Smashing Security podcast #252: Hotel hacks, workplace spies, and the FBI

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Booking.com got hacked five years ago, and didn’t tell its customers… but now we know who might have been behind it. Bossware rears its ugly head again in the workplace, spying on employees. And did you receive a warning email from the FBI?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Brian Klaas of the “Power Corrupts” podcast.

Plus we have a featured interview with Perimeter 81 co-founder and CEO Amit Bareket.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
BRIAN KLAAS
He's a journalist and he dresses up as various things to do undercover journalism to expose people. So he once dressed up like a rock, which I absolutely love.

It's like this sandstone.
GRAHAM CLULEY
And not like The Rock, not like Dwayne Johnson.
BRIAN KLAAS
Like literally a piece of sandstone that has two eye holes in it. It's hilarious, right?
Unknown
Smashing Security, episode 252. Ransomware, doxing, phishing, malware, ransomware, doxing, hotel hacks, workplace spies, and the FBI with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 252. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined this week by a returning guest. It's Brian Klaas of the Power Corrupts podcast. Hello, Brian.
BRIAN KLAAS
Hello.
CAROLE THERIAULT
The very wonderful Power Corrupts podcast. I'm on episode 5 at the moment of season 2. I love it, love it, love it, Brian. Love it.
BRIAN KLAAS
Oh, thank you so much. That's very nice of you. Glad to have you in my ranks of listeners.
CAROLE THERIAULT
Oh, well, I am. I'm a big cheerleader for it.
GRAHAM CLULEY
But it's not just a podcast you've got up your sleeve, is it? You've also got a brand new book out.
BRIAN KLAAS
I do. Yes, indeed. Just came out. It's called Corruptible: Who Gets Power and How It Changes Us. Shall I give you the very brief pitch of it?
GRAHAM CLULEY
Go on. Yes, please.
BRIAN KLAAS
Okay. So basically, I studied dictators and authoritarian leaders mostly in my career.

And I started at one point to think, wait a minute, I've recognized these people who I've met in palaces actually in mid-level management and in homeowners associations.

I think we all have this experience of the dictatorial personality. So I sort of started to think, is the name of my podcast actually true?

Is it actually the case that power corrupts?

And the book draws on 500 interviews that I did with all sorts of awful people around the world, and then also brings in neuroscience, psychology, evolutionary biology, political science, all sorts of studies, and it completely flipped my view of power.

So it was a fascinating project, and I hope people will check it out.
CAROLE THERIAULT
Are you power hungry now? Did it rub off on you?
BRIAN KLAAS
I don't think so, but I've managed to squeak in a lot of the interviews and fly around before the pandemic struck.

One of the ones I was going to do that got scratched because it was going to happen in April of 2020, was I was going to get my brain scanned to see if there was any traces of psychopathy inside there.

Being a psychopath, because they can actually look at it. So I was curious, and didn't happen. But I think I'm on the right side of that divide, hopefully.
CAROLE THERIAULT
Wow.
CAROLE THERIAULT
Well, I'm buying this book for my dad for Christmas, so there you go. So that's happening. If I can get a signed copy, let's talk later.
BRIAN KLAAS
What is it? What does it tell you about him?
GRAHAM CLULEY
Exactly.
CAROLE THERIAULT
Well, thanks to this week's sponsors, 1Password, Perimeter 81, and Qualys. It's their support that helps us give you this show for free.

Now coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
Well, I'm going to be returning to an old data breach that you may not have heard of.
CAROLE THERIAULT
Ooh, and what about you, Brian?
BRIAN KLAAS
I'm going to talk about workplace surveillance and how companies are spying on people without their knowledge.
CAROLE THERIAULT
And I am going to be talking about an FBI snafu. Plus, we have a featured interview with Amit Bareket.

He's the CEO and co-founder of Perimeter 81, an industry-leading SaaS security platform. So all this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Brian, you were just telling me that you interviewed 500 horrible people, you said.
BRIAN KLAAS
I did, yes, indeed.
GRAHAM CLULEY
You say you've interviewed 500 horrible people.

Does that mean if someone gets a request from you that you want to interview them, you've kind of tipped them off in advance, they may be rather vile?
BRIAN KLAAS
Well, I will say that some of them were actually really lovely people. Most of them had no business being in power, but there were some exceptions.
GRAHAM CLULEY
Well, your travels, they must have taken you all around the world.

Moscow, Berlin, Paris, London, Tokyo, Slough, you know, some of the most glamorous places on the planet, beloved by the jet set and glitterati.

You must have loved checking into luxurious hotels, hot and cold running water, playing around with the trouser press.

Wasn't it great filling yourself up to the neck with complimentary room service? Carole, you like to stuff yourself, don't you, with a macaron if you're on holiday or travelling?
CAROLE THERIAULT
A macaron, please, please say it properly. It's not a— macaroon's a completely different thing.
GRAHAM CLULEY
Well, maybe, maybe when you've been travelling around, maybe you've booked your stay via a website like Booking.com. You heard of Booking.com, you two?
CAROLE THERIAULT
Yes.
BRIAN KLAAS
Of course.
CAROLE THERIAULT
And I have booked via Booking.com.
BRIAN KLAAS
I have too, because they allow you to cancel last minute.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Ah, okay. Well, one of the world's leading online travel companies, it's where you can book flights, hotel stays, car rentals.

What possible reason would someone want to hack Booking.com? Any theories? Why would you want to hack Booking.com?
CAROLE THERIAULT
Steal data, put the ransomware on their bikes.
GRAHAM CLULEY
Right, yeah. Steal payment details.
CAROLE THERIAULT
Yeah, yeah.
GRAHAM CLULEY
I'm thinking, I'm trying to be a little bit more imaginative. What about defacing hotel listings to say the bed was full of cockroaches or slag off competing hotels?
CAROLE THERIAULT
I was thinking, I thought you meant you'd, you know, screw around with the pictures and put little cockroaches in them.
GRAHAM CLULEY
Oh, you could.
CAROLE THERIAULT
Pictures going across the bed.
GRAHAM CLULEY
If you managed to hack the site or hack accounts. Maybe you could do that.
BRIAN KLAAS
Some sort of power-hungry bed and breakfast kingpin could do this, I think.
GRAHAM CLULEY
That's what I aspire to be. Yes, that sort of power-hungry.

Now, that wouldn't have been your motivation if you were the hacker who is said to have broken into Booking.com systems in 2016.

Yes, I am going back 5 years, actually to early 2016, so nearly 6 years. I like to keep things topical.
CAROLE THERIAULT
It's okay. Short-term memory goes away as you get older, Graham. It makes sense you have to go back to the old days.
GRAHAM CLULEY
Well, this hacker who broke into Booking.com servers, he stole details of thousands of hotel reservations in countries in the Middle East.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And Booking.com's IT security team realised they had a serious problem, and they began to investigate the breach alongside the Dutch intelligence service.

I think Booking.com is one of those companies, I think it was founded in the Netherlands. But it's also half American. So it's sort of a Dutch company.

