors than your CFO thinks you need. So it's important that your vendors can help you demonstrate the value of any extra spend or more likely the cost of not spending that money. So we talked about organizations being brought to their knees and according to the IBM data breach report, the average cost of a data breach in the UK is $3.9 million.
Jeez. So in prepping this year, because we have to, we are actually building hopefully more resilient systems that actually can help IT security people provide better services for their users and for clients and for everyone.
Absolutely.
Max Linscott, thank you so much. Listeners, you can learn more on smashingsecurity.com/mimecasthub, and thank you so much for coming on the show today. I really appreciate it.
That's a pleasure. It's been great to be here.
Well, that just about wraps it up for this week. Anna, I'm sure lots of our listeners would love to follow you online. What's the best way for folks to do that?
You can get festive snack recommendations from @AnnaBrading on Twitter. And I'm also on LinkedIn if you want to give me work, but not for another 6 months or so. Yeah, hunting a bit early.
And you can follow us on Twitter, @SmashInSecurity, no G, Twitter must have a G. And you can also join us on Reddit, just look for the Smashing Security subreddit. And don't forget, you want to make sure never to miss another episode of Smashing Security, subscribe in your favorite podcast app, whether it be Apple Podcasts, Spotify, or Pocket Casts.
Remember, you all have a VIP invitation to our YouTube Live Christmas special on Thursday, 17th of December. That is next Thursday, folks, at 8 PM UK time. You can sign up at smashingsecurity.com/live. Be there, be triangulaire. And again, a quick shout out to our sponsors, Mimecast, Culture AI, and LastPass, and our individual contributors via Patreon. This support is what helps make the show free for everyone. All the details for past episodes, sponsorship, the guest list and everything else are available at smashingsecurity.com. Until next time, cheerio.
Bye bye. Bye.
Bye. Bye. Bye.
I love how you say you sound like you're flying away like a bird.
Oh, yeah, it's more like sort of flipping over like a whale. Like a beached whale.
Sometimes you have to do that to make your Graham Cluleys comfortable, though.
Hosts:
Graham Cluley:
Carole Theriault:
Guest:
Anna Brading – @annabrading
Show notes:
- Smashing Security's Christmas 2020 live stream — Join us on YouTube on Thursday 17 December 2020 at 8pm (UK) / 3pm (Eastern) / Noon (Pacific).
- Forrest Fenn's Treasure.
- The Man Who Found Forrest Fenn's Treasure — Outside Online.
- A Statement on the Disclosure of My Identity — Jack Stuef.
- A Chicago treasure hunter was on the trail of a hidden chest worth more than $1 million — but she says she was hacked and her ‘solve stolen’ — Chicago Tribune.
- Cops raid home of ousted data scientist who created her own Florida COVID-19 dashboard — The Register.
- Video of police raid on home of Rebekah Jones — Rebekah Jones’s Twitter account.
- Former Israeli space security chief says aliens exist, humanity not ready — The Jerusalem Post.
- Christmas pizza from Pizza Hut — Rotisserie Chicken paired with Crispy Bacon and Sage & Onion stuffing, all on top of a Red Wine Gravy base. (Contains Alcohol)
- Tiger Pig (Pig in Blanket) — Subway.
- Christmas menu at Pret A Manger.
- Festive food from Marks & Spencer.
- Brian & Roger.
- Carole, Graham, and Anna's Christmas party 2009 (with Yogi) — Tweet by Anna Brading.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
CultureAI isn’t just another security awareness training provider. It helps you measure and improve every end-user’s cyber security behaviour, providing a management system for IT, Security and Awareness teams.
Learn more and try it for yourself at culture.ai/smashing
Visit culture.ai/smashing now.
Mimecast’s State of Email Security 2020 report helps you understand the most pervasive threats and how they attack organizations at their email perimeters, from inside the organization (through compromised accounts, vulnerable insiders, social engineering), or beyond the organization’s perimeters (the domains they own and their brands via impersonation).
Grab your copy at smashingsecurity.com/mimecasthub
Follow the show:
Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.
Remember: Subscribe on Apple Podcasts, Spotify, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!
Warning: This podcast may contain nuts, adult themes, and rude language.