Smashing Security podcast #294: The Virgin trains swindler, cyber clowns, and AirTag election debacle

Industry veterans, chatting about computer security and online privacy.

Someone’s election-fiddling is uncovered with an Apple AirTag, a cyber scandal rocks Germany, and a swindler steals a fortune due to trains being delayed.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by runZero’s Chris Kirsch.

Plus don’t miss our featured interview with Akamai’s Patrick Sullivan talking about how retailers can better thwart bots this holiday season.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Let me get my head around this. So there is this nonprofit group called Cybersecurity Council of Germany, which isn't to be confused with the Cybersecurity Council of Germany.
CHRIS KIRSCH
Exactly.
GRAHAM CLULEY
Right. So there's two of them.
CHRIS KIRSCH
They have dashes in different places.
GRAHAM CLULEY
So Protelion, they're members of the Cybersecurity Council in Germany as well.
CAROLE THERIAULT
Yeah, but they're not part of the Cybersecurity Council in Germany.
GRAHAM CLULEY
No, no, don't get it confused with Cybersecurity Council of Germany.

And there's this bigwig who somehow set up the Cybersecurity Council of Germany, not to be confused with the Cybersecurity Council of Germany.
CAROLE THERIAULT
Actually, I think he's part of both.
Unknown
This is very confusing. Smashing Security, Episode 294: The Virgin Trains Swindler, Cyber Clowns, and AirTag Election Debacle with Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security, Episode 294. I'm Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And who have we got joining us this week, Carole, on the show?
CAROLE THERIAULT
We have the CEO of RunZero, Chris Kirsch. Welcome to the show, Chris.
CHRIS KIRSCH
Hello, and thanks for having me.
CAROLE THERIAULT
Now, last time you were on, Chris, you were the CEO of a differently named company. What's happened?
GRAHAM CLULEY
Yeah, why did you lose your job, Chris?
CAROLE THERIAULT
What happened?
CHRIS KIRSCH
It's always nice to have softball questions, right? No, we changed the company name from Rumble to RunZero.

There is another company called Rumble that we thought would never cross our paths because they're in a very different space and they decided to go public on the NASDAQ.

So we decided to rename and we're now RunZero.
GRAHAM CLULEY
So they were the right-wing porn video site or something. Is that right? Or you didn't want to be associated with them?
CAROLE THERIAULT
You said that, but it's business as usual for you guys other than the other name.
CHRIS KIRSCH
Yes, absolutely. Yeah.
GRAHAM CLULEY
And RunZero is a great name. Thank you.
CHRIS KIRSCH
Yeah. It was bloody hard to find a good name. I actually wrote a blog post about that just for any founders out there who are trying to figure out how to name their company.

You can find that up on our blog.
GRAHAM CLULEY
Oh, links in the show notes.
CAROLE THERIAULT
But you know what, boys? I think we digress. I think we need to kick this show off. But before we do that, we need to thank this week's sponsors, Bitwarden, Akamai, and Collab.

It's their support that helps give you the show for free. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to ask the big question, the big question being, am I a bit of an ass?
CAROLE THERIAULT
Okay, done. Okay, next. What about you, Chris?
CHRIS KIRSCH
I've got a new Cold War story for you.
CAROLE THERIAULT
Ooh, okay. And with me, we are going to be jumping on a train and hoping it arrives on time. Plus, we have a featured interview with Patrick Sullivan.

He is CTO of Security Strategy at Akamai. So all this and all that and much more coming up on today's episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, I feel like I've already shot my load on this one, but I'm going to ask the big question. Am I? No. Am I a bit of an ass? I think I might be. I think.

What do you mean, yes?
CAROLE THERIAULT
I can't believe you've mentioned ass and shooting your load at the same time.
GRAHAM CLULEY
I mean, Chris, you don't know me that well. I mean, you've just heard me on the podcast. Do you think I'm a bit, you know, am I?
CHRIS KIRSCH
I do want to get invited back to the show.
GRAHAM CLULEY
Let's move on. Anyway, I'll tell you a story. I'll tell you a story about something that was happening to me a few years ago.

A few years ago, I was living somewhere else and I'd take the dog out for a walk and, you know, there we go. La di da, you know, it's wonderful.

And I'd go past the village notice board and there was something tacked onto the village notice board which I didn't like. I thought, I don't like that.
CAROLE THERIAULT
You're not going to tell us what it is?
GRAHAM CLULEY
All right, I'll tell you what it was. What it was was an invitation for people saying, are you interested in philosophy and economics?

It said, would you like to come along to a friendly get-together where we'll have tea and coffee and cakes and we'll talk about philosophy and economics?
CHRIS KIRSCH
Do they also serve Kool-Aid?
GRAHAM CLULEY
Well, well, exactly, Chris. Exactly. I recognized what group had actually put this together.
CAROLE THERIAULT
Okay. It's not that all philosophers are Kool-Aid drinkers.
GRAHAM CLULEY
No, necessarily not. I was just making sure.
CAROLE THERIAULT
Yeah. Okay.
GRAHAM CLULEY
But I'd read a book back in the 1990s written by a couple of investigative journalists about this innocuous sounding group, which claimed to be a school of economic science.

And I didn't really like what I read. And I was reading this pamphlet on the noticeboard and I thought, that's from this group.

I thought, they're just claiming to be handing out orange juice and talking about philosophy, but I know it's something else.

So I thought, right, I'm going to take down that poster because I don't want anyone going along to that meeting. So I would take it off the noticeboard, right?

And then I'd go by again a few days later with my dog and the person had put up a new poster and stuck it on. Maybe they used staples this time.

And I think, right, I'm taking that down, right? So I'd rip it off, I'd shove it down the front of my trousers, and off I'd go on my dog walk. And I'd do this every few days.

I'd see another one. So there was this battle going on.
CAROLE THERIAULT
So you're wondering, because you were deciding for everybody else that this was inappropriate and you were taking it down, and it was obviously pissing off the original person, and they didn't know why you were taking it down because you hadn't contacted them to tell them anything.
GRAHAM CLULEY
I hadn't. No, 'cause I was scared.
CAROLE THERIAULT
Okay, and you're asking if you're an ass, right? Is that the question? Yes, I'm an ass. Okay, okay, okay. Yep, yep, carry on, carry on, yep.
GRAHAM CLULEY
Well, so do you think I am or not?
CAROLE THERIAULT
Graham, you're putting us in a very difficult position here. I purport to be a buddy of yours. Yes, this is the wrong show.
GRAHAM CLULEY
Well, come on. Yes, but as my buddy, you can tell me if I've been inappropriate. Anyway, I don't know whether I was right to do it or not. Yes, of course I was right to do it.

But I was reminded of what I'd done when I read this story on Forbes this week about signs that some people had put up in their front gardens.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
And that evaporated. They disappeared. So, we have to travel over to North America.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Where there is apparently an affluent suburb northwest of Philadelphia where hundreds of political campaign yard signs have been going missing.

People have their yard sign up in their front garden. We don't do it as much over here in the UK. I mean, we do a bit.
CAROLE THERIAULT
We do a bit, but we tend to put them inside windows because our houses are much closer to the roads in cities, certainly.
CHRIS KIRSCH
Yeah, you don't really have a front lawn, right? Yeah.
CAROLE THERIAULT
Yeah. Yeah. Or a very small one compared to America. Yeah.
GRAHAM CLULEY
But over there in this rather schmutzy neighborhood.
CAROLE THERIAULT
Leafy.
GRAHAM CLULEY
Yeah, it's probably delightful. People put out their little things saying who they want people to vote for. They go to bed and it's still there.

They wake up in the morning, it's gone. It's vanished.

And some of the people who noticed that their signs had disappeared were contacting the cops to file a report saying, "Hey, you know, wait, this thing has disappeared from my front lawn." And obviously the cops leap into action.

Yeah.
CAROLE THERIAULT
If you were a police officer, you'd be like, "Yes, yes. Okay, that is priority. I have a few murders, but you know what?

