Smashing Security podcast #250: Yes, you heard that correctly. Two hundred and fifty

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

A game about Squid Game pulls the rug from under cryptocurrency investors in what appears to be a scam, PayPal hackers use a devious trick to break into 2FA-protected accounts, and have you received a job offer that’s too good to be true?

All this and much more is discussed in this celebratory edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dr Jessica Barker.

Plus don’t miss our featured interview with the CEO and president of Qualys, Sumedh Thakar.

Oh, and huge thanks to Darknet Diaries’ Jack Rhysider, F-Secure’s Mikko Hyppönen, The Cyberwire’s Dave Bittner, and Host Unknown’s Andrew Agnês, Thom Langford, and Javvad Malik for their special contributions to this episode.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Do you want me to stop?
CAROLE THERIAULT
I don't know. I'm just waiting. I'm thrilled with how excited you are about this process.
Unknown
And it's really wonderful to be here. And Jess, I'm glad you're witnessing it. Anytime, Graham.
GRAHAM CLULEY
It's 250. 250.
Unknown
Woo!
GRAHAM CLULEY
Woo!
Unknown
Woo!
GRAHAM CLULEY
Are you not going to do a woo?
Unknown
Wow.
Unknown
Woo-hoo!
JESSICA BARKER
Woo-woo!
CAROLE THERIAULT
That's how you do it, Graham.
GRAHAM CLULEY
That's it. That's it.
Unknown
Yee-hee!
GRAHAM CLULEY
This is Mikko.
Unknown
Is Smashing Security the most popular infosec podcast?
GRAHAM CLULEY
No.
Unknown
But do they have the largest cult following?
Unknown
No.
Unknown
But do Graham and Carole try their hardest with every single episode? Also no.
Unknown
Smashing Security, episode 200. 250. Yes, you heard that correctly, 250, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 250.

My name is Graham Cluley.
JESSICA BARKER
Sorry, I got carried away there.
Unknown
Sorry.
CAROLE THERIAULT
And I am Carole Theriault, and we are joined by Dr. Jessica Barker.
GRAHAM CLULEY
Hooray!
Unknown
Hi, hi!
Unknown
Lovely to be here.
Unknown
Really thrilled to have you here.
GRAHAM CLULEY
Lovely to have you here, especially on such an auspicious day as our 250th episode.
Unknown
I am honoured to be celebrating this with you. It is an amazing achievement.
GRAHAM CLULEY
Is it? Eh.
Unknown
Graham, one day we're going to get to— I think our next milestone has to be 365, because then we'll have an episode for every single day of the year.
GRAHAM CLULEY
Well, you know, somebody said to me, why don't you celebrate episode 256? Because that's a bit more nerdy.
Unknown
Nice.
CAROLE THERIAULT
Did they have a breathing problem or? Now, Graham, you said you had a surprise for me.
GRAHAM CLULEY
So, oh, I do, because I have gone to some of our fellow podcasters out there, people who've been on the show, some famous, some who'd love to be famous, to see what they have to say about smashing security.

And they recorded a few words. Let's check it out right now.
JACK RHYSIDER
Hey, this is Jack Rhysider. Congrats on making it to episode 250.
Unknown
And to think this was all Carole's idea.
JACK RHYSIDER
Wow.
Unknown
Nice going. Thank you both for making this show. And I can't wait to see what comes next for you.
CAROLE THERIAULT
Oh, that's great.
GRAHAM CLULEY
Carole, what's going on this week on the show?
CAROLE THERIAULT
Well, first, let's thank this week's sponsors, 1Password and Qualys. It's their support to help us give you this show for free.
Unknown
Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Oh, this week I'm squinting.
CAROLE THERIAULT
Ah, what about you, Jess?
Unknown
I'll be talking about some social engineer bots.
Unknown
Ooh, and mine is for all you job hunters out there. Plus, we have a featured interview with CEO and President of Qualys, Sumedh Thakar.

We talk about his career and the upcoming annual security conference, their 21st, if you can believe it. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, Jess, Jess, I have one burning question for you.
Unknown
Uh-oh.
CAROLE THERIAULT
I think he wants a new co-host, Jess. I think that's what's happening.
Unknown
I think I better—
GRAHAM CLULEY
Jess, I want to know if you have been watching the hit TV show Married at First Sight Australia Season 6.
JESSICA BARKER
It's on my list. Can I say that? No, I'm afraid not.
CAROLE THERIAULT
I am.
GRAHAM CLULEY
We've been talking about it the last couple of weeks. Carole is now watching it. I watched all of it. I binged on it.
Unknown
It's horrific, and it's like heroin.
CAROLE THERIAULT
You can't—
Unknown
You can't—
CAROLE THERIAULT
You can't get off the train. Not that I've ever done heroin. I'm imagining that's what happens with heroin.
Unknown
What a sales pitch. And Netflix using that on their trailers.
CAROLE THERIAULT
Yeah, it's car crash TV and editing and everything. Anyway, Graham, I hate you forever for it.
GRAHAM CLULEY
Thank you. Thank you.

Jess, you are missing a treat because while the rest of the world is watching Squid Game on Netflix, Carole and I, we've been watching horrendous people doing horrendous things, marrying complete strangers, predictable outcomes.

But we can't get enough of it.
Unknown
Is that not Squid Game?
JESSICA BARKER
I haven't watched that either.
GRAHAM CLULEY
No, you haven't seen that either?
Unknown
No, not yet.
JESSICA BARKER
Not yet.
GRAHAM CLULEY
Have you seen Squid Game, Carole?
Unknown
Nope.
GRAHAM CLULEY
Okay, so we're talking from a position of knowledge then about Squid Game.
CAROLE THERIAULT
We're not. You've obviously watched it.
GRAHAM CLULEY
No, I haven't watched it at all. I just assumed, Krow, you would have seen it.

My understanding is Squid Game is like a South Korean remake of The Sound of Music, but with more machine guns. It's something like that. It's a bit Hunger Games.

It's a bit gore and violence. It's a bit—
Unknown
You know, I think I got turned off by the fact that everyone talked about it so quickly. Exactly.

No, but it's so stupid in a way because there's this big conversation where I could have a point of view on it, and that's kind of cool.

But in fact, I kind of was like, "Oh, too many people are talking about it. I don't want to do it." And now look at me now.
Unknown
I'm exactly the same. And I feel like it's as stupid as watching something just because people are talking about it to not watch something just because people are talking about it.

And yet it puts me off.
GRAHAM CLULEY
Right.
JESSICA BARKER
You know? Yeah!
GRAHAM CLULEY
It does put me off. I didn't watch Line of Duty for years and years. Oh, really? I was like, "Everyone's talking about Line of Duty." Same.
Unknown
And then I watched it and I loved it.
Unknown
Yeah.
GRAHAM CLULEY
I thought, oh, why didn't I start watching this earlier?
CAROLE THERIAULT
Don't throw the baby Jesus out with the bathwater.
GRAHAM CLULEY
Oh, no, no, no. Mary, Joseph, the baby cheeses as well. So, I love a baby cheese. Now, the South Korean horror show, it's been a huge hit for Netflix. People have been binging on it.

