Smashing Security podcast #320: City Jerks, AI animals, and is the BBC hacking again?

Eating an orange in the shower.

Yes, listeners, if anyone remembers, tell Graham, please. So this was a long— I don't even know how many years this is.

Oh, I've just found it. Episode 147.

There you go. A long time ago.

In fact, you posted a picture on Twitter.

Did I?

Smashing Security, episode 420. Smashing Security, Flawed Systems, and Fruity Fixes for Anxiety with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 420. My name's Graham Cluley.

And I'm Carole Theriault.

What's coming up on the show this week, Carole?

Before we kick off, let's thank this week's wonderful sponsors, MetaCompliance, Harmonic, and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?

Someone has deepfaked Trump's top aide.

And we're going to find out where the kids are getting their mental health advice. All this and much more coming up on this episode of Smashing Security.

Now, chums, chums, we all remember that witty chappy Oscar Wilde. Well, we don't actually necessarily remember it.

I never met him. I never met him.

No, exactly, exactly. Well, okay, all right, but we remember what he wrote, and most famously In The Importance of Being Earnest, he said that to lose one parent may be regarded as a misfortune. To lose both looks like carelessness. We went, ho ho ho, very funny, very funny. But what about if you keep suffering from a hack? Is that unfortunate or is that carelessness?

Don't know. I guess it depends on many of the situations you're going to tell us about. So the circumstances we need, we need the circumstances to make that decision.

What if you are working deep inside a place of paramount importance to keep secure. A place like the White House in the United States.

The White House. Okay.

The White House. The home of the President of the United States, the land of the free, God bless it, the home of the spear-phished. My story today is about a woman called Susie Wiles. Have you heard of Susie Wiles?

No.

She is the first ever female White House Chief of Staff. So she's Donald Trump's right-hand woman, his top aide.

Okay, see, shows you how much political press I'm reading.

Well, chiefs of staff, of course, they're the people who run the show behind the scenes. They crisis manage.

They're PAs that are paid properly.

Right. It's a big job. They gatekeep who gets access to the president. They coordinate messaging. They generally babysit the commander-in-chief's ego. And in recent weeks, according to the Wall Street Journal, a lot of people in Washington have been receiving messages from Susie Wiles. So, high-level Republicans, senators, governors, business executives, they've been receiving messages at their private phone numbers. These are some of the country's most influential people. They've been receiving messages from someone claiming to be Susie Wiles. And it's not just text messages. Some have received phone calls from her as well.

Okay.

And they say that the calls are from a voice identical to Wiles, originating from an unknown number. One imagines her private phone number.

Right. So they're getting these calls on their private number. That's not where they expect to hear from her. And it sounds like her on the phone. And— Right. And they're going, this is odd, because why are you calling me on my private number? For example.

Well, some of them are saying it's odd.

Right.

Some of them, however, are saying, well, it really sounds like her. And some of them, some of the ones who think it's odd are sort of squawking, deepfake, deepfake. They're assuming some shenanigans going on. Some of the recipients apparently realised these messages were suspicious because the texts and calls came from a number which they hadn't previously seen. And also because the impersonator asked if the conversations could be continued on another platform, such as Telegram.

Which, to be honest, sounds like it could be the start of a cryptocurrency or a romance scam. You know, why don't you slip into my DMs over here and we can carry on chatting there?

Or Susie's going to tell you something that's very, very secret.

A bit juicy.

A bit juicy. Exactly.

It could be. So some of these impersonation attempts apparently, they appear to have had political goals. For instance, a member of Congress was asked, "Can you give me a list of people who you think Donald Trump should pardon?" And in another, the impersonator tried to get their target to transfer cash to them. I don't know if that was in exchange for something.

I'm having trouble. Donald wants me to wear a blue dress.

I don't have one. Maybe you can help me out. I've lost my wallet.

