Smashing Security podcast #285: Uber’s hidden hack, tips for travel, and AI accent fixes

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Uber may not face prosecution over its handling of a 2016 data breach – but its former chief security officer does; how to defend your digital devices' data while on vacation; and how to change your accent with artificial intelligence.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

Plus don’t miss our featured interview with Ian Farquhar of Gigamon.

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
Oh no, I do remember. What I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought.
GRAHAM CLULEY
You know, this is news at Facebook, wasn't it?
CAROLE THERIAULT
Yeah, it's not that he pulled out the huge guns and started going, "Da da da da da da!" He would never have done that, and I'm really pleased that he didn't do that.
Unknown
That's right, yes. Smashing Security, Episode 285. Ransomware's hidden hack, tips for travel, and AI accent fixes with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 285. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
Hello, Carole. And also hello to our special guest this week, who is Carole? Well, no, he isn't Carole, but Carole, who is it?
CAROLE THERIAULT
Definitely not me. It is the wonderful, the fantastically funny, Paul Ducklin from Sophos.
PAUL DUCKLIN
Well, with that introduction, Carole— Graham made a slight mess with his commas in that sentence, they're quite hard to do vocally.
CAROLE THERIAULT
He's still learning.
PAUL DUCKLIN
They're very kind words anyway. I suppose I could be witty now by being deeply dry and boring throughout so that everyone goes, what a funster.
CAROLE THERIAULT
Thanks to this week's sponsors, Bitwarden, Gigamon, and Soul Cyber. It's their support that helps us give you this show for free.

Now, coming up in today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be taking a ride back to the recent past to talk about a data breach.
CAROLE THERIAULT
Oh, it's hot tub travel something time machine.
GRAHAM CLULEY
No, not time— not hot tub time machine. Not that again. All right.
PAUL DUCKLIN
Okay, Paul. Oh God, it's not gonna be Doctor Who, is it?
GRAHAM CLULEY
No, no, no, no. Just hold your— just hold your fire until I start my story.
CAROLE THERIAULT
Duck, what about you?
PAUL DUCKLIN
I am going to be talking about how you can travel with digital devices more safely by remembering a few simple tips.
Unknown
That's cool.
CAROLE THERIAULT
Looking at the future of global call centers. Plus, we have a great featured interview with Ian from Gigamon, who shares the results from his latest research into ransomware.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, ever taken a lift in an Uber?
PAUL DUCKLIN
Of course you have.
GRAHAM CLULEY
You must have. Have you not done—
PAUL DUCKLIN
No, no, you won't do it.
GRAHAM CLULEY
You refuse on principle. I'm not spraying out—
PAUL DUCKLIN
Absolutely.
GRAHAM CLULEY
So why—
PAUL DUCKLIN
Don't need that in my life.
GRAHAM CLULEY
Why will you not take a ride in an Uber?
PAUL DUCKLIN
Just don't see the point. Plus, I'm not really into cars anymore.
GRAHAM CLULEY
Right, okay.
PAUL DUCKLIN
I get on the train. I take my bicycle with me. And then I can always get close enough that then I get a nice ride, do a bit of the tourist stuff. It's great through London.

And then you arrive right at the door and you don't have to listen to somebody else's conversation along the way telling you how fantastic it is to understand and agree with their political viewpoint or whatever it is.
GRAHAM CLULEY
Well, in which case, you also were never at any risk of having your confidential data stolen if Uber were perhaps, maybe, possibly couldn't possibly imagine that this would ever happen, if they were hacked, if they suffered some kind of security breach.

And it's recently been announced that the United States Department of Justice is not going to prosecute Uber about its 2016 data breach, which occurred after two hackers found that Uber's software engineers left some of their login credentials lying around on GitHub.
PAUL DUCKLIN
As you do.
GRAHAM CLULEY
Yeah. And—
CAROLE THERIAULT
Is that hard to do? You guys are techier than me. Is that something that you just one does? Or is that just colossally dumb of them?
PAUL DUCKLIN
It's something that one should not do.
GRAHAM CLULEY
Yes.
PAUL DUCKLIN
And that GitHub, bless their hearts, now try to detect, 'cause they look for the obvious directories that you weren't supposed to upload and go, "Whoa, no." But if you are determined to upload private data to a public place, it's very hard for anybody to stop you.
Unknown
Yeah.
GRAHAM CLULEY
If you're a developer, you might write a piece of test code and you might hardcode into it some passwords for your testing purposes.

And then whoops-a-daisy, you've left it somewhere public where someone else can scoop them up and abuse them, which appears to have happened in this particular case.

And the hackers—
PAUL DUCKLIN
It's worse than that with GitHub type things, Graham, because you could have a whole directory tree with your code in.

And when you go to sync it back, you go, oh, new project, upload everything.

And you upload the hidden directories, including on Unix, the ones that start with a dot, that might include the subdirectory that has all your private stuff in it that you didn't mean to upload.

So you upload everything rather than a subset of everything. So you could even include the private keys that actually give access to the whole account just like that.
GRAHAM CLULEY
Private keys are exciting, Carole. They're not quite that exciting, although they might also open back doors into your system. Who knows?

But anyway, back in 2016, these two hackers, they got hold of the passwords and that allowed them to access data which Uber had stored on AWS servers, and they stole confidential data related to 57 million customers and drivers.
CAROLE THERIAULT
Chump change these days. That's so disgusting to even say that, but—
GRAHAM CLULEY
Well, what the hackers then did is they contacted Uber and said, oh, hey, we've got your data.

If you don't want us to release it, if you want us to permanently delete it, just pay our ransom effectively.

And what do you think Uber, that rather controversial organization, might have done when faced with that?
CAROLE THERIAULT
I'm imagining they paid immediately.
GRAHAM CLULEY
Well, what they did was, yes, they did pay.
PAUL DUCKLIN
They paid in a special way.
GRAHAM CLULEY
They paid the hackers $100,000 in Bitcoin. But controversially, they also didn't go public about the security breach. They didn't tell the world.

They didn't tell the affected individuals.

They paid the hackers and they said to the hackers, "Look, shh." They said, "Keep it quiet, keep it under your hat, delete the data." Which breaches convention, right?
CAROLE THERIAULT
Because you're mandated to inform people when this happens, right?
GRAHAM CLULEY
You're supposed to, aren't you? Yes, exactly.
PAUL DUCKLIN
Particularly if you write it up on a special piece of paper headed with the words "bug bounty." So you— Sort of after the fact.
GRAHAM CLULEY
Yes, so Paul has remembered exactly what actually happened here because Uber's security team headed up by a guy called Joe Sullivan. Hmm, wonder where we've heard of him before.
CAROLE THERIAULT
Facebook.
GRAHAM CLULEY
Joe Sullivan used to be in charge of security at a little company called Facebook.
CAROLE THERIAULT
He did such a good job, Uber snapped him up.
PAUL DUCKLIN
Yeah, right.
GRAHAM CLULEY
So he was heading up a team and what happened was they identified one of the hackers. They worked out that he was a chap called Brandon Charles Glover.

