Smashing Security podcast #326: Right Royal security threats and MOVEit mayhem

Industry veterans, chatting about cybersecurity and online privacy.

Graham Cluley

There are shocking revelations about a US Government data suck-up, historic security breaches at Windsor Castle, and the MOVEit hack causes consternation.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire’s Dave Bittner.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
So Dave, you're American.
DAVE BITTNER
I am.
CAROLE THERIAULT
I am.
DAVE BITTNER
Land of the BattleBots.
Unknown
What are you going to do about this? Are you just going to sit on your arse and just whinge about it on our podcast?

Smashing Security, Episode 326: Right Royal Security Threats and MOVEit Mayhem, with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 326.

My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And this week, Carole, we are joined by podcast royalty, aren't we?
CAROLE THERIAULT
Always. CyberWire's Dave Bittner. Hello. Hi, Dave.
DAVE BITTNER
Hi, nice to be here.
CAROLE THERIAULT
Yes, you're a very busy guy. You do a lot of shows. It's so cool.
GRAHAM CLULEY
We're very lucky. He doesn't do that many.
CAROLE THERIAULT
He does do a lot of shows.
GRAHAM CLULEY
I think he could crank out a few more each day if he really tried harder.
DAVE BITTNER
Sure. Why not?
GRAHAM CLULEY
He's not really tried hard enough. I'm sure his blood pressure could deal with it.
DAVE BITTNER
Yeah. My family doesn't need to see me. It's fine. Sure.
CAROLE THERIAULT
But before we kick off, let's thank this week's wonderful sponsors, Bitwarden, Kolide, and Hunters. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about some right royal security breaches.
CAROLE THERIAULT
And what about you, Dave?
DAVE BITTNER
I have a revelation from the US government about how much data they're vacuuming up about their citizens.
CAROLE THERIAULT
And I like to move it, move it. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now I realize after some, hang on a minute, I forgot something, didn't I?

Chums, chums, I realize, that's better, after some 325-odd episodes of Smashing Security, there are some areas of security that we haven't really touched upon enough.

Things, you know, there's some things where we've perhaps done a little bit too much. I'm thinking teledildonics.
CAROLE THERIAULT
Twitter.
GRAHAM CLULEY
That, yes, Elon Musk, anything related to him, ChatGPT. But there's some things, some things that maybe we haven't looked at enough.

And that is one of the things which I'd like to look at today is physical security.
DAVE BITTNER
Hmm.
GRAHAM CLULEY
Okay.

You can secure your networks, you can secure your gateways, your laptops, but how well are we doing at securing our company's buildings from attack, from preventing people from actually coming through the front door before stealing something from our corporation?

So I thought that'd be interesting to talk about. Now, regular listeners will be aware that I'm a big fan of British institutions, the things which made Great Britain great.

Doctor Who, the hovercraft, the World Wide Web.
CAROLE THERIAULT
Invading loads of countries around the world for centuries.
GRAHAM CLULEY
Yes, yeah, hush, hush, hush. I mean, surely all of those—
DAVE BITTNER
Colonialism.
GRAHAM CLULEY
Surely, surely. Now, now, now. Surely, let's not dwell on those. But yes, there's been a bit of that as well. There's been other good things.

Gravity didn't exist before Isaac Newton invented it when the apple fell on his head. Didn't have that.
DAVE BITTNER
Sure.
GRAHAM CLULEY
We came long. We invented it. Thank goodness for that.
DAVE BITTNER
You know, there's that old joke about why do the British drink warm beer?
GRAHAM CLULEY
Hmm.
DAVE BITTNER
Because Lucas Electronics makes their refrigerators.
CAROLE THERIAULT
Oh, charming.
GRAHAM CLULEY
It's like complaining about our teeth.
DAVE BITTNER
Well, yes, or the reliability of a Jaguar car, right?
GRAHAM CLULEY
Fighting talk. Now, there are lots of wonderful institutions out here. One of them is, of course, the honors system. Which has been in the news lately.

Alexander Boris de Pfeffel Johnson, if you remember him, former Prime Minister.

Dave, if you don't remember him, he's the one who looks like a mayonnaise-covered potato dipped in a bucket of straw.

He's been handing out gongs recently to a bunch of his closest disciples.
CAROLE THERIAULT
Handing out what?
GRAHAM CLULEY
Gongs. Sort of awards, titles, damehoods.
CAROLE THERIAULT
Gongs. I've never heard that expression.
GRAHAM CLULEY
Have you not? No.
DAVE BITTNER
No, me neither.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
Oh, I hope I haven't said the wrong thing. It's definitely not dongs. I'm pretty sure it's gongs.
CAROLE THERIAULT
Yeah.
DAVE BITTNER
I was just thinking of a Chinese gong. And over here we had the Gong Show, but I never heard of gongs being used as some sort of honorific.
GRAHAM CLULEY
Interesting. Listeners, don't email me if I've got that wrong. All right? Just don't. I probably have. But anyway, the current prime minister, he wasn't very happy about it.

And it's been all a bit of a to-do about it all. But if you do become a knight, like the recently anointed Sir Michael Fabricant MP—
CAROLE THERIAULT
Shut up, has he?
GRAHAM CLULEY
He really has.
CAROLE THERIAULT
He got a knighthood?
GRAHAM CLULEY
Yes, from Boris Johnson.

Or Dame Priti Patel, who will be— Anyway, they basically have been awarded these great honours, which means that they'll be able to get tables in restaurants for the rest of their life, because they of course have provided services to what you'd get if you threw Donald Trump, a hay bale, and a thesaurus into a washing machine.

What we call Boris Johnson. And if you get one of those awards, you will get an invitation to go and receive the award at Buckingham Palace or Windsor Castle.

And King Charles will pin on the medal or clonk you on the shoulder with his sword and tell you to arise. Or the gong, right?
CAROLE THERIAULT
The gong.
GRAHAM CLULEY
Yes, yes, he'll put the gong on you. He'll put the gong. Okay.

And I'm talking about Windsor Castle specifically because there have just been declassified by the National Archive a number of papers about a number of things to do with Windsor Castle, including a document which looks at security scares which have happened there over the years.

And I thought, well, that would be quite interesting for us to look at because I believe there's a lot we can learn by looking at things from the past, things which have happened in the past.

