Smashing Security podcast #321: Eurovision, acts of war, and Twitter circles

Industry veterans, chatting about computer security and online privacy.

Twitter shares explicit photos without users’ permission, one US company can look forward to a $1.4 billion payout seven years after an infamous cyberattack, and how might hackers target Eurovision?

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by cybersecurity reporter John Leyden.

Plus don’t miss our featured interview with Outpost24’s John Stock.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

Doesn't boudoir mean risqué? Well boudoir doesn't have to mean risqué does it?

Carole Theriault

What's risqué? A bit of nip showing? Like what do you mean? Goodness.

Graham

Gracious yes Carole, definitely a bit of nip showing. You know if there was photographs of me in my dressing gown with my smoking pipe and my slippers in my boudoir, not so risqué yeah.

Carole

It's risky enough for me not. Like do not want to see it I'm telling you.

John Leyden

Oh I think I now want to leave the car.

Graham

Smashing Security episode 321, Eurovision, acts of war and Twitter circles with Carole Theriault and Graham Cluley. Hello hello and welcome to Smashing Security episode 321. My name's Graham Cluley.

Carole

And I'm Carole Theriault. And Carole, this week we have a returning guest. He's not been on the show for quite a while but glad to have him back. Who have we got in the hot seat? It's journalist John Leyden. Welcome.

John

Thank you for having me.

Carole

It's so great for you to be here. Now what have you been working on since you've last been on?

John

Well so since I've last been on that must have been a couple of years ago, most of the time I was working for the Daily Swig which was part of PortSwigger. So unfortunately in March I was made redundant from that job so I've now embarked on the wild world of freelancing, tech journalism.

Carole

So you're a freelancer now?

John

I am, I'm a hired gun.

Carole

You are looking for more work, is this an ad? Is this an ad post for you?

John

I'm open for work, let's put it that way.

Graham

And in the past John, you've worked for all kinds of publications haven't you? You've worked for the Register for many years as their cybersecurity correspondent you were with. Was it CRN? I seem to remember.

John

I started off working for Network News. I wrote about networking and things like that. But that was a long time ago. I was with the Register for 17 years. So I had a lot of experience there.

Carole

Yeah, well, we always loved reading your articles. So, guys, if you're looking for a writer, this is the guy.

John

Why, thank you.

Carole

You're welcome. Now let's kick off this week. But first, let's thank our wonderful sponsors, Bitwarden, Kolide and Outpost24. It's their support that help us give you this show for free. Now coming up in today's show, Graham, what do you got?

Graham

I'm going to be letting you into my inner circle.

Carole

Your inner circle? I don't know if I want to go there.

John

John, what about you? I'm going to talk about war and peace, cyber attacks, insurance and very large payouts.

Carole

Okay, good. A light topic. And as we all know, Eurovision 2023 is upon us. Let's see if there's anything cyber to worry about. Plus, we have a featured interview with John Stock from Outpost24, explaining that while you might not be able to get your attack surface down to zero, you can reduce it dramatically by taking the correct steps. All this and much more coming up on this episode of Smashing Security.

Graham

Now, chums, chums, are either of you fans of wrestling? No. No? John, do you often boil yourself up?

John

Not especially. I did go to WrestleMania in the US, but that was back in the 80s.

Graham

Ah. Yes. The US version of wrestling is very different from the British version. I remember in the 1970s watching ITV. Obviously not at my house. We weren't allowed ITV.

Carole

Is that Big Daddy times?

Graham

Yes, Big Daddy and Giant Haystacks. Dickie Davies would be there as well. But I actually want to talk about the American WWE, World Wrestling Entertainment. I think they used to be called the WWF.

Carole

Yes, and for obvious reasons, yeah, they were told, back down, back down.

Graham

Duke of Edinburgh wanted to go around there and start shooting pandas or something. Anyway, I'm talking about the one which involves Dwayne The Rock Johnson, Stone Cold Steve Austin, Hulk Hogan.

Carole

Hulk Hogan, yes. All of that lot. The one who took down Gawker.

Graham

Oh, because they posted about his shenanigans, I think, didn't they? Well, if you are into WWE and in the world of entertainment wrestling, you would probably know of a chap called Vince McMahon. Have you heard of Vince McMahon? No.

Robot

I am the Lord, the master and God of all sports entertainment. Oh boy. And all that participate in any manner, whether or not it's in the ring or you buy a ticket, you will worship me.

Graham

He ran WWE for 40 years but very visibly he would be there in the ring in his suit. Sometimes there'd be a punch-up, he'd be in the middle of it. He's probably in his 70s by now but he was very much the big man of wrestling. He was running the show, he was the CEO. If you were interested in the backstage goings-on at WWE you may also be interested in a new book that's coming out all about Vince McMahon called Ringmaster. And it's been written by a transbian author Abraham Josephine Riesman.

Carole

A what? A transbian is a trans lesbian. This is how Abraham Riesman describes herself as a transbian author. Okay, I've never heard that term. Ever.

Graham

Yeah, this is, it's all right to call people transbians if they're comfortable being called transbians. Don't.

Carole

Yeah, it's only if other people understand what the heck you're talking about. But yes.