But rather than telling the authorities, "We've found out who one of the hackers is," Uber popped round to his place to go and have a chat with him.
CAROLE THERIAULT
What, with baseball bats and stuff?
GRAHAM CLULEY
Maybe they took an Uber to get there. I don't know. What they did bring, rather than a baseball bat, was a confidentiality agreement.
CAROLE THERIAULT
Saying, "Shut the fuck up!" Well, more than that.
GRAHAM CLULEY
They said, "Can you sign this?" And according to prosecutors, the NDA signed by the hackers falsely stated that they had never taken nor stored Uber's data, and they agreed that the payment would go down on Uber's bug bounty.

So Uber's security team disguised the payment, saying this was just a regular bug which had been found, was reported via our bug bounty program.
CAROLE THERIAULT
We decided to pay very, very generously for it because we're those kind of people.
PAUL DUCKLIN
And responsible disclosure for the win.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
So it appeared as though it was the work of ethical bug hunters.

And according to the DOJ, the hackers actually used their success in extorting money out of Uber as a bit of a selling point.

They went to Lynda.com, you know, that online training site, I think owned by LinkedIn.
Unknown
Yeah.
CAROLE THERIAULT
What did they do there?
GRAHAM CLULEY
They also hacked into them via a similar route, via the GitHub route. And they said, look, we expect a big payment. This was hard work, which we did.

And we've already had one big corporation pay us close to 7 digits, they said, and all went well.
CAROLE THERIAULT
Close to 7 digits.
PAUL DUCKLIN
I suppose 6 is close to 7.
GRAHAM CLULEY
6 is close to 7, isn't it?
PAUL DUCKLIN
Let's not talk orders of magnitude, eh? It works for physicists. Why shouldn't it work for irresponsible bug bounty disclosure folk?
GRAHAM CLULEY
So Uber subsequently, they agreed to pay $148 million as settlement for concealing and badly handling the data breach.
CAROLE THERIAULT
And where does that money go? Goes to the DOJ?
GRAHAM CLULEY
Well, I think, I think, oh, the FTC. I think so. I don't think it ends up in the—
CAROLE THERIAULT
You don't bring it back to the people, the poor people whose data has been stolen.
GRAHAM CLULEY
I mean, maybe there was actually one of these suits filed, you know, where you get a class action representing people who may have been affected.

But still, you know, with so many millions of people, what was it, 57 million people affected, 148 million, $57 million is only— Two bucks each.

Yeah, yeah, it's well, a number close to three bucks each.
CAROLE THERIAULT
So you can't even get yourself a Starbucks.
GRAHAM CLULEY
So what we've got here, Uber seemingly concealing the theft of personal information of 57 million customers and drivers.

And rather than informing the people who are affected, they paid the hackers over $100,000 to keep quiet.
CAROLE THERIAULT
Yeah, not only not telling their customers, who probably may be sharing passwords in different places, so really naughty on that front, but also not telling the regulators.
GRAHAM CLULEY
Yeah, exactly.
PAUL DUCKLIN
Well, I think there's a bit of the story that you've missed, Graham, but apparently when this happened, it was right in the middle of a period where Uber was working with the regulator to come clean about a previous data breach.

Yes, I'm pretty sure that's in the story.

So obviously, if this had come out while they're in the middle of going, oh no, no, no, we've now got it all tickety-boo, you know, we've ticked all the boxes, it's all great.

Right at the cost of resolving the previous one, this thing came in, oh golly, we can't have two, let's reduce it to one.

So it seems that there's, I don't know whether that makes it better or worse, but it certainly makes it more complicated.
GRAHAM CLULEY
So prosecutors allege that Uber's security honcho, Joe Sullivan deliberately concealed the hack from drivers to stop them—
CAROLE THERIAULT
Stop doing this right now!
GRAHAM CLULEY
Yeah, well, and but also to stop them defecting to rideshare.
PAUL DUCKLIN
That's probably what was said, I can imagine.
CAROLE THERIAULT
Exactly.
PAUL DUCKLIN
Can't handle this shit!
GRAHAM CLULEY
And the prosecutors claim that drivers were defrauded because money kept flowing into Uber, although naturally you would expect people maybe to switch.

They also say that Sullivan kept the hack secret due to his own ego. He didn't want to admit failure on his watch because it looked bad on his CV.

Now, Carole, I don't know if you remember, we've actually had dealings with Joe Sullivan.
CAROLE THERIAULT
Oh no, I do remember. And he was so, what I remember about our conversation with him was that he was so warm and charming and calm and very reasonable, I thought.
GRAHAM CLULEY
This was when he was at Facebook, wasn't it?
CAROLE THERIAULT
Yes, it wasn't that he pulled out the huge guns and started going, "Da da da da da da." He would never have done that. And I'm really pleased that he didn't do that.
GRAHAM CLULEY
That's right, yes. So what we've got here is two cases which have been going on. So the government have been investigating Uber and they've also been investigating Joe Sullivan.

Uber has been cooperating with the government and they are not a named defendant in the case against Joe Sullivan. So Joe Sullivan is now being prosecuted.

Uber, now under different management than when the hack happened, have washed their hands. They've agreed with the DOJ.

They've accepted and admitted responsibility for the acts which its employees did.

Regarding the breach, they say that they're going to run a comprehensive privacy program for the next 20 years.

They're assisting with the investigation and with the ongoing case against their former security chief, Joe Sullivan.
CAROLE THERIAULT
Oh my God.
GRAHAM CLULEY
So he's been— he hasn't got very much support from his former employer.
PAUL DUCKLIN
He's sort of been thrown under the automotive device that's technically not a taxi.
CAROLE THERIAULT
I don't know if I feel very nicely about that though, either.

I really— it bugs me when companies just kind of point the finger at one solitary individual, where obviously this must have been discussed at some levels?

Or do you think it was just Joe that was in on this?
GRAHAM CLULEY
Well, I believe the claim is that Uber's senior management didn't necessarily know, and it was just Joe Sullivan and one of his colleagues—
CAROLE THERIAULT
Oh, geez.
GRAHAM CLULEY
—who had sort of done this on the side.

Because again, it is alleged that he wanted bad things not to happen under his watch, and wouldn't it be easier if the bug bounty were to handle all this?
CAROLE THERIAULT
You know what? He's a great, charming guy, and I'm sure he'll sail through this with no issues.
GRAHAM CLULEY
He could, if he's convicted, face as much as 20 years in prison, but his sentence, chances are, if he is convicted, will be much lighter than that.

He is, by the way, a former federal prosecutor himself. So he'll understand what's going on the whole time. Yes, he does have a legal background.

Which maybe occasionally he tried to use against us in our past conversations. Maybe. He wouldn't. No, no, he was lovely.
PAUL DUCKLIN
Duck, what are you going to talk to us about this week? Well, it's vacation season.

And you're definitely, if you're going overseas from Britain, going to either have packed or wish you packed all your digital devices to keep the kids quiet in the car while you're waiting to get on the train or the bus.
GRAHAM CLULEY
Just to keep them quiet. You feel occupied when you spend 3 days in Kent trying to get on the ferry, yes.
PAUL DUCKLIN
Yeah, why don't people just go to Kent for a vacation? It's a lovely place. And then you don't have to worry about it. Just go anywhere else.