And they determined that the culprit, they did lots of investigation with the Dutch intelligence service, and they determined that the culprit was a hacker called Andrew.
Unknown
Oh God.
GRAHAM CLULEY
Not that useful really.

Instantly made me think of a certain Andrew who's rather famous here in Blighty, famous for not sweating very much, but enjoying the Pizza Express facilities.

But not him as far as I know. Now, do you remember reading the news stories about Booking.com at the time back in 2016?
CAROLE THERIAULT
No.
GRAHAM CLULEY
No, you don't, do you?
CAROLE THERIAULT
Well, no, but I wouldn't remember probably.
GRAHAM CLULEY
You probably wouldn't remember.
CAROLE THERIAULT
I don't even remember what story I did last week.
GRAHAM CLULEY
No, you're probably too addled. You don't remember anything. Well, you probably wouldn't remember because it didn't become public knowledge.
BRIAN KLAAS
Ah.
GRAHAM CLULEY
Now, according to three Dutch journalists, who wrote a book about the hack.

Their book is called 'De Machine: In de ban van Booking.com', which in English translates to 'The Machine Under the Spell of Booking.com'.
CAROLE THERIAULT
OK.
GRAHAM CLULEY
They say that the site was dissuaded from informing customers or even the Dutch Data Protection Authority about the hack.
CAROLE THERIAULT
They were dissuaded? By whom?
BRIAN KLAAS
Hmm.
GRAHAM CLULEY
Yeah. Who could possibly have a reason to want it to be hushed up and to withhold details of the hack from thousands of their victims.
CAROLE THERIAULT
The board, the board investors.
GRAHAM CLULEY
Well, yeah, exactly. The bosses. The bosses ultimately made the decision.

And the argument that's been given is that Booking.com checked with its London-based lawyers and was told that it was not legally required to tell the authorities or individuals affected because, quote, no sensitive or financial information was accessed.

And so they didn't.
CAROLE THERIAULT
So sensitive, so no names? Is that—
GRAHAM CLULEY
Oh no, names were taken.
CAROLE THERIAULT
Email?
GRAHAM CLULEY
Names were taken. Some details, yeah. And as where people were staying as well, but no sensitive info. This is before GDPR came into force.

And according to Booking.com, it abided by all the laws and they were not required.

They could quite happily "keep schtum." Now, of course, some people knew about this hack, but weren't very happy about this plan not to tell anyone, which included the IT experts who'd actually investigated, the people who actually worked inside Booking.com.

But under privacy laws at the time, Booking.com says that it was only required to notify people affected by the data theft if it would likely have adverse effect on their private lives.
CAROLE THERIAULT
There's a lot of words here that have a lot of meaning. What does that mean, adverse effect?
GRAHAM CLULEY
Right. It's open to interpretation.
CAROLE THERIAULT
They get murdered? Oh, yeah, no, that had an adverse effect.
GRAHAM CLULEY
Because I would argue that it was sensitive information because thousands of hotel reservations accessed involving countries such as Saudi Arabia, Qatar, the United Arab Emirates, names, travel plans, reservation details were in the hands of this mysterious hacker Andrew.

And according to these journalists who've investigated, they say that the Dutch intelligence service determined that Andrew was working for a US-based company that often did work for US intelligence agencies.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
In other words, it was US spies, it appears, who hacked this Dutch company in order to steal information about some of their customers, ones who were in the Middle East.
CAROLE THERIAULT
And did they also lean on the legal team saying, hush, hush, guys, if you know what's good for you?
GRAHAM CLULEY
Well, I don't know. It's a simple answer, but you do begin to worry a little bit, don't you? It feels like a lot of power that these guys had, right, Brian?
BRIAN KLAAS
Indeed, yes. And I do think it is— it's obviously private information. Yeah.
GRAHAM CLULEY
So if the journalists' book is accurate, the spying was carried out by the US against foreign diplomats and other people of interest in the Middle East.

And the theory goes that if the United States knew which hotels people of interest were staying at, they could cross-check it against their list of hotels who they've already determined are fairly easy to exploit, to plant surveillance equipment in or gather other information.

So intelligence agencies around the world, there are some hotels which they're going to find easier to spy upon than others. They may have people on the inside.

They may have influence over those companies. They may be able to sneak in. They may already have systems in place to snoop on people. And it appears that's what's happening.

So, it's rather astonishing that this huge website involved in travel and booking was breached. It didn't tell anyone, it kept it all quiet.

And furthermore, that it was actually hacked by what you would normally feel was a friendly country, rather than, you know, someone else.
CAROLE THERIAULT
I'm playing devil's advocate, but how many other companies and corporations did also stay schtum, right? Pre-GDPR.

I mean, that's part of the reason GDPR is here because it was just going, it was rife. So I get that.

And it's hard, you know, 2020, you know, going back now and saying, how dare they?

What's annoying is the loose language, you know, the skirting around the truth and what is sensitive and what isn't it. And I think we have that definition now.

You know, it's been defined.
GRAHAM CLULEY
It certainly seems that more and more companies now are going public about having been hacked.

It's not, of course, completely without precedent for one country to hack a company in another friendly country in order to find out information about its customers in the Middle East.

This happened in 2013 with Belgacom, now known as Proximus. They're Belgium's largest telecoms company. They're multinational, but they're based in Belgium.

They were hit by spyware, and that spyware came from our very own GCHQ, Her Majesty's Government Communications Interception Headquarters, because there were people of interest again.
CAROLE THERIAULT
Sealed with a kiss from the Queen.
GRAHAM CLULEY
Exactly. Well, I don't know. I mean, I imagine—
CAROLE THERIAULT
No, I'm sure not.
GRAHAM CLULEY
Come on. I'm sure she wouldn't— It wasn't the royal internet that's been used. I think it was a dodgy LinkedIn invitation which happened.

Anyway, so what is Booking.com's response to these revelations?

Well, what they've said to this new book is, "Data security is a top priority for us. We are continually innovating the robust processes and systems we have in place to protect our customers and partners."
CAROLE THERIAULT
Okay. Yeah, yeah, yeah.
GRAHAM CLULEY
So I hope you're satisfied with that. There's continual innovation going on.
CAROLE THERIAULT
Is there any, we're sorries?
GRAHAM CLULEY
No, but the people who run the hotels have decided that there was no sensitive or financial information which was accessed.

So by their determination, they're saying under the laws which were in place at the time, they say nothing sensitive was taken, therefore it doesn't need to be looked into anymore.

Thank you very much. Please shut the book.
CAROLE THERIAULT
Yep.
GRAHAM CLULEY
Don't investigate any further.
CAROLE THERIAULT
Or STFU, basically.
GRAHAM CLULEY
Yeah, basically. And I don't know how I feel about this. Well, I do know how I feel about this.