And they've been watching hundreds of cash-strapped contestants accept an invitation to compete in children's games for a tempting prize.

At least that's what I've read, but with deadly stakes.
Unknown
Can I even ask, is this a game show or a fiction-y thing?
CAROLE THERIAULT
We don't know.
Unknown
Somewhere in the middle.
GRAHAM CLULEY
It's a fictionalised thing.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So it's a piece of drama about some dystopian future and, you know—
Unknown
Fab. It does sound delish.
GRAHAM CLULEY
I'm sure it's good. I'm sure it's good. But it's just too many people are talking about it, so I don't want to watch it. Anyway, it's become a huge deal.

And of course, that means that some people think, oh, hello, Squid Game, that's popular. How can we take advantage of that?

So some opportunistic fellows thought, let's do an online version of Squid Game. And so they posted up online 6 different games and 456 people take part in each game.
CAROLE THERIAULT
What?
GRAHAM CLULEY
Right?
Unknown
No, but—
GRAHAM CLULEY
You don't have to have them all crowded around the same monitor.
JESSICA BARKER
Are they on the same Zoom? How does this work? That's an expensive account.
GRAHAM CLULEY
Anyway, they're playing these games, which look a bit like some of the games which are dramatised in the TV show. And—
CAROLE THERIAULT
You've been told, 'cause you haven't seen it.
GRAHAM CLULEY
Well, from the screenshots I've seen, yeah. I've seen the trailer for Squid Game. Hence I know it's like The Sound of Music.
Unknown
Good old research.
GRAHAM CLULEY
Yeah. And so how do you get to play the online version of Squid Game? Well, you need to be the holder of some squid tokens.

And at the end of the game, if you are the ultimate winner of these online games, collects all the tokens, right? Squid tokens.
Unknown
Oh, so you pay a token to play, and then the winner of the 156 players takes all the tokens.
GRAHAM CLULEY
Takes all the tokens. Right. And so people have been buying squid tokens in order to participate.

And squid tokens, you aren't gonna be surprised to find out, is a hot new cryptocurrency. And it's called a play-to-earn cryptocurrency inspired by the TV show.

There's a white paper explaining all about Squid tokens. And they were launched on Tuesday of last week.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So you could buy yourself a Squid token for just 1 US cent with the promise that you'd be able to then play to earn online, right, in the game.

72 hours later, each Squid token, which started off at 1 cent, was worth $4.42.
Unknown
Geez. Nice return.
GRAHAM CLULEY
An increase of 44,000%.
Unknown
Wow.
GRAHAM CLULEY
So if you had bought $100 worth of Squid token, which isn't an outrageous amount, right? If you'd bought $100 worth, that would've been turned into $44,200 in just a few days.

So a huge amount of money, obviously quite unbelievable. Now, some people thought, that it might be a scam, because there had been a few clues.

For instance, nobody knew who was behind the Squid tokens.
Unknown
Oh dear.
GRAHAM CLULEY
And there'd also been messages posted under the name of Elon Musk supporting Squid tokens, which I think makes you suspicious regardless of whether it's Elon Musk who's really posting those supportive comments or the fake Elon Musk.

Who's typing those comments?
Unknown
I was just thinking, who now?
Unknown
Which do you trust more?
GRAHAM CLULEY
It doesn't really matter.
Unknown
Do you trust—
CAROLE THERIAULT
Cardboard cutout probably would be my favourite of that, but—
GRAHAM CLULEY
Furthermore, this whole online game, it wasn't endorsed by Netflix. They had nothing to do with it. So someone was kind of riffing off the Squid Game TV show.
CAROLE THERIAULT
And I can see that.
Unknown
That must be happening all the time, with all TV shows.
GRAHAM CLULEY
There's probably an Antiques Roadshow Crypto Coin. Yeah, yeah. Starsky and Hutch.

So the biggest concern though, the thing which made people most suspicious was, well, what happens if you want to get hold of your money? 'Cause you've made suddenly $44,000. Right.

Maybe you'd like to get hold of it.
Unknown
Time to milk the cow. Right.
JESSICA BARKER
Yeah.
GRAHAM CLULEY
The problem was there didn't actually seem to be any way to actually sell Squid tokens.
Unknown
Oh dear.
Unknown
That doesn't bode well.
GRAHAM CLULEY
And there's no point having a cryptocurrency token that's surging in value if you are not able to sell it.

And meanwhile, other people were still buying Squid tokens, pushing up the price. And they were tempted as the price was racing up. So it was going up, further up and further up.

By Monday of this week, the week that we're recording this, the price of Squid tokens became truly enormous. It reached a height.

Each Squid token, remember it was 1 cent, became $2,861.80.
Unknown
Jesus.
GRAHAM CLULEY
It had raced up 7,500% in just 3.5 hours.
Unknown
Yikes.
GRAHAM CLULEY
If you had bought right at the beginning $100 worth of Squid tokens, it wasn't worth $44,000 anymore. It was now worth $28.6 million.
Unknown
But was it worth it if you couldn't sell it, Graham?
GRAHAM CLULEY
Exactly.
Unknown
Theoretically, that's a lot of money.
CAROLE THERIAULT
Yeah, I know there's a lot of adverbs missing in this segment.
GRAHAM CLULEY
Reportedly.
CAROLE THERIAULT
Allegedly.
GRAHAM CLULEY
People were complaining. People were leaving comments on the Squid token Twitter account until—
CAROLE THERIAULT
I'd like to have my cash, please.
Unknown
Thank you.
JESSICA BARKER
Right.
GRAHAM CLULEY
And the Squid token Twitter account was closing off replies so people couldn't post replies anymore to them.

And on a Telegram group seemingly run by the token's administrators, they said, oh, someone's tried to hack our project and our Twitter account.

If anyone's having problems selling their Squid tokens because of anti-dumping measures we put in place to stop people artificially lowering the price.
Unknown
I should have an anti-dumping sign in my house.
Unknown
Well, in which room?
CAROLE THERIAULT
I have a room that might be perfect for it, yeah.
GRAHAM CLULEY
Well, you don't want them dumping in other rooms, surely.
Unknown
That's true.
Unknown
That's a good point.
GRAHAM CLULEY
I think you want to very clearly sign which room is for dumping and which one isn't.
CAROLE THERIAULT
Well, yes.
GRAHAM CLULEY
Right.

Well, the Squid Game developers, the developers of this online game, eventually they said, well, we don't want to carry on running this project because we're getting a bit depressed because people are scamming us and we're overwhelmed with stress.

And so the website, the website with the game shut down, the Twitter account was removed, leaving 57,000 followers in the lurch. And the Squid token price—
CAROLE THERIAULT
I'm sure they'll get over it.
Unknown
But anyway, yeah. Okay.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Squid token price 5 minutes after it reached its high of $2,861.80. On Monday, it plummeted within 5 minutes to $0.00079.
Unknown
I really want to ask how something like that plummets if you couldn't sell the tokens. Yeah. Right? If they can't get rid of the tokens, how can they be demonetized?