But the point is that wherever you're going these days, you're almost certainly going to pack 1, 3, or 12 digital devices, possibly 1 or more for every member of the family.

Like, who would risk leaving the thing to distract the kids behind? Who would risk— you know, let's take the PlayStation, why not? It'll fit in the boot.

And everyone's got a mobile phone. I know someone who took a Roomba once.
CAROLE THERIAULT
What? They took a— They just didn't want to sweep or anything, so they just said, "Well, why not? I'm putting my stuff in the hall, so I'll take my Roomba." Yeah, okay.
PAUL DUCKLIN
Well, I think that makes my argument stronger for thinking about what you do before you travel. And so on Sophos Naked Security, we put together some travel tips.

Now, they're often the same every year, you know, do the obvious stuff. The problem is that people don't, and then they get alarmed. So the first two tips kind of go hand in hand.

One is, should I back up before I go? Well, that's a rhetorical question. Of course you should. You should be backing up anyway.

And the really important thing about making a decent backup, particularly if you make it onto, say, a removable drive and put it in the cupboard at home, it means you're not relying on having your whole life, say, on your phone.

You can remove some of the content from the devices you're taking with you so that if they get lost or stolen or inspected at customs or whatever it is, you have less on there.

So you're not trying to cheat anybody, you're just saying, why take absolutely every bit of information that I've got about myself with me when I don't need to?

And the flip side of that is, of course, don't think, well, I'm going on vacation, I might really need my phone, I'll sort of need it for boarding cards, I don't want to forget my lock code, I'll just go with 123400 or something that I'll easily remember in a hurry.

And so when you're going away, you might as well set yourself a decent lock code before you go.

You're allowed to write it down while you're at home and practice it for a few days or a week or so until you're comfortable with something which keeps your phone properly locked so that if someone runs off with it, they can't just guess what your code is, go in and see everything you've got on there.
CAROLE THERIAULT
Do you know, once my code for years was the phone number of my first boyfriend.
GRAHAM CLULEY
Ooh.
PAUL DUCKLIN
For real, yeah. So whoever had got that phone number, was that in the local—
CAROLE THERIAULT
Well, it was their childhood phone number, right? It was when, you know, so I doubt that's— It wasn't a mobile. Mobiles didn't even exist at the time.
PAUL DUCKLIN
The idea that even if you left off the area code, that's going to be 7 digits.

So, and given that if that was your first phone, that was by the standards of the day when people have lock codes like 11 or 3, you know, like one good digit, let alone 4.

That was probably quite good because at least it can't be guessed. But, you know, people going, oh, well, who needs a long lock code?

The problem on your phone is that the lock code is protected by the hardware on the phone. So, you know, for example, on an iPhone, you can say after 10 wrong ones, wipe the phone.

And I think we all agree it's largely impossible to extract the lock code from the phone or to bypass the lock code because of the hardware protection that exists these days in modern devices.

But that lock code, it can't be attacked offline. So someone can't take the phone and try a million times, they still only get 10 goes.

But if they can guess the lock code, then they can pretty much get in and that unlocks the decryption key for the device itself.

And lots of people just stay logged in in all their apps. They never actually log out.

So if you can open somebody's Facebook app or Twitter app or Instagram app or WhatsApp app or whatever, you kind of get straight into their accounts.
GRAHAM CLULEY
And there's nothing to stop a mugger or something if they wanted just to sort of brandish a knife or a screwdriver or something sharp and say, tell us your password so we can get into your phone.

I mean, that's the real weak link.
CAROLE THERIAULT
Would you, Graham, or would you lose an eye? Would— I just want to know what your level of security, what your level is.
GRAHAM CLULEY
Of course I'd hand over my phone. Of course I would.
CAROLE THERIAULT
You'd hand over your whole life rather than just give an oral confession?
GRAHAM CLULEY
Yes, I don't want to lose my eyesight, or I don't want to be stabbed. Yes, I'd say willingly, go and please take this. Well, there is that.
PAUL DUCKLIN
And of course there's a famous XKCD cartoon about that, isn't there? You know, do you spend millions of dollars building password cracking tools?

Or do you buy a shifting spanner costing $5? It's hard to sort of regulate for that.

But I said at the start, if you've backed up your stuff and you've removed data that you genuinely don't need from your phone, then that minimizes that risk as well.

And you could also go to apps that you don't use often and actually log out on the phone, which means if someone does steal your phone and does force you to unlock it and then runs off with it, when they try and use those apps, they'll be faced with having to log into the apps all over again.
CAROLE THERIAULT
And I think that works well, but you do need a password manager in order to do that because I have no problem if I go away of deleting apps off my phone because I can just reinstall the app, put back in my username and password, and bish bash bok, I'm back where I was, right?

The app doesn't live on my phone. The data doesn't live on the phone. Do you see what I mean?
PAUL DUCKLIN
Yes. Now password manager wasn't in the tips that we did for vacations in particular. But I agree with you. I think that it's kind of hard to do without one these days. Yeah.

So I don't say to people, look, they're compulsory, you have to use one. You might have some kind of fear about, well, what happens if my password manager gets compromised?

And the answer to that is there's no law that says if you use a password manager, you have to put every single password in the world into it.

So you might decide, well, accounts I only use occasionally, like my mortgage account or my this or my that, my pension account that I check up on once a month.

I'll log into those deliberately using, you know, something that I've locked away at home, for example.

So the nice thing about a password manager to me is not just that it picks great passwords every time and doesn't use your cat's name with two digits on the end, you know, or your first, second, and boyfriend's phone number.

The great thing is that it also protects you against old-school phishing attacks, which still work really well because the password manager can't be seduced by the fact that the site looks correct.

Oh, look, it's got exactly the right pixel-perfect backdrop. It's got exactly the right logo. It looks exact. It doesn't care what the site looks like.

It just says wrong URL, never heard of it. So it's not just that it won't help you, it can't go. Don't even know, never heard of it. Can't put in a password.

And so that's a great thing as well. Great.

And then the third thing that goes along with those two, of course, is that if you are traveling internationally, then you do have to think in advance.

Don't worry about it, prepare for it.

You do have to think in advance how you will conduct yourself at an international border if you're asked to reveal information that in your own country, or even once you are inside the country that you're planning to visit, you might have every right to say, I refuse to disclose it.

In other words, privacy rules can be quite a gray area in that sort of gray zone between leaving one country and entering the next, you know, totally at border control.

And certainly I know that the US and the UK, and they're by no means the only countries in the world, many countries have this, that they can ask you to show information, say, on your phone or your laptop.

They can ask you to unlock it. In fact, in some countries they might even say, look, we're going to make a forensic copy of your hard disk, so we want you to unlock it.

And you may decide that you don't like that and you're going to stick up yourself from a privacy point of view, but you need to research in advance what the side effect of that is likely to be, because you might just find that the immigration official is perfectly polite about it and says, that's your choice, but it's also our choice to refuse you entry to the country.

So we will securely transfer you to the departure lounge and you are welcome to get the next flight home.

And of course, once you've been refused entry to a particular country, that can make it very complicated to visit in the future. So don't be afraid about what's going to happen.

Just do your research beforehand.