I just kind of feel, well, Booking.com, you've sort of blotted your copybook, even if it was 6 years ago. You're not even saying now, we're really sorry that this happened.
CAROLE THERIAULT
So Graham, are you going to never book from Booking.com?
GRAHAM CLULEY
I don't know that I have ever used Booking.com, but this is the thing, is that other travel companies, chances are that they've been hacked as well from time to time.

You know, if intelligence agencies want to get into one, they probably want to get into others too. So who do I go to?
CAROLE THERIAULT
That's a very wise statement, Graham. That's very wise.
GRAHAM CLULEY
Thank you very much. I feel rather nervous now you said that. Brian, what do you want to talk to us about this week?
BRIAN KLAAS
I want to talk to you about companies that are surveilling their employees without them knowing. So there's a story out today in the Los Angeles Times that cites various research.

One of them is by Teramind, a Miami-based provider of employee monitoring software, and it said that basically about 70% of its sales came from companies concerned about security before the pandemic, and 30% that used to be concerned about worker productivity.

And now after the pandemic has struck, that relationship is completely flipped. So it's mostly about surveillance and less about security.

And when they've looked at the actual amount of companies that are using surveillance software, they say that about 60% of companies are doing it, double what it was early on in 2020.

And the rub here is that a lot of people aren't aware that this is happening to them. It can be done through webcams.

It can be done through keystroke logging if it's company computers and so on.

This also relates to— I can't miss an opportunity to make the link to the book that came out last week of my own, which is that I think that there is a systematic problem that we have in diagnosing who is worth watching.

What I mean by that is I have a chapter where I talk about how powerful oversight is for producing accountability in human behavior.

And I draw on a whole bunch of different studies from neuroscience to behavioral economics and so on.

But one of the things that I think we're getting wrong is that when you look at these corporate scandals or you look at abuse of power by big fish, the real problem's happening at the top.

It's happening in the boardrooms, it's happening behind closed doors in corner offices.

The companies like Enron aren't getting brought down by the person who's stealing 10 minutes on their lunch break or takes a paperclip home with them.
CAROLE THERIAULT
It has an extra long poop, right?
BRIAN KLAAS
It's by the people at the top.
GRAHAM CLULEY
Yeah.
BRIAN KLAAS
So I think, you know, we have this weird relationship with power in our society where powerful people design systems to relentlessly observe and surveil powerless people.

And in fact, most of the damage is being done by the people who are watching, not the people who are watched. And so, you know, I think that this needs to be inverted.

Now, it's not to say that we want to have a surveillance state by any means. And I think that in general, this general trend is bad.

But I think that if you're going to have surveillance software, maybe some of it should be looking at what people who are actually moving millions of dollars around, what they're up to.
CAROLE THERIAULT
24-hour video cam for CEOs.
BRIAN KLAAS
Love it.
CAROLE THERIAULT
Webcam their houses, their mansions.
GRAHAM CLULEY
Webcam up the politicians. Isn't that what happened to Matt Hancock, I think? Isn't that how we discovered he was snogging his aide?
BRIAN KLAAS
Yeah, and I think this gets to something more profound about the sort of power imbalances that come with tech.

And I think it's something about our own behavior where we have to think about who's actually doing the damage.

Most people who are working from home are actually trying to get their work done.

You know, they might not do it on the clock in the exact same way that the employer wants them to, but as long as they get the work done, it's not going to bring the company down.
CAROLE THERIAULT
I think, yeah, on the other hand, there's a lot of people in the higher echelons of these various positions who actually can bring the companies down and have.

Over time, I've read about bossware is what the kind of colloquial term is, you know, but they'll take pictures every 15 seconds to make sure that said employee or student is sitting with their butt on the seat looking at the screen.
BRIAN KLAAS
Worse than that, I mean, when I was doing research for this, there are even chairs that exist— this is in the before times, in the actual physical office— but there are chairs that have pressure sensors to tell whether you're actually sitting in it.
CAROLE THERIAULT
Oh my God.
BRIAN KLAAS
And there are companies in the U.S. that have a requirement that employees download GPS tracking software.
GRAHAM CLULEY
Yeah.
BRIAN KLAAS
And this isn't turned off when they leave the office.
CAROLE THERIAULT
Yeah.
BRIAN KLAAS
Right? So, I mean, one of the big takeaways I have from the book, one of the big points I make is how we have a very weird view of who does damage in society.

Of course, the book talks about a million other things, but this is one small section of how the feeling of being watched actually moderates our behavior in some ways.

But that's quite counterproductive if it's the feeling of being constantly surveilled when you're just doing your job.

And I think the lessons that we should learn— there's also, I talk about in the book, this amazing story, a guy I interviewed, one of the good ones actually, not of the 500 people, he's one of the good ones.

He's a journalist in Ghana, and he dresses up as various things to do undercover journalism to expose people. So there's two things I think that are important about him.

One is he once dressed up like a rock, which I absolutely love. It's not like The Rock, not like Dwayne Johnson, like literally a piece of sandstone that has two eye holes in it.

It's hilarious, right?

But the thing that I also love about him— I spoke to him on Skype, you know, this is two years ago before Zoom was a big thing, and I couldn't see his face because he covers it with these beads.

And the reason he does that is because he wants everybody in society who's powerful to think anybody could be him, right? So he never reveals his identity.

He's a secret figure who's known as Anas, but no one knows who he is, with the idea that anytime Anas could be watching you.

Now, that's a very powerful and productive thing for oversight of politicians, judges. He's exposed massive corruption scandals.

But it's not a good thing if we don't know if our webcam is watching whether we're having a tea break that's 1 minute too long. I think that's the point that I wanted to make.
Unknown
Yeah.
GRAHAM CLULEY
And not good if you've got a bad back and you want to stand at your desk, you know, if you have to keep your butt in the chair, the chair starts having an alarm, right?
BRIAN KLAAS
Maybe they have standing mats for those people. Who knows?
GRAHAM CLULEY
It is.
CAROLE THERIAULT
I would have a dictionary if people, you know, you wouldn't know if your chair has these sensors, right?

So anyone who's going to go for an extra long bathroom break, make sure you bring a dictionary and slap it on the seat. You'd have to weigh equivalent.
BRIAN KLAAS
What if you're really, really small?
GRAHAM CLULEY
Is there a particular book that you could put on your stool, if we want to use the phrase stool?
CAROLE THERIAULT
Oh yes, Brian.
GRAHAM CLULEY
How heavy is your book, Brian?
BRIAN KLAAS
You know, it's 270 pages or so. So it's not massive.
GRAHAM CLULEY
They're gonna have to buy 3 copies.
CAROLE THERIAULT
Definitely buy hardbacks. 3 hardbacks.
GRAHAM CLULEY
Yeah.
BRIAN KLAAS
Yeah, I think so. I think you're gonna have to get the — it's got on the cover it's got sort of gold foil. I think you'd need actual gold for it to work.
GRAHAM CLULEY
Probably. Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so we're gonna imagine it's November 12th and you guys are IT administrators.
GRAHAM CLULEY
Yes, I am.
CAROLE THERIAULT
And you're sitting around, you know, feet on your desk, definitely with butt in chair, so there's no alarms.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And you get an email with the subject saying, "Urgent threat actor in systems." Now this isn't in your quarantine or spam folder, but sitting right there in your mainstream mail.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
What's your first do then? Do you just get up, get a sandwich, ignore it, open it up? What do you do?
GRAHAM CLULEY
Well, I'd probably open — I wouldn't open the attachment, or if there was an attachment, or click on any links. Maybe I'd look at the actual message and see who it's come in from.
CAROLE THERIAULT
Yes, let's check the sender.
GRAHAM CLULEY
Yeah, yeah.
CAROLE THERIAULT
Okay, so the email is sent to you by — from the official email address of the FBI, so eims@ic.fbi.gov. And you look this up, and it's a totally legit address.