Graham

Exactly. Well, I just got it from her Twitter profile. This is what she calls herself.

Carole

Well, I'm very happy with that. That's great. Okay, so she's written a book about Vince. Can we call him Vinny just for fun?

Graham

Vinny. Vinny. Yeah, you can do that if you want. You can do that if you wish. When you were at WrestleMania, John, back in the 80s or the 90s, you may remember that WWE wrestlers, they don't wear many clothes, do they?

John

No, they don't wear many clothes. And there may be an element of orchestration in the fight, so I don't know. What? No.

Graham

Some fiction? Are you suggesting?

John

There could be some theatrics involved.

Carole

But that's part of the fun, though, right? That's why, I mean, I did used to watch, I did watch it as a kid because we only had about three channels. So if you wanted to watch TV and that happened to be on, that's what you watched. And, you know, even as a kid, you knew it was kind of fake.

Graham

Did you? I don't know. Anyway, some kids are crazy for it. Some grown-ups are crazy for it as well. The thing about WWE wrestlers, as we've ascertained, they don't wear very many clothes. They're presumably comfortable being photographed in the ring wearing their skimpy spandex outfits. I wouldn't be. I wouldn't want that. I wouldn't want people to photograph me in skimpy spandex stuff. I'm not giving my permission. Let me put that out there right now. If anyone gets hold of photographs like that, I don't want to see pictures of you like that, Carole, or John.

Carole

Do you know what? I am actually looking right now at WWE on Google Images. And it is astounding. It is really quite astounding how spandexy it actually is. There's a guy here with a fake sun and bat wings. So he puts his arms up and it makes him look like a whole sun. Probably for when they jump from the corner of the ring and glide down to do, I don't know the names. Anyway, back to authoress Abraham Josephine Reisman, who's written this book.

Carole

Doesn't boudoir mean risqué?

Graham

Well, boudoir doesn't have to mean risqué, does it?

Carole

What's risqué? A bit of nip showing?

Graham

Oh, goodness gracious. Yes, Carole, definitely a bit of nip, as you refer to it, showing would be. I was thinking, you know, if there was photographs of me in my dressing gown with my smoking pipe and my slippers in my boudoir, not so risqué.

Carole

It's risqué enough for me not to see it. I'm telling you.

John

I think I now want to leave the car.

Graham

Reisman took these risqué photographs and she posted them on her Twitter circles. As you do. And she said, as usual, she got no engagement. Now, do you know what a Twitter circle is?

Carole

I didn't know what this was. I'm going to guess. Can I guess? Is it a group, a category of friends? So it's not all your followers. It's just a group of them that can see what you're showing them. God, you're so clever. Oh, thank you very much. So many times I thought you're not, but in fact, you're a genius. You're absolutely right. Only the people inside the circles can see the images. Do they say that too? Yes. Absolutely. So it's only people who you've allowed to have access. With 1,500 of her closest friends in a specific circle.

Graham

She's posted up there. She says she got virtually no engagement. That's not that unusual these days on Twitter. I'm finding you don't get much engagement on Twitter anymore unless you got the blue tick. Those are the people who seem to be being promoted on Twitter. But when Reisman woke up the following morning, she found people who she didn't follow back, let alone were inside her Twitter circle, had liked this, as she put it, little bit spicy photograph.

Carole

Oh, missus. And she didn't make a mistake. That would be my first thing would be like, what did I do? Oh, no, no, no, no, no, no, no. No, no, no. She says she's been very careful about curating her circles to the people she thinks wouldn't mind. But she says the general public do not need to see me in my birthday suit, is what she's saying. But people did. Wow. So can we see these pictures? I'm kidding. I'm kidding.

Graham

Probably. Probably. So these private conversations where people are talking shit about each other, they're bitching about people, they're sharing explicit photos. You know, they think they're doing all this safely, but they're not.

Carole

Trusting Twitter under the wonderful tutelage of its CEO. He who shall not be named on this podcast. Let's not give him the oxygen of publicity.

John

Radio silence more likely than any other response.

Graham

You would think that, wouldn't you? Because, of course, Elon Musk, who shall not be named, Lord Voldemort himself, has fired the entire press team at Twitter. So yeah, you would expect them to be silent. And they were silent for a long time when people were contacting them. But they've just announced and acknowledged that a security incident did occur. They've emailed affected users. But in the meantime, any journalists who've been contacting the press team or have asked more questions about this security breach, which caused these private messages to appear for anybody, have got the automatic response, which has been in place for months now at Twitter's press office. If you email them, they reply back with an emoji, and they send you a poop emoji is their response.

John

It's more than you get when you contact Apple. Yeah, I suppose it's like received, you know.

Graham

Received and here's what we think of it. Yeah, so Twitter is just sending poop.

Carole

Well, it's self-describing itself I think, but anyway.

Graham

So they claim they fixed this bug, but I think a warning to everybody probably is once again, even if a website or a service claims it's going to keep your messages private, just simple screw-ups are going to carry on happening. And there's no detail as to what caused the problem, why it took Twitter close to a month to acknowledge the problem existed, let alone fix it. It's just radio silence on that as well. So not really very impressive.