You know, history repeats itself, lessons which we can learn from this.
CAROLE THERIAULT
Yeah, a post-mortem, if you will.
GRAHAM CLULEY
So this has been covered in the Metro newspaper.

They got their hands on this dossier let out by the National Archive, and it contains details of security incidents dating back to the late 1960s, which have until now been a closely guarded secret.

So more than 5 decades. These things have been kept hush-hush.

So, what they found was that in the 3 years running up to February 1970, there had been 27 crimes committed on the grounds of Windsor Castle. Security incidents, if you like.

Most of these were petty thefts. So it might have been, for instance, I don't know—
CAROLE THERIAULT
I took 2 croissants at breakfast instead of 1.
DAVE BITTNER
Get a souvenir, like you steal a spoon or something?
GRAHAM CLULEY
Well, don't you think? Everyone probably tries that.
DAVE BITTNER
Yeah.
GRAHAM CLULEY
Don't you think? If you get an invitation to Buckingham Palace—
DAVE BITTNER
Well, come on.
GRAHAM CLULEY
What about the royal toilet paper? Wouldn't you want to pinch some of that roll?
CAROLE THERIAULT
Take a roll? What, take a few sheets in my bag? No.
GRAHAM CLULEY
Take an extra few sheets, right? So when you're using a couple of sheets, I don't know how many you use, you could tear off another couple.
CAROLE THERIAULT
And put them in my pocket.
GRAHAM CLULEY
Put them in your pocket or your purse, and then bring them— Ask the Queen.
CAROLE THERIAULT
Ask the King to sign them.
GRAHAM CLULEY
Well, that may be a bit of a giveaway. I don't know.

But you could— It's probably going to be quite high-quality— I remember flying on an airline once, and I was sort of bumped up into premium economy.

And they gave me these sort of metal salt and pepper shakers, and on the bottom of them it said, "Stolen from Virgin Airlines." Because obviously they were anticipating that everyone would say— Maybe the same thing happens at the palaces as well.

I don't know. So there's lots of petty theft going on.

But in January 1967, there was a small Chinese vase on public display in the Garter Throne Room, which suddenly, poof, went missing.
DAVE BITTNER
Oh, a caper.
GRAHAM CLULEY
And no one knew what happened. Was it stolen? Was it somebody who had got in and maybe hadn't set off the pressure triggers under the carpet?

Maybe they'd bounded from side to side rather than touching the ground.

Or was it a clumsy maid who'd sort of broken it with her feather duster and just thought, "Oh crumbs, I'm gonna lose my job.

I'll just have to wipe them up into my pinny and get rid of the remains elsewhere." No one knows to this day. It's a mystery.
DAVE BITTNER
Diving through a web of lasers.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Thom Cruise. I blame him too.
GRAHAM CLULEY
It could be. It could be. I mean, it is one of the central mysteries of British history.

America has its Dealey Plaza, it has its Texas Book Depository, and the grassy knoll, we have the Chinese vase which just disappeared from the Garter Throne Room.

And then in March 1967, someone, which according to the declassified report, they call it a mental patient, that was the terminology at the time, was found wandering around in the courtyard, having followed an employee through what's called the advance gate.

So they tailgated. And so, you know, we talk about that now, people coming into your building.

Well, it was happening back in the '60s as well, people were doing that in order to get somewhere where they shouldn't be and potentially being a security threat.

And this problem of unauthorised people in the grounds of Windsor Castle, that actually continues to this day, not just in this declassified report, because in April last year, there was a Spanish woman who managed to get into the grounds of Windsor Castle's Royal Lodge where one of our favourite members of the royal family, Prince Andrew, lives.

Very popular, Prince Andrew.
CAROLE THERIAULT
Managed to get into the grounds?
GRAHAM CLULEY
She got into the grounds.
CAROLE THERIAULT
We don't know how?
GRAHAM CLULEY
She got past security. Oh yeah, we do know how.
CAROLE THERIAULT
Oh, you're going to tell us. Okay, okay, okay. Yes.
GRAHAM CLULEY
So, what she did was, this woman, she was in her 40s. The way in which she— That's relevant. Well, it is actually, because of who she claimed to be.
CAROLE THERIAULT
Okay, okay, sorry.
GRAHAM CLULEY
Yeah, so, well, that's right, because what she did was she walked up to the security gate, and there's obviously security teams there, you know, they obviously take the security of the royal family very carefully.
CAROLE THERIAULT
Hiya, I'm here to see Prince Andrew!
GRAHAM CLULEY
That is uncanny.
CAROLE THERIAULT
Is that what happened?
DAVE BITTNER
I know, I'm picturing the guys in the red jackets and with the big bear fur hats.
GRAHAM CLULEY
Yeah, because they protect all royals, right? Oh absolutely. They went, she went up to the security gate and she said, "Hi, I'm here to have dinner with Prince Andrew."
CAROLE THERIAULT
Oh my gosh.
GRAHAM CLULEY
And she was allowed in without showing any ID, no questions asked, no checks made.

They did say, "What's your name?" And she said, "Irene Windsor." I mean, it could have been Irene Saxe-Coburg-Gotha or whatever.
CAROLE THERIAULT
Is that why he dated her? Because the Windsor, it's oh, she's obviously classy.
DAVE BITTNER
Ah, well.
GRAHAM CLULEY
The security guards even paid her cab fare.

So she'd got there by taxi, and she said, "Oh, could you pay my taxi for me?" And obviously, that sort of behavior, they thought, well, only someone who's dating a member of the royal family or someone somehow associated with the royal family would have the cheek to ask the security guards to pay for her taxi.

And so they believed.
CAROLE THERIAULT
And I don't want to piss off Prince Andrew, so I may as well pay it out of my meager salary. Yeah.
GRAHAM CLULEY
And so they paid for the taxi and said, "Go ahead.

Go up the drive and you'll get to the lodge to have your dinner." And she walked around for about 40 minutes before anyone became suspicious and called the real police.

Now, it was claimed that she was allowed in so easily— there was a guy who runs a security— he was at a cybersecurity event, and he actually runs a company which provides protection for celebrities and VIPs.

And he said the reason why this happened is that Prince Andrew is such a pain in the ass.
CAROLE THERIAULT
Of course.
GRAHAM CLULEY
If you've ever worked for him, he's a totally unpleasant character.

And security would've been terrified of asking him, "Is anyone turning up?" Because he would've just bitten their head off.