And if you're going to a country where you find, wow, I don't like their privacy rules, I don't think I can agree with these, I think I'm going to shoot my mouth off and it's not going to end well, well, maybe pick a different destination.

Or just stay home.
CAROLE THERIAULT
Stay home.
PAUL DUCKLIN
Or go tell the truth and only take the data you need. You're not trying to cheat anybody when you do that.

When you're going on vacation, you don't go to your safe deposit box and get out all the documentation, physical documentation you've ever acquired in your life from your birth certificate, your marriage certificate, your passport, your previous passport, your mortgage documents, all of that.

You don't get that and put it in an envelope and take it with you generally because you're worried you might lose it.

So my simple advice is, if your life's on your phone, why not leave it at home? Ooh, I see the t-shirt slogan now, Duck.

It's my theory that, you know, if you're going somewhere with beachfront cocktail bars, the cost of buying a burner phone for your trip is probably going to be lower than the first round of drinks that you have on day one, shortly after you arrive.

And you're perfectly entitled to do that. Sage advice.

Another thing that many countries apparently do now, I haven't traveled internationally well since before lockdown, is that, you know how they'll say, well, what's the address that you're going to?

And you're obliged, supposed to put the name of the hotel you've got booked so they know you've got somewhere real to go to.

And they want to know your home address and everyone's used to writing that down and they want your passport number and they want your phone number, a landline if you've got one.

But increasingly, many countries are saying, and we also want, you know, your email address and your social media handles.

And again, you need to decide, you know, what am I going to say when I get to the border?

Because if you go, oh no, I don't have any social media accounts, just write not applicable, and then you're on your vacation and you're sharing stuff on your actual social media account with all your buddies, when you come to leave the country, two and two might not make four.

If you entered making a formal claim, no, I don't have any social media accounts. And then it's obvious that while you were there, you were publishing stuff for the world to see.

Exactly.

You know, you would understand why an immigration or a security official in that country might up their suspicion of you, you know, even if you haven't really done anything wrong.

Well, you have if you've made a false statement when you entered the country. So think before you do that.
CAROLE THERIAULT
Good advice, Duck.
GRAHAM CLULEY
Good advice. And never reveal you've participated in a cybersecurity podcast. Yeah. Or don't, just boycott them. I think don't appear on them.

That'd be the most sensible piece of advice because there may be all kinds of bad things you've said on those in the past. [LAUGHTER] Carole, what's your story for us this week?
CAROLE THERIAULT
So my story was actually suggested to me by Dave Bittner. He put the seed in my head. Dave Bittner, friend of the show. Cyberwire host, and it all revolves around call centers.

So we have this globe of humans, right? Billions of us and all of us with different native languages.

And somehow it's been accepted by most that English is the preferred international digital language of choice. Can I say that? Would you guys agree with that?
GRAHAM CLULEY
It's my first choice.
PAUL DUCKLIN
It's my preference.

It's strange when you listen to people speaking a language that you don't understand at all, how much you can understand when they suddenly start talking about computers and phones and apps.

Yeah, yeah.

In amongst incomprehensible words where you can't even figure out where the word boundaries are, and then suddenly you start hearing familiar words like Facebook, two-factor backup.
CAROLE THERIAULT
And I don't care really who you are, but if you're over, I don't know, 30, you've had to negotiate a call with someone that you found difficult to understand because maybe they have a different native language than you do, or they have a very strong regional accent that's different from yours, and it can all make it a struggle to understand what you are trying to understand.

And you guys have had this, right?
PAUL DUCKLIN
I'd say that on support calls, the main language problem I've had is that the person on the other end wants to reach a different conclusion to you, whereby they can prove that it was your fault and close the call.

I haven't found the English to be a problem. I've found the jargon and the direction of the call to be tricky. That's the hard part.

Even in English, it seems that we've learned how not to speak plainly quite deliberately, you know, in order to sort of disguise what's really going on.
CAROLE THERIAULT
But the thing is, you can't really do much about, you know, your accent.

I certainly have been living in the UK for 20 years, still sound as Canadian as the day I was born, you know. Oh, you're not from America?
GRAHAM CLULEY
I believe, Carole, a lot of your Canadian friends, people back in the homeland, back in the plains of Manitoba.
CAROLE THERIAULT
Quebec, but yeah.
GRAHAM CLULEY
I think you sound like Her Majesty the Queen. They think you're terribly posh sounding, and they think you're like Helena Bonham Carter or something.
CAROLE THERIAULT
Yeah, okay. Yeah, I'm not sure about that. But you know what we're gonna do? We're gonna go back to the story now. So it's kind of something that's been a problem for a while.

So as far back as 2008, I found an article in Computerworld saying that IBM was looking to change or to address this problem.

So IBM's Indian research lab developed a web-based interactive language technology. You can see the language has changed so much, right? This is 2008.

To help people improve their English speaking skills.

And according to IBM, the system was based on advanced speech processing techniques that the company had devised for call centers in India to help improve the capability of its agents.

So it would evaluate grammar and pronunciation and comprehension and other spoken language skills, and then provide a detailed score for each category.
GRAHAM CLULEY
Interesting, huh? All right. Okay.
CAROLE THERIAULT
And this was years ago. Yeah, 2008. Years and years ago.
PAUL DUCKLIN
Yeah. The understanding or the deliberate misunderstanding process, because sometimes it feels like that's what the other end is instructed to do.

Don't think what could have given me that idea.
CAROLE THERIAULT
And then I found this other company, Florida-based outfit called Accent Advisor, and this is all about accent reduction.

So they say on their site, quote, if you speak English as a second language, there's a good chance that your accent will stand in your way of communicating fluently with native speakers.

So many people assume that a mastery of English grammar and excellent vocabulary is enough to communicate in America. This is not often the case.

So they go on to say, correct native-level pronunciation or a firm grasp of the American accent is important for anyone who wants to live, work, and enjoy life in America. Hmm.
GRAHAM CLULEY
Thoughts on that, guys? I think you'll find it's pronounced pronunciation, Carole, rather than pronunciation. If you want to be properly English.
CAROLE THERIAULT
I don't. I'm happy to be a lady of the world. And then the way they worked basically is they had accent coaches, right?

And they'd have accent reduction classes for private individuals and companies. And it's training, right? Just to help them with speech analysis and all this.
PAUL DUCKLIN
Every 12 minutes, do they burst into song like they do in My Fair Lady? It sounds like a sort of trope that's been an issue since the Industrial Revolution, isn't it?

Where your accent makes a big difference to how you're perceived rather than how you're understood.
CAROLE THERIAULT
Exactly where we're going with this. So I want you guys to think a little bit outside the box because I want to talk about this new approach to dealing with this problem.

And I want you guys to think what could possibly go wrong, Graham, to use your catchphrase. So this newer approach, thanks to three Stanford undergrads.

So these guys started a company to help the world understand, that's their catchphrase.

And the pain point that instigated this whole company was that after the pandemic kicked off, these students, or all the students at Stanford had to go home, right?

And one went back to Guatemala and decided to be a tech support guy.

And his mates were like, quote, "We told them that he'd be the best tech support person they'd ever had because he's the smartest guy we've met and always had a smile on his face.