I don't understand. But anyway, again, I've probably been sleeping. Yeah.
CAROLE THERIAULT
So you know me.
Unknown
Just cotton heads.
GRAHAM CLULEY
But I think essentially the theory is that someone has run off with all of the real money and left people with worthless squid tokens in this stupid online game, which you can no longer access as a consequence.

Who would've thought cryptocurrency would've ended in this way?
Unknown
Who saw this happening with the squid tokens? That never seemed like a bubble that was gonna burst.
DAVE BITTNER
Dave Bittner here from the CyberWire wishing Carole and Graham a heartfelt congratulations on 2,500 episodes. Quite an achievement. I'm sorry, what? 250 episodes? And how long?
CAROLE THERIAULT
5 years?
DAVE BITTNER
I mean, come on, that's like a hobby. I did 250 episodes last week.
CAROLE THERIAULT
Yeesh.
DAVE BITTNER
I guess I should wish you well for the next 250, but honestly, Graham's not getting any younger. Anyway, congratulations on 250.
Unknown
It's adorable.
GRAHAM CLULEY
Jess, what have you got for us this week?
Unknown
I am talking about the underground market for bots that steal your two-factor authentication and OTP codes.

This is an article by Joseph Cox for Vice Motherboard, and it starts by describing a call seemingly from PayPal's fraud prevention team.

And it is an automated call, an automated voice.

You pick up the phone and it explains someone has tried to take a payment, a $50 payment, say, and if that wasn't you, you need to verify your identity to block the payment.

So it wasn't you, so of course you want to block the payment.
Unknown
Yeah.
Unknown
And at that moment, you get a two-factor code from PayPal, comes in over SMS. So you're told to input the code, you do, and the voice says, "Thank you.

Don't worry, the transaction has been blocked. Here is your reference number," reeling off a string, a long string of numbers. And don't worry—
Unknown
Can you repeat?
JESSICA BARKER
Yes. Yeah. Press 1 to hear that reference code again.
CAROLE THERIAULT
Capital M, 5, 6, hashtag, hyphen, 1, 3, 3, 7.
Unknown
7. And it ends with some nice reassurance. You know, if you see unauthorised payments going out of your account, don't worry, it's going to be reversed in the next 24 or 48 hours.
JESSICA BARKER
Now, of course, you know what's coming.
Unknown
It is, of course, all a scam. And the fraudster is using bots that are now being bought and sold underground.

So the article is a great analysis of this seemingly new type of scam, and you can actually listen to the audio which Joseph Cox got hold of, received from a scammer who sells these bots.

Listen to how convincing it is.
Unknown
Welcome to PayPal's fraud prevention system. We have recently received a payment request of $58.82. If this was not you, please press 1.

In order to secure your account, please enter the code we have sent to your mobile device now.
Unknown
Thank you.
Unknown
Your account has been secured and this request has been blocked. Please make sure to only enter your password at paypal.com.

Don't worry if any payment has been charged to your account, we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up.
Unknown
The thing is though, if I get an automated voice on the phone, I just hang up always. They could be saying anything to me.
Unknown
Yeah, but I think at the same time we're getting more and more used to them, don't you think?
Unknown
I don't know if I am, but I don't think I answer my phone enough.
JESSICA BARKER
Yeah, I'm the same.
GRAHAM CLULEY
I don't think they all talk Derek the Dalek anymore. Some of them are increasingly convincing.
Unknown
Hi, this is Elon.
GRAHAM CLULEY
Look at the guy who announces our show every week, right? He's pretty good.
Unknown
What, Steve?
JESSICA BARKER
He's great.
GRAHAM CLULEY
Yeah, Steve.
CAROLE THERIAULT
Love Steve. Have you not met him, Grim?
Unknown
What's Steve got to do with this?

And I think if you go so far as to listen to the message, for some people, you're right, they'll pick up the phone, they'll hear an automated voice, they'll hang up.

Other people, if they are likely to listen to the message, then maybe they're more likely to be persuaded by it.
Unknown
I think that's fair.
GRAHAM CLULEY
I think that's definitely the case because particularly when you're dealing with a large organisation, or like a large financial institution, it's not unusual, is it, to get an automated message saying, "This is a call from so-and-so.

Ring us back on this number," or, you know, "Press this number to go through our switchboard system." I've had this recently from a gym.
Unknown
Trying to leave this gym, as we all know, that's impossible.

And they keep ringing me with an automated voice message saying I have to call them back, which obviously means I'm never gonna call them back and they're gonna continue taking money from me.
GRAHAM CLULEY
Hang on, Jess, it's November. You are trying to leave a gym in November? I thought the traditional time to leave a gym was at the end of January.
JESSICA BARKER
Yeah, but I haven't watched Squid Games.
Unknown
I like to buck trends. We've established this.
GRAHAM CLULEY
Oh, okay. All right, okay.
Unknown
But what's interesting, I think, is how this can lower the barrier of entry to criminals, right? It's another kind of cybercrime as a service.

And the scammer even comments on how great the bots are because not everyone is comfortable on the phone.

So if you're the awkward type of criminal that doesn't have a great telephone manner, don't worry, these bots will do the social engineering for you.
CAROLE THERIAULT
Yeah.
Unknown
So I actually heard this audio from Joseph Cox before he published. He was kind enough to share it with me.

And that's one thing we spoke about, you know, how this lowers the bar for criminals and the fact that as we get more accustomed to communicating with bots, the more, of course, cybercriminals are going to try and subvert it and take advantage of the fact that we're using that and we're more comfortable with speaking with robots.
CAROLE THERIAULT
Yeah.
Unknown
And of course, the voice message uses those classic social engineering techniques of both fear and reassurance. Oh, your account's been compromised, money's been taken.

You need to act now, put in your code, then you receive the code at exactly the right time. And for some— Sure. Oh, Siri's not sure. Siri's not sure if they understand that.

Sorry, that was my watch piping up at that point.
JESSICA BARKER
I obviously wasn't explaining it.
Unknown
Speaking of bots, Siri is maybe taking offense to this.
Unknown
Yeah, shut up, Jessica.
Unknown
Yeah, some of those bots are legit.
GRAHAM CLULEY
Siri, format Jess's hard drive.
JESSICA BARKER
It's a good job I've got my headphones on.
Unknown
And then the reassurance at the end, which I just think is so clever, giving the reference code to seem extra professional, saying, don't worry if you see payments go out, they'll all be reversed.

So you leave it two days before you start to realise, hold on, loads of money's been siphoned out of my account and it's not going back in.
Unknown
No, it sucks, man.
Unknown
Yeah, and they just keep on getting more sneaky, don't they?
GRAHAM CLULEY
What are PayPal doing about this? Anything?
Unknown
It's not just PayPal. I mentioned PayPal, but it's of course all sorts of other services.

And I mean, they're putting out the communications, don't share your code with anyone who asks for it. We will never call and ask for it in that way.

What's interesting is the scammer says they're using some communication tools, I think is it Twilio, one of them? Other ones where they will make calls on your behalf.

So obviously legit services where as a business you can get that service to put calls out for you.