So again, here's something you can learn at your own company about how to better protect yourself.

If someone just wanders in with all the bravado, whether they're a Spanish woman in their 40s claiming to date the CEO or not, that they have to have their proper ID and authenticate themselves before they gain access.

And finally, from this dossier, another story from the late 1960s. 24 members of the RAF in Windsor, and a woman who they were presumably trying to impress as well.

They decided it would be a real jape to break into Windsor Castle and steal one of the cannons.
DAVE BITTNER
That's practical.
CAROLE THERIAULT
I have been to Windsor Castle before.
GRAHAM CLULEY
Yes.
DAVE BITTNER
Yeah.
CAROLE THERIAULT
Those cannons aren't small.
GRAHAM CLULEY
These are 24 presumably very inebriated members of the RAF crew.
CAROLE THERIAULT
I would— I still—
GRAHAM CLULEY
Their judgments.
CAROLE THERIAULT
Even with 25 of them, including the woman, I imagine they won't be able to lift that.
DAVE BITTNER
Right.
GRAHAM CLULEY
Maybe they had access to one of Britain's great hovercrafts or some other device to assist them. I don't know.
CAROLE THERIAULT
I was gonna say drone.
GRAHAM CLULEY
So my question to you, I'm gonna give you a quick question, right? I just want you to— Put your minds together here. 24 people. How did they gain access?

Did they dig a tunnel, create a human pyramid, or build a giant horse made out of wood and leave it outside the front gate? What was their way of breaking into Windsor Castle?
CAROLE THERIAULT
Is one of them the right answer? Question one.
GRAHAM CLULEY
It is.
DAVE BITTNER
Oh, well, obviously creating a human pyramid, because when you're drunk and you don't— That's the quickest of them. The others would require planning and tools.
CAROLE THERIAULT
Yes, tools, sweat.
DAVE BITTNER
Any group of drunk people can create a human pyramid. You don't even need to plan it. Just walk out, waltz up to the fence, and over you go.
GRAHAM CLULEY
Says the voice of experience. And you're absolutely right, Dave. They created a human pyramid and they managed to get into Windsor Castle.

So even if you've got enormous walls outside of your building or barriers protecting your network, human ingenuity sometimes might be able to get past.
CAROLE THERIAULT
You know, it would have been funnier if you had said a giant badger. Just saying.
DAVE BITTNER
Did they get the cannon?
GRAHAM CLULEY
No, they—
CAROLE THERIAULT
Turns out they couldn't get it over the wall.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
Right.
DAVE BITTNER
Although they've got a cannon, they could have put a hole in the wall.
GRAHAM CLULEY
That's probably the plan. Dave, what have you got for us this week?
DAVE BITTNER
So I have a story. This is widely reported. I'm using the coverage from Wired.

This is an article written by Dell Cameron, and this is about a report that recently came out from the Office of the Director of National Intelligence, the ODNI, which reveals that the federal government is buying all kinds of data about our citizens.

So, no. I know, right? So this is a report that was generated back in January of 2022. It was classified. And Senator Ron Wyden, who's here in the US, is one of the folks who—
GRAHAM CLULEY
He's the bête noire of anyone trying to keep something secret, isn't he? Or tech companies who are scooping up your data. He's always the one.
DAVE BITTNER
He's the one who understands this stuff. And, you know, if we are ever going to get any sort of federal privacy legislation, it will probably come from him.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
So what this report revealed is that there are many, many agencies within the federal government who are buying what they're describing as open source intelligence, which is information that they can buy from third-party providers.

About people's location, about all sorts of personal information about ordinary citizens.

And the problem here is that in order for these agencies to get this information by traditional legal means, they would've had to have gotten a warrant.
CAROLE THERIAULT
What a pain.
DAVE BITTNER
But if they buy it from a third party, no warrant required.
GRAHAM CLULEY
What they do need is a—
CAROLE THERIAULT
Just a bit of wonga.
GRAHAM CLULEY
Well, and a purchase order, presumably, which can be more difficult to get out of your company sometimes than an actual federal warrant.
DAVE BITTNER
That's true. That's true. So obviously this has a lot of folks who are concerned about privacy upset and it calls into question, should they be allowed to do this?

I think it also calls into question, do we need some sort of federal privacy legislation here in the US?
GRAHAM CLULEY
Oh, come, come, come, come.
CAROLE THERIAULT
Yes. Yes.
GRAHAM CLULEY
What outrageous talk is this?
DAVE BITTNER
But where I wanted to go with this was I wanted to ask the two of you, because you all live under the cozy blanket of GDPR and—
CAROLE THERIAULT
But do we though? Do we still?
DAVE BITTNER
Well, that's where I'm going with this. I really want to know do you feel as though that makes a difference?

Is your— do you feel as though your privacy is indeed protected in a way that, say, us Americans is not because you have GDPR?

Do you feel as though you're still being tracked by advertisers? Do you feel as though if people wanted to, they could buy this sort of location information about you?

Where do you stand on that?
CAROLE THERIAULT
But my question is, so I'll answer that in a second, but my question is actually, I'm not sure where the UK stands since it's departed from the EU.
DAVE BITTNER
Mm. Good, good point.
GRAHAM CLULEY
Well, I think for a lot of companies at the moment, because they're having to support EU customers who are under the umbrella of GDPR, it's a lot simpler for them to provide that same kind of layer of protection and the way in which they behave with your data as they would do with any other part of the world, including the sunny uplands of Britain.

Now it is outside of Europe.

But there have been some tech companies who've actually deliberately decided, oh my God, it's real pain having to deal with GDPR and it gives us these disadvantages.

Now Britain has come out of the European Union, we can siphon off that data and process it in a different way from the rest of Europe.

And that does worry me that some may well be doing that in order to take greater advantage of us.

So, do I feel, I don't know, I think, I mean, in some ways this story, who's binging? Who is that? Me.
CAROLE THERIAULT
Okay, I literally just put my phone on do not disturb to make sure I didn't get any messages while we were calling. I thought I forgot to do it.

And as soon as I turned it on, 4 messages from you just came in.
GRAHAM CLULEY
Oh.
CAROLE THERIAULT
Which I have not read. Right, right.
GRAHAM CLULEY
That's probably me messaging you saying, remember to turn your phone off.
DAVE BITTNER
Yeah, exactly.
CAROLE THERIAULT
Nice.
DAVE BITTNER
Nice.
CAROLE THERIAULT
Anywho, as you were saying.
GRAHAM CLULEY
Anyway, anyway, anyway.