But it totally didn't work out because the locals couldn't understand his accent." So a team of students dedicated their empty pandemic hours to building a solution.

They did a lot of research on what people have done in the past. So people have done voice conversion for deepfakes, and that technology is pretty advanced, they say.

But there's been little done in accent translation. So this company is called Sanas. The name like that, they could be a bidet company, but anyway.

And I've put a link in the show notes.

You can actually see a demo of this working because they say they have an algorithm that can shift English to and from American, Australian, British, Filipino, and Spanish.

And they've developed it using a neural network trained with recordings made for the most part by professional voice actors. But I want to see what you guys think.
PAUL DUCKLIN
Well, you know, Carole, I think you're speaking like a galah. I think that's the most stupid thing I've ever heard.

No, I think my concern with trying to control what people say exactly and just how they pronounce it, which you can usually work around if you do have some common understanding, is much less important than techies learning to speak or being willing to speak in plain English.
CAROLE THERIAULT
But plain English is difficult because there's no accent. There's no non-accent, right? There's no language that has that.
PAUL DUCKLIN
But the point is you could have the plummiest, the weirdest, the uppest, the downest, the leftist, the rightest, the northern hemisphere-est, southern hemisphere-est accent in the world, but if the phrases you've been instructed to trot out to who are making, in air quotes, "close the call," are just there to kind of make the conversation go your way, then does your accent really matter?
CAROLE THERIAULT
Mm-hmm. Graham, what about you?
GRAHAM CLULEY
I'm sorry, while Paul's been saying all that, I've been participating in the demo.

And it is very good at neutralising the accent, at least in the demo, which they're claiming is how their technology works.

But what comes out does sound rather robotic and characterless, doesn't it?
CAROLE THERIAULT
Yes, it does. And I was thinking about that as well. But then I had another thought, because I was thinking, "We don't need to do this. This is just too much.

This could be misused." You could then— This could be used by all kinds of phone people calling up, pretending to be in the neighbourhood, putting on a regional accent, and actually they're calling from 5,000 miles away.
PAUL DUCKLIN
Absolutely. Or, Carole, vice versa, couldn't they?

They could be local, but they could want to convince you that, oh no, I'm actually calling from overseas on behalf of a friend who's had an accident.

You know, the fakery doesn't just go with fitting in with the locals, it goes with fitting in with whatever backstory you've concocted for the scam at hand.
CAROLE THERIAULT
Yes. Okay, but take this example.

I was thinking about this and I was thinking, but you know what, this would be marvelous for the medical field when you're trying to do cutting-edge operations or something like that.

And the expert happens to be based in India, and another expert is based in Bucharest, and another expert somewhere else, and that they're all able to communicate robotically but extremely clearly.

Or when politicians get together for a global hoedown they have translators in there to help them understand everything.

And those translators obviously have pretty clear accents that are understandable to the person they're meant for.

So it's effectively trying to make this ubiquitous, I think, across the web. I don't know, I thought it was kind of interesting, but scary too.
PAUL DUCKLIN
I've heard that in the busy sea lanes, the sort of shipping motorways that run through the English Channel, which are, I believe, the busiest sea lanes in the world, the sea can get quite rough in there, and you've got all the ferries and other boats trying to cross from England to France, and then boats steaming through in the other direction.

English is the basis of the language that ships use for communicating, but the vocabulary has been stripped down even for native English speakers so that there is no chance of you using a phrase that could be misunderstood.

So there's no politeness and there's no rules. No, it's not pirate speak.

Apparently, if you don't hear the person, then you don't say, 'Oh, I'm terribly sorry, old chap, could you say that again?' You just say, 'Say again?' Right.

And that's— there's no other way to ask the person to repeat themselves. And that way, you know, with huge ships closing in on each other unable to stop quickly.

You can see that in some cases, I can imagine that just simplifying the vocabulary rather than how you say it could be much more important.

Because that means that politeness is all very well when you're chatting to someone face to face, but it can lead to terrible misunderstandings when there's a crisis on.

And I guess all emergency responders are used to that as well. You look at how 911 or 999 people are trained to respond. They use standard phrases that can't be misinterpreted.

Do not hang up the phone.
CAROLE THERIAULT
But I just want to say that these guys have just gotten a huge amount of money.

So with an investment of $32 million for a company, a startup company that started a year ago, okay, so some big dogs have gotten involved, including global supply chain companies, because they're very keen to making sure everything always, you know, slick and smooth as they try and get goods or services from one geography to another where there might be language barriers.

So, you know, watch this space.
GRAHAM CLULEY
So Carole, I've got a question. Obviously, I don't need this technology because there's nothing wrong with my accent. I don't have one.

But are you going to start using this on the podcast maybe to make yourself easier to understand?
CAROLE THERIAULT
Yes, because many people have complained actually, haven't they?
GRAHAM CLULEY
Gigamon is the leading deep observability company.

It offers a deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools, enabling companies to conquer blind spots and overcome the threat of today's sophisticated ransomware attacks.

Gigamon's latest report into the state of ransomware reveals how insider threats are evolving, what impact cyber insurance and blame culture are having on the cybersecurity industry, and why deep observability is the new frontier for tackling the ransomware crisis.

So what are you waiting for? Download the report today at www.gigamon.com/smashing. That's www.gigamon.com/smashing. Smashingsecurity.com/smashing.

And thanks to Gigamon for supporting the show.
CAROLE THERIAULT
Bitwarden is an open-source, cross-platform password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.

Not only does Bitwarden offer enterprise-grade security, conducting regular third-party security audits, and is compliant with Privacy Shield, HIPAA, GDPR, CCPA, SOC 2, and SOC 3 security standards.

This is pretty slick stuff. You can get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing. That's bitwarden.com/smashing.

Or you can try it for free across devices as an individual user. That's bitwarden.com/smashing. And massive thank you to Bitwarden for sponsoring the show.
GRAHAM CLULEY
Thanks this week to our sponsor, SolCyber, who believe that it shouldn't just be the Fortune 500 that benefit from top-of-the-line cybersecurity.

They make managed security affordable and accessible to all small to medium-sized organizations. Check out SolCyber's foundational coverage services.

They include ransomware assessment and training, advanced email protection, endpoint detection and response, Active Directory abuse prevention and lateral movement detection, and 24/7 security operations center capability.

As a SolCyber Foundational customer, you also get access to expedited cyber insurance coverage and discounts of up to 30% off your premiums.

Mention Smashing Security and you'll get 1 month free for every 12 months you subscribe to SolCyber's foundational coverage services.

Visit smashingsecurity.com/solcyber to learn more. That's smashingsecurity.com/solcyber. And thanks to SolCyber for sponsoring the show.
PAUL DUCKLIN
And welcome back.
GRAHAM CLULEY
Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
PAUL DUCKLIN
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security related necessarily, better not be. And my pick of the week this week is not security related.

I think everyone really is a big fan of the rude curse word, saying something rude, having some sort of offensive phrase. Not me.

The amount of stuff I've heard coming from your potty mouth over the years is quite extraordinary.

And in fact, I thought maybe you need some inspiration, maybe you need some new ones.

And that is why I have found, and I will include a link in the show notes to a page which is all about compound curse words.