John

It seems to me that the Twitter algorithm was promoting these supposedly private or restricted tweets to the world at large. That's how they ended up in people's feeds. And then these people replied and chaos ensued. So there was something in the algorithm that was promoting it to people. And the whole thing seems reminiscent of when Facebook had a feature where you could restrict your communication to just friends and whatever, and that's a barrier Facebook keep changing and wanting to push down all the time without really getting people's informed consent over it. So the bigger lesson seems to be if you post stuff on social media you can expect it to leak, frankly.

Graham

Yeah, so the message if you've got something private, don't put it on Twitter. Don't put it on the internet, it'll stop maybe. I think the emoji sums it up.

John

Yeah, maybe it was an internal complaint not meant for the journalist but just explaining their state of feeling, you know, it's an emotional response. Why can't they just plug it into ChatGPT and then it'll generate response and whatever.

Graham

I wonder if anyone's done that yet. Of course they have. John, what's your topic for us this week?

John

What I'd like to talk about today is a very important legal ruling that came down from the US concerning a high-profile cyber attack which dates back to 2017. It was NotPetya, which is a strain of file encrypting ransomware which affected Windows machines across the world. Many, many enterprises were affected by this.

Carole

It's huge, it was huge. So this targeted the update mechanism of a piece of Ukrainian accountancy software that anybody who traded in Ukraine needed to report VAT and so on, so forth, called MeDoc. But because it targeted anybody who had any business in Ukraine, lots of international companies, as well as the Ukrainian government and Ukrainian businesses were affected.

Graham

So in all this probably cost companies billions, didn't it? This ransomware attack in terms of disruption, in terms of ships not sailing, not delivering goods, stuff.

Carole

Not arriving. Yeah, it...

Graham

Questions from journalists not being answered and having to resort to emojis instead.

John

They didn't even have to resort to emojis. Basically, all the computer systems all these companies relied on became non-operational. This wasn't really ransomware. It was designed to destroy systems, to encrypt things and just render them useless. So all these companies were left without any information on how to do their work. Nobody could talk to each other while the people involved on the sys admin site were frantically trying to contain the outbreak and to restore systems. If it happened now, I think people would be in a slightly better position. But this was something that was an almost unprecedented attack in its scale and its speed, so that's why so many companies were caught on the hop. DHL had parcels they couldn't send out. Maersk didn't know what was happening. In the case of Merck, the pharmaceutical giant, it was left with systems that were completely non-operational. So that's the background to the story. What's the news, you ask? Well, the news is...

Graham

Yeah, John, what's the news? What is it? Well, you started off your story by talking about... I very eloquently got straight to the point.

John

Okay. He always does.

Graham

Always do. Always do.

John

Okay. So Merck had an insurance policy which covered it for all risks. So it went to insurers and it had eight insurers at least, and it said to them, "Well, we've suffered this damage, which we can document for you. It affected 40,000 of our computers, shut down our production facilities, left us without any apps. It was terrible. We would like to be compensated, please."

Graham

So they've been caught out by exactly the same thing as each and every one of us is caught out by whenever we try and make an insurance claim and you look at the small print, you find out, actually, we're not going to cover you for this detail. Now, in this particular case, they're saying because it was an act of war, because it was allegedly done by the Russians, therefore it's nothing to do with us. And even though you've been giving us millions to pay for insurance, we're not going to give you a handout. Yeah, it sounds like pretty much part of the course for insurance companies to me. Yeah, it does. They had a comprehensive policy and the insurance companies were trying to use the small print to argue that they weren't liable to pay out.

Carole

And what was the reason? Do you know what the reason was? Did they say, "No, no, no, you can't use this act of war clause"? Is that basically what happened? They decided that the act of war clause didn't apply. And what's happened last week was that the appeal court has upheld the earlier court's decision. So I think what I read, I may be wrong about this, so correct me, John, if you've heard differently. I think I heard it said that for it to be an act of war, there had to be some physical element to it, some sort of physical, violent, kinetic activity, which may well have saved the bacon of Merck in this case for saying, "Well, it wasn't an act of war then." Yeah, it sets a precedent for that. It's surely something insurance...

Graham

I mean, other insurance companies watching this, and indeed whoever Merck next turns to...

Carole

Are sending each other poop emojis right now.

Graham

Because, you know, the insurance companies are going to say, "Well, we're not going to fall for this one. We don't want to do a $1.4 billion..."

Carole

But they already have taken the money, Graham, right? So insurance companies got on the bandwagon about five years ago thinking, I'm sure this and other tiny little clauses would get them out of having to do any mega payouts. I'm sure people are freaking right now in the insurance company because of this precedent being changed.

John

I mean, the risk has changed. And the calculation that they used when these policies were set up no longer applied. What the appeals bench said, and this is the key point of it, is that the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyber attack against an accounting software provider.

Graham

Yeah, I see, yeah. So it wasn't a direct attack. It was an attack via this accounting software for Ukrainian or people doing business in Ukraine. Yeah. So this has quite big implications, not just for the victims of NotPetya or other cyber attacks, but for how the whole insurance market works. Hang on. Hang on. So Lloyds are saying insurance won't cover cyber attacks that occur during wars. Cyber attacks from now onwards. Well, hang on. There are wars happening all the time. Are they

Carole

relating them to wars? Are they saying if this is a direct result of the war, we're not covering it? Or are they just saying, if there's a war going on, no coverage for anybody.