So the interesting thing for me about this story about the US, you know, authorities buying up all this data is, does this rather suggest that all those things Snowden complained about, about the US agencies being in bed with these big tech companies and siphoning off this data, maybe we don't have to worry about that anymore because it sounds like maybe the tech companies aren't providing it any longer and find it more difficult.

And so it's now come down to commerce. Maybe the tech companies have realized, oh, we've got a value on this.

We can actually sell this to the US authorities instead of them actually being plugged into our servers.
DAVE BITTNER
Hmm. What do you think, Carole?
CAROLE THERIAULT
I am a huge fan of GDPR. I don't think it's implemented beautifully at the moment. It is super annoying to have the websites come up.

I don't know, you may not have this, Dave, but for us, every time you go to any website, you are presented with a form saying, do you consent to all our cookies?

Or do you want to go and review? And they're all implemented differently, which drives me nuts.

Why wouldn't there be a standardized way of saying, this is what you need to show people? Yes, no, decline, you know? So I find that very frustrating.

And I'm one of those idiots that go through every single time I go to a website, I go and reject what I can.
GRAHAM CLULEY
Do you know that there are now browser add-ons which will automatically answer those forms for you.
CAROLE THERIAULT
My God.
GRAHAM CLULEY
So just spring up for a split second and then disappear. How well they behave on it, I don't know.
CAROLE THERIAULT
I would love that. Can you send me a link?
GRAHAM CLULEY
I'll send a link.
CAROLE THERIAULT
That could have been your pick of the week. I would have said that was the best pick of the week on the planet. Okay, I want one of those definitely for someone like me.
GRAHAM CLULEY
I'm not saying they're great. They may have problems.
CAROLE THERIAULT
And who knows what they're collecting, but yeah.
DAVE BITTNER
Right.
GRAHAM CLULEY
But I'll put a link in the show notes.
DAVE BITTNER
You can give away your rights in an automated way now.
GRAHAM CLULEY
Exactly, exactly.
CAROLE THERIAULT
But I do think that someone has to hold the giants to account. And it takes something as big as GDPR to do it. Now, is it perfect? Fuck no.

But it's better than what we had, which was nada.
DAVE BITTNER
Yeah, I mean, we've got the Fourth Amendment, which protects us from unreasonable searches and seizures. And it's something we take very seriously. And this is an end around that.

And to me, it reflects that the pace at which government functions is much slower than tech. That's not news to anybody.

But should government organizations be allowed to do this end around to gather this information?

Now, on the other hand, in a way, we've all opted into this through EULAs, but— and I'll put that in air quotes because we haven't really— and that's where the regulatory regime can come in and sort of save us from ourselves.

If it were to say you can't gather this information, then the information wouldn't be there for the government to collect. To me, that's the solution here.
GRAHAM CLULEY
So, Dave, you're American.
DAVE BITTNER
I am. Land of the BattleBots.
GRAHAM CLULEY
What are you going to do about this? Are you just going to sit on your ass and just whinge about it on our podcast? Are you going to go up on the streets?

Are you going to get a placard written? Are you going to storm any buildings? What are you going to do about this?

Because we're always moaning about things, but are we going to change anything? Are we going to write to our congressman or something or whatever it is you do over there?
DAVE BITTNER
Yeah, I'm busy.
CAROLE THERIAULT
Yeah, I got a lot of podcasts to record, Graham.
DAVE BITTNER
I'm busy. I got stuff to do.
GRAHAM CLULEY
Carole, what have you got for us this week?
CAROLE THERIAULT
I like to move it, move it. So we're talking about MOVEit. It's a service from a company called Progress, or formerly known as Ipswitch.

And according to its very own website, MOVEit, quote, is the leading secure managed file transfer software used by thousands of organizations around the world.

To provide complete visibility and control over file transfer activities.

It goes on to say it enables your organization to meet compliance standards, easily ensure the reliability of core business processes, and most importantly, secure the transfer of sensitive data between partners, customers, users, and systems.

Right. And plus, they have a ton of badges on their homepage.
DAVE BITTNER
There you go. Sold.
CAROLE THERIAULT
I don't actually recognize who is the giver of these badges because it's only got a logo that I was unable to do an image reverse search to find out.

But it's the leader, best usability, best relationship, best ROI, most implementable, top 50. So it sounds impressive.

You know, if you were going to look at them as a potential customer because somehow you didn't want to use HTTPS, you know, you would meet compliance requirements.

Governments, your businesses won't fall prey to nasty scammers, which is great because then you can share all your more sensitive information with others without a worry that it might get into the wrong hands.
DAVE BITTNER
Sure.
CAROLE THERIAULT
So it's a hallelujah moment for, I'm sure, many companies.

And maybe this is why award-winning, quote unquote, payroll firm Zelis was so impressed by the product and the awards and the wording, decided to implement MOVEit as part of its business.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Now, however, under these awards and promises of great security, there was unfortunately a zero-day vulnerability in the MOVEit code, an undiscovered vulnerability that allowed a notorious hacking group known as Clop to infiltrate its system and hoover up data.

And this is where our hallelujah moment becomes an oh poopy moment, I think.
GRAHAM CLULEY
I think it was Clop, not Plop.
CAROLE THERIAULT
See, that would have been good. You see, I wasn't on my game today. So it seems as if the zero-day vulnerability was initially noticed by Mandiant.

This is the threat intelligence people now part of Microsoft.

And they reported that they saw behaviors that seemed very in line with extortion attacks, like in other words, ransomware, but there didn't seem to be a demand for cash.

Or at least right away, but it did come a week later on the 6th of June, says Mandiant.

The Russian-linked threat actors, Clop, or Clap if you'd like to call them that, published a statement claiming responsibility for this activity and threatened to post stolen data if victims didn't pay the extortion fee or the ransomware.

Yeah, yeah. But what's unusual about this is that they didn't just go after Progress, the makers of MOVEit, right?

So when you have a ransomware, you often will hit the, you know, the people that you've attacked. You'll say, hey, give me money and I'll get your files back or whatever.

But they also went after MOVEit customers, customers like Zelis.

And Zelis too issued a statement because they said, we can confirm that a small number of our customers have been impacted by this global issue.

And we are actively working to support them.