It's part of the FBI's Law Enforcement Enterprise Portal, or something called LEEP. This is a one-stop shop to share intel across different departments.

And maybe you check the IP address, and indeed, it is the FBI's IP address.
GRAHAM CLULEY
And this isn't an accidental message that's been sent. You remember in Hawaii, they accidentally sent a message to everyone there saying that —
CAROLE THERIAULT
Oh, yes. And then later, oops, sorry.
GRAHAM CLULEY
Saying North Korea launched a missile towards Hawaii caused slight panic.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Nothing, so it's not a test that's gone wrong or something like that.
CAROLE THERIAULT
Should we read the email?
GRAHAM CLULEY
Okay, go on, yeah, tell me what the email says.
CAROLE THERIAULT
Okay, we're gonna go sentence by sentence.
GRAHAM CLULEY
All right, okay.
CAROLE THERIAULT
So it says, our intelligent monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack.
GRAHAM CLULEY
Well, it's already lost me. It sounds quite technical.
CAROLE THERIAULT
It sounds quite technical. It sounds like, ooh, they know what they're talking about, the FBI.
BRIAN KLAAS
I don't know what half those words mean.
GRAHAM CLULEY
Exactly. Yeah, it sounds like they know more than I do about something. Yes, right.
CAROLE THERIAULT
Okay, so you'd probably want to read the next sentence.
GRAHAM CLULEY
Right, yes, yeah.
CAROLE THERIAULT
Okay, we tried to black hole the transit nodes used by this advanced persistent threat actor.

However, there is a huge chance he will modify his attack with a fast flux technology, which he proxies through multiple global accelerators.
GRAHAM CLULEY
It sounds like those FBI guys really know what they're talking about now. And we're up against some serious hackers.
CAROLE THERIAULT
I mean, fast flux guys, fast flux.
GRAHAM CLULEY
Yeah.
BRIAN KLAAS
Where's the bank account to send the money to the Nigerian goods now?
CAROLE THERIAULT
We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang, the Dark Overlord.
GRAHAM CLULEY
Oh, my cousin Vinny. Yeah, okay, Vinny. Yeah, well, Vinny's an all right guy, right?
CAROLE THERIAULT
I think at this point, I think I'd be going, what? What? Why would you be telling me who the threat actor is? And what does this have to do with anything?

And you're telling me that your intelligence monitoring my virtualized clusters, tell me about them. Anyway, it says we highly recommend you check your systems and IDS monitoring.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
And then it signs off with, "Stay safe. Okay, US Department of Homeland Security." Well, that does sound authentic.
GRAHAM CLULEY
I can imagine that the Department of Security would sign off with a "stay safe." Really? No, but that's the sort of— Yes, I can actually. I'm not joking. I'm not being sarcastic.

No, they might. Well, what are they going to do? Say, "Yours sincerely"?
CAROLE THERIAULT
It's too cutesy, Brian. Brian, you've read loads of government documents, I'm sure, in your time. I'm sure you've read loads through your career.
BRIAN KLAAS
I think it depends what country it's coming from. I think that, you know, if it's American, they'd say have a good day or something like that.
GRAHAM CLULEY
Yeah. Stay safe. Yeah.
CAROLE THERIAULT
Okay. Okay. So what do you do at this point? Because there's no instructions, there's no attachments, there's no links.
GRAHAM CLULEY
Oh, so they're not up to any— so what's the point of this?
BRIAN KLAAS
How are they—
CAROLE THERIAULT
So what's the point of this? And what are you supposed to do? And what, you know, how do you check your virtualized clusters? Right? And what is that? And what the heck's going on here?
GRAHAM CLULEY
Right.
BRIAN KLAAS
I think I'd forward it to you.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Well, I don't think we'd help very much. I don't think we'd know either. So people were kind of, didn't know what to do. So what would you do? Maybe you'd call the FBI.
GRAHAM CLULEY
I would go onto Twitter. I would go onto Twitter and I'd see if other people have received something like this.
CAROLE THERIAULT
Right. Okay.
GRAHAM CLULEY
You wouldn't call the FBI immediately. That sounds too much like effort. I would just go and have a look on Twitter.
CAROLE THERIAULT
A lot of people decided to call and jam their lines.

The problem was that the Federal Bureau of Investigation, the email servers were indeed hacked to distribute this spam email impersonating the FBI.

And according to Bleeping Computer, spam-tracking nonprofit Spamhaus noticed that this glut of messages was being delivered in two waves early on the 12th of November.

And they said that the fake emails reached at least 100,000 mailboxes, though they feel this is very conservative.

So Brian Krebs wrote on his blog that spam messages were being sent by abusing insecure code in the FBI online portals.

Online portals are such a pain in the ass for people to administrate because you already have your website and everything, other devices that you have to administer across the company.

And then all these marketing people and different communicators want online, special online portals to discuss things, you know, directly. Anyway, there are often issues in them.

I'm interested in Vinny, right? I'm interested in Vinny, who was mentioned in the mail.
GRAHAM CLULEY
Well, I've heard of Vinny before.
CAROLE THERIAULT
Okay, talk to me about Vinny.
GRAHAM CLULEY
Well, Vinny's on the speaking circuit.
CAROLE THERIAULT
Yes, he is on the speaking circuit.
GRAHAM CLULEY
He's one of those sort of people who stand up on a stage and give talks about cybersecurity.
CAROLE THERIAULT
Blah, blah, blah.
GRAHAM CLULEY
Can you imagine how hopeless that is? No, no. That sort of person. Yeah, no, he's basically the competition for me, Carole.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
People like Vinny, yeah. But, you know, he's an author and, you know, he investigates cybercrime and things.

So I'm a little bit surprised that he's now turned to the dark side and is now exfiltrating data from my network.
CAROLE THERIAULT
Graham, you identified him very well, 'cause I didn't know him, so I had to do a bit of looking in.

So he's also head of security research at the darkweb intelligence company Night Lion and Shadowbyte.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Bleeping Computer got in touch with Vinny to ask him why he's being blamed in this email. And he says, "My best guess is Pompompurin and his band of minions.