So, how did this impersonator get the details of so many Suzy Wiles's contacts? And the answer to that is, well, we don't know. We don't know yet for sure. It's still being looked into. According to the Wall Street Journal, someone must have got hold of her contacts, either by hacking her phone or by doing something far more devious, I don't know, buying data from one of the 12,000 data brokers that are out there. Who'll sell your life for the price of tuppence ha'penny. You know, there are these big companies who of course, or it could have been some past data leak, who knows, which could have occurred. Wiles herself, according to CBS News, has told people that her phone has been hacked. So it's a little bit, oh my God, you know, all these people have received this message, I better warn people. You know, people do send out those warnings and quite right too, in my view, you should warn people if your phone or your email account has been hacked.

So basically she becomes aware that this is going on. She goes on to, what was that, CBS, you said?

And says, "I was hacked." Well, no, she hasn't been on CBS. She's been telling people privately, but according to the Wall Street Journal, according to CBS, they say that they've spoken to people who say Wiles told them that her phone had been hacked.

Right, okay, okay. So word on the street is her phone's been hacked, but she's making these phone calls that don't make much sense, and people are thinking that makes sense if she's been hacked, right?

Right, so people are thinking, "What is going on here, and how has she been hacked?" The FBI has launched an investigation. The White House says it's taking the matter very seriously. Well, you know, I understand that. I take flossing very seriously. Once a year, in a blind panic, just before a dentist appointment, you know, I suddenly will start flossing so that when the dental nurse says, "Have you been flossing?" "Yes, I have," I say. "Yes, I flossed every morning and every evening in the last two days." That's so you.

That's very you.

Oh, come on, most people surely.

Jesus.

Do you do it every day?

Not every day, but a little bit more regularly than once a year. Yeah, quite a bit more.

Okay. Well, apparently this impersonator, this fake Susie Wilder, I don't know if it's a deepfake or not. You know, I'm always suspicious when people say, "Oh, it was deepfake. It was definitely a deepfake who did this." And you think, well, it could just be someone who's really good at accents.

It could be a ventriloquist.

A ventriloquist on the phone. You know, that's— you can move your lips, you know, when you're speaking on the phone.

Not in a FaceTime call. Okay, okay.

It wasn't a FaceTime. It wasn't a FaceTime. But yes, I take your point. You're completely right. Anyway, apparently the impersonator's still at it. They're texting away, even while the real Suzy Wales has been accompanying Trump when he popped over to the Middle East recently to pick up a gold-plated jumbo jet for himself. In fact, the impersonator has been so prolific that some White House staffers are said to be joking about how busy the fake Suzy Wiles is, and have suggested that the fake should perhaps do the job of the real one because of the impressive work ethic. Right now, despite what you imagine—

Which is what exactly?

Right now, despite what you may imagine, the idea that a foreign government might be involved in this is being downplayed. But maybe that's because, you know, when they rang up their targets, they didn't have— again, I don't know how they know that.

Does she have a teenage kid?

Oh, I see what you mean. Or a grandchild, something like that.

Yeah, we've seen this. We've seen this before where, you know, kids in a strop will, who are much more au fait with the technology than the older counterparts, can make parents look a little bit silly in front of their work partners.

Yeah, because Auntie Susie or Grandma Susie or whatever, you know, has got a passcode of 1234 to unlock her phone. That may be the case. Now, Donald Trump himself has been asked about this. He said, well, how do you feel about someone cloning Susie Wales? He was asked by the media. And he responded by saying, "No one could do her job better than her. She's the best. I don't believe it's happening. It's not possible. No one could copy her."

Wasn't it on Telegram?

It was on a Signal chat.

Oh, Signal, Signal. Yeah, similar, similar, similar kind of service. Yeah.

Yeah, absolutely. And supposedly, confidential messages sent by members of the cabinet ended up in the hands of hackers because they were using an app that was supposed to properly enforce end-to-end encryption, that was a separate incident, but didn't. And poor old Suzy Wales, even she has been hacked before. During last year's presidential campaign, an Iranian hacking group broke into her email account and gained access to a research dossier on none other than JD Vance. They were trying to work out who Trump's running mate should be. And so they're putting together sort of, you know, the pros and cons of everybody. And this document was leaked about JD Vance. And of course, that was embarrassing. Now, at the time, US authorities, they blamed that hack and leak operation on, as I said, Iran's Islamic Revolutionary Guard Corps. They said that it was aimed at undermining Trump's campaign. So better luck next time, guys, with that. So I think what we need to be clear on is that if you are in a position of political importance, your cybersecurity really, really matters. And if you are likely to receive a communication from someone in a position of authority, double-check. Some of these people apparently did. They rang up the real Suzy Wales, or they contacted her to say, was this really from you?