Let me put them on ice and I'll come and deal with this." We won't worry about the Philadelphia Strangler.
GRAHAM CLULEY
Yeah. We're not gonna worry about him or anything else that's going on. This is— We're gonna send some cars around. They fingerprint the place.
CAROLE THERIAULT
Yeah, priority number one. We'll be there in 5 minutes.
GRAHAM CLULEY
Yeah, yeah. Well, anyway, when people filed a report, the cops said, oh yeah, yeah, we know where they are.
CAROLE THERIAULT
Oh.
GRAHAM CLULEY
Yeah. What you gotta do is go to the local strip mall, and you know where the nail bar is? Well, go behind the nail bar, and there you'll find this large dumpster.

And that's where all the signs are.
CAROLE THERIAULT
Said the cops.
GRAHAM CLULEY
Said the cops. They knew where they'd gone. Not because the cops had put them there, but because someone else had already found out about them.

And this information went to 75-year-old Arlene Talley, who's a member of the Chester County Democratic Committee. She was interested as to what happened to the signs.

She went to where the police said. She found the dumpster, and she found 118 stolen political signs. All of them supporting Democratic candidates.
CAROLE THERIAULT
Of course.
GRAHAM CLULEY
All those, you know, horrible progressive causes, reproductive rights and Black Lives Matter, or really offensive stuff.

We should definitely want to clear up a sign if it was proposing that sort of— oh goodness me!

Anyway, so all these signs which were obviously, you know, sort of slightly left of— well, left of right. Now, how did the cops know they were there?

Well, it's because one victim had had the foresight to attach a $30 Apple AirTag to their sign, perhaps realizing—
CAROLE THERIAULT
There's the technology angle I was waiting.
GRAHAM CLULEY
Perhaps realizing that they might be stolen. Yeah.
CHRIS KIRSCH
So you remember, I think it was last time I was on, I brought you the story of how somebody sent a letter to the German intelligence services and unmasked their location and who was connected to whom and so on, right?

So guess it works all around.
GRAHAM CLULEY
That's right.
CHRIS KIRSCH
But my question though is, if the police knew that they were in that dumpster, why didn't they just hang out by the dumpster and wait for somebody to come by to drop them off?
GRAHAM CLULEY
Because they're very busy dealing with the Strangler. I mean, it's not their— obviously their top priority.

Seriously, Chris, if you were in charge of the cops, they could have gotten their nails done at the nail salon at the same time.
CHRIS KIRSCH
You know, it's not a hardship posting.
CAROLE THERIAULT
Exactly. And also, what's irritating about all this is the cops say, oh yeah, we know where they are, they're in the dumpster on 49th and 50th, or whatever, wherever it is.

But then you have to go get them yourself.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
Right? You're not—
GRAHAM CLULEY
Well, you think you should send a squad of police cars, right? And how are they going to know who to deliver them to?
CAROLE THERIAULT
Oh, I just think they— Do they know who is behind it?
GRAHAM CLULEY
They haven't found out yet. They are apparently examining CCTV footage, but so far it hasn't caught any of the troublemakers.

They think— The police theory is it's mostly kids, as some homes also had their mailboxes damaged.
CAROLE THERIAULT
I can't believe someone's Google Nest or whatever, you know, Amazon Ring doorbell didn't catch these idiots.
GRAHAM CLULEY
Yeah, well, it would be good if they had, wouldn't it? It'd be good if they had.

So we're all familiar with this idea of AirTags being used to help find lost items like bikes, lost luggage, and of course being used to track and stalk people, or that story which Chris gave us before, an extraordinary story from Germany about finding out where top secret apartments may actually be based.

But, you know, these AirTags can be used in all kinds of ways. So my son, it turns out, I didn't know this, my son has got an AirTag.

He's got it on his phone or his school bag or something. And so they built into AirTags this means by which you can be warned if a tag is following you.

So if someone's planted one in your car, for instance.
CAROLE THERIAULT
Exactly. We've done that story before as well.
GRAHAM CLULEY
And then it'll go bleep, bleep, bleep, bleep.

So I'm finding this really annoying because I'm obviously carting my son around all the time with his school bag, getting him to school or, you know, to his tutor or something.

And all the time I'm getting these messages popping up on my phone saying, "Ooh, there appears to be an AirTag which is tracking you.

It's been traveling around with you." It's like, well, yeah, I know it's been, this is my, and I've got no way of saying, "Well, don't bug me about that one.

Stop bleeping at me all the time."
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
You see?
CAROLE THERIAULT
No, there must be a way. There's gonna be a listener who's gonna get in touch.
CHRIS KIRSCH
You could get an Android.
CAROLE THERIAULT
No, no, that is not the, that's not what you should do.
GRAHAM CLULEY
Are you crazy?
CAROLE THERIAULT
I think you need to Google how to stop an AirTag blinking at me. I'm doing it right now for you.
GRAHAM CLULEY
Right, well, yeah, well.
CAROLE THERIAULT
Go to Settings, Bluetooth, and turn Bluetooth on. Go to Find My app, tap the Me tab, turn on tracking notifications, and turn on airplane mode. Done.
GRAHAM CLULEY
Oh, all right, I'll give that a try.
CHRIS KIRSCH
Yeah, just put your phone in airplane mode all the time. You'll also have fewer scam callers, you know.
CAROLE THERIAULT
I do it, I do it a lot.
GRAHAM CLULEY
Melissa Shusterman, she is a state representative hoping to be reelected in next month's midterms. And she's one of those who had her signs stolen.

She has said she's blaming it all on MAGA, Make America Gruesome Again. She says, we will not let the radical MAGA right intimidate us.

Double the amount of signs taken will go back up. Now that seems to me like we could end up with an exponential rise of signs on people's front lawns if this keeps on happening.

And I don't know what's gonna happen with the dumpsters either, but it's just gonna keep on and on.
CHRIS KIRSCH
Yeah, but you know, you also took down that sign on the notice board all the time. So I'm, you know, that seems like—
CAROLE THERIAULT
We know what camp you're in, Graham.
CHRIS KIRSCH
Escalation that doesn't help either side.
GRAHAM CLULEY
Do you think they should have kept on putting up two signs for the cult up on the side and then four just to keep me busy?
CHRIS KIRSCH
Just make them really big.
GRAHAM CLULEY
My trousers would be bulging from the number I've stuffed into my pockets.
CAROLE THERIAULT
You could have done two things, I think, that would have been better. One, you could have put up your own sign explaining what that sign meant and why you thought it was a bad idea.

And gotten a little bit of controversy going on in town.
CHRIS KIRSCH
Oh yeah.
CAROLE THERIAULT
Right? Or you could have gone to the local newsletter, newspaper, whatever, and said, this is why I think this sign should be taken down.
CHRIS KIRSCH
Oh yeah.
CAROLE THERIAULT
You should have talked to me.
CHRIS KIRSCH
Yeah, that's a great idea.
CAROLE THERIAULT
Thanks, Chris.
CHRIS KIRSCH
But the real question— Yeah, the real question though is the UK is the capital of the CCTV surveillance, you know, system.

So I can't even find people who pick up signs all over the city and put it in a dumpster. Oh, this was in the US, right?
CAROLE THERIAULT
I'm completely off.
GRAHAM CLULEY
Yeah.
Unknown
Yeah.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Yeah. Yeah.
CAROLE THERIAULT
Yeah.
CHRIS KIRSCH
This is great stuff for you to cut out of the podcast.
CAROLE THERIAULT
Of course.
CHRIS KIRSCH
Just cut out all the stuff where I say dumb stuff. Right?
GRAHAM CLULEY
We do that with Carole every week. Wow.
CHRIS KIRSCH
Wow.
GRAHAM CLULEY
I am an arse, aren't I?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Chris, what have you got for us this week?
CHRIS KIRSCH
So I live in the US, so it's not as close to me as it is to you. But there is this thing going on with Russia and Ukraine and everything right now. So, you know—
CAROLE THERIAULT
We've heard.
CHRIS KIRSCH
Things have cooled off a little bit with Russia and they're not invited to the party anymore.

And there've been some weird things happening in Germany, for example, the German railway system was halted for 3 hours earlier this month due to a failure of the digital train radio system.

They chalked that up as sabotage and, you know, maybe that's Big Brother Boris meddling with things, right? Just to set the scene for—
GRAHAM CLULEY
Oh, that Boris. Sorry. Sorry. When you're British, we had a horrible flashback to another Boris.
CHRIS KIRSCH
Should we call him Ivan? Vlad? Yeah. Anyway, so the story I'd like to tell today is one about a German software company called Protelion. They're based in Berlin.