These are the guys behind the incident." Pompompurin? Pompompurin.
GRAHAM CLULEY
That sounds a bit like Chim Chimerey, Chim Chimerey, Chim Chim Cheru. Well, what kind of name is that? What, is that a name of a hacker, is it?
CAROLE THERIAULT
Well, apparently Pom Pom Purin contacted Troia a few hours before the spam email campaign started and simply to say "enjoy" as a warning that something involving the research was about to happen.

And apparently Pom Pom Purin messages them every time they start an attack to discredit Troia.

So there's a long-running feud apparently between the members of the RaidForums hacking community. What? What are you saying?
GRAHAM CLULEY
Well, is it really doing that much damage to Vinny Troia? I would imagine his name gets out there much, much more because—
CAROLE THERIAULT
Oh, are you in the market for someone to start badmouthing you in spam emails? Is that what you're looking for?
GRAHAM CLULEY
I've given people plenty of reason in the past. I don't think I'm important enough for them to bother.
BRIAN KLAAS
Well, Mark Gaddafi contacts me all the time, so— and he's dead.
CAROLE THERIAULT
Well, so I was like, "Pom Pom Purin, what is going on?" Right? So I went looking around and turns out Krebs got a missive from an actor claiming responsibility.

And his first line is, "Hey, it's Pom Pom Purin. Check headers of the email. It's actually coming from FBI server.

I'm contacting you today because we located a botnet being hosted on your forehead. Please take immediate action. Thanks."
GRAHAM CLULEY
Sorry, Brian Krebs has a botnet on his forehead.
Unknown
Apparently.
CAROLE THERIAULT
I don't really know what that means. I thought I was going to ask you. You're a bit more geeky.
GRAHAM CLULEY
I think it's a comment on Brian's haircut, possibly. Maybe he doesn't have a big enough fringe to cover his forehead.

Well, I think he looks perfectly fine, but maybe the hackers have got some sort of issue with how he looks. It sounds rather juvenile to me. Is that possible?

A cybercriminal being juvenile?
CAROLE THERIAULT
He said— so speaking of Krebs, he said, I could have 1,000% used this to send more legit-looking emails, trick companies into handing over data, etc., and this would have never been found by anyone who would responsibly disclose due to the notice the feds have on their website.

So that's interesting. He's basically saying that he could not responsibly disclose because of some—
GRAHAM CLULEY
Some legalese.
CAROLE THERIAULT
Some legalese of the feds.
GRAHAM CLULEY
Right, saying you can't do this on our server if you find a bug. Well, couldn't the FBI now say, look, we're actually really grateful you found this.

If you would like to apply, telling us your full name and address.
CAROLE THERIAULT
Pom Pom Purin, Mr. Pom Pom Purin.
GRAHAM CLULEY
We will send a special delegation round to your house "to deliver your bug bounty personally." And a couple of extra surprises.
CAROLE THERIAULT
The thing was, they did manage to hack this page, but none of the data that was on the LEEP system was accessed. It was all grabbed from another — scraped from another database.

So, it really was just a juvenile kind of trick, but it did cause some drama.

You know, I think people would not have been as lazy as you, and they might have contacted the FBI and going, "What the fuck, guys?"
GRAHAM CLULEY
"WTF?" Well, clearly, yeah, clearly people did. Yeah. Even if they didn't lose any data, they still had a portal exploited by a mischievous little runt.
CAROLE THERIAULT
My final question. My final question. Do you think the FBI has apologized for their oversight on the website?
GRAHAM CLULEY
I think, yes, they have.
CAROLE THERIAULT
Okay. Brian?
BRIAN KLAAS
I would guess no.
CAROLE THERIAULT
Correct. Brian's right. No, not the first time. Okay.
GRAHAM CLULEY
Perimeter 81 is the first ever cybersecurity experience platform designed around instant deployment, unified management, integrated security, and full visibility.

Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.

Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as zero trust network access, firewall as a service, device posture check, and more.

Learn more and request a demo at perimeter81.com. That's perimeter81.com.
CAROLE THERIAULT
We're also sponsored by Qualys, one of the pioneering providers of disruptive cloud-based IT.

Qualys delivers continuous critical security intelligence via their Qualys Cloud Platform and integrated cloud apps.

And their powerful solutions empower organizations to streamline and consolidate their security and compliance solutions in a single platform, achieving greater business agility, better outcomes, and substantial cost savings.

Qualys announces 3 solutions: ransomware risk assessment, cybersecurity asset management, and zero-touch patch management.
BRIAN KLAAS
Want to learn more?
CAROLE THERIAULT
Of course you do! Check out smashingsecurity.com/qualys. Q-U-A-L-Y-S. That's smashingsecurity.com/qualys. And thanks to Qualys for sponsoring the show.
GRAHAM CLULEY
1Password 8 for Windows is out right now. 1Password 8 for Windows has been reimagined to feel right at home on the world's most popular desktop operating system.

From dark mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.

Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.

1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before. So what are you waiting for? Find out more.

Try 1Password free for 14 days at 1Password.com/SmashingSecurity. And thanks to the folks at 1Password for supporting the show. And welcome back.

Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
BRIAN KLAAS
Pick of the Week.
CAROLE THERIAULT
Perfect.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Now, in a slight change, I'm going to do a little bit of a shout-out because it was my niece Marlowe's birthday recently, and I sent her some little cupcakes, which was frankly a bit of a lazy gift.

And—
CAROLE THERIAULT
Yeah, did you make them?
Unknown
No.
GRAHAM CLULEY
No, no, no.
CAROLE THERIAULT
Thank God. Lucky her.
GRAHAM CLULEY
Yeah, she should be grateful, shouldn't she?
CAROLE THERIAULT
She definitely should be.
GRAHAM CLULEY
But as a penance, she has asked me to give a bit of a shout-out on the podcast.

And indeed, I'm going to dedicate my Pick of the Week suggestion to Paul Frost of Streatham and Clapham High School, London.

He is the best computer science teacher within the Streatham and Clapham catchment area.
CAROLE THERIAULT
Ah!
GRAHAM CLULEY
As voted for by my two nieces, Mallory and Marlow. So Paul, congratulations. This Pick of the Week is for you. And hopefully I've got off any birthday shenanigans for another year.

So my pick of the week this week is not security related.

It is a video game called Trailmakers, which I've been playing with my son on the PlayStation, but it is also available on Steam and on the Xbox.

It is a physics-based game where it's a bit like Lego.

It's a bit like technical Lego where you can build cars and monster trucks and boats and submarines and tanks and aircraft and amphibious vehicles. All sorts of things.

You can even build an AT-AT from Star Wars or, you know, it's basically you're limited by your imagination, your imagination and your ability to make them aerodynamic or having a good center of gravity.

Because it turns out, Carole, I don't know if you found this as well, Brian.

It turns out it's quite hard to make a working helicopter or an aircraft and to actually get it to go up in the air and not crash. If you can get it to leave the ground at all.

Turns out it's tricky.
CAROLE THERIAULT
You know, you're giving me a great idea for a game. Imagine you could scan your body and then say, how do I become aerodynamic?