Graham

We're not going to pay out. We're not paying out anymore. Any insurance. It's interesting.

John

It's going to be that the premiums are going to go up if people want the coverage.

Graham

Yeah, that's always the answer, isn't it?

John

Yep. The other implication of this is that insurance companies will be very, very interested in attribution of future cyber attacks.

Graham

Yeah. And we all know how easy that is. Oh, yeah. It never, ever goes wrong. Never, ever. Carole, what have you got for us this week?

Carole

Well, I know you guys love a quiz. Oh, great. I know you do. And I know our listeners love quizzes. So I'm kicking off my story with You Think You Know Eurovision. Okay. You're going to know more about this international contest than you ever thought possible by the end of my story. Are you guys fans of the show? So listeners that don't know Eurovision, it really is. There's people that hate it and there's people that love it. I'm in the love camp.

Graham

I don't normally watch it. I liked it in the old days when it always used to go wrong when people dialed in their votes. So they'd say, okay, Vienna, do you have your votes, please? And you'd get some cleaning lady on the other end. And, you know, it was always just a shambles.

Carole

It still is. You still have live, you know, live from the square and there might be 80 mile winds hitting them in the face.

Graham

Maybe, maybe. It's all a bit too slick. And it goes on for hours and hours and hours now, doesn't it? So I'm not a huge fan these days.

Carole

Three hours. Yeah, well, that's hours and hours for me. John, what about you?

John

I quite like it. I don't regard it as unmissable. What I used to do is, you know, have the show on and then not really be watching the acts, but be on social media laughing at people's observations about the acts.

Graham

A modern viewer. I think now everyone's allowed to sing in whatever language they want, so they can sing in English. I used to enjoy it when they had to sing in their own language. And then I would put the subtitles on for the translation. And the lyrics on some of the songs were hilarious.

Carole

That's not because the lyrics were hilarious. That's because the translation of the lyrics were hilarious.

Graham

Sure. Sure. I used to greatly enjoy that, I must admit. Anyway, on with the quiz.

Carole

Okay. Let's do a little quiz. No cheating. That means no ChatGPT, no Googling, no search engines. And I've made them fairly easy so you could try and make it. So what decade did Eurovision first air? See, not what year, what decade?

Graham

I'm going to go 1950s. I was going to say 1958.

Carole

Okay. Well, I said decade, Graham. And Leyden, you answered first. So, yes, 1950s Lugano, Switzerland, with seven songs. And the contest was one of the earliest attempts to broadcast a live televised event to a large international market.

John

Surely things like the World Cup preceded that for an event broadcast to a large international audience.

Carole

I said one of the earliest attempts. Stop being picky, John. Covered my ass there.

Graham

Whose quiz is this, John?

Carole

I'm sorry I'm putting my place. How many countries are competing this year? No Googling.

Graham

Too many. About 30. Hang on, are you including the semi-finals and things like that and the knockout rounds?

John

Yeah, all the rounds I guess. About 35 probably including Australia for some unfathomable reason.

Carole

Leyden you're very... 38. 37, you're just copying John, Leyden. Because you know he knows more about it than you.

Graham

No, I was closer than you.

Carole

What song did the UK put forward last year in Eurovision 2022?

Graham

Oh, it was that guy with the long hair. I don't know. Sam something, was it? Sam Ryder. Something about Spaceman. Well done. I'm on fire here.

Carole

I didn't know that one at all. And you should know that because we came in second last year, the UK. I mean, the previous year, we got a whopping nul point. So we came second to Ukraine's Kalush Orchestra. The song was called Stefania. It was a mashup of traditional Ukrainian folk music with a modern rap and hip hop twist. Oh, love that. And normally, if you win Eurovision, what honor do you get as a country?

Graham

You get to host the next concert. Correct. Sorry, I'm having to jump in now. John getting all the points.

Carole

We should have a buzzer. You could just honk or something. Now, for obvious reasons, Eurovision will not be held in the Ukraine, the actual winners of last year, because there's a fucking war going on. So the show airing this weekend will be coming live from Liverpool, thanks to the BBC. It's the first Eurovision Song Contest to be held in how many years?

Graham

Well, it was held last year. Since 94, something like that. Yeah, 25 years. So you do the maths. I'm too lazy. Yeah, since Bucks Fizz won, I think.

John

No, Dana International won last time it was in the UK, and it was in Brighton. I only know that because a friend of mine went. There you go. You see. I trust him, man. I'm sure he's right. Listeners, you let us know.

Graham

Well, the irregularities that they detected some people in Greece who weren't voting for Cyprus and some people in Cyprus who weren't voting for Greece, because that would be irregular. It's changed slightly in that there's now a jury that kind of tops up the voting of the nation in question. And there were some irregularities. They didn't go into it and they didn't name any countries, but six countries subsequently lost their voting rights, which were Azerbaijan, Georgia, Montenegro, Poland, Romania, and San Marino.