They make all sorts of things like VPNs, endpoint security. I think they have a managed detection and response service. So kind of finding anomalies on your network.

And they're the typical kind of small or medium-sized German company selling German software to German enterprises and, you know, sometimes around the world.

And so this German TV station looked at them. They had a lead somewhere and they saw that the Protelion software was also sold by a company in Russia called Infotex.

And so they're like, hold on, this is a little weird. Shouldn't that be under sanctions? And, you know, is that still allowed?

And so they wanted to phone them, but they thought, no, no, we'll just go by their offices and, you know, ask them in person, you know, and tell them, hey, the Russians have pirated your software.

They're selling that in Russia and trying to figure out what's going on.

So when they arrived at the offices in Berlin to warn them that their software was being sold in Russia, the Protelion doorbell says, please ring the bell for Infotex.

So that's a bit weird.
GRAHAM CLULEY
The name of the Russian company.
CHRIS KIRSCH
The name of the Russian company. This is, I think, another callback to the story I told last time.

It's kind of like, what is it with people who are trying to hide their tracks that they are in the same building and kind of like referencing each other's bells?

You know, tradecraft's really gone downhill. So also what was weird is that if you look up the CEO of Protelion, he is formerly the head of Infotex Germany.

So they actually just rebranded Infotex Germany as Protelion.
GRAHAM CLULEY
Ah, you've got to be careful of these companies which rebrand themselves, don't you, Chris?
CAROLE THERIAULT
There can be difficulties.
GRAHAM CLULEY
Who knows what they might be hiding?
CHRIS KIRSCH
Damn, I've been caught.
GRAHAM CLULEY
Okay, yeah.
CHRIS KIRSCH
And by the way, the German army was also in their building, in that same building, which is also a tad weird. So it turns out Infotex is not reselling the German software.

Infotex is the original equipment manufacturer of the Protelion software. It gets more interesting.

Infotex also supplies the software to the FSB, and the Russian intelligence services also helped develop the encryption algorithms for that software.

Doesn't that make you feel warm and fuzzy?
GRAHAM CLULEY
Hang on, but this is VPN software and endpoint security software is what we're talking about here.
CHRIS KIRSCH
Excellent, right? Awkward.
CAROLE THERIAULT
Excellent.
CHRIS KIRSCH
Yeah, yeah. The founder of that company is actually an ex-KGB officer.
CAROLE THERIAULT
Of course he is.
CHRIS KIRSCH
Who recently got a medal from our friend Vlad.
GRAHAM CLULEY
Stop.
CHRIS KIRSCH
For over 10 years of excellent services to the country.
CAROLE THERIAULT
So this is another sticky pickle.
CHRIS KIRSCH
Oh my God, yeah. There is so much more to unpack though, Carole.
CAROLE THERIAULT
Okay, I'm listening.
CHRIS KIRSCH
Okay, so Protelion is also a member of the, and repeat after me, Cybersicherheitsrat Deutschland e.V. So, the Cybersecurity Council of Germany.
CAROLE THERIAULT
Okay, Cybersecurity Council of Germany. Okay.
GRAHAM CLULEY
That's easy to repeat, yeah.
CHRIS KIRSCH
So there is a Cybersecurity Council of Germany, Cybersicherheitsrat, which is part of the German Ministry of Defense, but it's not that one.

So we'll do a little pub quiz, Carole and Graham. You know, you're used to pub quizzes, right?

Like in the UK, you're asked who won the Eurovision Song Contest 1974 or something like that?
GRAHAM CLULEY
ABBA, Waterloo at Brighton.
CHRIS KIRSCH
Yes, exactly.
GRAHAM CLULEY
Wow.
CHRIS KIRSCH
I am impressed. So in Germany, our pub quizzes aren't as much fun. Our pub quizzes are more like, what does E.V. stand for?
GRAHAM CLULEY
E.V.? Oh, this is part of their name.
CHRIS KIRSCH
Part of their name, yeah.
GRAHAM CLULEY
E.V. of the Cyberstiftung Deutschland. E.V. I have no idea. Does it mean not really, or we're actually Russian, or something like that?
CAROLE THERIAULT
Fake, fake.
CHRIS KIRSCH
So it's the— It means eingetragener Verein, which means it's a non-profit, right? So it's not part of the government.
CAROLE THERIAULT
Today we learned. Good, yeah.
CHRIS KIRSCH
Ah, so it's actually a private lobbying group by the same name of the Cybersecurity Council of Germany as part of the Ministry of Defense.

So no room for confusion at all there, right?
CAROLE THERIAULT
Right, and they're not taking advantage of that confusion either.
CHRIS KIRSCH
No, no, no.
GRAHAM CLULEY
They wouldn't. They wouldn't, of course they wouldn't.

So Chris, when you had this sort of name dilemma yourself with your company where your name was also being used by this company, you just changed your name.

Whereas this organization appears to almost be exploiting the fact that they have—
CHRIS KIRSCH
You might say that. Yes, you might say that.
GRAHAM CLULEY
Right.
CHRIS KIRSCH
So this lobbying group, there's a few of those in Germany, and they typically include both vendors of security solutions and very large enterprises, and they kind of collaborate and they try to influence government legislation and hold events and all of that jazz.

So same with this group here. Some of the very large German enterprises were in there. And it's very hard, as you said, to distinguish the two cybersecurity councils of Germany.
GRAHAM CLULEY
Yeah.
CHRIS KIRSCH
For anybody in Germany or even abroad.
CAROLE THERIAULT
Right.
CHRIS KIRSCH
Especially because their founding president is a gentleman by the name of Arne Schönbohm.

Now, Arne, he's the son of a German, former German minister, also coincidentally the person who was the first commander who integrated the East German army into the West German army, the Bundeswehr.

So, you know, somebody who has a lot of political clout and former ties to Russia, maybe, I don't know.

And so his son Arne is now the current chief of the BSI, which is the German intelligence agency for cybersecurity.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Okay. The real BSI.
CHRIS KIRSCH
The real BSI, right?
GRAHAM CLULEY
The BSI is quite respected, isn't it?
CHRIS KIRSCH
I mean, yes. It is respected. It's a very decent agency and they collaborate a lot with industry and so on to keep industry safe and provide guidelines and so on.

So it's a respectable agency. He himself, not so respected in the industry.

He's got no background in information security to the point that he got dubbed as the cyber clown by German media.
GRAHAM CLULEY
No.
CAROLE THERIAULT
So he's only there because his dad was powerful.
CHRIS KIRSCH
I would think so.
GRAHAM CLULEY
Yes.
CHRIS KIRSCH
And so he founded this lobbying group and then, you know, when it came out that, oh, Protelion had these ties to Russian intelligence, he wrote a little note to his employees at the BSI and said, oh, any BSI employees shouldn't attend any events by the Cybersecurity Council.
CAROLE THERIAULT
He's trying to divide the group saying, let's not intermingle.
CHRIS KIRSCH
Let's not intermingle.

And by the way, his successor also was interviewed on TV that, oh, you have to stay in touch with all of the relevant players in cybersecurity, and that includes the Russian and Chinese intelligence services.
CAROLE THERIAULT
What?
CHRIS KIRSCH
Which I thought was a little bit weird.
GRAHAM CLULEY
Okay, let me get my head around this. So there is this nonprofit group called Cybersecurity Council of Germany, which isn't to be confused with the Cybersecurity Council of Germany.
CHRIS KIRSCH
Exactly.
CAROLE THERIAULT
Right?
GRAHAM CLULEY
So there's two of them.
CHRIS KIRSCH
Yeah, they have dashes in different places.
GRAHAM CLULEY
So Protelion, who clearly have Russian links and Russian intelligence services helped develop their encryption algorithms and they supply software for the FSB, et cetera, et cetera.

They're members of the Cybersecurity Council in Germany as well. Yeah.
CAROLE THERIAULT
But they're not part of the Cybersecurity Council in Germany.
GRAHAM CLULEY
No, no, don't get it confused with the Cybersecurity Council of Germany.