And you'd have to lengthen your arms or, you know, whatever to kind of be weightless enough. And you could find out what length of arms you would require.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Yeah.
BRIAN KLAAS
Okay.
CAROLE THERIAULT
Listeners, someone run with it. It's yours.
GRAHAM CLULEY
Well, yeah. And anyway, so, and once having designed these things, you can share them online. You can have other people download them and adapt them.

My son and I, we've been doing little build challenges. And he came up with the idea of, how about we build some monster trucks, Dad, but let's make them look like dogs.

And so we've been driving dogs around this island in a little sandbox island. Well, his drove around complete with a wagging head and tail. Mine just sort of fell over.

It had the oddest way of steering you've ever seen in your life. But anyway, I've had great fun. The game is called Trailmakers.

I will put some links in the show notes where you can check it out or check out the video as well.

I think if your kids are going to play video games, this is a better kind of video game to play because you are creative.

You're learning about physics, you're learning about engineering, and it was all good fun. So that is my pick of the week.
BRIAN KLAAS
Nice.
GRAHAM CLULEY
Brian, what's your pick of the week?
BRIAN KLAAS
All right, so my pick of the week is a book. It's not my book, but it's featured in my book.
CAROLE THERIAULT
Oh, it should be your book. What's the name of your book again?
GRAHAM CLULEY
Have you got a book out, Brian? Have you ever written a book?
BRIAN KLAAS
Oh, right. It's funny you mentioned it. It's called Corruptible: Who Gets Power and How It Changes Us.

But the book of the week that I'm going to— my pick of the week is actually a book that inspired a chapter, and it's a book by a journalist called Mitch Moxley, one of the other good people in the 500 that I've interviewed.

He's a journalist who spent a lot of time in China, and the book is Apologies to My Censor, as I say.

Now, one of the things that I think is amazing about this book and where this story comes into my work is he gets this call while he's living in China. He's a freelancer.

He's living paycheck to paycheck, basically trying to get some sort of story published so he can buy food, pay rent.

And one of his buddies calls him up and says, you know, we've got this job for you. Do you want to fly to this town called Dongying? And all you need to do is bring a suit.

And Mitch Moxley says, okay, sure. It sounds like a story to me, so I'll do it.

Now, what was amazing about this, and it's the beginning of this chapter, is called White Guy in a Tie.

Is that what he was there to do was to pretend to inspect a factory that was being built.

And local investors were told that a California parent company had come and was really interested in this factory.

And he was given this knockoff vest that was supposed to be Dolce & Gabbana, but was totally misspelled. And so he would go, and it was a construction vest as well.

So it makes no sense that it would be Dolce & Gabbana. But he would go into this room and they would put him in a suit.

They'd have him in his suit and he would be reading magazines and then they'd say, okay, now you got to do your job. He'd look around and do quality control.

And he's like, I have no idea what I'm actually looking for. I've never done this. They said, just look, it'll be fine.

And then they had them go to the grand opening, which he still says, he's like, the factory was half done. So I don't understand what we were doing.

But one of his friends gave the speech at the grand opening. They handed him a thing to read and all grammatical errors and so on.

And he's part of this industry in China that he termed white guy in a tie, of lending a veneer of sort of international prestige to these Chinese enterprises.

And the funniest one I came across was this filmmaker named David Borenstein, who basically played the clarinet, and they introduced him at this grand opening as being part of America's most popular country band called Traveler, which they didn't know doesn't have clarinets involved in it.

And the lead singer didn't speak English. She was from Spain and couldn't sing. So a few problems with their plan.

But the reason I bring it up is because I use this as the introduction to a chapter that talks about how evolutionary processes have meant that we look at individuals when we're deciding who to give power to, and we make some very irrational calculations that are often superficial.

So the book was fantastic.

By Mitch Moxley, Apologies to My Censor, and it shaped my thinking a lot in trying to understand what I call the power delusion of why we give power to all the wrong people for the wrong reasons.
GRAHAM CLULEY
And just to be absolutely clear on this, because I think I've only just twigged, this wasn't for a scam or anything. This is purely for prestige and kudos.

It's just like, "Oh, look, we've got this man coming along who's involved." Exactly.
BRIAN KLAAS
There's actually a cottage industry. There are people who make their money in China who are expats.

Basically, they're white, and they're brought in to give the veneer of legitimacy to Chinese operations to show that they have international appeal.

So they sometimes will have attractive white women at the opening of bars to show that they're—
CAROLE THERIAULT
I've never seen a Western company do that ever.
BRIAN KLAAS
So it's an amazing— I mean, it's an amazing statement on race and power and all sorts of things, but it's a whole cottage industry apparently.

Mitch just stumbled across it and said, "This actually is something that a lot of people do and it's how they earn their money in modern China." Maybe there are actually agencies which have a variety of white men on their books you can choose from, maybe with a clarinet, maybe not.

The funniest thing about this, I talked to him about this, and he was featured in the 100 hottest bachelors in China's Cosmo.

Cosmopolitan magazine, and they hadn't seen a picture of him before they picked him.

Now, he happens to be a good-looking guy, but it's just— it's just a very funny thing where they just picked 100 white people and put them in this magazine.

And it's just, oh my God, how does this happen in the 21st century? It's just so unbelievable.
CAROLE THERIAULT
Did he get paid well though?
BRIAN KLAAS
I think he got paid $1,000 and then got lodging, but he was in this backwater town. So I think he did it for the story.

Because ultimately he wrote about this in The Atlantic and then I think an agent probably contacted him and he turned it into a book about all about his adventures in modern China.
GRAHAM CLULEY
Fantastic. So the book's called Apologies to My Censor by Mitch Moxley. That's right. Terrific. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, we're heading to entertainment and culture. So Graham and I, we share some tastes actually, but we don't share everything. You hate nuts, for example, which is ironically nuts.
GRAHAM CLULEY
I don't like the clock on the wall in your living room.
CAROLE THERIAULT
Yes, which is an amazing clock. I should send a picture to our listeners and they will agree with me.
GRAHAM CLULEY
I don't think they'll like it either.
CAROLE THERIAULT
I think they will. But I think you're going to like this Pick of the Week. Actually, I should ask you first, do you like Billie Piper?
GRAHAM CLULEY
Billie Piper? Rose from Doctor Who. She's terrific.
CAROLE THERIAULT
She's terrific?
GRAHAM CLULEY
Yes. Secret Diaries of a Call Girl?
CAROLE THERIAULT
Exactly. Okay, so have you heard of a series called I Hate Suzie?
BRIAN KLAAS
I have not.
GRAHAM CLULEY
I think I have heard it. I haven't seen it.
CAROLE THERIAULT
I hadn't either, but friend of the show Dave Bittner sent me a message saying you should check it out.

It was right up my street, and I obviously trust him because I had to purchase it because I don't have Sky or anything like that. So Billie Piper stars in it.

She plays Suzie Pickles, a former child screen star. And as the character, she has poor impulse control.

She's utterly irresponsible, she's high maintenance, but she also has a number of assholes in her life that don't help matters at all.