And it says, you know, it makes very clear that all Zelis-owned software was unaffected and there's no associated incidents or compromises to any other part of our IT estate because they're in a bit of a panic, right?
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And hear that, a small number of customers. That's what caught my eye.
DAVE BITTNER
Well, that's what they always say. That's phase one.
CAROLE THERIAULT
A small number of customers.
GRAHAM CLULEY
Yes. Yeah.
CAROLE THERIAULT
So let me—
GRAHAM CLULEY
We won't give you a percentage. We're just— it's a very small, small number.

It's only got— it's a percentage, but it's only probably got two digits in it, a very small number of digits in the percentage.
DAVE BITTNER
Your security is important to us.
CAROLE THERIAULT
Exactly. So I thought I'd name a few customers and you could tell me if you even heard of them.
GRAHAM CLULEY
Oh, okay.
CAROLE THERIAULT
Because, you know, tiny small number of customers. Yeah, a ton. Okay, so British Airways.
DAVE BITTNER
Okay, rings a bell.
GRAHAM CLULEY
Never heard them. Never heard of them, no.
CAROLE THERIAULT
BBC.
GRAHAM CLULEY
Vaguely, vaguely.
DAVE BITTNER
Yeah.
GRAHAM CLULEY
Boots?
CAROLE THERIAULT
Jaguar? HSE? Iceland? Not the country, but the department. Do you remember, Graham? Graham and I once were having a conversation and he was telling me about this, what, this pop star.

I can't remember her name. What was her name?
GRAHAM CLULEY
Kerry Katona.
CAROLE THERIAULT
She was hired as the representative of Iceland.
GRAHAM CLULEY
Yeah, that's right. Yeah.
CAROLE THERIAULT
And Graham was talking about this and I was like, why would the country Iceland have her? And we went on for about 10 minutes and I just go, I don't understand.

And then we realized we were talking about the supermarket, not the country. Oh, okay.
DAVE BITTNER
I'm not familiar with that supermarket. Interesting.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Basically a lot of frozen stuff.
GRAHAM CLULEY
Lucky you. Lucky you. Yeah. It's not great.
CAROLE THERIAULT
Hey, hey, it is great. You watch your tongue. You haven't been there in a while. I'm a fan.

So other companies include Dyson, Range Rover, Transport for London, and, you know, of course, the pièce de résistance, Ofcom itself.

But it's way bigger than this because from my research, I believe all the companies I've listed were Zelis users, right? Using the payroll for the company.

So Zelis provides this payroll system, but what about all the other MOVEit customers?
DAVE BITTNER
Yeah.
CAROLE THERIAULT
I mean, it's crazy.

So the US Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday regarding Clop's campaign to exploit the MOVEit service, warning the gang had historically compromised more than 3,000 US-based organizations and 8,000 global organizations.

So these guys are well known and seems fairly successful in terms of stealing cash from people.
DAVE BITTNER
Yeah.
CAROLE THERIAULT
So just to recap, the MOVEit software has a vulnerability. Companies that directly use the MOVEit service were obviously impacted. I get that.

But of course, so were their own customers. So customers like the ones we've just listed.

So you have all these pretty, in some cases, massive companies who they themselves don't use MOVEit software from Progress, having to deal with the fallout, informing customers, issuing statements, taking the heat from journalists and people like us who want all the details.

So it's a really interesting supply chain nightmare, isn't it?
GRAHAM CLULEY
Oh, it absolutely is. And it's so bad, of course, for the image of the companies whose data has been affected.

So the British Airways, the Boots, the BBCs of this world who've been impacted by this, because of course the headline simply says data leak involving BBC, say, payroll data.

But the BBC, it's not like they ran any vulnerable software. They simply were using a supplier who themselves were using some third-party software which had the bug in it.

I just feel sorry for everybody. I feel sorry for everybody. Yeah, because ultimately it's Clop who are the big poo-poo heads, to use your terminology. They're the plops.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Yeah.
DAVE BITTNER
Well, and it points to this movement we've seen here with our federal government for SBOMs, which are software bills of materials, to have it listed, all of those third-party dependencies.

So at least, you know, going in, this is who we use for this, this is who we use for that, so that you can have your due diligence done ahead of time.
GRAHAM CLULEY
These are S-bombs, not F-bombs. Is that right? Right. Okay.
DAVE BITTNER
Correct. Correct. No, F-bombs are what Carole drops when she's had a few too many. S-bombs are software bills of materials.
CAROLE THERIAULT
Carole?
DAVE BITTNER
Carole. Sorry. I am so careful about pronouncing your name right. And the one time I screw it up, you call me on it.
CAROLE THERIAULT
It's only because we're recording it.
DAVE BITTNER
And you know, my sister is named Carole, so this is not easy for me.

I will also add that Progress Software, the folks who make MOVEit, they, we covered this yesterday on the influential CyberWire podcast, that they have disclosed a new, a second bug.
CAROLE THERIAULT
Yes, I was just gonna get to that. Exactly.

Yes, I think from what I'm reading, and of course, this is huge, there's loads of writing on this, but they seem to have gotten a lot of cyber experts to help them.

This is Progress, right? So to try and help them handle the situation.

Looking at the websites of Progress and Zellis and others, they seem to be having advisories right on the homepage, lots of information about the CVEs that are available.

All that seems pretty good to me. And yes, there you go. Another niggle pops up. Another issue is spotted in the MOVEit software.

So companies had to issue another advisory, another patch. It's a bit of a nightmare, but I'll tell you the thing that bugs me the most, right?

So you've got this company that's affected and they're like, oh shit, wherever you are in the chain, you're affected.

And what the Clop people are saying is, look, pay us or we're going to actually post this information to give it to everybody. So it's out there.

So your private info is now no longer private. In terms of Zellis, where it's payroll, you're an employee making what, $15,000, $20,000, $40,000 a year, you know, doing your job.

You know, if you're working at the airport, you're maybe working in baggage handling. You're maybe just saying hi. Oh, you want to move to first class? You're doing all that.

And what now? Your data is gone. And what's BA, if it were BA, what is their responsibility towards that? You know, how are individuals protected from it?

And as far as I'm concerned, they're not. Because we say don't pay, right? That's our advice as well. We say don't pay the ransom.
GRAHAM CLULEY
Whose advice?
CAROLE THERIAULT
You know, not good advice. I would say my advice.