And there's this bigwig who's a clown who somehow set up the Cybersecurity Council of Germany, not to be confused with the Cybersecurity Council of Germany.
CAROLE THERIAULT
Actually, I think he's part of both.
GRAHAM CLULEY
Oh, is he on both? Is he in both the cyber— This is very confusing. What's going on here? What's the end game here, do you think, Chris?
CHRIS KIRSCH
I don't know. I think it's intelligence services, obviously creating software that might be backdoored, might have weak encryption algorithms and so on, right?

So the FBI is also investigating Infotex and not just, it's not just an issue in Germany.

So this is actually, should be relevant to a lot of your listeners, but more importantly, look at your vendors and figure out if they are of good provenance.

Maybe drive to their offices, look at the doorbell.
GRAHAM CLULEY
Yeah, ring the doorbell, see what it says.
CAROLE THERIAULT
Yeah, do your supply chain due diligence, right?
GRAHAM CLULEY
And if you are a Russian company working undercover, effectively not advertising the fact that you are a Russian company, perhaps maybe don't advertise it quite so brazenly and so incompetently.

Yeah, it doesn't say a lot for their security, does it? Yeah, OPSEC is pretty bad.
CHRIS KIRSCH
Their OPSEC was really, really bad. I mean, having the same CEO of the German subsidiary, it's just, it just boggles my mind that this really worked.

And by the way, the head of the BSI is now probably getting fired, per a message of the German interior minister. So that's gonna put an end to that.

So no more clownery in German cyber.
CAROLE THERIAULT
We found though, we found due to our recent politics that sometimes the replacement or incumbent can be, I don't know what the word is.
CHRIS KIRSCH
You have a point, Carole.
GRAHAM CLULEY
You have a point. Yeah.
CAROLE THERIAULT
Watch this space is maybe better.
CHRIS KIRSCH
Yeah. All right. Carole, what do you have for us?
GRAHAM CLULEY
Wait, that's my bit. Oh.
CAROLE THERIAULT
Oh, sorry.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, so we often talk about scammers breaking into computer systems by either using stolen credentials or social engineering tactics or taking advantage of vulnerabilities.

But let's not forget about employees, some of which can get up to no good in plain sight and no one's the wiser. Meet Shahid Anwar. He is a 36-year-old from Rugby, England.

And yes, that is apparently where the game of rugby was first conceived.
CHRIS KIRSCH
How clever.
CAROLE THERIAULT
So there's another little fact for you for your pub quizzes.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And that is the sport where players get cauliflower ears. And I just wanted to give you a screenshot of a bunch of cauliflower ears in the notes.
CHRIS KIRSCH
Yes, I was very much wondering what you were sending us here.
CAROLE THERIAULT
They're pretty outrageous looking, aren't they? You'd think there'd be plastic surgery for something like that.
CHRIS KIRSCH
Wow.
GRAHAM CLULEY
It can be a pretty rough game.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Rugby. Yeah.
CAROLE THERIAULT
Now, as far as I know, Shahid did not play rugby or have cauliflower ears, but—
CHRIS KIRSCH
Okay, then why this intro, Carole? I'm really curious.
CAROLE THERIAULT
Because he's from Rugby. Because he lives in the same town.
GRAHAM CLULEY
Wow.
CAROLE THERIAULT
Yes. You learned a lot of good facts when I put my stories together. You're very welcome. And he was a customer resolution specialist within an agency within Virgin Trains.
GRAHAM CLULEY
Customer resolution specialist. What's a good job title?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Does he just work in the complaints department? Is that what it means?
CAROLE THERIAULT
Kind of. Chris might not know this, but UK trains have a reputation of not always being on time.
GRAHAM CLULEY
I have to say, when Chris said that the German train system had been disrupted for 3 hours, I just thought, quite a good day. Yeah, not bad at all.
CHRIS KIRSCH
I moved from Switzerland to the UK at one point, and I had lived up in the Alps, and we had a very good train system there.

Then I moved to the UK, and I think the British rail system divides snow into 4 categories, and they can't operate in 3 of them.
GRAHAM CLULEY
If you think the snow's bad, just wait until leaves fall off trees.
CAROLE THERIAULT
So do you want to take a guess at what percentage of trains are delayed in the UK? This is based on the last recorded 6-month period.
CHRIS KIRSCH
It's probably not as bad as we are saying. Don't come with facts. We like our stereotypes.
CAROLE THERIAULT
I'm coming with facts. What do you think?
GRAHAM CLULEY
What does delay actually mean? How do they define delay?
CAROLE THERIAULT
They define a delay as being a minute or more late.
GRAHAM CLULEY
Oh my God. I'm going to say 80%.
CAROLE THERIAULT
They claim 25%, 1 in 4.
GRAHAM CLULEY
Yeah, right.
CAROLE THERIAULT
And apparently, so I thought, Chris is on the show. Let me just compare this to Germany, because in 2021, they were boasting that 82% of their trains were on time.

But apparently due to your crazy flooding and strikes and issues that you've had, your numbers are now in the same boat as ours this year.
CHRIS KIRSCH
Don't come with facts, I love the stereotypes.
CAROLE THERIAULT
And because of these frequent delays in the UK, train services like Virgin Trains have a scheme available to offer commuters in the UK what they call a pay and delay scheme, which is a really weird name.

But basically it means that you can apply for refunds if a train is canceled due to strikes or it's late or whatever.

And according to money-saving experts, people are not actually applying for these refunds to the tune of £100 million.
CHRIS KIRSCH
Hmm.
CAROLE THERIAULT
So back to Shahid. Now, Shahid, remember, works in the department. What department, Graham?
GRAHAM CLULEY
The customer resolution thingy.
CAROLE THERIAULT
Customer resolution. Yes, that's where he works. And he's looking at all this stuff and looking at all this money that is not being claimed.
GRAHAM CLULEY
This is genius.
CAROLE THERIAULT
And something that you may not know, because I didn't share it, other than he lives in Rugby, is that he's facing personal financial difficulty.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
So he's looking at all this cash, right? And because he works in customer resolution, he's seeing that these legit claims are not being made.

And maybe this is where he decides to do something about it. So this all kicks off in 2016. He starts submitting false refund claims.

Some of his tactics include creating photoshopped tickets. He created over 100 PayPal accounts and multiple email aliases to manage this racket.

He managed to pull off more than 1,500 refunds by taking advantage of design weaknesses in the pay and delay scheme. Some were as small as £9.10.

The biggest one I could see was £746. That's what he was able to claim. In all, he did this for 3 years and amassed £116,000 in this time.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
And he was working on a further £50K at the time of his arrest.

And apparently when arrested, he said he was so relieved to be finally arrested because he felt he'd gotten addicted to this.

So, two things which blew my mind, which I haven't mentioned.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
One is during this swindle, he actually left Virgin Trains, so was no longer working within the department, but he carried on ripping them off.
GRAHAM CLULEY
He didn't need to work with them anymore, I imagine.
CAROLE THERIAULT
He just could guess what trains were late.
GRAHAM CLULEY
What?
CAROLE THERIAULT
He just would guess. Yes, he just would go, I know the train from Birmingham to London at this time is always late.

I'm just gonna submit a refund request for it with a fake Photoshop ticket.
GRAHAM CLULEY
Oh my goodness, that's ballsy.
CAROLE THERIAULT
Two, okay, so I did a bit of the maths on the money, okay? So let me just get this out to you guys right now. So basically say let's round it to like you made about 100K in 3 years.

So let's say like 33K a year. So 2.5K a month or about 600 a week, okay? Those are your numbers. So 600 a week.