But things get super complicated when a compromising sex scandal involving the married Pickles hits the papers, all thanks to a phone hack.

Oh my God, that's kind of security related.
GRAHAM CLULEY
Oh, hello.
CAROLE THERIAULT
Apologies for that.
GRAHAM CLULEY
Her phone is hacked, eh?
CAROLE THERIAULT
Yeah, I'm sorry, guys. Yeah, yeah. Anyway, so it has a lot of references to things that have happened in the UK press over the last decade or so, two decades probably.

And also, it probably follows a lot of tangents in her own career because she was a child star, right? A singer.
GRAHAM CLULEY
Yes, she was. Yeah.
CAROLE THERIAULT
Yeah. And the writing is very fresh. It's written by Lucy Prebble, who also wrote Secret Diary of a Call Girl. And it has the same gritty sadness.

It's funny, it's lewd, it's a little wild, it's a little dangerous.

But you just feel like you're on a roller coaster, and you think the thing's going to fly off the track at any point, and you just don't— you can't predict it.

And that's hard to do in a story. So, this is definitely not for kids, but my pick of the week this week is a TV series called I Hate Suzie. Thanks, D-Dog Dave.
GRAHAM CLULEY
Oh, right. And where can people watch this?
CAROLE THERIAULT
I had to buy it. So you can get it on Sky in the UK. I purchased it off, you know, you can, you know, wherever you can buy series, TV series, right?

So Apple or Amazon or any of these.
GRAHAM CLULEY
Hmm. Oh, interesting.
Unknown
Okay.
CAROLE THERIAULT
Check it out, Graham. It's worth it. You'll like it.
GRAHAM CLULEY
All right. Okay. Well, Carole, you've had a busy week, haven't you? You've been speaking to the folks at Perimeter 81.
CAROLE THERIAULT
Yes, I spoke with Amit. Interesting interview. Check it out.

Okay, today we are speaking with Amit Bareket, CEO and co-founder of Perimeter 81, an industry-leading SaaS security platform. Welcome to the show, Amit.
AMIT BAREKET
Thank you very much. I'm happy to be here.
CAROLE THERIAULT
Now, you are the co-founder of Perimeter 81. Can you tell us a little bit about what drove you to launch this SaaS security platform?

Was there a problem you wanted to fix, or what drove you?
AMIT BAREKET
Actually, it's a very deep question. I had my previous company, SaferVPN, a consumer VPN company that me and my co-founder sold to a public company in the US.

Back then in 2013, we developed a consumer VPN solution, which was our first startup, our first company that we incorporated together after I left my corporate job at IBM and Sergey at Siemens.

Back then we wanted to develop cloud security solutions for consumers.

But while we were working with our customers back then, the consumers, we heard a lot of demand from the business side, from businesses, to consume security and networking from the cloud.

And we, back then, fiber started and 5G, there were discussions about it, and internet became faster and faster.

It was before COVID but we saw a trend where the internet is going to become the new corporate network.

We thought, how can we utilize all knowledge and know-how, both on building SaaS solutions specifically for B2C, business-to-consumer, security solutions, to build a secure network for organizations to be delivered over the internet?

So it doesn't matter where the employees are, when they open the laptop, they have the same security experience.
CAROLE THERIAULT
That's incredible because your timing is perfect in a way, considering the last few years that we went through where people were having to work from home for the first time in their lives in some cases.
AMIT BAREKET
That's right. It's absolutely correct. COVID really accelerated this trend overnight in February 2020. I remember that very clearly.

For us, COVID accelerated this trend, which would anyway would happen, but instead of 10 years, everything shrunk into 2 years.

So our product development and adoption, we strongly believe that it will only get stronger.
CAROLE THERIAULT
Yeah. You know, I've heard you guys refer to the cyber complexity trap. Can you tell me a bit about that?
AMIT BAREKET
Absolutely.

So what we found out that not only employees are working from home and resources are moving to the cloud and the internet is the corporate network, but today there are many, many different cybersecurity solutions.

And the average IT manager, and we've done a survey, manage about 20 different security solutions.

Each one managed separately has its own setup installation, sometimes most of the times hardware management console.

And that increase, the inflation of security solutions, it basically creates a paradox, a trap where there are dozens of tools to manage. Because of that, you don't see anything.

And even you don't know which security solution you need to implement. So when you ask an IT manager, what is your current area of focus, right? Is confused.

And it's also increased the ability to provide impact.

That basically complexity, we call it the cybersecurity complexity trap, where employees are working from everywhere and the internet is now the corporate network.

There are many devices, many resources, many hybrid environments, but there are dozens of tools to manage.
CAROLE THERIAULT
Yeah, the complexity for the IT professional and the CISO has just grown exponentially, I think, over the past maybe even 5 to 10 years.

And yet I'm not sure the resources have climbed with that. I wonder how many of them have actually pulled their hair out completely because of the new situation that they're facing.
AMIT BAREKET
So absolutely, I think that if two years ago, a year ago, during COVID right, the discussion was around how I'm going to secure my employees while they're working from home, how I'm going to secure my cloud environments, right?

Today is how I'm going to deal with all those tools. This is a very hot topic because that inflation of different tools and solutions decreasing the impact on security.

And what we found, that it's not only important to provide a tool to secure, to unify security and networking over the cloud, but also building an experience in order to deliver cybersecurity in a simple way and engineer the solution, right?

Not only to answer the use cases, but rather put the people in the center and think and engineer, right?

Invest many hours and days and weeks and years into and make a revolution, not evolution, in the way that cybersecurity is being consumed.

This is one of the reasons why we launched the new category now which we call the Cybersecurity Experience Platform.
CAROLE THERIAULT
Perfect. I really wanted to ask about that. So please tell us about that, tell us about this new service.
AMIT BAREKET
So the Cybersecurity Experience Platform, what we've done along the way, and we've hearing from our customers that we managed to build a solution that is very simple.

It increases productivity, it increases the impact on the organization, the ability to implement security solutions.

That we basically build a radically simple cybersecurity solution. That's what we're hearing from our customers. As we continue to hear that, we'd like to double down on that, right?

To invest more and to continue engineering a solution, right? To provide insights that will be an evolutionary step in cybersecurity for any businesses.
CAROLE THERIAULT
Is it fair to say almost out of the box is what people really need right now because they don't want to spend too much time worrying about security?

They want expert partners that are going to do that for them, right?
AMIT BAREKET
They want the minimal effort. We call it becoming a Sherpa, right?

A partner where you basically give them solutions for today's needs, but also for tomorrow, and take them hand by hand throughout this journey to implement a modern cybersecurity posture within the organization, specifically in this new world where the internet is the new corporate network.

Our platform includes a few positive tips to do it, like the deployment is instantly and you don't need to wait or order any hardware. Everything is being done via software.

There is one management console that is unified and provides a lot of insights and data and extract the juice, right, the important thing to the IT managers and the security personnel in a very effective way.