John

A couple of hours.

Carole

Yes.

Graham

I was going to say three and a half months. All right. Okay. 90 minutes. Well done, John. 90 minutes. That sounds weird phrasing. Yes. Do I mean denial of service attacks, maybe? I can imagine that happening against Ticket Insights.

Carole

The BBC writes, Booking.com confirmed to BBC News that some accommodation partners had been targeted by phishing emails, but denied that it had suffered a security breach. The way it worked, the phishing scams used WhatsApp, probably due to its end-to-end encryption capabilities. And the story goes like this. So a guy books a hotel for the event, then he gets contacted on WhatsApp by someone claiming to be the receptionist, asking initially if he needed parking, and then claiming that there was an issue with his payment. And the guy said, oh, I thought this must be okay, he told BBC News. I got a text message from my bank, and I then had a phone call from them saying that someone was trying to scam me out of money. So he thought it was all okay, and there was the phone call. The bank stopped it happening. So you've got these kind of things. So you've got people who are attending who have to watch out for phishing scams, but are there bigger concerns? And it seems there is because it was brought up in the House of Commons only last week. The golden-locked Conservative MP for Lichfield, Michael Fabricant. Oh, for God's sake. Asked the Commons.

Graham

Listeners, just look him up and you'll know why I'm reacting that.

Carole

Look, I don't think we should comment about his, you know.

Graham

I'm not talking about his hair. I'm talking about his wig. He asked, he said, last year, during the Eurovision Song Contest, Russian agents attempted to interfere with the voting that was made for Ukraine. And he cites this correctly. Italian police thwarted hacker attacks by pro-Russian groups during the semifinal and final of Eurovision Song Contest in Turin 2022. During voting and the performances, the police cybersecurity department blocked several cyber attacks on network infrastructure by the Killnet Hacker Group and its affiliate Legion, the police said. I think Fabricant is almost correct. It's just one syllable you've got slightly wrong. Fabricant says in the Commons, this year, of course, we're hosting Eurovision Song Contest, and he wants to know what is a department doing to ensure that the integrity of the voting will be maintained. And he's not alone in being concerned because soon after experts from the National Cybersecurity Center were called in after the government and Eurovision organizers raised concerns that the competition could be a digital front for the Ukraine war. Or not as the case might be. I think I personally, I'm not gonna be tuning in. I'm not I don't think I'm gonna be about it. Well I just you know it's.

Carole

Just music it's fun it's country. I'll tell you my.

Graham

Favorite story about Eurovision very quickly which is as you know it costs money to put on the competition. So the host nation, I don't even know why the UK is doing this year because we've got this cost of living crisis going on. Couldn't we have combined the Eurovision contest and the King's coronation? We could have made them the same event. I reckon we could have done it. That would have been easy. It's close enough in time. Anyway, back in the eighties, Ireland kept on winning the Eurovision song contest because everyone loves Ireland and they have a lovely brogue and the rest of it. But Ireland couldn't afford to run the competition every year. So they deliberately chose a folk duo singing a rather sappy song. They put it forward as their entry, thinking we don't want to win this year because it'll cost us a fortune. We can't afford it.

John

Wasn't this a plot in Father Ted?

Graham

Yeah, this is probably... My lovely horse.

Carole

Running in the fields. These guys won it and so Ireland had to host for a third year. Right I'm watching it. You know what I'm doing on Saturday? I'm watching it. I'm going to make my DIY voting cards. We're going to have a great old time.

John

Can I just highlight show, Graham? You might find something new.

Carole

No, he's just a grumpy. This week's sponsor, Outpost24, delivers smarter cyber risk management, making it easy to identify security gaps in your attack surface and prioritize the vulnerabilities that matter. With Outpost24, you get the most complete view of your attack surface and threats targeting your organization, helping your security team understand what's real, what's dangerous, and what's important to fix in the environment right now. Application security, vulnerability management, cyber threat intelligence, they've got it all covered. They can even protect your remote workforce and critical data by blocking weak and already compromised passwords. Sign up for a free attack surface assessment from Outpost24. Get insights into exposed domains and web applications, leaked credentials and more. Sign up for your free attack surface assessment at smashingsecurity.com slash Outpost24. That's smashingsecurity.com slash Outpost24. Now there's some big news from our sponsor, Kolide. Kolide, if you are an Okta user, they can get your entire fleet up to 100% compliance. Smashing Security listeners, did you know that Bitwarden is the only open source, cross-platform password manager that can be used at home, on the go, or at work? Bitwarden's password manager securely stores credentials spanning across personal and business worlds. And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials. These are unique and secure passwords for every single account you access. And it's easy to set up. It's easy to use. I honestly love Bitwarden. I use it at home, use it at work, use it on the go. Get started with a free trial of a Teams or Enterprise plan at bitwarden.com forward slash smashing. Or you can even try it for free across devices as an individual user. Check it out at bitwarden.com forward slash smashing, and thanks to Bitwarden for sponsoring the show.