But she works for United States government of America. Surely there is a very robust and intelligent cybersecurity team that has not been dismantled by a previous tech. Ah, yes. Oh, maybe that's the problem.

I think—

Darn it. All I'm saying is you're making it sound as though it's her fault that she's been hacked twice. But maybe she's being left to her own devices and doesn't know a lot about this stuff. She's really good at her job, potentially, but not good at the cyber stuff.

Maybe she should ask her grandkids for some help with that. Who knows if there's no one else in the office who can help her. Carole, what's your story this week?

Okay, well, bad news, clearly, because despite the advancement that we see day after day in tech these days, it seems that both adults and young people feel their well-being is getting worse. Yeah, this is according to Mind, one of the leading mental health charities in the UK dedicated to supporting people experiencing mental health problems. And they put out a report last year that had pretty bleak findings. So in England, for instance, it's 1 in 4 will experience mental health problems at some point. And there's a real life and death impact here because Mind's report says that life expectancy of people with severe mental illness will have a life expectancy of 15 to 20 years shorter.

That's a lot. That's huge.

It's a fifth of a life. So, okay, one might think if you're concerned that you have a mental illness, go get help. Well, the first thing is let's go private, for example. So private care is not cheap.

No.

So in-house care is at least £1,000 a week in the UK.

Sorry for being dim. What does in-house care, does that mean you are residential?

Yeah, they want to keep you in for a week or a month, or maybe say you had an addiction, you need to go and deal with that. It takes maybe 6 weeks, 8 weeks. Yeah, so that's £1,000 a week. Oh, crumbs. That is pricey.

Right. And I think we can agree this is not available to the vast majority of UK residents because as of April 2024, the median gross annual salary, so this is before tax, for full-time employees in the UK was £37,430. So if you do the maths, it doesn't work out. There's no way the average person in the UK could pay for private if there was a serious mental health issue.

No, no.

But hey, lucky us, lucky us, in the UK we have the National Health Service, the NHS.

Thank goodness. Yes.

Right? But guess what? Right now they are not able to deal with the problem.

Because they're not given enough financial assistance by the government, right? There's not enough money being invested in the NHS.

Well, the supply-demand balance is off. And you're right, that is part of the reason. Mind says the scale and severity of mental health needs is spiraling. But many can't get the quality care that they need when they need it. So for example, let's say you were feeling desperate, say something awful. And people would say to you, get some help, or you might even for weeks, I'm gonna, and you finally bring yourself to be able to ask for help. And you're told that you'll get an appointment in, I don't know, a month's time, two months' time.

Well, yeah, it could be longer than that even, couldn't it? It could be a long, long time before you get to see a professional.

And another problem to your point is there's not enough staff. And I hate saying thanks Brexit, but thanks Brexit. And oh, thanks coronavirus. Neither of these positively impact the mental health services here in the UK. In Mind's report, they cited that there are more than 25,000 vacant posts in England for the mental health workforce. And that has a domino effect because there's 2 million people on the waiting list for NHS mental health support in England alone. And it's worse for kids. I know this is a joyous story, but you have to give the context before I get to my main bit. Mind says 1 in 5 school-age kids have mental health difficulties. That's 20 flipping percent.

Yes, it is.

1 in 5. I did my maths right, right?

Yeah, you know, you did really well there, I have to say.