Integrations with all the important security solutions like identity provider and SIEM service in a very holistic way, not just like PR or blog post about integration, but really to drill down deeply into how we can be better together with using security services and to unify the experience, full visibility and partnership and guidance as well with our customers.
CAROLE THERIAULT
If you had a new customer who's listening to this and going, this sounds absolutely fantastic, one of the things that they often ask for versus like, what is the onboarding times?

Like, from actually looking at it and getting it to actually having it up and running and protecting you?
AMIT BAREKET
No, we made it very, very easy. And just like implementing Office 365 can be done very quickly, in an hour, sometimes some deployment a bit more.

But it is important to stress that companies that are starting with us, not overnight, basically removing all their existing security solutions and appliances. It's a process.

It's not rip and replace, but it's migrate, right?

So as you move to the cloud, yes, we have integrations with all the existing security solutions, including all the firewalls out there, and allowing companies to do the migration in their phase, right?

And we don't push them to do it in one day to completely change the way the IT and security is being delivered.

But rather than join this journey, you can start with a small team, for example third parties.

Okay, we have many larger enterprises that instead of moving their entire company to consume networking and security from the internet and the cloud using Perimeter 81, they choose to do it only with a third party.

Okay, so any chain of supply, instead of giving them access to the legacy network of the organization, they provide them different network that is secured by Perimeter 81 and slowly, slowly adding more and more departments.
CAROLE THERIAULT
And so from what I'm getting, actually, this is a solution that is not just suitable for large enterprises or small businesses, but actually can accommodate across the whole spectrum of company sizes.
AMIT BAREKET
You can think about it like Gmail, right? Gmail can be for small company and very large enterprise.
CAROLE THERIAULT
Yeah, yeah. Is there anything that you'd like to add for our listeners?
AMIT BAREKET
Yes, I think that we are in a point of time that is revolutionary in matter of cybersecurity and networking infrastructure that is being developed, and we are here to help.

I think that it's better to prepare ahead for this evolution. It will increase. I think we're just in the beginning.

It will increase over the next few years and it's very, very meaningful. We see all the attacks that are happening in the world.

It's starting to double down on the security posture of the organization.

And regardless to implementing Perimeter 81 or not, we have a team and consultancy team that helping through that journey and transformation that is happening today in the market.

So feel free to reach out to us and ask us anything that you have in your mind.
CAROLE THERIAULT
I actually have one more question for you, if that's okay.
AMIT BAREKET
Sure.
CAROLE THERIAULT
I just was wondering your opinion on the plethora of cloud services out there that have default settings that may not necessarily be in the best cybersecurity interest of the company.

Have you seen that as well? Is that your experience?
AMIT BAREKET
Yeah, so that a lot. That is an area that we, Perimeter 81, would like to continue and develop as well within our platform. Definitely all that posture management of SaaS solutions.

And it's a big topic now. Whether two-factor is enabled or not, right? How you can have visibility to all your SaaS applications.

You have lots of different SaaS applications, and it's a very hot and relevant topic these days.
CAROLE THERIAULT
Yeah, absolutely.

Well, Smashing Security listeners, you wonderful people can learn all about Perimeter 81 and its flagship cybersecurity experience platform, and you can even book a demo.

So go to Perimeter 81, that is perimeter81.com. Amit Bareket, CEO and co-founder of Perimeter 81, thank you so much for coming on and speaking to us about cloud security.
AMIT BAREKET
Absolutely, it was a pleasure. Thank you so much.
GRAHAM CLULEY
Terrific. Well, that just about wraps up the show for this week. Brian, I'm sure lots of our listeners would love to follow you online, find out more about your book.

What's the best way for folks to do that?
BRIAN KLAAS
Yeah, so my Twitter handle is Brian Klaas, which is Brian with an I and Klaas, K-L-A-A-S.

And the podcast is Power Corrupts and the book is Corruptible: Who Gets Power and How It Changes Us.
CAROLE THERIAULT
Go out and buy it, people.
GRAHAM CLULEY
Fantastic. And you can follow us on Twitter at Smashing Security, no G, Twitter and LastPass have a G, and we've also got a Smashing Security subreddit.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And finally, thanks to this episode's sponsors, 1Password, Qualys, and Perimeter 81, and to our wonderful Patreon community. It's thanks to them all this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 251 episodes, check out smashingsecurity.com.
BRIAN KLAAS
Until next time, cheerio, bye-bye.
GRAHAM CLULEY
Bye. Bye.
CAROLE THERIAULT
And actually, Brian, I have to ask this because I wasn't sure. Do you have a clip of Piers Morgan speaking in one of your Power Corrupts episodes? Do you remember?
BRIAN KLAAS
I don't think so. I can't remember.
CAROLE THERIAULT
Okay. Oh God. Okay, okay. Maybe it wasn't him. I was just thinking it sounds like him. I can't remember even which one it was now. I was just listening to yesterday.
BRIAN KLAAS
You know, it's possible. The thing is, I draw clips from all sorts of news things, so it's totally possible, but I don't remember him specifically.
CAROLE THERIAULT
Anyway, it was just because Graham has a bit of a love affair with him.
GRAHAM CLULEY
Oh, right. I think when you say love affair, what you actually mean is deep, deep hatred.
BRIAN KLAAS
I thought that might be the case.
GRAHAM CLULEY
Yeah, sure.

Hosts:

Graham Cluley

Carole Theriault

Guest:

Brian Klaas – @brianklaas

Show notes:

Sponsor: 1Password

1Password 8 for Windows has been reimagined to feel right at home on the world’s most popular desktop operating system.

From Dark Mode and passwordless integration to smart search and secure item sharing, 1Password 8 is the new home for your digital life.

Productivity improvements, enhanced security and privacy features, and a modern design deliver a first-class experience that offers the best of Windows 11.

1Password 8 for Windows helps you manage, remember, and protect your sensitive information more easily and securely than ever before.

Take the 14 day free trial now at 1password.com

Sponsor: Qualys

Qualys was one of the first SaaS security companies, and delivers continuous, critical security intelligence via their Qualys Cloud Platform and integrated Cloud Apps.

Its powerful solutions empower organisations to streamline and consolidate their security and compliance solutions in a single platform and achieve greater business agility, better outcomes and substantial cost savings.

Qualys recently announced three new solutions designed to address today’s challenges faced by enterprises: Ransomware Risk Assessment, Cybersecurity Asset Management, and Zero Touch Patch Management.

Learn more at qualys.com

Sponsor: Perimeter 81

Perimeter 81 is the first-ever Cybersecurity Experience Platform, designed around Instant Deployment, Unified Management, Integrated Security, and Full Visibility.

Perimeter 81 allows organizations of any and all industry sizes to support IT teams with robust tools to secure and manage your global network with one unified platform.

Securing remote access for cloud and hybrid businesses and organizations, Perimeter 81 provides unified solutions such as Zero Trust Network Access, Firewall as a Service, Device Posture Check, and more.

Learn more and request a demo at perimeter81.com

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