I think we've talked about this many times in the show, and I think lots of people say don't pay the ransoms because if you pay the ransoms, you're just encouraging the whole model.
GRAHAM CLULEY
Yeah, but you know, I'm sort of a bit agnostic on that. I'm not sure. I think there's many occasions when you should pay the ransom, which may be—
CAROLE THERIAULT
When's that?
GRAHAM CLULEY
Well, when it's the case that you're going to bloody well lose your business if you don't. Pay the ransom or people are going to lose their jobs.

I think it's very easy for people just to say you should never ever pay ransoms. It's like, oh, hang on, people could lose their livelihoods or people's debt.

I mean, you know, I think maybe this is just a bit— and if you've got cyber insurance as well, which is going to cover you, perhaps if you're lucky enough that insurance does cover you, then I'd like to see as a cyber insurance company that's going to say that in the small print today.

I've never had an insurance company pay me for anything, to be honest. I mean, you know, I've never succeeded.

So, you know, but if you were that one person who managed to get your insurance company to pay up, then maybe that would be great.
CAROLE THERIAULT
Yeah. So Clop ransomware gang says it's going to start releasing data of companies who haven't contacted it by tomorrow. This is the day of recording.

So the June 14th, and originally apparently it was supposed to be June 12th, but that was a national holiday in Russia. So, you know, yeah, exactly.
GRAHAM CLULEY
They need to take off.
CAROLE THERIAULT
But what — did you see their webpage? So they have — they've posted up their steps on the webpage of what victims have to do. It's amazing, isn't it? There's 7 steps.

So step 1, if you have MOVEit software, continue to step 2, else leave. Email our team, unlock, and gives the address, right?

And our team will email you with dedicated chat URL over Tor. Secure. So we don't want to be — we don't want anyone listening to this. That's how we're going to be secure.

And if we don't hear from you until June 14th, we'll post your name on this page. So it keeps going on and on. You can look at it on the show notes.
GRAHAM CLULEY
Let's not forget that the Clop ransomware gang, this is a major initiative for them because they've got data from so many companies.

This is going to be a big job for them to deal with.

And maybe they'll be hiring people on Fiverr and the like, maybe people who've been made redundant from companies who've previously had ransomware attacks and made them unemployed, maybe the ransomware gangs will actually begin to employ people to handle future ransomware.

I'm just mad today. I think it's the heat in this room, Carole.
DAVE BITTNER
So let me ask you this. If you're one of the companies who has fallen victim to this, if you're British Airways or you're Jaguar or all those —
CAROLE THERIAULT
Indirectly fallen victim. Yeah.
DAVE BITTNER
Right. Because of a third-party provider. Is the proper attitude these days in terms of your security posture to assume breach in terms of your risk equation?

Is it proper to assume that your third-party vendors are likely to be popped?
GRAHAM CLULEY
I think so.

And I think when you're writing contracts with these people, you need to double-check their security and make sure that the same standards you have in place at your organization are also in place at their organization as well.

I think many providers now are being asked to make those sort of commitments.
CAROLE THERIAULT
In terms of Zellis, for example. So it's a payroll company, right? Loads of people want payroll companies or payroll software.

And, you know, I've heard of Zellis before today — it's a well-known payroll company. And so loads of people will be using that and then suddenly just going, oh, shit.

But again, Zellis is a victim as well. It wasn't in their code, right?
GRAHAM CLULEY
No.
CAROLE THERIAULT
So it's a bit of a nightmare all around.

And the funny thing is, the Clop gang should have been a thing of the past because in 2021, the hackers were arrested, the alleged Clop hackers were arrested in Ukraine in a joint operation between Ukraine, the US, and South Korea.

And at the time, authorities claimed to have taken down the group, which they said was responsible for extorting $500 million from victims around the world.

But as Joe Tidy wrote for the BBC, it has continued to be a persistent threat.
GRAHAM CLULEY
There's always another clop floating around which you just can't flush away.
CAROLE THERIAULT
So there you go. Well, the advice, guys, the advice is not complicated. If you use MOVEit, apply the up-to-date patches pronto.

There was one, I can't remember who wrote it, but they were going, we encourage our customers to install the, you know, and I'm going, don't encourage — don't put that on the 15th paragraph going, we would like to encourage our customers.

Don't do that. Just say install the fucking thing.

So yeah, so MOVEit Cloud customers and MOVEit Transfer customers, I think Cloud had been patched, but you want to review your audit logs for signs of unexpected or unusual file downloads.
DAVE BITTNER
Yeah. I wonder how many people are moving it to other companies.
CAROLE THERIAULT
Exactly. Exactly. It's kind of a bit of a nightmare. And I think I couldn't find a list of all the companies.

I would have loved that, you know, as they're saying, you know, here are all the companies that are affected.

Of course, they don't want to do that because they're getting everyone else in the shit, I guess. But you kind of want to know who is everyone. Give me the list of all the companies.
GRAHAM CLULEY
Also, their commercial rival is going to contact all of their customers and say you're currently a customer of theirs.
CAROLE THERIAULT
I didn't think about that. It's a pickle. It's a sticky pickle. Yeah.
GRAHAM CLULEY
There's nothing worse than relying on a legacy SIEM that your security team has outgrown, especially when it impacts your ability to detect real incidents.

Well, Hunters is a security operations center, or SOC, platform built to empower your security team to reduce risk, complexity, and costs.

With Hunters, you can ingest and normalize as much data as you have at a predictable cost.

You can automatically cross-correlate data logs from your entire security and IT stack to connect and track events throughout your organization, and you can leverage out-of-the-box and always up-to-date detections that cover 80% of security use cases.

Using Hunters, a CISO at a leading online retailer tripled the amount of data ingested by her security team while cutting costs from a legacy SIEM provider by 75%.

Visit hunters.security to learn how your organization can move beyond SIEM with Hunters. That's hunters.security, and thanks to them for sponsoring the show.
CAROLE THERIAULT
Smashing Security listeners, did you know that Bitwarden is the only open-source, cross-platform password manager that can be used at home, on the go, or at work?

Bitwarden's password manager securely stores credentials spanning across personal and business worlds.

And every Bitwarden account begins with the creation of a personal vault, which allows you to store all your personal credentials.

These are unique and secure passwords for every single account you access. And it's easy to set up. Easy to use. I honestly love Bitwarden.

I use it at home, use it at work, use it on the go.