It gets even worse because those kiddos with mental health difficulties are significantly more likely to be bullied. So it's a nice double whammy. Between us— between us, huddle everybody, huddle. But I have a friend with an 8-year-old who is in the process of getting help because there's been numerous accidents at school and at home because of a particular mental health issue. And the kids, of course, bully and tease and cajole. And the teachers, even if they were desperate to help, wouldn't necessarily have the training or the time to devote to a single child in a class of God knows how many. And they've been on waiting lists for professional help for more than a year, and they can't afford to go private. And they've been finally— they've been quoted privately $240 an hour, right? And it needs to be weekly. It's heartbreaking. I mean, of course, this kid is not alone. According to Mind, only a third of kids were able to access treatment last year in England, those that try to seek it out. So all this to say, we have this kind of vacuum happening where kids and adults need to get help. So where do you go? What do you do if you can't afford to go private and you are on a waiting list that is way too long for your particular requirement?

You go to the internet, use a search engine, right?

You hit the socials, Graham.

Of course. Okay.

And according to an article in The Guardian this past weekend, we don't want that for adults and especially not for kids. So the article's findings reveal that of the top mental health videos on TikTok, more than half were spewing huey.

Spewing? So they were spewing huey?

It's hard to say.

Spewing huey. Okay. Nonsense.

Yep. Some might seem innocuous, there's recommendations for eating an orange in the shower to cure anxiety. Now, you might remember that this was my pick of the week donkeys years ago.

What, eating an orange in the shower? That was your pick?

Yes. This was— yes. Listeners, if anyone remembers, tell Graham, please. So this was a long— I don't even know how many years. But the idea was not for anxiety. It was just because oranges are, you know, disgustingly messy. And often people love to eat them, but hate getting all gross, you know, that sticky juice all over them. So why not eat one in the shower like a primal being that you are, and then it just rinses off and delicious.

I've just found it. Episode 147.

There you go. A long time ago.

In fact, you posted a picture on Twitter.

Did I?

Are those your feet? I can see orange peel in a shower with your— I doubt it.

I doubt I would have put my actual feet. It's probably AI.

Hang on. I'm just going, all right. I'm just—

You do some recon?

I'm just wondering. There's actually a Reddit group all devoted to the—

I think that's where I learned it, because at the time I was on Reddit a bit too much.

Anyway, carry on, Carole.

Thank you. According to mental health experts, advice like this is not just wrong, but they can actually harm people who are seeking real help.

I'm sorry, I've been— I've slightly lost the thread. How is eating an orange in the shower supposed to help you? Isn't there a danger you could slip on the orange peel in the shower and do yourself harm.

It's not a banana.

No.

The idea is that they're just peddling basically snake oil.

Oh, I see.

To say, this is what's going to happen. This will help you with your anxiety if you just do this.

Okay, so it's not true. It's what I like to call spewing huey on TikTok.

Now, I know we're not surprised by that, but if you're very desperate and need mental health advice, and you can't find it.

Or if you have a lot of oranges to sell, that'd be the other.

No, this is just one, but some of them are actually, you know, take these supplements, do these things.

Oh golly, right.

And it's a bit like a phishing scam but for your mental health, because there's short snappy videos that hook people with clickbaity tips, yeah, an orange in the shower for anxiety. But they oversimplify the serious issues of trauma, depression, anxiety. Eating disorders have ramped up hugely in the last 3 years in the UK.

I kind of feel like if you've got a mental health or anxiety issue, probably the last place on earth you want to be is on TikTok.

Where should they go, Graham?

Well, not on bloody TikTok.

I agree, but where are you gonna go if you're a kid? You're gonna go to TikTok. You're gonna go to Insta.

Oh, I suppose so.

YouTube.

Yeah.

Mental health experts are concerned that some even pathologize normal feelings. So maybe you're nervous before an exam. Normal, normal. Maybe you're sad because your parents are getting divorced. Normal. But they pathologize normal feelings, making people think they have disorders that they may not have. So if you are feeling mentally in need, they may lead you down a rabbit hole of BS. And if you're not mentally ill, you might start thinking that you are. This is the concerns the experts have.

Right.