And so those platforms are also saying they're trying to crack down on the use of bots and they're aware of this and they're doing what they can to try and squash it.
Unknown
You know, Graham, you know how you go around saying you were once named the 11th greatest Briton in the UK?
GRAHAM CLULEY
In IT history. In IT history.
Unknown
Oh, in IT history.
CAROLE THERIAULT
Yes.
Unknown
Okay. Yes. So someone could basically fake your voice and put your voice on these recordings, right? Saying, "Hi, I'm Graham Cluley.

You know me from Smashing Security." And you do not own your voice. There's no copyright for voice ownership. So you wouldn't be able to say, "Hey."
GRAHAM CLULEY
I don't know that my voice would be effective at scamming someone. I'm surely that wouldn't—
Unknown
Well, I was just trying to appeal to your ego.
CAROLE THERIAULT
That's the—
Unknown
That's how I get you to listen to what I'm saying.
GRAHAM CLULEY
But I think it's a very interesting technique that Jess is talking about here, because I think we've all heard before that you shouldn't share those two-factor codes with someone else.

So if someone asks you, "Oh, can you tell me what the two-factor code is that you've just been sent?" you should be wary of that.

But the fact that it's a robot asking you somehow might reassure people and think, "Oh, well, I'm just dealing with some automated system.

Maybe this is part of PayPal or whatever company it is that's called me up."
Unknown
Yes, it's not a person, it's just a computer.
GRAHAM CLULEY
Because they're safe, aren't they? But the truth is, of course, it means that they can do it at such a bigger scale than if they had humans ringing you up and doing all of this.
CAROLE THERIAULT
What if you just sort of wasted its time and just went, when they said, "Please give me this," you just go, "Whipple, whipple, whipple, whipple, whipple." And they would go, "I'm sorry, I didn't catch that." You'd go, "Honk, honk, honk, honk." And just see how long you could do that for.
JESSICA BARKER
I would love to hear that call.
Unknown
Please.
GRAHAM CLULEY
Talking of recording, someone else has been in touch about our 250th episode. Let's hope they've got something nice to say.
CAROLE THERIAULT
I hope so. Why would they not?
GRAHAM CLULEY
Because some of them didn't. Some of them were a bit catty.
Unknown
Naming no names.
Unknown
No, no, no.
Unknown
250 episodes! Blimey, I didn't think Graham was capable of lasting that long. Long time to stick to the same formula, jingles, and four guests.

You guys are like the Hutch to our Starsky, the Lacey to our Cagney, the Doyle to our Bodie, the Hutch to our Turner, the Danny DeVito to our Arnold Schwarzenegger, the Robin to our Batman, the Rodney to our Del Boy, the Cheech to our Chong, the canine to our Doctor.

From all of your friends at Host Unknown.
GRAHAM CLULEY
Officially more entertaining than Smashing Security.
Unknown
In your face!
GRAHAM CLULEY
Carole, what have you got for us this week?
Unknown
In the last few years, because of the pandemic and stuff, people have looked more closely at their lives, their jobs, their routines.

And according to ProPublica, millions of people have just upped and quit their jobs, right? Looking for a new life or a new way of life.

In fact, in August, 2.9% of Americans quit their jobs.
Unknown
Wow.
Unknown
Which is huge. That's apparently a record-breaking number. And to add to the mix, there's a glut of laid-off workers scrambling for work.

So we're seeing this really huge churn in the labor market, particularly in the States, although I'm sure it's happening elsewhere.

So Graham, I want you to imagine that you are one of this 3% and you need a new job, right? This podcast gig isn't working out for you. You've done 250 episodes.
CAROLE THERIAULT
You've heard everything that I have to say about everything on this topic.
Unknown
We could just move on.
JESSICA BARKER
Do you think Carole's trying to tell you something, Graham?
GRAHAM CLULEY
Hang on, are you saying I'm looking for a new job or I'm looking for a new co-host? What is the thing? What are you after here?
CAROLE THERIAULT
No, no, you're looking for a new job. Job, okay?
Unknown
And you're job hunting and you see an ad that says airport shuttle driver wanted. Oh yeah, and your job would be to pick up passengers for 35 hours a week.

All right, at a pay that actually works out to about $100 grand a year, right? And let's imagine this is exactly the gig you've been looking for.

No more sitting at home in your stupid studio, you're hitting the open road. And so you're excited about this opportunity, so you click on the link and you send in your CV.
GRAHAM CLULEY
Wibble wibble, honk honk.
Unknown
And luckily, you get a call a few hours later, right, from someone going, hey, hey, hey, Mr. Cluley, love the resume, love the resume. Can I ask you a few questions about this?

And then, okay, so let's play along. So I might say, have you ever fallen asleep at the wheel, Mr. Cluley?
GRAHAM CLULEY
Well, what do you mean by asleep? I mean, I might have had a little nap. I mean, I haven't really sort of—
CAROLE THERIAULT
Excellent.
GRAHAM CLULEY
Okay, okay, good.
CAROLE THERIAULT
Excellent. How do you feel about picking up celebrities?
GRAHAM CLULEY
Ooh, I'd love— there's some celebrities I'd love to pick up. Yes, why not?
CAROLE THERIAULT
Fabulous.
Unknown
And what would you do if passengers got all hot and smoochy in the back seat? Would you avert your eyes or, you know, get your phone out?
GRAHAM CLULEY
Turn on the webcam, post it on Instagram and TikTok.
JESSICA BARKER
Fabulous.
Unknown
And I got to say, Graham, I'm super impressed with your answers. I think you are our best candidate for this job.
GRAHAM CLULEY
Thank you very much. This is easy.
Unknown
All I got to do is get a little standard background ID check out of the way. And once that's cleared, we are ready to get you a brand new job.
GRAHAM CLULEY
All right, let's do it.
Unknown
No, Graham, it's fake.
CAROLE THERIAULT
It's a fake job ad, Graham.
GRAHAM CLULEY
What?
CAROLE THERIAULT
How did you not spot that?
Unknown
And the website, which totally looked legit where you post your CV, totally wasn't.

And the person on the phone that called you isn't an interviewer but a scammer trying to get as much info about you as they can to use their legit identity for their own nefarious purposes.

So, it's really interesting. So one version of the scam was posted in a Telegram channel of a Nigerian scam group called Yahoo Boys Community. This is according to ProPublica.

And then there were instructions on what to tell applicants to get them to share their Social Security numbers, photographs of their driver's license, and other personal details.
GRAHAM CLULEY
They weren't presumably looking for victims on the Yahoo Boys Telegram chat. That's the criminals talking to each other.
Unknown
I haven't hung out there, but I'm presuming no.
GRAHAM CLULEY
Yeah, they're a bunch of notorious scammers, the Yahoo Boys. I've heard of them before.
CAROLE THERIAULT
Yeah.
Unknown
And there's 5,000 members strong on this, apparently. And the idea is you ask an applicant generic questions after they've sent in a CV, and then you offer them a gig.

But what you need is to get their personal info in order to land them, get through the ID check. You know, make sure you are who you say you are, Mr. Cluley, type thing.
GRAHAM CLULEY
But asking some interview questions sort of lulls the applicant into a false sense of security.