Get started with a free trial of a Teams or Enterprise plan at bitwarden.com/smashing, or you can even try it for free across devices as an individual user.

Check it out at bitwarden.com/smashing. And thanks to Bitwarden for sponsoring the show.
GRAHAM CLULEY
Now there's some big news from our sponsor Kolide. If you are an Okta user, they can get your entire fleet up to 100% compliant. How do they do that? You're asking yourself.

Well, if a device isn't compliant, the user can't log into your cloud apps until they fix the problem. It's that simple.

Kolide patches one of the major holes in zero trust architecture, which is device compliance.

Without Kolide, IT struggles to solve basic problems like keeping everyone's OS and browser up to date.

Unsecured devices are logging into your company's apps because there's nothing there to stop them.

Kolide is the only device trust solution that enforces compliance as part of authentication, and it's built to work seamlessly with Okta.

The moment Kolide detects a problem, it alerts the user and gives them instructions on how to fix it. If they don't fix the problem within a set time, they are blocked.

Kolide means fewer support tickets, less frustration, and most importantly, 100% fleet compliance. Visit kolide.com/smashing to learn more or to book a demo.

That's k-o-l-i-d-e dot com slash smashing.

And welcome back and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
DAVE BITTNER
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
DAVE BITTNER
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security related. I would like to cast you back in time again, 4 years ago in episode 126, 200 episodes of Smashing Security.
CAROLE THERIAULT
Oh, I remember it well.
GRAHAM CLULEY
Yes, we spoke about zombie chickens with Mark Stockley in that episode. Yes.

Now, my pick of the week that week was a movie I'd been to see, which I thought was absolutely bloody brilliant, called Spider-Man: Into the Spider-Verse.

And what I can tell you is now, 4 years later, there's a sequel, and it's equally brilliant.
DAVE BITTNER
Yeah.
GRAHAM CLULEY
It is incredible. I'm not into superhero movies. I find them really, really boring.
CAROLE THERIAULT
Do you watch them and go, I could do that?
GRAHAM CLULEY
I could do that. No, I just fall asleep. I just fall asleep. If I ever see another washing machine fighting another washing machine in some Transformers flick, for goodness' sake.

But Spider-Man: Into the Spider-Verse is a Spider-Man movie which is completely animated, and it is beautiful all the way through it.

You think, well, if I were to pause this movie, every single frame, you just think that is an absolute work of art. A whole variety of— have you never seen one of these? No.
CAROLE THERIAULT
Okay.
DAVE BITTNER
I saw it over the weekend, and Graham is spot on. Every frame in this film is a painting.
GRAHAM CLULEY
Yeah. Wow! It's absolutely— if you are into art, Carole, I heard a little dicky bird told me that you might be. I would recommend it, but ideally go and see the first one.

So the first one's called Into the Spider-Verse. The one that's just come out is called Across the Spider-Verse.
CAROLE THERIAULT
Is that streamable? Because I'm on holiday in a remote location at the moment.
DAVE BITTNER
The first one is.
GRAHAM CLULEY
Into the Spider-Verse will definitely be streamable. You may not have to pay for it either if you subscribe to a streaming service, and it's fantastic.

And I'm not a Spider-Man fan, but I would imagine that if I were a Spider-Man fan, there must be so many in-jokes and so many little references which are just zooming past me.

But it doesn't matter, I still absolutely love it. And Carole, if you need any further endorsement, you can check out what Mark Kermode said about this movie as well.
CAROLE THERIAULT
Oh, I do like him.
GRAHAM CLULEY
Completely raved about it. I know you're a fan of his. But so yes, I am.
CAROLE THERIAULT
Tell me, Dave, what did you think? Did you like the film as well, as a plot and as a movie?
GRAHAM CLULEY
Yes.
DAVE BITTNER
No, I am. Yes, absolutely. Yeah. It may be better than the original, and I think the original was one of the best movies I've ever seen.
CAROLE THERIAULT
I've been living under a rock.
DAVE BITTNER
You just don't see it coming, this animated Spider-Man movie. But it is just an artistic achievement. It is brilliant and it is bold.

Both in the storytelling, but just the style of the art is unlike anything you've seen before. And they swung for the fences, and they hit the ball out of the park.

It is just amazing what they've been able to do here.
GRAHAM CLULEY
I wasn't expecting this sequel to be as good as the original, but it really is. And as Dave says, possibly even better, actually.

And there is going to be a third part coming out next March. And— I can't remember if it's Mark Kermode or someone else, but I certainly sort of believe in this.

There are people who are saying this could be the greatest trilogy of movies there's ever been. What?
CAROLE THERIAULT
This is insane, guys. Okay.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
I'll check it out. I will check it out. I'll check it out.
GRAHAM CLULEY
So my pick of the week is Spider-Man: Across the Spider-Verse.

But if you don't want to go to the cinema, check out your streaming services and maybe you can see the original Spider-Man: Into the Spider-Verse.

First of all, because they both are amazing movies.
DAVE BITTNER
Yes, and I will add that if you can see this in the cinema on a big screen, do so.

That's what I did over the weekend, and it is a film that deserves to be seen on as big a screen as you can see it on.

Yeah, it just washes over you, and it really is something to see.
CAROLE THERIAULT
So I'll take the big hairy man out for a date in the movie theater when I'm back in civilization.
DAVE BITTNER
There you go. Give him a nice bucket full of popcorn.
GRAHAM CLULEY
People might think he's a spider, Carole. That's the only danger.
DAVE BITTNER
Maybe a hedgehog.
GRAHAM CLULEY
Dave, what's your pick of the week?
DAVE BITTNER
So my pick of the week is related to one of my favorite things in the world, which are the Muppets.

Longtime Muppet fan from my early days watching Sesame Street, and then of course The Muppet Show and The Muppet Movies.

Well, the Muppets are back, and the Muppets are owned by Disney these days, and Disney has put out a 10-episode series called The Muppets Mayhem. And this is the story of Dr.

Teeth and the Electric Mayhem, which is one of the all-time great band names ever.

And the story is that long ago when the Electric Mayhem were formed, they were given a recording contract, but they never got around to making an album.

And now it's been 35, 40 years, and someone calls them on it and says, "We gave you several hundred thousand dollars a few decades ago, and we want our album." And so this is all about the Electric Mayhem coming together to try to make their album.