The Guardian reports that politicians and mental health professionals are sounding the alarm here, and they are. So MPs called the situation damning and want stronger regulations to protect people from this digital content. The UK Online Safety Act is supposed to help. I don't know what your views are on it or if you've worked with them recently, but word on the street is it's not super effective for tackling false or harmless content, right?

Yeah.

TikTok, for their part, say they're working with the World Health Organization and the NHS to remove dangerous posts, but— and they claim that they're taking down videos to discourage medical help, but experts say it's not enough because it's like patching one vulnerability, right? So you're just basically taking them down when they show up. You take down one, 10 more show up. So your advice is right. If you're looking for mental health support online, don't go to TikTok because misinformation spreads faster than truth. We know that. And for good advice, I will put a list of reputable online services in the show notes that you can check out. Mind is very good in the UK. The NHS also has some really good pages on it. It doesn't mean you necessarily can see someone directly, but they might be able to advise you on what to read, where to seek help until you get your appointment.

Yeah.

But there you go. TikTok's not the place.

And your local library might be a great resource as well for information. And maybe there are support groups which you can join to, which may be advertised at the library. This is a worry I have now, though, with the advent of AI, right? So in the older days when you had to write a book by literally writing it.

So look out, look for a book which was published before 2023, I think is your suggestion.

Exactly. Yes, basically. Yes.

AI tools are everywhere and employees are feeding them sensitive data, often without realizing the risks. And some of these tools train on that data, others store it insecurely.

And that's where Harmonic Security comes in. They give security teams total visibility into how AI is being used across their orgs while making sure sensitive data never leaks into GenAI or AI-powered SaaS.

Their secret? Specialized pre-trained small language models that detect sensitive data in real time without the endless false positives of traditional DLP. No complicated regex, no training on customer data, just instant, accurate protection.

Yeah, because with Harmonic, you don't have to hope employees follow your AI policy. You can enforce secure, responsible GenAI use without slowing anyone down. Help your workforce embrace GenAI securely. Visit Harmonic.security to learn more. That's Harmonic.security.

Now, the folks at MetaCompliance know that real cybersecurity starts with your people. That's why their approach is different. They don't just deliver generic cybersecurity training, they personalize it.

That's right. Every employee gets content tailored to their role, location, and level of risk. It's engaging, it's relevant, and most importantly, it drives real behavior change. MetaCompliance has created a free security awareness planner, your 12-month roadmap to building a culture of cyber awareness. It's designed to save you time, increase staff engagement, and make it easy to plan meaningful campaigns that reduce risk.

Whether you're just starting out or looking to improve your current program, this planner gives you a clear, structured path to follow, and it's completely free. Download it today and take the first step towards smarter, more effective cyber awareness. Just visit metacompliance.com/planner. That's metacompliance.com/planner.

And thanks to MetaCompliance for sponsoring the show.

Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A.com/smashing. And thanks to Vanta for sponsoring Smashing Security.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Pick of the Week. Pick of the Week.

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

Better not be.

Well, my pick of the week this week is not security related. My pick of the week this week is an app. Now, Carole, do you use any of those bookmarking or read-it-later type apps on your computer?

Okay, so I think I do.

Okay.

But I've never found the reading list where it's kept. I've never gone and looked, right?

Oh, so you bookmark things into something, but you never actually go to see what it is that you bookmarked?

No, because I'm a busy girl. You know, lots of stuff going on.

Well, I've been using for some time one called Pocket.

Yeah, I used Pocket for a decade. We used to use that when I used to work full-time.

Yeah. And Pocket was— it was bought up, I think, by Mozilla. But Mozilla has recently announced that it's shutting it down, closing it. Goodbye. And that's really sad because it not only kept things which I might want to read later, but it also presented them in a really attractive way rather than with loads of ads and pop-ups. You know, you could just read the bloody article, which is what you wanted to do, right? And you could read it offline if you wish to.

Yeah. So what I do, you're right. So I have often my— I do it kind of bespoke by slapping in information into Notes. Right. That's what I use. It doesn't work very well, but that's what I do.