Graham

Welcome back. Can you join us at our favorite part of the show, the part of the show that we like to call pick of the week. Pick of the week, pick of the week, pick of the week is the part of the show where everyone's saying, could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website or an app, whatever they wish. It doesn't have to be security related necessarily. It better not be. Well, my pick of the week this week is not security related. My pick of the week is a podcast. It's actually a collection of podcasts because I support this particular chap on Patreon, which means I get to listen to all of his podcasts, including the episodes he doesn't release to the general public, and I also get early listening to episodes months before they are released to the great unwashed. And the name of this chap is Toby Hadoke. And what does Toby Hadoke talk about? Toby Hadoke's Time Travels is all about Doctor Who.

Carole

Funny I hadn't heard of it.

Graham

And he's a very funny guy. He's a stand-up comedian. He's an actor. He's a writer. And he's also a complete Doctor Who fanatic. And he puts out several podcasts a week, all of which I listen to, which include episode commentaries where people challenge him to find out something which they really liked about a particular episode so he watches it in real time. And he knows an awful lot about every single actor in Doctor Who, including the third Cyberman on the left and other things he may have done in the past. And it's just wonderful, uplifting, positive stuff about Doctor Who. Not like that boring stuff called Eurovision. Well, I think if you are a Doctor Who fan, you should really check out Toby Hadoke and his podcasts. And if, like me, you like him, then just for a few quid every month, you can support him as well and get the real hardcore stuff, the really geeky stuff, which he sometimes puts out as well. Anyway, I love it. I'm sorry, Toby. I love his dog Bernard as well. He also posts up a weekly photograph of his dog Bernard. And that is why it is my pick of the week. John, what's your pick of the week?

John

Okay, I'm going to offer a fairly practical pick of the week. Now, over the last couple of years, I've been involved in home renovations. Fun. Yes. Lots of builders, lots of disruption, lots of things going on. And one of the things that really helped me navigate through this was a site called mybuilder.com. So how that works is it makes it easy to find local trades people and it's free to use for homeowners. And you would post a job, you select the category of the job. It could be anything from plumbing to kitchen fitting to a full renovation. And then trades people in your area will respond to it and you can check out their reviews, their profiles, see if you want them to come around and have a look at the job. And once you meet then you can agree your price. You can get, you know, it's far easier to contact these people this way I found than it would be just to rely on word of mouth or just to go through the yellow pages. I found it a lot easier than trusted trader to work through, for example.

Carole

This is really useful, John, because every one of us has this type of thing. I mean, obviously, this is only good for people in the UK, but I'm sure these kinds of services exist in other countries. And it's, yeah, this is really, I'm bookmarking this. So this is a great recommendation.

John

Yeah, it's really, you know, I've used it for over two years, and for the vast majority of the jobs I put out there, it found people for them. Some jobs, you get swamped with people looking to do them. Others, you know, it's quite difficult to find people.

Graham

Cool. And I'm seeing on the site. So for listeners who are in other parts of the world, they are a member of something called Home Advisor International. So they have a sister site at homeadvisor.com if you're in America and homestars.com if you're in Canada. And here's my favorite in Germany, MyHammer.de.

John

Oh well, that's wonderful. I didn't know that.

Graham

Well, that's a great recommendation. Thank you, John, for MyBuilder.com.

Graham

Carole, what's your pick of the week?

Carole

My pick of the week was going to be the Eurovision Song Contest, but I was able to make it slightly security related, so I'm going to choose something else. And I was thinking, what do I choose? And I decided to choose the Oxfordshire Art Weeks as my pick of the week.

Graham

Sounds awesome.

Carole

Yeah. And if we're really lucky, by the time the show goes live, I am hoping that you will be able to vote on favorite artworks, which I would really love if you would do. It's not that it goes anywhere, but it helps tell me which ones might be more popular than others so I can help me decide which ones are displayed for the exhibition. So that's a little favor, but maybe you might enjoy it too. So there you go. Oxfordshire Art Weeks, my pick of the week. And if you get a chance to come down and see our little corner of the UK, do it. But if you can't make it, go to my website. So it's carole.wtf, C-A-R-O-L-E.wtf. and go vote on some favourites. And thank you.

Graham

Fantastic. Done some terrific paintings up there, I have to say. And you've updated it recently. Around about 150 pictures.

Carole

I think probably about 60 or 70 are new from last time I posted. I just only do it once a year, it seems. I hate this bit. I hate the website updating bit so much.

Graham

Fantastic. Well, I've been to some exhibitions run by Oxfordshire Art Weeks in the past, and they've always been good fun, going around to people's houses and checking out. You were at my house last year. I was indeed. And I look forward to checking out some of your art in the flesh as well, Carole, if I get the opportunity. Wow, sounds sincere. Okay. Well, I try. Carole, you've been speaking to the folks at Outpost 24 this week.

Carole

Yes, I have. I was speaking with John Stock from Outpost 24. Check it out. So listeners, I would like to introduce you to John Stock. He is the director of product management Outpost 24. Thank you so much for coming on Smashing Security. Thanks for having me. You sound like you have a very busy and stressful job because from what I understand you're managing all the feature implementations, the timelines, the testing and everything else for the suite of cybersecurity services that are offered by Outpost 24. Like this includes things like risk-based vulnerability scanning and application security testing and pen testing and red teaming and training certification, managed service. I mean, do you have time for family and hobbies?