Because I remember we used to work for a computer security company, and they had a hiring policy of asking people how many ping pong balls could fit into this room, and do you read Living Marxism and stuff like that, didn't they?

And which helped them decide who they wanted to employ.
CAROLE THERIAULT
And terribly bad these days.
GRAHAM CLULEY
Right. And they just generally ask you questions about sine and cosine to make you feel thick, and then they'd feel justified in offering you less money for the job.

But it's kind of worked, I think, as an approach for them.

But for many people, it would make them think, well, I've been through some sort of process and haven't I done well to get through it?

Now I will upload my passport details or my Social Security numbers or whatever else.
JESSICA BARKER
Yeah, it's quite convincing, isn't it? You've answered some questions, you've spoken to someone, they love you, they think you're great, you're looking for a job.

I mean, it's, you know, maybe in a vulnerable position where you've been made redundant.
Unknown
Yeah, I can see that's the clincher here, because where you're seeing these ads are places Facebook or LinkedIn or Indeed, places where you expect to find positions being advertised.

So last December, Alexandra Mateus Vasquez, so she was speaking to ProPublica, she was applying for a graphic designer position at a restaurant chain called Steak 'n Shake, which, you know, gives me— I don't want anyone taking a steak and then shaking it around the room.
CAROLE THERIAULT
It's a really weird name for a restaurant.
GRAHAM CLULEY
I think it means milkshake, Carole.
Unknown
Oh, right, right. And she found this job on the Indeed job website. And the so-called Steak 'n Shake rep called her up to participate in an email screening test for the job.

And at first, she thought it was a bit weird. But then the questions seemed super standard, how do you meet tough deadlines? So she just provided the earnest answers to this.

And hours later, she received an email offering the job, asking her for her address and phone number so a formal letter could be dispatched. And the pay was super attractive.

And when the letter arrived, it sought her Social Security number too, which she provided the information for.

And then she was invited to do a background check via online chat with a supposed hiring manager.

She found herself trading messages with an account that had a blurry photograph of an old man and the name Iran Coleman attached to it.

And apparently other applicants described a similar experience at Steak 'n Shake, which is weird.

But this hiring manager requested copies of Vasquez's personal records to verify her identity.

She shared photographs of her New York State ID, her green card, but grew suspicious when the person got, in my view, super greedy and asked for her credit card number too.
GRAHAM CLULEY
Right.
Unknown
And then she was, hey, wait a minute.
JESSICA BARKER
Right?
CAROLE THERIAULT
Yeah.
JESSICA BARKER
I mean, everything before that, there's different layers. You're speaking to different people. They're asking, and they kind of lulled the target in, haven't they?

As you said, asking expected questions, reassuring them, and then moving on to all things you would expect. You know, we need to verify your identity.

Well, yeah, of course, I'm applying for a job.
GRAHAM CLULEY
I wouldn't trust a job interview unless they asked me that question of, tell me your worst characteristic, what you're really bad at.

And then you say, oh, well, I'm just, sometimes I'm just too devoted.
CAROLE THERIAULT
Workaholic?
GRAHAM CLULEY
I'm too devoted to the job.
JESSICA BARKER
I'm a perfectionist.
GRAHAM CLULEY
I suffer from too much humility sometimes. I'm probably the best person at humility you've ever met.
CAROLE THERIAULT
I think yours would be, I pay a lot of attention to detail.
GRAHAM CLULEY
Outrageous.
Unknown
So Alexandra, she's hesitated. And then she gets a call from ID.me, or ID.me. You might remember we talked about them a few weeks ago.

And this is an identity verification vendor used by 27 states to safeguard unemployment insurance from fraud.

And they called her and said, "Hey, are you trying to apply for jobless aid in California?" And that's when she realized she was for sure being scammed, because she wasn't, right?

So they were using her details to apply for aid in California.
GRAHAM CLULEY
Yeah, I mean, yeah, yeah, yeah, yeah.
Unknown
So she reported the incident and she contacted the Social Security Administration. They told her that they denied multiple requests to create an account in her name.

So I really feel for those that are duped by such a scam because it's in that world. You are looking for a job, right?

And someone's suddenly saying you are great for this, and you think you've spotted a great job at a salary.
JESSICA BARKER
Yeah, and it's adverts in places you would expect them.
Unknown
You'd expect to see job adverts on LinkedIn.
Unknown
Yep.

And the Better Business Bureau said in an alert last month that Indeed, LinkedIn and Facebook top the list of online platforms where users reportedly spot these fraudulent job advertisements, which doesn't really surprise me.

They're the three big ones, aren't they, really?
GRAHAM CLULEY
For people who are trying to protect themselves, people are looking for jobs legitimately and trying to protect themselves from being scammed in this way, would it be possible to throw in some deliberately ridiculous answers to interview questions and see if they get accepted or not?

You see what I mean? If someone says, "Oh yeah, that's good, that's good." So if they said, "What do you like in the office?" Say, "Well, I tend to burp and fart a lot."
JESSICA BARKER
Or—
CAROLE THERIAULT
I was just thinking I have a problem with projectile vomiting.
GRAHAM CLULEY
Exactly.
JESSICA BARKER
Yeah. But then what if it's legit? What if you actually are a burper?
GRAHAM CLULEY
Would I be able to get "Are you able to do this job while also playing Fortnite?" Or something. You know, if you said something like that.
Unknown
Yeah.
CAROLE THERIAULT
You could say for your airport shuttle job, you have narcolepsy.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Which might interfere slightly, but—
GRAHAM CLULEY
And if the interviewer raises an eyebrow and goes, "What?" You can say, "I'm just checking if you're a scammer or not." But then you know, you see, whereas if they kind of go, "Great, great.

Yeah, sure."
JESSICA BARKER
No problem. And if they just say, "No, there's no chance we're hiring you. We do not accept farters in this job." You're stuck then.
CAROLE THERIAULT
I'm not sure Graham's thought this all the way through, because what if it is a legit job? You've kind of blown that out of the water.
GRAHAM CLULEY
Hopefully you'd be able to say, "Oh, I was just checking.

This is an example of—" Admittedly, I haven't been to a job interview for over 30 years, so I'm possibly the wrong person to ask about technique.
JESSICA BARKER
I mean, if you try that and you don't get the job, then just send them, you know, this episode and say, "This is legitimate advice I was given to see if you were a scammer." No, it's the legitimate advice that I gave to the world is what it is.
CAROLE THERIAULT
Let's crack on, shall we?
GRAHAM CLULEY
From startup to enterprise, 1Password makes it easy for your team to store, generate, and share strong passwords.

The less time you need to spend dealing with hacks, phishing scams, lost passwords, the better, right? Well, it's not just for IT and security teams.

All kinds of teams inside your company like finance, HR, legal, marketing, they can also store and share sensitive information such as business credit cards, sensitive documents, and shared logins inside 1Password.

Work securely from home or in the office. 1Password allows secure access to logins and important resources anywhere you work.