Well, I've been looking for an alternative to Pocket, and I posted up on LinkedIn and Bluesky and all those sort of places saying, well, hey, look, Pocket's shutting down. What are people using? A number of people came out with suggestions and I have chosen one of them and I'm really rather happy with it.

Cute.

It is an app called Matter, which is a more modern read later app for the iPhone, iPad, and web. I think it isn't available at the moment for Android. Sorry, Android users. It lets you do the things you'd expect so you can save anything. Not just articles, but also threads and PDFs, and it will extract the text and present it in an attractive way for later reading offline if you wish on any of your devices. It will also read out articles for you.

Can you choose the voice like you used to be able to on Waze?

Yes, you can choose. Yeah, you can't have Elvis or something reading you the articles. It doesn't do that. But yeah, you can read out the articles for you, which is sometimes nice. So actually what I can now do— You know how we all love to listen to podcasts. I listen to podcasts when I'm going to sleep. I can put an article on and I've listened to it and it can carry on playing. It also lets you highlight parts of the article you're interested in. And this may interest you. It will also take your favorite podcasts or YouTube videos and not only transcribe them so you can quickly skip through, you can just see where the bit you're interested in and say, play it from here by looking at the text. It can summarize them for you. So if, for instance, Smashing Security has been going on for 45 minutes and you wanted to know if it was worth listening to or not, it will summarize the interesting bits for you. And you can even use AI to ask questions about the content of these articles or podcasts or YouTube videos, which I think is pretty handy.

Mm-hmm.

So I'm now a signed-up subscriber to Matter. It's also a very elegant app. It's beautiful. I'm really impressed with it. It's really easy to use. I'm paying, I think, $79.99 for my annual subscription.

Geez, you're fancy.

Well, I like to read, you know, I like to read things and it's useful for my work as well. And you can even import your old Pocket archive before they shut it down completely and close it off forevermore. And that is why Matter is my pick of the week.

Interesting.

Carole, what's your pick of the week?

Well, my pick of the week is not security related, but it's kind of technologically related. It's from The Register that have this cute wee regular-ish feature that showcases tech support snafus. And this one gave me a bit of a giggle. So our hero is referred to as Neville, and Neville told The Register about a job he took back in the '90s in which he supported systems that produced 3D images from CAT and MRI scanners.

Okay.

Now because this was the '90s, the systems displayed these images on a 19-inch cathode ray tube monitor. Big beige giant boxes that radiated heat fiercely. You remember. I remember.

Yes. Oh, yeah, yeah, yeah.

Yeah. Now despite the inelegant hardware—I don't know, it was pretty elegant at the time. But radiographers, radiologists, and surgeons found the images very useful, right, to help diagnose patients, plan surgical operations, the whole lot. Yes. So anyway, a client calls in one day, presumably from a medical outfit, complaining about their ginormous monitor. It seems it would sometimes render the images in shades of brown that made it hard for the medics to do their work. Okay, so Neville sends someone out to swap the monitor out because important client. But a day later, the problem recurs. So Neville's company dispatches another new display. Again, a complaint. So Neville decides it's time for the big guns, right? He's the only man for the job. And he goes there personally to fix the problem once and for all. You're right. So he arrives, right? And he sits down in front of the offending screen and finds it in perfect condition. And then this doctor comes in and closes the door and you see, you see, it's brown. It's brown. And Neville responded by opening the door, at which point the brown disappeared. When he closed the door, the brown hue returned because it was basically just reflecting the door's unpainted wooded finish. Oh. So you can imagine he escaped the room, you know, mortified the doctor. But you see, in the old days, my point of this being my pick of the week is in the old days, see, our computer dramas were pretty manageable, right? They're even sweet. They were sweet. Not like today's digital Armageddon. You know? So my pick of the week's to the good old days and to this cute, cute, cute little support call that ended in—can you imagine driving home after handling that?

Oh my goodness. You'd be giggling your butt off. Tremendous. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget, don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

And huge, huge shout out to our episode sponsors, MetaCompliance, Fanta, and Harmonic. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 419 episodes, check out smashingsecurity.com.

Until next time, cheerio. Bye-bye. Bye.

Mm-hmm.