What someone has done is they've taken data from Reddit comments and they've analysed the frequencies of different compound insults.

So, I love it, your buttheads, your dirtwads, your weasel boys, your wankpuffins. Wank nozzle. So they've created a matrix, effectively. Douche wit, yes.

And they've also, they're showing how frequently these different phrases are used. So something like dumbass, for instance, or scumbag, very commonly used.

Of course, something like poop goblin, not often used. Do you want that to be your nickname, that clue? Well, I don't know.

And they've also analysed whether dictionaries are keeping up with all these things, because some dictionaries have included a number of curse words, but some are not being represented in dictionaries and therefore probably unlikely to be accepted on a Scrabble board as well.

And I think that is something which we might want to look into as well. So I am including, I've put into the show notes here some links.

You guys can choose your own favourites here as well, absolutely, so you can have a trump nozzle.
CAROLE THERIAULT
You put them in any direction. You don't have to go XY, right? You can go YX as well. Waffle twat, waffle twat.
GRAHAM CLULEY
Or twat waffle. I don't know, whichever suits you best. But anyway, I'm a big fan of the wankpuffin, of course you are. But there's lots of others there as well.

It tickled me, and I've been playing a lot of Scrabble lately, so I've been looking for some more words to use.

And so it's been quite helpful to me, and that is why it is my Pick of the Week.
PAUL DUCKLIN
Have you ever used the word kwyjibo in a Scrabble game yet?
GRAHAM CLULEY
As used by the Melissa virus. For a bald North American ape, it comes from a Simpsons episode, doesn't it? You guys, yeah, so there we go, really nerdy there, I know.

Duck, what's your Pick of the Week?
PAUL DUCKLIN
Well, I had a few words, so I had to sort of thin them down, and I decided that I would go, I don't think maritime is the right word because that refers to the sea, and where I live is quite a long way from the sea, but it is riverine.

And that is, I discovered a delightful pastime which is very enjoyable probably the first, second, and maybe the third time you do it.

And in all my life, this is the very first time I've done it, so it was great.

And that was, I happened to be riding my bicycle around a lot to go around the river and that, because this time of year, gorgeous wildflowers, birds singing, all of that stuff in the early evening.

And a boat was puffing along into a lock. It was Pinkhill Lock, actually. And I glibly said, I'll do the gates, and so I got to do the lock gates.

It's not a, they're not narrowboats on the River Thames.

The locks are much wider, so they've generally got two gates, and some of them are electrified, but the electricity gets turned off after hours.

And this one is still mechanical, so you have to do all the work yourself, swinging these great, have you ever done that, Graham?
GRAHAM CLULEY
I messed around on locks? No, I haven't.
Unknown
No.
CAROLE THERIAULT
Oh, I did a lot as a kid in Ottawa. To get from the Ottawa River up to the canal, the Rideau Canal, there are 8 locks in between them.

And when I was a kid, they were all hand-cranked.
PAUL DUCKLIN
So yeah, one of the reasons, Carole, that I didn't want to put this in is I thought, oh golly, anyone who's lived in the Quebec/Ontario area near what counts for a river in Canada, you know, when you see something like Isis Lock on the Thames, which is 7 feet wide and the water's about 2 feet deep, you must go, that's not a lock, that's not even a ditch, that's not even a puddle, what is this?

So I was hoping that you would not mention the St. Lawrence the Seaway or Mary or wherever, the Soo Locks. But these you can do all by hand. It's very cool.

And you know what's really weird is the River Thames did not have proper locks, what they call pound locks.

You'll actually seal off a section of water to let it up and down until about the 1920s.

Most of the navigation was done with what are called flash locks, which is basically there's just a channel with a weir, and you basically run the rapids. That's insane.

I kid you not. When you want to come upstream, they just— you basically row your boat up to the water pouring over and attach ropes, and a few hefty fellas—
CAROLE THERIAULT
Yeah, lift the keel, Fred! Lift it all the way!
PAUL DUCKLIN
Well, that's the thing with canal boats in the UK. Don't have any keels, do they? Because the canals are only about 2 feet deep.

So the water's so shallow that they're basically totally unsteady. Anyway, I did the lock, and I think I left it correct.

Upper gates closed, bottom gates open, lock empty so the walls can dry out.

Very cool, and I thought it was great, and it'll be great for the next two times, and then I suspect I might start to shirk my duties. I think it dulls fairly quickly.

Eight locks in a row, I think by the third one you'd be going, oh no, not even halfway.
GRAHAM CLULEY
Cool. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, this past week I went away to camp in deepest, darkest Constable country near Colchester and Ipswich, all in order to meet one of my watercolor— well, I don't know, I guess I can say heroes— Andy Evansen.

And you know, to improve what I'm doing, you know, painting watercolor.

So I went to this place called Dedham Hall, and it's a place I'd never heard of, but today it is my pick of the week because this is a beautifully amazing quaint hotel and art retreat in this lovely village of Dedham.

And it's run by Jim and Wendy. So big hello to you two if you're listening. And they are the most incredible welcoming and organized people I've ever seen.

They were working all the time. They've been doing it for 30 years, and they're just a joy. And Wendy's an incredible cook. Lemon tart night was a big deal, right?

Everyone was going mental for it. And they also host art retreats, which is what I was doing. And I met amazing people, students and artists at the top of their game.

Steve Hall was there. So he gives classes around the UK and also at Dedham Hall. And he was there because he wanted to see Andy Evansen paint. So it was all very cool.

I met loads of amazing people.

And there's this one guy named Jacek, and he did this LiDAR thing on me, a 3D capture of me on a rock while we— I was in a boatyard trying to paint a boat, and I did a horrific job.

But I've put it in the show notes so you can take a look at it.
GRAHAM CLULEY
So I'm looking at this right now, Carole. And so what we have here is basically you've been sort of photographed in 3D, sat on some— a couple of rocks or something.
CAROLE THERIAULT
Yeah, yeah, just— I mean, a whole— yeah, it's kind of weird without the surrounds, but there you go.
GRAHAM CLULEY
I can zoom in on you in rather extraordinary detail. Yeah, my finger— yeah, I've had a good look around. There's nothing rude, so you've chosen well here.

You covered yourself up in the appropriate places. But it's kind of amazing.
CAROLE THERIAULT
He's going to put it on Twitter, so I'll put the link up on the show notes and we'll retweet it out if you want to see it. But it's kind of cool.
GRAHAM CLULEY
How did he do this? Did he have to walk around you or something?
CAROLE THERIAULT
It's an app. It's an app. Yeah, yeah, we'll connect to him via Twitter.
PAUL DUCKLIN
So this is using the LiDAR in a phone. You don't need special hardware?
CAROLE THERIAULT
No, just on his phone. The only problem was I had to sit very still for about 2 minutes for him to do it.
GRAHAM CLULEY
That wouldn't be easy for you. So it took him 3 times. Your hair's looking very purple.
CAROLE THERIAULT
It is very purple at the moment. Yeah. Anyway, the whole thing was a life-changing week for me. I loved it, loved it, loved it.