Find out more and try 1Password for free for 14 days at 1password.com. And thanks to 1Password for supporting the show.
Unknown
Qualys, one of the pioneering providers of disruptive cloud-based IT, were one of the first SaaS security companies, and they deliver continuous critical security intelligence via their Qualys Cloud Platform and integrated cloud apps.

Plus, their 21st annual security conference is coming up between November 15th and 18th this year in Las Vegas. But you can also attend online.

One cool highlight is you'll get a keynote speech from Chris Krebs, former director of CISA, with further talks around the role of automation in security. Want to learn more?

Of course you do. Visit smashingsecurity.com/qualyslasvegas. That's Q-U-A-L-Y-S Las Vegas. And thanks to Qualys for sponsoring the show.
GRAHAM CLULEY
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Unknown
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily. 250th show better not be. Well, my pick of the week this week is not security related. Yay! It is the game of Pit.

Have you guys ever played Pit? No. No. Oh, Carole, next time you invite me over, I'm going to bring Pit with me. It's good fun. It is a fabulous, raucous card game.

That I remember from my youth. It's been in existence since 1904, according to Wikipedia, inspired by the Chicago Stock Exchange, also known as The Pit. And what happens is this.

You deal out cards. You have 3 or more people, right? You deal out cards. Not playing cards. These are special cards.

Cards with different commodities on them, wheat, barley, flax, rye, etc., right? Whatever the commodity is. Right.

And your mission in the game is to get a complete set of the same commodity. So you've all got cards.

You don't know what other cards other people have, but you have an option to trade.

So you can put down, for instance, you may have two flax, for instance, which you want to get rid of in order to get more barleys, right?

And so you'd put them down face down and go 2, 2, 2, 2, 2, 2, 2. And other people meanwhile are doing the same, right?

So someone may have put down 2 cards or 3 cards or 4 cards, whatever. And if you get a match and you want, you can then swap with the other person without looking at their cards.

Are you going through the entire rule book of it? No, but I'm explaining how it works. Now, there's no taking turns in Pit.

It is just chaos because everyone's shouting out 2, 2, 3, 3, 3, etc., etc. Oh my God, very raw.
CAROLE THERIAULT
It sounds hell. Yeah, so it's a trading floor.
JESSICA BARKER
It is exactly a trading floor. It is capitalism. That's right.
GRAHAM CLULEY
Yes. And then at the— and when you get a complete set, you go, "Corner!" Right? Which means that you've done it, and you win some points.
Unknown
What do you shout? Corner?
GRAHAM CLULEY
Corner. Yeah. Corner.
Unknown
That's what you shout.
GRAHAM CLULEY
Corner! I don't know why. And different commodities have different— Anyway, it's a lot of fun. I haven't even mentioned the bull and the bear cards. Don't worry about that.
CAROLE THERIAULT
Surely you're going to give us instructions to play Pit.
Unknown
Oh no, we need to buy the— You need to have the exact cards. You need the cards.
GRAHAM CLULEY
You could make your own, to be honest. If you go to the Wikipedia page, you know enough basically to create your own set, or you can go out and buy them.

Some modern implementations of Pit have a little bell you can ring, but I think it's more fun to say corner when you do it.

And Pit is a— look, there will be someone listening to this who knows this game and will agree with me that this is an enormously fun game.
CAROLE THERIAULT
I'd love to have independent verification of that.
GRAHAM CLULEY
Next time I'm at your place, we are going to play Pit.
Unknown
Okay.
GRAHAM CLULEY
And you can report back to listeners. Can't wait.
JESSICA BARKER
All right. I want to hear all about this.
CAROLE THERIAULT
We'll invite you, Jess. Don't worry.
GRAHAM CLULEY
That is my Pit of the Week. Oh!
Unknown
Jess, what's your Pick of the Week?
JESSICA BARKER
Well, I have become mildly obsessed over the last 18 months with TV shows that essentially are about making or restoring things.

Things, particularly if they have an element of competition. And so my latest watch in this genre was Metal Shop Masters on Netflix.

And basically it's a group of— it's an American TV show— a group of metal artists who have to take scrap metal and then they torch it, they cut it, they weld it, and they make creations according to—
Unknown
Is it Scrap Heap Challenge with an arty twist? It sort of is.
JESSICA BARKER
I do feel there could be more challenges, particularly in the final. I'm just leaving that as a note for Netflix.

But I think it's so therapeutic, you know, particularly when our day jobs are about people who break things, break technology, exploit people.

It's so therapeutic to watch people just build something beautiful out of basically scrap metal.
GRAHAM CLULEY
Yeah, I'm watching the trailer right now. It's a bit The Great British Bake Off, isn't it? But with metal rather than soggy bottoms.
JESSICA BARKER
It is exactly. And I mean, there's so many of these shows. The one where people make weapons is quite fun. Forged in Fire, that's a good one.

Blown Away, where people do the glass blowing. Amazing. Smashing, love that one, highly recommended.
JESSICA BARKER
And I think I partly like them because it is just so far out of my skill set or my potential ability.

If you gave me a pile of scrap metal and told me to make something, you could give me 10 hours and you will end up with me showing you a pile of scrap metal. That's the limit.
Unknown
Do you not find these shows, though, give you a false sense of, hey, that doesn't look that hard, I could go do that. I've watched one of these make your own small house.

I'm, yeah, I could do that.
JESSICA BARKER
Tiny House. Yeah, yeah, same, same. Yeah, I definitely have that with— I have that with Nailed It, the bake show.

Well, people are actually— no offense, Nailed It contestants— but they are rubbish, and they know they're rubbish, and they turn out these just monstrosities.

So, when I watch that, I know I can do better.
GRAHAM CLULEY
Is it about fingernails or is it about nails as in hammers?
JESSICA BARKER
Although, nailed it with fingernails would be good, but no, this is like nailed it. And it's sort of the British Bake Off, but it's American.

And it is people who have to recreate a sort of baking work of art, but they choose people who know that they're terrible at baking. So, what they produce is horrendous.

And then some of the shows, oh, they're hilarious. And when I watch that, I'm like, yeah, I can do better.

Although I then attempted to make cake pops, and let me tell you, I could be a contestant on Nailed It. They were terrible. So I just love this stuff, you know, what people make.

And the fact that I know I could never ever do it is so much fun.
Unknown
But hey, we can dream. We can dream. Yeah.
GRAHAM CLULEY
So Metal Shop Masters on Netflix. Metal Shop Masters.
JESSICA BARKER
Great fun.
Unknown
That's my pick of the week. What have you got, Carole? Well, mine's actually pretty useful, or I think it's useful. And I'd like you guys to take a look and see what you think.

Tools.techjunkie.com. And this is a site that has basically short links to all those little annoying things having to do with file conversions.

You know, when you have to just send in only PDFs to someone or you need to convert your photos to PNGs or whatever. This site might be for you.

So you can look through, if you look through, is there any that just jump out at you going, oh, I wouldn't mind a quick link to that?
GRAHAM CLULEY
So I'm seeing some which say trim a video for instance, or compress a video.