So one of his claims when he got arrested is what they were saying, well, what did you spend the money on?
CHRIS KIRSCH
Train tickets?
CAROLE THERIAULT
No, that would have been so good. No, he spent it on groceries, he claims.
CHRIS KIRSCH
Cauliflower?
CAROLE THERIAULT
Yes, that's how we get back to it. No, he spent it at his two preferred UK food stores, Graham, in the UK. £600 a week for him and his wife, right?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Can you guess what the two shops were?
GRAHAM CLULEY
Waitrose, because that's quite expensive.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Waitrose and Lidl? Aldi?
CAROLE THERIAULT
How did you guess? I can't believe you guessed. The second one is Iceland.
GRAHAM CLULEY
Iceland. Same kind of thing.
CAROLE THERIAULT
So I found that hilarious. Waitrose and—
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
You know, what was he buying those things for his other family members?
GRAHAM CLULEY
You have the Iceland stuff.
CAROLE THERIAULT
We're getting the really nice rack of lamb and the—
CHRIS KIRSCH
So Waitrose is high-end and the other one is low-end, or—
CAROLE THERIAULT
Oh yeah, well, Iceland is considered maybe more cost-effective.
GRAHAM CLULEY
Waitrose is lovely. You'll get a little thigh massage when you go in there. It's gorgeous.
CAROLE THERIAULT
And then a bill for £150 for a shop that should cost you £40. But it is a lovely experience, right?
GRAHAM CLULEY
Oh yeah, it's gorgeous.
CAROLE THERIAULT
So, Shahid has been lucky, however, because he got a suspended sentence.

The judge was unhappy that he had been arrested in 2019 but only charged 2022, which, you know, that's a long stress period for not knowing if you're going to be charged or not.
CHRIS KIRSCH
Yeah, it's the pay and delay scheme.
CAROLE THERIAULT
But, and I wonder if the fact that he'd spent the money at supermarkets and that he was very apologetic rather than buying a flashy Maserati and a gold medallion worked in his favor as well.
GRAHAM CLULEY
He helped the economy. He was leveling up.
CAROLE THERIAULT
Stop. Exactly.

So best takeaway here is if you are in the UK and you find yourself on a delayed and canceled train, even if it's due to strikes, which we've had a lot of recently, go check up on how you can reclaim a refund.

These details are in the episode webpage on Smashing Security.
GRAHAM CLULEY
Because train fares are expensive. I mean, it costs a fortune. In this country to be transported like a piece of cattle. Yes.

In cramped— I mean, they wouldn't actually transport cattle in as inhumane conditions as they do people. People on trains in this country. So, but yeah, it's a good idea.

Good tip, Crow.
CAROLE THERIAULT
You're very welcome.
GRAHAM CLULEY
You're very welcome. Every day, billions of people around the world connect with their favorite brands online through shopping, gaming, banking, learning, and more.

Every second, the internet gets more chaotic, more cyber threats. Securing entire ecosystems, clouds, apps, APIs, and users, that grows more complex.

Causing friction that slows innovation and hampers agility. With Akamai, cybersecurity can become an engine for innovation and growth.

Whether you want to achieve unmatched security with Akamai's suite of app and API protection, or embrace a zero-trust architecture, Akamai can help.

With insights from the world's most distributed compute platform, Akamai delivers unique security research on the latest attacks and trends on everything from ransomware as a service, gangs like Conti, DDoS attacks, phishing attacks, to help you protect your business.

Where else can you take advantage of insights from 7 trillion DNS queries per day? Learn more about Akamai and their security research. Visit their website, akamai.com/smashing.

That's A-K-A-M-A-I.com/smashing.
CAROLE THERIAULT
Bitwarden's open source password manager that is trusted by millions of individuals, teams, and organizations around the world has just announced its October release.

And it is chock full of goodies.

Features, which include password-protected encrypted export, which allows you to export your vault in an encrypted format using the password of your choice.

Plus, there's the mobile username generator. It's finally here. They also have DuckDuckGo email aliases available.

And here's a little insider scoop for you: they're working with DuckDuckGo to get macOS browser integration in the forthcoming DuckDuckGo macOS browser.

Want to try these features out? I don't blame you. Visit bitwarden.com/smashing. That's bitwarden.com/smashing. And thank you to Bitwarden for sponsoring the show.
GRAHAM CLULEY
If you're considering a third-party audit like SOC 2 or ISO 27001, then you should be prepared to answer some tough questions about endpoint security.

Auditors want to know that you have a system in place to monitor and maintain compliance across your fleet, which means showing that your staff are using things like disk encryption, screen locks, password managers.

If you're not quite sure how you'd go about proving all that, then you need Kolide.

Kolide's an endpoint security tool for Mac, Windows, and Linux devices that gives you the visibility you need to meet your third-party and internal compliance goals.

Best of all, Kolide doesn't resort to spying on workers or locking down devices.

Instead, it works with end users to resolve issues and relies on their cooperation and informed consent.

You can meet your security goals and pass your audit without compromising on privacy. Visit kolide.com/smashing to find out how.

If you follow that link, they'll also give you a goodie bag just for activating a free trial. That's K-O-L-I-D-E dot com/smashing. And welcome back.

Can you join us at our favorite part of the show? The part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
CHRIS KIRSCH
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is slightly security related because that is allowed under the rules of pick of the week. Doesn't have to be security related. Oh gosh.
CAROLE THERIAULT
Just because I did it last week, honestly.
GRAHAM CLULEY
I'm sure you've been following the Fat Bear Tournament, the competition.
CHRIS KIRSCH
Hold on, hold on, Graham. I thought we had a strict no tautology rule on this podcast. I'm throwing out really fancy grammar— is it grammar terms?
GRAHAM CLULEY
Oh, so you think saying fat bear is saying—
CHRIS KIRSCH
Fat bear, yeah.
GRAHAM CLULEY
Is unnecessary.
CHRIS KIRSCH
I mean, there is a bear week in Provincetown, Massachusetts. You know, close to where I live. And do you know what they mean by bears?
CAROLE THERIAULT
I do. I married one.
GRAHAM CLULEY
Is this big cuddly men? With a beard?
CHRIS KIRSCH
Big cuddly hairy men.
GRAHAM CLULEY
Yeah.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
Go listen to Sticky Pickles' last episode if you want to learn more about them.
CHRIS KIRSCH
So it's an aesthetic. It's one that escapes me a little bit, but it's an aesthetic. Yeah, it's gorgeous. Carole, thanks for saving the day.
GRAHAM CLULEY
I am talking about real animals. That type of fat bear. That's what's kind of— the grizzlies.
CAROLE THERIAULT
Is this because it's the— it's because they're about to go into hibernation, so they're all eating tons right now?
GRAHAM CLULEY
Well, look, you know, obviously the bears are gorging around. They're finding any food they can get hold of.

The ranger's not going to like it, but if they steal a little ham— I used to watch TV a lot. I used to watch Yogi Bear and Boo Boo. I know all about bears at Jellystone Park.

And so I know the antics which they get up to. And apparently the rangers at Katmai National Park and Preserve, they have been holding for some years now Fat Bear Week.

Where they try and work out what the most popular bear is. And they've been running this online as well. You can vote if you want.

A few Sundays ago, there was a semifinal round between a roly-poly bear, which they've nicknamed Holly, codename 435. So they've all got numbers.

And there's also an airplane-sized bear called 747. And you had to decide which was your favourite fat bear. Now you're wondering, why am I mentioning this?

Well, the reason it came to my attention is there has been some election fraud going on.
CAROLE THERIAULT
Oh dear.
GRAHAM CLULEY
There has. This is the word from Katmai National Park. They detected attempted election fraud in the poll between these two bears. They said that we have discarded the fake votes.

So apparently they were avalanched with emails, lots and lots of emails coming from several IP addresses, which were all voting for Bear 435, who did win, to her credit, in 2019, the Fat Bear Week Championship.

Yeah. But they said, no, no, no, a lot of these were actually fake votes. So someone has been trying to rig the Fat Bear competition. And I think that is a warning for all of us.
CAROLE THERIAULT
Is there a prize? Do you get to ride the bear? No, come on.
GRAHAM CLULEY
You know what a bear is.
CAROLE THERIAULT
You don't trust— Yes.
GRAHAM CLULEY
Have you not seen that movie with Leonardo DiCaprio? You don't mess with a bear.
CAROLE THERIAULT
I have stayed in Canada, on Vancouver Island, and the place I was at had a hot tub, and right beside the hot tub was this long bear stick.