So my pick this week is Dedham Hall Hotel and Artist Retreat, and links in the show notes, and check it out because they're amazing.
GRAHAM CLULEY
So no need to catch a ferry, people can just go there. You can just drive.
CAROLE THERIAULT
It took 2.5 hours to drive there from Oxford. No biggie.
PAUL DUCKLIN
No environment-burning plane trip, no border crossing. Nope.
CAROLE THERIAULT
You can even get there by train and they'll pick you up at the train station and bring you.

They didn't ask for your passwords or anything like that, didn't ask you to unlock your devices, though I helped quite a few of them, some of the artists, because it turns out they're not necessarily super au fait with technology.

So once they found out I did this, I was—
GRAHAM CLULEY
Are they all listening now, Carole, do you think? Do you think they're now loyal listeners?
CAROLE THERIAULT
Probably, yeah. Yeah.
PAUL DUCKLIN
Hi guys! It's true, isn't it, that sometimes when people find out you're a cybersecurity expert, you get to feel what I imagine is to be a doctor or a surgeon, you know?

Can you just look at me appendix scar? It's been throbbing a bit.

You know, I've got a strange rash on the underside of my— Do you mind if I take my shoes and socks off and take a quick look at it in public? You do get a lot of questions.
CAROLE THERIAULT
Yeah, but they were extremely grateful. They were super grateful. Very cool. So I had no problem doing it.
PAUL DUCKLIN
And if you can stop any, even one of them falling for a scam at any time in the future, a job well done.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
Now, Carole, you've been busy this week. You've been chatting to Ian Farquhar from Gigamon, haven't you?
CAROLE THERIAULT
Yes, I have. We talk about all things ransomware and zero trust in depth. Deep observability, which is a word I had a lot of trouble saying in the interview. Thank God we edit.

Observability, observability, observability. But check it out, guys. It was really fun.

Alrighty, listeners, today we are talking about the current state of ransomware, and we are with Ian Farquhar. He is Global Field CTO at Gigamon.

Thank you for coming on the show, Ian. I know you must be very busy. I know you've been up since the very early morning today. Thank you for having me on. I appreciate it.

So Gigamon's paper called State of Ransomware for 2022 and Beyond looks into insider threats, blame culture, which I'm super interested in, and of course, zero trust.

And let's be honest, cybersecurity professionals around the world are currently facing some serious challenges and the exacerbation of ransomware, I'm sure, is not helping reduce pressure.

Let's talk maybe about the insider threat first. You know, how is it going inside?
IAN FARQUHAR
I mean, the interesting thing about insider threat for me is that this is not new, but it's definitely ramping up in focus.

I mean, I used to do DLP years and years ago, I did a huge focus on DLP, 2008 to 2013.

A lot of that was about insider threat, and then we pivoted as an industry and we focused on advanced persistent threats, and we kind of forgot about it, but it never went away.

Now, the focus here is on, of course, ransomware threat actors, ransomware teams, ransomware crews are now using insiders as one more way to get into the organization.

But we've always had an insider threat. We need to start focusing more on it.
CAROLE THERIAULT
But this insider threat though, is it fair to say that you can divide it into two different camps? Like the malicious actor, but you also have the duped actor inside the company?
IAN FARQUHAR
Well, arguably, you actually have even three because you also have an actor, the non-malicious insider who just messes up really badly.

They write some huge amount of data onto a USB key that they're not meant to do, and then they lose it. Somebody picks it up and that data is breached.

So you've got this multiple ways of dealing with vectors that a threat could enter your organization through an insider.

And governments have been dealing with insider threats for years. That's what security clearances are about.

But we don't really actually look at this out in non-government enterprise. Maybe it's time that we did.
CAROLE THERIAULT
Yeah, because I'm guessing what you're describing, if you have all these threats that are inside, that can lead to a blame culture, right?
IAN FARQUHAR
Absolutely. One of the things that we do is we talk to a lot of CISOs all around the world. Before COVID I traveled a lot and starting to travel again.

There is definitely an issue of blame culture. A lot of CISOs feel very, very strongly that they can be held to account.

If they have built a solid infrastructure, but they still get breached, they can be tarred personally, and that worries a lot of them.

You hear stories, for example, about CISOs who ask for an investment.

They get denied, and then they'll say something like, right, I need an email from the CFO or the CEO saying, I've told you this, you decided not to invest in it.

That's a terrible situation to be in. The blame culture has really got to end because it is very useful to understand when an organization has been breached.

It allows the customers of that organization, the people, to respond to it appropriately. If they don't, that's bad.
CAROLE THERIAULT
Do you find that there are a lot of companies that try to hide if they get into trouble? I mean, honestly, I'm being honest, I did this when I was working in a corporation.

I might do something bad and then go, "Oh, God, I shouldn't have done that," and try and hide my tracks rather than going to the IT guys and going, "Okay, I have to be honest.

Do you know what happened?" So how do you get around that?
IAN FARQUHAR
Well, the standard way is we've got mandatory breach disclosure laws, and generally they tend to work in the areas where they are present, that they are very effective.

They not only allow people who are affected by breaches to deal with this, but they also support investments.

People don't want to be subject to them because one of the things we found out in this paper is that 33% of organizations actually see ransomware as mostly a reputational issue.

So if your reputation is going to be affected by being mandatorily exposed, that's definitely going to drive behaviors.

It's going to drive people towards better data governance and better protecting information that they hold.
CAROLE THERIAULT
Now, so you're thinking that the head honchos of companies, like the board and senior team, are they taking this super seriously because they're so worried about a reputational kick in the nuts?

I shouldn't say that. Kick in the shins.
IAN FARQUHAR
Kick in the pants. Yes, yes, they are taking it seriously. And the board definitely is looking at ransomware as a risk to the business.

You know, 9 out of 10 boardrooms, 89% of boards see ransomware as a priority concern. That was one of the findings in this paper.
CAROLE THERIAULT
That's huge. That's really huge. I think about 5 years ago, that would have been half that number, if not less.
IAN FARQUHAR
Yeah, yeah.
CAROLE THERIAULT
And so reputation is the big key. They're worried about it. Are they investing?
IAN FARQUHAR
They definitely are, but exactly what they're investing in varies.

So you've got, for example, the top area investment seems to be more cybersecurity tooling, and that's absolutely a legitimate approach.

You know, one of the things that I love to see is defense in depth. We tend to forget about that with security tooling, or a lot of people do.

I think in that we assume that security tools are perfect. No, they're not.

Therefore, the more coverage we have, the more visibility we have, the more observability of our network we have, the better, the more likely we are to catch the incidents, to catch the issue.

Issues that are causing it, but that's not the only thing. You've got security awareness and training. That's about half of people are doing that.

And security awareness and training is a great approach. And I do a lot of security awareness and training, not only in my job, but also as a volunteer to other organizations.

The problem is, is that a really good attacker will still get around that. There was an organization I used to work with many years ago.

It was a large government supplier in the US that used to use the most punitive, absolutely vicious security training where they would train their staff and then they would have an internal tiger team that would attack their own staff.

And you got one freebie, you got one freebie, and if you failed, if they successfully attacked you, you had to go and do a 4-hour training course and update.