There's a whole bunch for doing things with PDFs, adding a password or compressing them, because sometimes PDFs are quite large, aren't they?
JESSICA BARKER
That's right. And just taking one page out of a PDF. And URL tracer. Sorry to bring it back to security, but yeah. Tracking the redirection. Tracking the redirection path.
Unknown
No, no, it's really cool, I think. And it's one of those things that might be really useful in your bookmark bar, because you're, oh, I gotta do this.

I know I can, you know, I don't have to think about what particular app I've got on my system. You can just run it through here.

And they say that they, all files are deleted 15 minutes after upload. So you load it up, you do what you need to do, and then it goes poof.
GRAHAM CLULEY
Oh, well, if they say it, it must be true.
CAROLE THERIAULT
I know, do your own recon, people.
JESSICA BARKER
That's, I mean, that's it, isn't it? You immediately see something like this and you're, it looks so useful unless it's a scam.
CAROLE THERIAULT
Yeah. Yeah, totally.
Unknown
And as it's our 250th episode, I'm going to give you the source of this pretty cool tool because there are 15 others that, you know, that they've waxed lyrical about.

So this is on Alphr or alphr.com, link in the show notes.

But you can see the view here that you might actually recognize from your own use, DuckDuckGo, for example, the Wayback Machine.
GRAHAM CLULEY
So this is just a list of other sort of quirky, handy websites.
Unknown
They're called the 15 Secret Websites, but there's a few having to do with news, arts, searching and reference, and then there's math ones, academics. So it's worth checking.

There's some quite good ones here. Okay. Nice. There you are. Those are my picks of the week. A useful thing after you finish playing Graham's game and watching Jess's TV show.
GRAHAM CLULEY
I think Jess and I, our picks of the week are more fun than yours, to be honest, Craig. Oh, we've got a featured interview this week, haven't we?
Unknown
Yes, we do. Listen up. All right, so today is exciting. We are chatting with Sumedh Thakar, CEO and President of Qualys, a pioneering provider of disruptive cloud-based IT.

Now, delighted to have you on the show, Sumedh.
Unknown
Thank you for having me.
Unknown
Now, Qualys has been around a long time. You must be one of the first SaaS security companies to have ever even existed.
Unknown
Yeah, you know, we really pioneered this notion that you can deliver scalable and cost-effective security solutions.

When we started back then, the words SaaS and cloud as the nice marketing words today did not exist.

It was very interesting, but the idea came even before the terminology SaaS was really used publicly.

We're quite excited about the innovation that we brought into cybersecurity and have continued to build on top of that with our belief that the SaaS model and the cloud model is the best scalable model for today's needs for cybersecurity.
Unknown
Yeah, and I've read actually that you have been with Qualys since the early noughties, and you held a number of different roles before you became President and CEO.

And I was curious if you thought having those different roles really helped give you the skills to be CEO, if it helped you out at all.
Unknown
It certainly does. I started as a software engineer, one of the first 4 people who worked on the platform back in the very early days.

Not to date myself, but it's been about almost 20 years that I've been part of this journey and driven this journey in many ways.

I think the really great part about that is just the experiences that you get along the way that really help you understand the customers, help you understand what you can do to innovate and drive that innovation.

Having these different roles in engineering, product management, support, and now as I focus on sales, marketing, go-to-market, it's just given me a very well-rounded perspective of the market, what works, what customers want, and really how we can help the customers.

So it's been a very rewarding experience.
Unknown
I have worked for many different CEOs in my time and not all of them have been well-rounded.
CAROLE THERIAULT
So I think your employees are quite lucky. On that front.
Unknown
Now, Qualys and you are going to be hosting your 21st annual security conference in Las Vegas on November 15th to 18th. And this is also an online opportunity.

So what can you tell us about this event?
Unknown
Yeah, I think first of all, we're quite excited to do this as a hybrid event.

I think we have been very committed to getting everybody back into having meetings face-to-face, interactions that really help increase productivity.

And that's been one of the things why we've been pushing this year to really participate in this conference in person, because of COVID the last couple of years.

At least last year we couldn't do the conference in person, we did a virtual conference, which was very well attended. And this year we're going to do a hybrid.

The reason this conference is really well attended and appreciated is because we really focus on showcasing the innovation that Qualys is doing at this conference.

And this is about our engineers getting an opportunity to work directly with our customers, understand from them how they look at the challenges that they face in the cybersecurity realm and how they can solve them.

And then the ability for them to showcase the innovations and get feedback from customers in the direction that we're going.

So for customers and security professionals, it's a great opportunity to come and interact with other security professionals who are in the same space trying to solve the same problems and have that interaction with each other to really understand how somebody else might be solving a cybersecurity challenge that you may be facing.

And then it's also great because one of the things we offer here is two days of free training on the Qualys capabilities.

So for a lot of them, it's great to come have a refresher for two days. We go through many different capabilities, and that's one of the most liked aspects.
Unknown
After the pandemic, I think a lot of IT professionals have had to work in silos and have had to react to constant requirements from staff across the company requiring access to this and that.
CAROLE THERIAULT
And I'm sure a lot of people feel a bit stressed out.
Unknown
We're going to make sure that we follow all protocol from a safety perspective, keep everybody safe, but that in-person interaction, being able to talk to each other in person, being able to do a quick diagram on the back of a napkin on the table sometimes brings you a lot more value than trying to schedule a Zoom call with somebody.

It takes time and then people are distracted with other things.
Unknown
Well, I know from the IT professionals in my life that they cannot wait to get back out there safely, of course, but they are just dying to start networking again and building their networks and building relationships with people that can help them along their work IT journey, security journey.

I noticed as well that Qualys has launched a number of new cybersecurity solutions to help businesses get to grips with this new working world.

And one I noticed was a ransomware risk assessment. Can you tell us about that?
Unknown
Yeah, it's been quite exciting to launch this service to help the situation that we are in with ransomware attacks.

If you look at where Qualys started and where we are today, customers have just way too many tools that they have to use for cybersecurity, individual siloed solutions that don't work with each other.

And a lot of times people just don't know what they have on their network.

So when we started developing this platform and expanding it, we took a step back and we said, really at the end of the day, cybersecurity professionals are looking to do three main things.

One is find all devices in their environment, which is their asset inventory.

The second is to do your best effort to reduce your risk by patching, hardening, fixing what you can, CI/CD pipeline scanning.

So now you've done everything to make sure that you've eliminated as many possibilities of somebody coming in the environment, which is reducing your risk.

And then the third part is to monitor if after all of that somebody gets into your environment, can you actually keep track and take some action on it, which is typically your EDR solutions or your SIEM/XDR solutions.

What we did is we took a step back and we said, let's put all of these capabilities together on a single platform so customers can go from detecting something to actually taking action on it very, very quickly because it's all in one tool rather than having to go to multiple tools.

Instead of just going and launching some free marketing gimmick, we said, why don't our researchers go and spend a bunch of time analyzing ransomware attacks over the last five years so that we can actually find out what techniques are used by these families.

And it's kind of a mafia, right? So they have families of ransomware that basically do different attacks leveraging similar techniques.

And so each family has a characteristic of how they go about and what they focus on from an exploitation perspective.