So if you're sitting there in the soup looking delicious, like little dumplings for a bear, you could try and poke it off with this stick. It's ridiculous.
GRAHAM CLULEY
How did that work out for you?
CHRIS KIRSCH
Is that how you met your husband?
CAROLE THERIAULT
Yes, I harpooned a great one.
GRAHAM CLULEY
No poking in the hot tub.
CAROLE THERIAULT
I think we've had enough of that.
GRAHAM CLULEY
That's Chris's type of bear, I think. Anyway, they have now added a CAPTCHA to their systems to try and weed out fake votes.
CHRIS KIRSCH
Capturing bears in the wild. Oh God, another one to cut out.
GRAHAM CLULEY
Anyway, I think, well done to that. I like the idea of them having this fat bear competition and raising awareness of the bears. It's a little bit of fun, but you know what?

Why on earth was someone trying to rig the vote? What is going on?
CAROLE THERIAULT
I wonder if any bear-like men could go there during this week and just wander around the park and try and get captured, you know, and actually have men compared, you know, versus bears in it.
GRAHAM CLULEY
I'm sure there's a website for that, Carole. I'm sure.
CAROLE THERIAULT
Rule 34.
GRAHAM CLULEY
Why is someone throwing all this spam at bears as well? What's going on? It's very, very strange. Anyway, what's your pick of the week?
CHRIS KIRSCH
All right, my pick of the week is PimEyes.com.

So some of you might know that I have an interest in OSINT, open source intelligence, which is basically, you know, using public sources to figure out stuff about companies, people, etc.

And on Twitter, I saw somebody, you know, posting a list of, hey, here are some cool new OSINT sources, and PimEyes was one of them. And it's a reverse image search engine.

So you can put in a picture instead of typing out a term like you do on regular Google.

You put in a picture and then it shows you other places where that picture is from or similar pictures and so on.

And PimEyes has a particular flavor of reverse image search, which includes face recognition.

So you can put in somebody's picture and it'll find other pictures of the same person just through face recognition.
GRAHAM CLULEY
Oh my goodness.
CAROLE THERIAULT
Are they using the Clearview AI to do this?
CHRIS KIRSCH
Carole, you're not wrong. That's exactly the same kind of application, right? Same kind of technology.

And I actually tested that and I tried to, you know, get onto the Clearview platform and I couldn't get in. So that was actually, you know, reasonable protection.

It's still, you know, concerning from a privacy perspective and so on, but at least it wasn't available to your average Joe.

Now, PimEyes, on the other hand, is available to the average Joe at a bargain basement price. So I wanted to try out the platform. It's $30 a month for the lowest tier.

There's also a free search, which means you only see other pictures, but you can't click through to the sources, and they're only the face with everything else pixelated out.

So I gave it a test drive, and it works surprisingly well. You can add 1, 2, or 3 pictures or more to improve the quality of the search.

And then you get across the internet all publicly available pictures of that person.
GRAHAM CLULEY
While you've been speaking, Chris, I have uploaded a picture, a face to it. I chose the face of someone called Carole Theriault. So I've just uploaded her picture.

And it has found a number of other pictures of Carole. And I thought, well, maybe they've worked out that that is Carole Theriault in the picture, maybe they've done that.

And so they then searched for Carole Theriault. But they've also found pictures of someone who looks very much like Carole Theriault. I have to say—
CAROLE THERIAULT
My doppelganger?
GRAHAM CLULEY
She does look equally sarcastic in this photograph. I have to say, she does look very, very unimpressed. It's quite extraordinary. I'll just put it in the show notes.

Carole, there you are. That looks like you. I've just Googled. I don't know if you can see that, but there you are.
CAROLE THERIAULT
Oh, it's coming.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
Oh yes.
GRAHAM CLULEY
Like Carole Theriault. You can, you know, but—
CAROLE THERIAULT
I need to find her.
GRAHAM CLULEY
I've also seen something which is tagged as a potentially explicit result. I can tell PimEyes, that most definitely is explicit. It's not potentially explicit.
CAROLE THERIAULT
It's quite revolting.
GRAHAM CLULEY
No, I'm not gonna share that one. My God. Anyway, but yeah, it's extraordinary.
CHRIS KIRSCH
Also, I looked at some sites where they found somebody's picture and it did not have the person's name on it.

So that shows me that they really do face recognition and don't just pivot over the name that they might find somewhere.

But it does also, and you've just proven this, Graham, it does also have quite a lot of false positives.

So the further down you get in the search, the probability of this being the same person goes down.

And when you get towards the end, a lot of adult sites and a lot of et cetera, right? There's so many things that can go wrong with that technology.

So for example, you might, as an employment screen, put somebody's LinkedIn picture in here, and you might find some false positives, right?

Where you think, oh, this person had some other parts of their career that's not on LinkedIn. Or you might find some revenge porn out on different sites.

That's become unfortunately very common now. And so, you know, just from a professional profile to going to false positives and real leaked nudes is very, very fast now.

But also, if you think about a stalker just out in the public, if they snap a picture of somebody, that means that they can now probably find their Facebook pretty quickly and identify who that person is.

And, you know, that could increase stalking. On the flip side, you could also take a picture of a stalker and identify who they are.

You could also think of Charlottesville, January 6th, you know. Yeah. All of these events where people were trying to figure out who somebody is online.
CAROLE THERIAULT
And often getting it wrong.
CHRIS KIRSCH
And often getting it wrong.
CAROLE THERIAULT
And vilifying people.
CHRIS KIRSCH
Even with that website, there is no guarantee that they will get it right because there are false positives. So there is also a whole lot of—
CAROLE THERIAULT
And are they going to be held accountable if someone is misidentified and there is some kind of weird— and you go to them and they'll go, hey, it wasn't us.

We just scraped the web. We're just providing this service. Nothing to do with us, guv.
CHRIS KIRSCH
I'm sure they have plenty of disclaimers.
CAROLE THERIAULT
But they're charging for that service.
Unknown
Yeah.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
Anyway, yeah, I feel iffy about this.
GRAHAM CLULEY
Yeah, I think it's— well, it's the kind of thing you only really want people maybe in law enforcement to use and with an understanding as to the consequences.

I'm now searching for a photo of myself and I'm finding an alarming number of photos of me. Thankfully I—
CAROLE THERIAULT
Any naked?
GRAHAM CLULEY
Well, not yet, but—
CAROLE THERIAULT
Because there is one that someone took under a toilet stall once.
GRAHAM CLULEY
Let's not talk—
CAROLE THERIAULT
Maybe you should load up that picture and see if it's online.
GRAHAM CLULEY
This is— now, Chris, I've seen that there is the option to opt out, but in order to opt out, it says you have to upload a clear photograph of your face, which presumably they then are going to add to their database.
Unknown
Yeah.
CHRIS KIRSCH
Yeah.
CAROLE THERIAULT
And not let you see it. Yeah. Well, thanks for that Pick of the Week, buddy.
GRAHAM CLULEY
Blimey. Carole, what's your Pick of the Week?
CAROLE THERIAULT
I have a spooky Pick of the Week in honor of our upcoming Halloween season. Now, before I get to that, have either of you ever seen the original Exorcist?
GRAHAM CLULEY
No.
CAROLE THERIAULT
From 1973?
CHRIS KIRSCH
I'm not good with scary movies.
GRAHAM CLULEY
No?
CAROLE THERIAULT
God, it is extremely scary. And it was directed by crazy director William Friedkin and written for the screen by William Peter Blatty, who actually also wrote the book.

So if you don't like scary movies, maybe you like scary books. 1971 Exorcist, the book. I watched it when I was quite young, and I had nightmares for weeks afterwards.

The little girl that's fully under the control of evil forces haunted me. It was awful, but it stayed with me. It's considered, I think, one of the scariest.
GRAHAM CLULEY
You've never been the same, have you? It scarred you.
CAROLE THERIAULT
Now, English film critic, acclaimed Mark Kermode, has named The Exorcist his favorite film of all time.

Now, my pick of the week is not The Exorcist, but Mark Kermode's 1998 documentary on the movie, which has been re-released on iPlayer in full, and it's called The Fear of God: 25 Years of The Exorcist.
CHRIS KIRSCH
What is iPlayer?
CAROLE THERIAULT
iPlayer is kind of like Netflix but for BBC programs.
CHRIS KIRSCH
Is it available internationally? Do you know?
GRAHAM CLULEY
There are ways of accessing it.
CHRIS KIRSCH
I mean, obviously, who knows what they might... There's this great German company called Proton that offers a VPN service that might be able to help with that.
CAROLE THERIAULT
Yes. Now, I just watched this documentary. All I can say is flippin' heck. It is a top, top, top documentary with jaw-dropping moments.