If you did the second one, you had to go and report to a vice president.
CAROLE THERIAULT
It's like getting in a speed trap in the UK. If you get caught speeding, you've got to do the courses, you lose the points, you can get fined, the whole nine yards.
IAN FARQUHAR
Oh yeah. Wow, extremely punitive. Nonetheless, they still were unable to get it below 10%. There's still 1 in 10 they were still able to hit them.

Now bear in mind, that also means 90% success. Yeah. So what 1 in 10 means, 9 out of 10 they didn't hit. So it's a useful tool, but it's not the only tool.

Defense in depth is so important.
CAROLE THERIAULT
Well, yeah, before we get into defense in depth, tell me about cybersecurity insurance.

I'm just interested, as we're talking about the senior management team, are they buying into that concept? Is that something worthwhile?
IAN FARQUHAR
Oh, absolutely.

Cyber insurance is a huge issue now, and certainly this international survey, and in Australia and Singapore, 9 out of 10 organizations have cyber insurance against ransomware.

And in fact, one quarter in Asia Pacific. That was their only approach. The problem is we're aware of organizations that simply can't afford it anymore.

The premiums are going through the roof, and the cyber insurance companies are asking a huge amount of details about the risk remediations that these organizations have in place.
CAROLE THERIAULT
I'm not surprised.
IAN FARQUHAR
We heard of one story of a 3-page survey going to 57 pages between last year and this year. Wow.

And that was the diligence the insurance company was using to determine what premium they should be charging.
CAROLE THERIAULT
And of course, that's very costly to a company because you have to have legal eagles go through that.

You have to have technicians to go through all the systems to make sure they're meeting all the stipulations in order to be covered. Absolutely. Yeah, right.

So this is why deep observability is so vital. Could you maybe explain that concept for our wonderful listeners?
IAN FARQUHAR
So deep observability is a really interesting concept.

There is the existing industry concept of observability, which is the old concept of logs, events, metrics, and tracing. And we've been doing that for a lot of years.

Essentially, it reports about the inside of a system, a workload, a cloud instance. Deep observability looks at it from the outside.

It looks at a cloud image from the outside, looking at what it is doing on the network.

Now, one of the first things a good attacker will do when they break into a workload is they'll turn off logging. I mean, you can go and read the Mandiant report.

That's one of the first things the attacker that breached SolarWinds did. They turned off logging and cleared the logs. That's in their reports.

The first ever incident response I did, I'm almost ashamed to admit this, in 1989, fine. I saw them turning off logging. They turned off syslog.

So, you know, this is an old attacker TTP. On that basis, you've got to look at logging. While it's essential, and I'm not saying don't do it, it's not good at catching attackers.

If once they violate a workload, once they get in, they compromise something, be it ransomware, be it an advanced threat two-factor, they are going to compromise logging.

How do we deal with that? We go back to defense in depth.

We look at what that workload is doing from the outside, and they can't easily compromise that because that workload still needs to generate traffic, and that's what deep observability is.
CAROLE THERIAULT
I mean, it kind of makes sense in a way, if I can make it more colloquial.

If you had a burglar come in, the first thing they'd want to do is turn off CCTV or video recording, right, in order to get away doing what they want to do without any evidence.

It makes perfect sense.
IAN FARQUHAR
Indeed, some burglars will go to the power board and pull the fuse, right? That is to shut down any cameras, right?
CAROLE THERIAULT
Exactly. So talk to me about Gigamon. Talk to me about what you guys can offer to help companies get this deeper insight into their system.
IAN FARQUHAR
So what Gigamon is about is getting access to the traffic, the network traffic, the deep observability traffic, be that on a physical network from 10 megabit Ethernet right through to 400 gigabit Ethernet, in the cloud, in a public cloud, or in a private cloud.

All of these environments have network traffic. All of these environments we can do deep observability in.

So if your environment is on-prem, hybrid, multi-cloud, private cloud, public cloud, it doesn't matter.

We can deliver the traffic from those environments and deliver it to the tools needed to detect the ransomware, to detect the insider threats, to detect all of the stuff that is a risk to your organization.
CAROLE THERIAULT
And that is what Gigamon does. And I'm guessing in providing that information, you have to parse it in a way that it's easily interpretable by whoever's receiving that information.
IAN FARQUHAR
Yeah, if you don't do that, the tool that is consuming that is wasting its time.

It's hard enough as it is to detect threats without dealing with overwhelming a tool with useless data.
CAROLE THERIAULT
And what about the concept of zero trust? What are your thoughts on that, Ian?
IAN FARQUHAR
I am absolutely fascinated.

I spend a lot of my time doing zero trust, and I think it's an amazing concept because it gets us away from all of those security assumptions like good people inside, bad people outside that just aren't realistic.

One of the things I will say is that if you are doing zero trust with just normal observability, well, you're probably not looking at it.

You should be looking at normal observability, deep observability, and as much information about risk as you can derive. Then you will achieve a really good outcome.
CAROLE THERIAULT
Amazing. You can learn more about all this by getting your mitts on their latest research. This is Gigamon's paper, State of Ransomware for 2022 and Beyond.

And it looks into insider threats, blame culture, and of course, zero trust. And it's yours for free by visiting gigamon.com/smashing.

That's Gigamon, G-I-G-A-M-O-N, dot com forward slash smashing. And all that I have to say is thank you so much, Ian Farquhar, Global Field CTO for Gigamon.
IAN FARQUHAR
Thank you so much for having me. It's been awesome.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. Duck, I'm sure lots of our listeners would love to follow you online or find out what you're up to.

What's the best way for folks to do that?
PAUL DUCKLIN
They can find me on Twitter @duckblog, or they can find me on the web at nakedsecurity.sophos.com.
GRAHAM CLULEY
Sophos.com. Terrific. Oh, my old baby. And you can follow us on Twitter @SmashingSecurity, no G, Twitter and LastPass have a G, and we also have a Smashing Security subreddit.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Overcast, Spotify, and Apple Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, Bitdefender, Gigamon, and SolCyber. And of course, to our wonderful Patreon communities.

It's thanks to them all that this show is free.

For episode show notes and sponsorship information and guest lists and the entire back catalog of more than 284 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Bye. Last show next week for the summer. Bye. Who's crying? Don't cry, guys.
PAUL DUCKLIN
Don't cry. Don't cry.
GRAHAM CLULEY
Well done. Thank you very much, Duck. You're a rock star, Duck.
PAUL DUCKLIN
I learned some rude words.
CAROLE THERIAULT
What, ass monkey or whatever?

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Paul Ducklin – @duckblog

Show notes:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Gigamon – Gigamon is the leading deep observability company. Download their latest report into the state of ransomware to learn why deep observability is the new frontier for tackling the ransomware crisis.
  • SolCyber – SolCyber delivers Fortune 500 level cybersecurity for small and medium-sized enterprises. If the bad guys aren’t being discriminating about who they’re attacking, how can you settle for anything less?

Follow the show:

Follow the show on Bluesky at @smashingsecurity.com, on the Smashing Security subreddit, or visit our website for more episodes.

Remember: Subscribe on Apple Podcasts, or your favourite podcast app, to catch all of the episodes as they go live. Thanks for listening!

Warning: This podcast may contain nuts, adult themes, and rude language.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