And based on the research, we identified about 100 or so very commonly used vulnerabilities and techniques that are being exploited by these attackers.

We created a very simple workflow which was actionable and measurable, which says, okay, get into the Qualys assessment tool.

It is going to focus and show you exactly those issues that exist in your environment that map to that.

So that ability to find your asset, detect the vulnerabilities, prioritize them, and patch them is — that is what the service does on a single platform.
Unknown
I mean, I'm sure a lot of listeners out there that haven't worked, you know, haven't rolled up their sleeves and worked in an IT or a cyber environment just can't really understand how it's so difficult, the environments these days.

But especially since the pandemic, the number of apps that people are using simply to communicate and store data and share information, it is astounding.
Unknown
Yeah, you know, this is always the sort of the battle between the innovation and the safety and all of that, right? How fast do you go?

And you see that today with self-driving car technology, right?

There are people trying to go very fast on the technology and then you kind of have this pull from, well, how safe is it?

So that kind of pulls back some of the innovation, but in a positive way because you can't have this innovation without the security aspect.

And the same thing is happening in IT and security.

As we have been entering this new world of cloud and containerization, there's a lot of very new innovation that is happening in terms of IT and how you deploy apps and lots of databases.

In the past, it was only one database or two databases that you could use.

The positive side is there's a very fast growth of expansion in the technology that is being used so we can have nimble and very scalable and nice apps that we can use.

The flip side of that is that it creates obviously an architecture where you have a lot of different things, data stored in many different areas and everything is moving at a fast speed and the IT team doesn't always communicate that or most of the time communicate that fully to the security team.

So they see that there's a bunch of servers running, but they don't quite know what is running on each one of them.

What we are going to talk about is what are the challenges coming from moving into cloud containerization from a security perspective, and what are the solutions?

What are people looking at out there and obviously how Qualys platform is going to help you sort of see the full picture so that in the same platform you can manage your remote laptops for the employees, where you can manage your cloud and your container environment and your handheld mobile devices, all of that.

So you can get a bigger and better picture of the risk in one place. And that's really the focus for us here.
Unknown
Yeah, and it's great because you'll be able also to get pain points from people out there, from people going, this is what I'm having trouble with, with my employees, and what solutions or what advice do you have for me?

And this is a great place for them to do that.
Unknown
Exactly. And for us, we develop solutions and I was a chief product officer for many years.

So that's been very exciting to create capabilities and solutions that some of the largest businesses in the world are using.

But sometimes you do something and then when they look at it, they say, this is great, but I need this one basic thing to get started in my environment.

Without that, I cannot deploy what you have. So that feedback is very helpful. And as I mentioned, we have really good customers.

We have Euronet and a few other customers who are coming there who are going to actually present. Yeah, that's so great. And so that's a good way to learn.

How are other people solving some of the challenges and to what extent have they been successful?

One of the things that they're going to cover is what are CISOs presenting to their management, to their board, to show success when it comes to cybersecurity and what measures they're taking, what is measurable, what is actionable.

And then there's a lot of good, exciting sessions around that and in-person interaction because we will have, you know, hopefully a couple hundred people at least who will be coming there in person.
Unknown
Is there anything else that you'd like to add before we close this interview, Sumedh?
Unknown
Lots of things happening in the IT space, lots of new innovation, lots of new technology.

But at the end of the day, when you look at a breach that happened recently where it was a cloud-based breach because people use new technology, put things in the cloud and they are breached, but if you go and look at it, a lot of time it's just the same basic issue that we have had for many years, which is cloud asset was misconfigured.

Oh, we didn't change the password, we used a default password, oh, we didn't apply a patch that was available or we didn't close this particular port.

So I think a lot of times as we are looking at the expansion of IT and it may seem daunting, I think it is important to be able to take a step back.

A lot of times it just comes down to the basics, just the basic hygiene of detecting misconfigurations, fixing vulnerabilities.

And the basic process of security at that point is just the ability to find your devices, do everything that you can to reduce your risk, and then make sure that you're able to monitor and detect any threats in the environment.

And I think that's the journey that Qualys is pioneering in a single platform to do all of that. Really looking forward.

I really encourage your listeners to come and join us at the conference and tell us and give us feedback so we can improve these capabilities and create new capabilities that are going to help us as an industry overall to fight back against the attackers.
Unknown
Brilliant. Listeners, you've heard Sumedh.

If you want to get together with other cyber leaders and hash out today's problems and get some serious solutions, all you got to do is clear your calendar for November 15th to 18th—that's in two weeks' time—and sign up at smashingsecurity.com/qualyslasvegas to attend in person at Las Vegas or remotely via the powers of the internet.

That link again is smashingsecurity.com/qualyslasvegas. Sumedh Thakar, CEO and President of Qualys, thank you so, so much for your time today.
CAROLE THERIAULT
Thank you very much.
Unknown
It was a pleasure being with you, and I wish your listeners a great day. Brilliant.
GRAHAM CLULEY
Thank you. Terrific stuff. Well, that just about wraps it up for this week. Jess, I'm sure lots of our listeners would love to follow you online, find out what you're up to.

What's the best way for folks to do that?
JESSICA BARKER
You can find me on Twitter @DrJessicaBarker and check us out at sygenta.co.uk.
GRAHAM CLULEY
And you can follow us on Twitter Smashing Security, no G, Twitter @smashingsecurity, and we are also up on the Smashing Security subreddit as well.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
Unknown
And of course, thank you to this episode's sponsors, Qualys and 1Password, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest list, and the entire back catalog of more than 249 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye-bye.
Unknown
Bye for the 250th time. Fun though. Well, we're going to do a few more. Are we going to do a few more, Graham, before we throw in the towel?
JESSICA BARKER
You've got to get to 256, 256, and then 365.
CAROLE THERIAULT
Okay, good point. Yeah.
Unknown
Okay, 365 is giving us the strength to carry on.
GRAHAM CLULEY
256, 512, 1024, 2048, 4096, 8192, 1064. Stop recording now.

Hosts:

Graham Cluley:

Carole Theriault:

Guests:

Jessica Barker – @drjessicabarker

Show notes:

Sponsor: 1Password

From start-up to enterprise, 1Password makes it easy for your team to store, generate and share strong passwords. The less time you need to spend dealing with hacks, phishing scams, and lost passwords, the better.

Not just for IT and Security teams – all kinds of teams like Finance, HR, Legal, and Marketing can also store and share business credit cards, sensitive documents and shared logins in 1Password.

Work securely from home or in the office. 1Password allows secure access to logins and important resources anywhere you work.

Instantly deploy, grant and revoke access to shared vaults. You can securely add new team members and recover locked-out user accounts.

Find out more and try 1Password free for 14 days at 1password.com

Sponsor: Qualys

Qualys Security Conference 2021 is taking place in Las Vegas November 15-18 2021, and you can attend either in person or online.

Hear from experts such as Chris Krebs, former Director of the DHS & CISA, learn strategies and tactics to secure your organization, and network with your peers and other Qualys experts to accelerate your career.

To learn more about attending the Qualys Security Conference 2021 in person or online visit smashingsecurity.com/qualyslasvegas

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