The amount of information that Kermode was able to get out of all the interviews is gobsmacking.

And he manages to interview almost everyone who is either directing, writing, or acting in the film, including an actual priest who is based in New York.

Now, I know you guys haven't seen the film, but there's a lot of words I've read and heard about how this movie was cursed, right?

Which is great kind of PR for the film itself to think that. But after you watch this documentary, you sure as heck believe it.

Okay, a few things I will cover without ruining the documentary is that, of course, because this was filmed way back in— when was it? '73?
GRAHAM CLULEY
1970? Yeah, about then, I think.
CAROLE THERIAULT
'73. There's a lot of stunts. There's a lot of things that happen in the film, right? And they're obviously not digital.

And you have the person explain how we decided to do the stunts.

And he had to just create and rig up these insane contraptions to throw people around or, you know, to yank them or bounce them or topple them over.

And it's so disgusting how little care was given to the young, especially the young girl who's playing the main girl.
GRAHAM CLULEY
So I think I've seen— I think I've seen a documentary about The Exorcist before. It may even be this one that I saw. It was quite some time ago.

And the director was bonkers, wasn't he?
CAROLE THERIAULT
Yes, yes. Friedkin comes across as extremely bonkers. Now, he's quite respected. He did The French Connection, very, you know, big acclaimed film.

There were a lot of deaths on set during the production, way, way, way too many to consider anything close to what could normally happen in any kind of situation.
GRAHAM CLULEY
People died while they were making the movie.
CAROLE THERIAULT
Yes. And more than one. Like many more than one. And Kermode goes through them all and explains what happened. As far as they know. Yeah.

Friedkin and the writer are both really intense and passionate people and they come across as people that would stop at nothing to get what they wanted.

And that's the problem, is that everyone else paid the price and he goes down in the hall of fame because now it's an acclaimed film. Anyway, the documentary is just astounding.

I love, love, love, love, loved it.

So I would recommend that you try and watch The Exorcist first before you watch the documentary to get a better sense of everything if you can, but it is scary.

But the documentary again is The Fear of God: 25 Years of The Exorcist, currently available on BBC iPlayer and maybe even available for sale in other places.

But that is my spooky pick of the week. Cool.
GRAHAM CLULEY
Thank you very much, Carole. Now, you've been chatting to the folks at Akamai this week, haven't you?
CAROLE THERIAULT
Yeah, I spoke with Patrick. Great interview. We talk all about retail and bots and what you can do to stop them. Check it out. Well, listeners, today we have Patrick Sullivan.

He is CTO of security strategy at tech giant Akamai. Now, Patrick has nearly 30 years of tech experience under his belt and is also a bot expert.

And he's going to help us understand how retailers, as they gear up for the holiday season, can better thwart the bot problem. Patrick, first, welcome to Smashing Security.

Delighted you're here.
PATRICK SULLIVAN
Yeah, thank you for having me.
CAROLE THERIAULT
Fantastic. Now, honestly, I have never thought about bots in terms of the retail industry. It's because I've never worked in it, I guess.

And I know that Akamai has done a lot of research on this last year. But first, I thought maybe you could just define what a bot is. I mean, are they inherently bad?

Just for us to all visualize it?
PATRICK SULLIVAN
Yeah, that's a great question.

So the, you know, a bot is just a bit of automation that's performing a task on behalf of the bot operator and the bots themselves, obviously, they're not benevolent or malevolent by nature.

They really kind of take on the motivation of the operator, right? So it's really the humans that kind of define the motivation.

And to your point, we see, you know, very benevolent, you know, bots that help us crawl the web to search out.

And when we, you know, commit a search, it helps us find a relevant web page, right?
CAROLE THERIAULT
Right.
PATRICK SULLIVAN
I know on one of your shows you mentioned, you know, people leveraging bots to thwart fraudsters, you know, coming to dating sites and that type of thing.
CAROLE THERIAULT
Yeah, it was a few weeks ago.
PATRICK SULLIVAN
Yeah, hilarious. And, you know, on the other end of the spectrum, you know, we see them leveraged pretty heavily for fraud. Unfortunately, they're part of the toolkit for fraudsters.

And then between those two extremes, there's a whole kaleidoscope of, you know, shades of gray that are maybe not 100% good or 100% bad.

It's a matter of perspective, some somewhere in between.
CAROLE THERIAULT
Do we have any idea about how many bots are out there versus people? Is that even a question I can ask in terms of legit accounts?
PATRICK SULLIVAN
It is. So we see, you know, on a daily basis we're seeing about 40 billion requests from bots.

So it's, the good news is, you know, that's a staggering total, but that's still, you know, a minority of requests.

Most interactions are still driven by human beings, you know, on their phones all day or, you know, on their laptop.

But it's— that is a massive volume for website operators to deal with.
CAROLE THERIAULT
Absolutely. Okay, so now we know how these things can be used.

Maybe you can share some of the research findings that Akamai were able to sniff out in their research and just help us understand what retailers are facing in this space.
PATRICK SULLIVAN
Yeah, absolutely.

So, you know, a lot of areas when you're sort of deep into the domain, you know, there are people that live near the Arctic Circle that have dozens of names for snow to describe sort of the different consistencies.

It's very similar with bots. We've got all kinds of different names for various types of bots, but maybe in retail, there's probably 3 big categories we could talk about.

You know, one would be scrapers that are coming through and pulling down all the information from the site.

Second, there's a category of bots that are really heavily focused on fraud. So there we see account takeover as an area of focus.

And then maybe the one that's most visible to sort of the casual web user is what we would call inventory grabbing bots.

And you're confronted with these bots when you try to purchase anything online where the inventory is limited, right?

So if you're trying to buy concert tickets or, you know, a fancy pair of shoes or a handbag, or these days even much more mundane things.

You know, in the physical world, when demand exceeds supply, you get a queue.

In the online world, when that phenomenon of demand exceeds supply, you get bots and sort of an arms race to see who can consume that inventory most quickly.
CAROLE THERIAULT
So what would happen in that instance would be I'd be trying to get my hands on this ticket, the bot would beat me and get there first, and then what, try and resell them to me at a premium price perhaps?

Or I would be more motivated to pay more 'cause there's no supply anymore?
PATRICK SULLIVAN
Correct. So, you know, there are entire industries, you know, there are people that operate these bots that go to work in an office every day.

But if you think about sort of the arbitrage opportunity for sneakers, that's probably the most visible. There are really, really limited inventory, extremely popular sneakers.

And if you're able to buy them from the retailer, you can instantly sell those on an exchange at a massive markup.
CAROLE THERIAULT
Right.

So this annoys the retailers, of course, but it also annoys the consumer because they've got to shell out a lot more cash to get their, you know, their kids that special Christmas present that they're looking for this year.
PATRICK SULLIVAN
That's right. Yeah, so it does impact the consumer experience, and you're exactly right. The retailers care deeply about this, right?

I mean, obviously either way they're making a sale at the full price, whether it's a bot or a consumer.

But within the retailers, there are some of the brightest people in security focused on thwarting these bots and helping to ensure a human being has the best shot possible of buying that, one of their legitimate loyal consumers.

That's who they want to be able to purchase these things. They really don't want to see this secondary market where their loyal customers have a bad experience.

That's the worst thing possible for a retailer.
CAROLE THERIAULT
Yeah, of course. And of course brand reputation might be impacted there as well, of course. Okay, okay. I think I've got the picture now. So this is Cybersecurity Month.

We're still in October and maybe we need to go down the route of what people can do to try and fix this.

So should we start with retailers in terms of them and what, how they can help manage this?
PATRICK SULLIVAN
Absolutely. So I think what we're confronting here is a very determined adversary, these bot operators that are very well resourced, right?

I mean, we kind of touched on the profit motive. So there are very, very clever people building these bots.
PATRICK SULLIVAN
So to your point, if you're operating a website, there's a couple steps that you need to do.

I mean, first and foremost, you need to be able to detect, is this a human being or is this a bot on the other end?