John Stock

No. Yeah, I make time. So yeah, wife and two kids keep me very busy. The kids have a social life. I don't. So I'm busy taking them to football and cricket and everything. But no, I keep myself stress-free with Lego and photography. And there's a few very different things there, and none of them involve too much outside stuff. But I'm quite lucky. I live in Devon, so I'm 20 minutes from the beach and have Dartmoor on my doorstep. So I get a lot of outside time and enjoy that.

Carole

Yeah, so for our international listeners, Devon is a beautiful county in the UK. I absolutely love it. But we digress. I want to talk to you about being a director of product management.

John Stock

So it's really funny. I was actually talking to a customer last week. I traveled up to sunny London to go and spend some time with them.

Carole

I mean, just this weekend, I had a neighbor come over wanting to do some scanning and couldn't get her cloud account working. So she was just like, oh, I'll just bring over my USB and slap it in your machine. And I'm like, whoa, no, no, no, no, no. You feel very, I don't know, I felt a bit awkward saying that, but there you go.

John Stock

But it's funny, because those are the little things that make people aware, oh, is that bad? Those of us who've worked in security for years, and then someone says, oh, can I just stick my USB in? And you're like, no, you're not coming anywhere near my laptop with your USB. Just get out of my house.

Carole

So when you're explaining how the whole landscape has kind of shifted under the feet of all these organizations, I'm imagining what comes with that is that they have less insights on how their whole network looks and, you know, because it's so disparate.

John Stock

Yeah. I mean, I used to be a, back in the day at a university, I was a network engineer and I remember the day of printing out an A0 sized network map because it was huge on a big plotter. And now, well, you'd need something massive because your network is no longer those cables and wires and routers and switches in your building. It's everything else outside and probably most of the Internet as well, including parts you didn't really know existed, are probably now part of your, you know, you've got stuff there. Because I know from speaking to our marketing department a lot, things get thrown up and pulled down. You know, there's advertising campaigns and all these things where you go to a third party and they'll spin something up and then that's now yours and it's got your name plastered all over it and you're responsible for it. But guess who's the first person to know? It's that security person who's responsible for it. Exactly, yeah. So those things are, you know, it's got your name, it's your problem. And one of the, it's the whole thing of the asset management used to be the job of an asset manager. And then suddenly everyone's turned around and gone, you're a security person. You need to know where everything is because if it gets hacked, that's your problem. You know, CISOs need to know where everything is. And they can't just say, oh, it's all in our CMDB. It's all in our IPAM because it's not.

Carole

I think, I guess what I'm hearing is that it's basically impossible to have 100% visibility of the entire network and the potential attack surface that comes with it.

John Stock

Absolutely. Yeah, it's, you can get close. So it's possible to get close, but, you know, 100% is going to be impossible. You know, if you just rely on a CMDB, maybe you're like 60%, 70% of the way there. That's quite a good step forward. You know where the laptops that you've bought should be, you know where the devices you've bought should be. But that doesn't take into account, you know, developers, love them to bits, because we couldn't do any of the stuff we do without a good team of developers. However, you know, there's instances where they throw things up in the cloud because they just need to test it. And then, oh, it works. And they're so happy it works, they walk away and forget about it. Or we've had quite a few customers we've been talking to where that's happened way too many times, because things have been thrown up and they've forgotten about it, or they've thrown it up and it hasn't worked. So they've left it there and worked on it, and then they're running vulnerable services because they've just thrown it up to solve a problem without thinking, how is that secure?

Carole

But that seems to me like that's what most people do. There's someone in most companies that does that approach, hopefully not working in security to your point.

John Stock

No, no, hopefully not. But yeah, there's always, you know, we all come across that thing. What's the easiest way to solve this problem, right? And as a product manager, that's the kind of thing that I'm all about solving problems. How can I solve this problem? And sometimes it's really easy. I'll just need to document it. Other times it's like, yeah, let's just throw this up and test it. And you throw something up in a cloud. Now, if you're good, you go to your cloud people and go, hey, I need to do some testing on this. And they're like, okay, we'll provide you an instance. They provide it and you get it for a set amount of time and then they kill it down and you know, it was secure while you were testing it. But yeah, there's nothing stopping me going into my own cloud account, throwing something up and putting it in, having Outpost 24 all over it and forgetting about it and paying the bill every month and it being associated with the organization, which I would point out I would never do because too many people get angry at me.

Carole

So this seems a good time to pivot to Outpost 24's Vulnerability Prediction Technology or VPT. What can you tell me about that?