And it is really funny. It captures the spirit of the Muppets that I would say has been missing for a long time.

The original spirit of The Muppets, where it was funny but also heartfelt.

And you felt as though these characters were grounded in reality and that they genuinely care for each other. And this has all of that. It's well-written.

It feels authentic Muppet content. There are a ton of hilarious cameos, as Muppets tend to have. Again, it's 10 episodes. It's on Disney+. The Muppets Mayhem. Highly recommended.

And that is my pick of the week.
CAROLE THERIAULT
God, it's going on my list as well. Because I loved The Muppets as a kid. I was— there was— that was the show that I would not miss.

It was, I think it was Saturday at 7 or something. It played and—
DAVE BITTNER
It was when The Muppet Show was on, it was the most popular show in the world.
CAROLE THERIAULT
Really? I loved it.
GRAHAM CLULEY
You know who are my favorites, but they don't show up in The Muppets movies? Bert and Ernie.
CAROLE THERIAULT
They're your favorites?
GRAHAM CLULEY
They only seem to be—
DAVE BITTNER
No, those are Sesame Street Muppets.
GRAHAM CLULEY
I love Bert and Ernie.
DAVE BITTNER
Yeah, sure. They're hilarious. They're great.
GRAHAM CLULEY
Yeah, they're Laurel and Hardy.
DAVE BITTNER
They are.
CAROLE THERIAULT
Little gay couple living together.
GRAHAM CLULEY
That's what I. Yeah. Why not?
DAVE BITTNER
Yeah. Yeah, they're wonderful.
GRAHAM CLULEY
No strings. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, my pick of the week is the mic that I am talking on now. I am away from my studio. I am in a very handmade area to try and do this recording with the best sound.

So if you think the sound is, hey, that's not bad, Carole, I'm using the Rode NT-USB Mini. And Graham, I think you've got one of these as well, don't you? I didn't know that you did.

But after I bought it, I told you, you're, oh yeah, I got one myself.
GRAHAM CLULEY
Yeah, I have one for when I'm travelling, if I need to do a podcast or something, rather than my normal. Oh, well, they are. You do too?
CAROLE THERIAULT
See the trifecta.
GRAHAM CLULEY
The ultimate endorsement. Dave's got one.
CAROLE THERIAULT
There you go. So people, for us, I think it cost me £80 or £90, so about $100. Dave, would that be about right?
DAVE BITTNER
Yeah, yeah.
CAROLE THERIAULT
It is so clever and simple and great. And my favorite bit of it is the whole magnetic base component of it.

So it can just slot into its base, but there's a little tiny magnet that holds it together. But when you want to put it in your bag, you can take it right off.

No unscrewing, none of that crap. Plus you can put it on a Rode arm or any other arm, right? It's simple. I mean, there's not much to talk about other than it's really small.

It's solid. It's cleverly designed. And I think it's just a beautiful piece of machinery. And if the sound's good, listeners. Yeah.
DAVE BITTNER
And for travel, it's lightweight. Yeah. It's got good sound, it travels well. And it's cheap enough that if for some reason you were to lose it, it wouldn't be the end of the world.
CAROLE THERIAULT
Yeah. And I've been recording here as we've done this recording, I've heard myself pop a bit, which is something because I don't have my pop filter with me.

It does say it has a built-in one, but I have heard myself pop a little. So you do have to be a little bit careful or be an editing queen like me.
DAVE BITTNER
Yeah.
CAROLE THERIAULT
But honestly, I think it's a really good piece of kit for the price. I recommend it. And I love that it fits in a bag simply, easy, tiny, doesn't take up any space.
GRAHAM CLULEY
It's solid, isn't it? You don't think it's going to fall apart?
CAROLE THERIAULT
Yeah, yeah. Anyway, so my pick of the week this week is the Rode NT-USB Mini. It's got my vote.
GRAHAM CLULEY
Fantastic. Well, that just about wraps up the show for this week. Dave, I'm sure lots of our listeners would love to follow you online and find out what you're up to.

What's the best way for folks to do that?
DAVE BITTNER
They can go to our website. It is n2k.com. That's the letter N, the number 2, the letter K, dot com.
CAROLE THERIAULT
Hmm.
GRAHAM CLULEY
Oh, nice short domain name there. And you can follow us on Twitter @smashingsecurity, no G, Twitter doesn't allow us to have a G. And you can also look for us up on Mastodon.

And also don't forget to ensure that you never miss another episode. Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Overcast.
CAROLE THERIAULT
And huge, huge, huge thank you to this episode's sponsor, Kolide, Cyber Hunters, and Bitwarden. And of course, to our wonderful Patreon community.

It's thanks to them all this show is free.

For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 325 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio. Bye-bye.
DAVE BITTNER
Bye. Bye-bye.
CAROLE THERIAULT
There you go. It's a wrap. Very nice.
GRAHAM CLULEY
Thank you, Dave. Thanks for joining us. Appreciate it.
DAVE BITTNER
Of course.
CAROLE THERIAULT
Yeah.
DAVE BITTNER
Safe travels, Carole. Corral. Corral. Corral.
GRAHAM CLULEY
Corral.
CAROLE THERIAULT
Corral.
GRAHAM CLULEY
Thanks, Dove.
CAROLE THERIAULT
You can call me Crawley tonight.
GRAHAM CLULEY
Can I call you Crawley?
CAROLE THERIAULT
Yeah, of course you can. But that's my nickname. I used to be a swimmer, you know, front crawl. Crawley.
GRAHAM CLULEY
Oh, I always imagined it was because of creepy. I thought creepy Crawley. I didn't think of front crawl.
DAVE BITTNER
You know, my name in Australian is D-I-V-E.
GRAHAM CLULEY
Dive.
DAVE BITTNER
Dive. Say it. Dive. Right.
GRAHAM CLULEY
Dive. Dive.
DAVE BITTNER
That's my name in Australian. Dive. Good day, Dive.
CAROLE THERIAULT
I'm calling you that from now on.

Hosts: Graham Cluley, Carole Theriault

Guest: Dave Bittner

Sponsored by:

  • Bitwarden – Password security you can trust. Bitwarden is an open source password manager trusted by millions of individuals, teams, and organizations worldwide for secure password storage and sharing.
  • Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Zero Trust for Okta. Watch a demo today!
  • Hunters – A SOC platform, built to empower your security team to reduce risk, complexity and costs.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