And there's a lot of technology that we've developed over the years here, everything from looking at passive data to active detections of, you know, is the physics of the way the keyboard is being used and the mouse, the way that the phone is being oriented, does that appear to be human as we model that, or does that appear to be automation, right?
PATRICK SULLIVAN
So there's a lot of work there in detection. And then the next step is categorizing, right? We've talked about all these different types of bots.

Obviously, you want your Google bot that's searching the site to get right through to help your search rankings.
PATRICK SULLIVAN
The fraudsters, you want to deceive them, maybe send them a misleading message, but you could block them if you wish.

And then the gray bots, we see things like airlines where every bot that comes in costs them a little bit of money because they have to go have a paid query to a reservation system.

So maybe there you serve them some information that's slightly stale so you don't incur the cost, but the bot gets what they want as well.

You think about sort of that detection categorization and then have a menu of responses available to you.
CAROLE THERIAULT
So you actually use subterfuge basically with gray bots.
CHRIS KIRSCH
Yeah, and I think for the really malicious bots, you really want to confuse them, right?

So a lot of what they're doing is they're testing credentials to see if they can take over somebody's account.

So if you detect that it's a bot, even if they put in the correct credentials for one of your users, you don't want to tell them that we're blocking you.

You would just say these credentials don't work.

You give them the exact same message that you would give them if the credentials were invalid, right? To confuse them.
CAROLE THERIAULT
Yeah, so you're trying to waste their time a bit so they don't just create a new account and go attack in a different way.
CHRIS KIRSCH
Correct. And also maybe you can drive up their costs. There are things that you can do that will cause them to burn more CPU and memory to drive up their cost.

And frustrate them further, right?

Maybe they would go to another site that's less expensive for them.

If they're operating these botnets at the scale of millions of requests and you're causing their compute cost to go up a bit, that may be the most damaging thing you can do to them because it gets to the economics of what they're trying to pull off.
CAROLE THERIAULT
And so, customers that are working with Akamai in order to detect these bots and to categorize them to allow the good ones in and to thwart off the bad ones and to kind of obfuscate the gray ones so that they run around chasing their tails.

Are they seeing cost savings? Are they seeing streamlining? Because it's such a big deal, they're seeing huge advantages.
CHRIS KIRSCH
Yeah, I mean, obviously it starts with the user experience that you touched on, right?

You wanna make sure that your legitimate loyal customers have the best possible experience online. That's vital for a retailer.

But certainly there are IT cost savings, you know, if you're having to fight the bots, you know, a human defender versus a manual bot, that's really expensive because it takes a lot of humans.

But, you know, for a busy period, if you're having a limited inventory launch, or if it's the peak sales period around Cyber Monday, Christmas, which is coming, the last thing you want is a crush of humans and bots to bring your site down, right?

I mean, obviously, if you can pull these bots out of that demand cycle, and it's not consuming resource within your data center or your cloud compute, that ensures uptime and good experience for your legitimate users.
CAROLE THERIAULT
And is there any way for retailers who are not sure they have a bot problem - is it really clear when they have one, or can it be so sneaky that it can actually bypass them and they have no idea?
CHRIS KIRSCH
Yeah, that's a great question. You know, we often see this phenomenon where a very clever bot operator can operate for a long period of time without being detected.

And then often you'll get maybe more of a clumsy bot operator that comes in and they're extremely noisy and they're impacting the availability of the site.

So we go in there and, you know, targeting the very noisy bot.

But then once you have the precision tools to look, you'll see under the covers, hey, there were several other operators that have been visiting your site and conducting bot activity below the noise floor for some period of time, right?

And those are typically more sophisticated, more of a cause for concern than the really noisy bots that are out there.

So that happens all the time where it will be sort of below the radar.
CAROLE THERIAULT
And what about consumers?

So, you know, a lot of people are gonna be spending hundreds, if not thousands, in the new holiday if they've got the spare cash to buy gifts for their loved ones.

How do they avoid getting into a tangle where they lose out on something that they really need or wanna get?
CHRIS KIRSCH
You know, one of the things we touched on briefly was the fraud use of these bots, right?

And we call that credential stuffing where basically you have an engine that's these bots that somebody either rents or buys or they build themselves.

And then the fuel for that engine is credentials from breach sites.

So everybody listening today has seen some site that they visited and established a login on get breached over the last eight, nine years.

Well, what happens is those credentials on those sites are resold, right? So researchers say there are about 25 billion credentials up for sale that you can go purchase.

And then that becomes the fuel for these bots where they just test those credentials to see if people have reused their credentials from one site to the next.

So probably the primary thing that we can do as consumers is to use a unique password for every site, right?

That will really limit your exposure to somebody breaching one site that you visit and then attempting that same credential pair across every other site on the internet, billions of times a day.

And then to help facilitate that, a password manager could be helpful. There are a number of things you can do there. Avail yourself of MFA if that's an option on the site.

All of those things make it more difficult. But if there's one takeaway, it would be, I know password hygiene is annoying.

But unique passwords are probably the number one thing that we could do to thwart the mass-scale automated credential stuffing that we see out there.
CAROLE THERIAULT
Yeah, fantastic. Is there anything else you'd like to add before we close, Patrick?
CHRIS KIRSCH
No, I think that was sort of the key piece.

I mean, I would say it may be frustrating as a consumer when you're impacted by these bots when you're trying to purchase an inventory, but I can assure you there are people working very hard at retailers to try to give humans their very best shot at purchasing these things.

It's not a cynical effort on the part of the retailers. They're working very hard to give humans their very best shot relative to these bots that are out there.
CAROLE THERIAULT
Amazing. Now listeners, especially those of you in the retail space, I am sure you want to learn more about Akamai and their security research and their services.

And you can do this for free by visiting akamai.com/smashing. That's Akamai, A-K-A-M-A-I, .com/smashing.

And Patrick Sullivan, CTO of Security Strategy at Akamai, thank you so much for sharing your insights with us.
CHRIS KIRSCH
Thank you.
GRAHAM CLULEY
Great stuff. And that just about wraps up the show for this week. Chris, I'm sure lots of our listeners would love to follow you online and find out what your company's up to.

What's the best way for folks to do that?
CHRIS KIRSCH
So if you want to follow me personally, Chris_Kirsch on Twitter, and runzero.com if you want to check out the cyber asset management solution.

We have a free version for companies under 256 assets, so check that out. Thank you.
GRAHAM CLULEY
Super duper. And you can follow us on Twitter at Smashing Security, no G, Twitter must have a G.

And we also have a Smashing Security subreddit, and don't forget to ensure you never miss another episode.

Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Google Podcasts.
CAROLE THERIAULT
And massive shout out to this episode's sponsors, Bitwarden, Akamai, and Kolide. And of course to our wonderful Patreon community, it's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 293 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye, bye, auf Wiedersehen.
CAROLE THERIAULT
Graham, you know how you were looking at that, what was it called, PimEyes or whatever it was. And you were looking at pictures of me.

And then you made a comment that there was something really naked and nudie. Can you just confirm it was not me?
GRAHAM CLULEY
Oh yeah, it wasn't you, Carole. Well, I don't know. I mean, it's a bit difficult to tell.
CAROLE THERIAULT
Graham.
GRAHAM CLULEY
From that angle.
CAROLE THERIAULT
Graham. It was categorically not me.
GRAHAM CLULEY
It categorically was not you.
CHRIS KIRSCH
Yes.
GRAHAM CLULEY
I'm pretty sure. Yeah.
CAROLE THERIAULT
Thank you very much.
GRAHAM CLULEY
Just to stress.
CAROLE THERIAULT
Just making, underlining and bold.
GRAHAM CLULEY
And neither was it me, because possibly it wasn't just one person involved.

Hosts:

Graham Cluley
Carole Theriault

Guest:

Chris Kirsch – @chris_kirsch

Sponsored by:

  • Kolide – the SaaS app that sends employees important, timely, and relevant security recommendations concerning their Mac, Windows, and Linux devices, right inside Slack.
  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Akamai – Make the most of Cybersecurity Awareness Month by connecting with Akamai’s experts on how you can achieve unmatched security. Where else can you take advantage of insights from 7 trillion DNS queries per day?

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