John Stock

Yeah. So I mean, one of the big challenges you get, so when you're in security, you're scanning your stuff, right? Everybody runs vulnerability scanning. I'm not saying everybody likes it. No one does it by choice. You do it because the auditors have said you've got to do it. There's a regulation that says you've got to do it. Or you need to check that your security, your base level security, is pretty good. But no one does it because they think it's an exciting thing to do. And you find out what your vulnerabilities are. And you get a CVSS score. Now, CVSS scores are great. But they don't have any context really in them. You know, you get a score from zero to ten: zero, ignore it; ten, it's really bad. But that's not really looking at the risk. It's just looking at what's the potential threat of that vulnerability. It doesn't matter if no one's ever going to build an exploit for it. If it's potentially really bad, then it will still have a high score, even though it could be almost impossible to build an exploit for it. And it's probably not worth everybody working at the weekend to try and patch it. So the idea behind VPT is it uses our threat intelligence technology that we have and actually looks at what are the real-world threats of this vulnerability. So rather than just, yeah, there's the CVSS score 10, we must fix it, it's like, okay, let's look: are there any threat actors actually talking about this vulnerability itself? Is it used in any malware? How much is it being discussed on social media? Those kinds of things. Because, yeah, you often find that just the social side of things is quite a good indicator of whether something's going to be big or small.

Carole

And it's like, you know, your VPT kind of gives you just the edge, doesn't it? On the attack surface that you can't basically fully lock down because you're not fully aware of it for whatever reason.

John Stock

And it allows you to focus on what's important. I think that's the key thing, right? If I've got a million vulnerabilities, and to be honest, the size of some organizations, that's not unheard of. You know, it's not a bad thing. You just can't fix everything. But if they've got a million and they're like, oh, we don't know where to start. There's a couple of ways to start. It's okay, what's the stuff that's most likely to be exploited and maybe is exposed, right? So internally, we all talk about the internal threat, and I know it's still high. But if you look externally, there's billions of people externally and maybe hundreds to thousands internally. So, you know, obviously, internet-facing stuff is like the Wild West out there. So that's the priority. And stuff that, you know, likely has that exploit available, yes, that's the stuff you should prioritize. So it's where do you get the most bang for your buck in terms of remediation? Where can you make the most difference without paying six months' worth of overtime in a weekend? And that's all it is. It's trying to bring the focus into your business risk rather than just saying, oh, yes, this formula says that these are all really potentially high risk. So taking away from potential risk to actual risk.

Carole

It's funny. It reminds me of when I got my true corporate business legs was when a co-worker explained to me. I was like, how do you manage like this list of 80,000 things I have to do by tomorrow? What, you know, how do I do it? She goes, you bring it to your boss and you say, you prioritize it and then just go and do it. And I thought, that's so genius. So that's kind of what you guys are doing. You're kind of prioritizing it and giving, you know, giving the people that are responsible for security, the chance to focus on the biggest fish.

John Stock

Yeah. And it's understanding your risk appetite as well. So this is another thing that I've always, I kind of talk to a lot of customers about is what is your risk appetite? And most organizations don't actually know what their risk appetite is because I always say, oh, you'd never catch me doing a bungee jump because my risk appetite is not that high. It's way too dangerous. But actually things I have done like scuba diving and even driving every single day are way more dangerous. If you look at the deaths per million people, they are way more dangerous than a bungee jump. Like driving to work is the most dangerous thing I can do.

Carole

Just try walking. No, there's limits there. That's wonderful. Is there anything you'd like to add?

John Stock

One, understand your risk appetite, how much risk you're willing to accept. And two, when you're remediating vulnerabilities, don't panic. Don't think, oh, I've got a million and I've got to fix and I've got to do them all now. It's what can you fix and get the most value out of? What can you do to impact your business in terms of risk, and reducing that risk as easily as possible?

Carole

Brilliant. Now, listeners, you will be thrilled to learn that Outpost24 is offering a free attack surface assessment. So this will give you insights into things like domain and web applications exposed on the internet, staging applications in clear text form that may be putting you at risk, old and vulnerable components in use, leaked credentials, and you'll even get an attack surface risk rating and recommendations. So you can sign up for your free attack surface assessment at smashingsecurity.com/outpost24. And thank you so much, John Stock, Director of Product Management, for coming on the show and giving us a bit of your time.

John Stock

Thank you for having me. It's really fun.

Graham

Brilliant. Terrific stuff. And that just about wraps up the show for this week. John, I'm sure lots of listeners would like to follow you online, and maybe there are some folks who would like to hire your cybersecurity expertise if they need some content written. What's the best way for folks to do that?

John

You can find me on Mastodon or Twitter or LinkedIn.

Graham

And you can follow us on Twitter at Smash Insecurity, no G, Twitter won't allow us to have a G, and also Smashing Security has a Mastodon account. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify and Overcast.

Carole

And huge, huge shout out to this episode's sponsors, Kolide, Outpost24 and Bitwarden. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship information, guest list and the entire back catalogue of more than 320 episodes, check out smashingsecurity.com.

Graham

Until next time, cheerio bye bye bye adios.

John

Yes. I tell you what, we got through an episode called Number 321 without mentioning Dusty Bin or the...

Graham

No, Ted Rogers, Ted Rogers, wasn't it? Ted Rogers, that's the one. Ted Rogers and Dusty Bin. Oh, we missed a trick there. Definitely. Carole, have you heard of Dusty Bin and 321? No. They're too young, I think. She probably wasn't in the country when that was on. No. It's another ITV thing as well. It's probably on after the wrestling. Oh, I see.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

John Leyden – @jleyden

Episode links:

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Outpost24 – Understand your shadow IT risk with a free attack surface analysis.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
