
Heavens above! Scammers are exploiting online funerals, and LockBit – the “Walmart of Ransomware” – is dismantled in style by cyber cops.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Plus! Don’t miss our featured interview with Keiron Holyome about how BlackBerry is using predictive AI to stay one step ahead against threats.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Did it involve a steamroller? No! Oh my god! An accident with a trouser press? Is that how you think I should die? I should get squished! I don't know. Squished! Could be a grand piano falling out of the first floor window. There's all sorts of possibilities. I could die in my sleep really peacefully and fine. Can't really see you going that way. Wow!
Hello, hello and welcome to Smashing Security episode 360. My name is Graham Cluley. And I'm Carole Theriault. 360. Actually, you know what? I've got it mixed up because it's 180 that they say on the darts, isn't it? And this is 360. So it's not quite as exciting as I imagined.
I don't know. It's a whole circle, right?
It's how many minutes there are in a something or other.
Exactly. Six hours. Yeah. Before we kick off, though, let's thank this week's wonderful sponsors, Kolide, BlackBerry and Vanta. It's their support that helps us give you this show for free. Now, coming up on today's show, Graham, what do you got?
I'm going to be talking about bad vulnerability management by the cyber criminals.
Ooh, okay. And I'm going to be doing something I'm calling Facebook funerals and fraud. Plus, today we get to hear from BlackBerry VP Keiron Holyome, who is going to talk to us about AI for good and AI for bad. All this and much more coming up on this episode of Smashing Security.
Well, chums, huge news in the world of ransomware. Very exciting, because the FBI and the NCA, that's the UK's National Crime Agency, have made an announcement on the day of recording that they have delivered a catastrophic blow against the Lockbit ransomware group and its affiliates after a massive multi-year investigation, which they have called Operation Kronos. Don't you love these sort of butch, sort of Avengers-style names that they give their investigations? They don't call it Operation Lumpy Trousers.
Do you know what? The day they have Operation Barbie or something, I'm going to celebrate.
They might have to get permission from Mattel for that one, baby. Well, LockBit, as I'm sure many of our listeners know, is one of the most notorious ransomware operations out there. It's had lots of high-profile targets like Foxconn, the tech manufacturer that makes your Apple iPhones and Samsung phones, IT giant Accenture and the UK Royal Mail. Overseas deliveries of packages were being delayed a lot because they got hit by the ransomware.
When did they get hit? Last year, Royal Mail.
Yeah, last year. That's right. Last year they got hit.
I felt it. We seriously felt it. Did you not? Because we have a lot of things like The Economist delivered or Private Eye.
I think it was affecting deliveries going overseas rather than coming into the UK. Oh, wow. I think what you may be experiencing is the general decline of the British Royal Mail, which now takes weeks to deliver a postcard. Okay, crack on. Well, anyway, Lockbit are run like a major organisation. Some have even called them the Walmart of ransomware because they, it's quite a good little quote, isn't it? A little soundbite there, the Walmart of ransomware because they dwarfed all the other ransomware groups in terms of market share. They were the leader by quite a long way. Very organised, very professional.
If someone said, oh, my God, your fashion is so Walmart, would you feel flattered?
Potentially not. No, potentially. Maybe they would think that I'm just someone who's, you know, careful with my cash. That's true. Because, well, what does it matter? As long as you're clothed, as long as the essential parts are covered, does it matter who's made them? I don't know.
Well, hopefully not little children in countries where, you know what I mean?
Oh, good point. Yes. Okay. Fair enough. Yes, you don't want it done by sweatshops. Now, it's important to realise that a ransomware operation like LockBit isn't being run by just one guy launching the attacks from his back bedroom surrounded by pizza boxes. LockBit takes this familiar form now, which we're seeing more and more with ransomware gangs, of a ransomware-as-a-service operation, meaning that other criminals are paying to be affiliates. They are launching attacks. They're sharing a percentage of their criminal earnings with the original gang. And so identifying and charging one LockBit suspect doesn't necessarily mean the downfall of the entire criminal operation.
I suppose it depends who it is, right? If it's like the person who's making the tea, probably not. If it's the person who's in charge of all the passwords, maybe? Well, what has happened on this occasion is the authorities have seized complete control, it appears, over Lockbit's infrastructure. If you were arrogant, you would think, yeah, yeah, they're just sending this automatically. They have no idea. It's going to take them ages to process the data. They'll never get to us. We'll disappear before then.
Maybe you're right. Maybe you're thinking they're just bluffing. Maybe you're thinking, yeah, I shouldn't be so worried about that. Whereupon you go to Lockbit's website on the dark web where they normally publish their leaks. And what you see there is that the police authorities are now dripping out information about how the gang operated and will carry on over the coming days. In fact, and this is really brilliant, if you fire up your Tor browser right now and go to the Lockbit leaks website on the dark web, you'll see what appears at first to be their regular catalogue of hacked companies. So what they do is they have a little gallery of different companies up there, and there's a countdown on it as to when they are going to release the information about those companies. That's what they normally have.
That's so gross.
Right. So that has now been replaced. Because when you read the words, what you actually find is now that gallery, the actual content on them, is actually a list of posts announcing what law enforcement agencies have done. And some of them have countdowns on them where they say, we're not telling you this yet, but we're going to be releasing this in the next two days or something.
This is when marketing is important, people. You may have really interesting data, but they've obviously combined with people to come up with this idea. There's a lot of different brains being involved in here.
Well, they are capturing the imagination of people online. You know, they are exploiting social media. They're posting up little videos. So this is the information they're going to be releasing. Sensitive information on LockBit's cryptocurrency operations and their financing, their affiliate infrastructure, detailed analysis of future iterations of LockBit. They're doing that in association with a cybersecurity vendor. Information about the exfiltration tool used to steal the data. Sanctions that are going to be taken against the group. A decryption tool, which has been developed by Japanese police. They've got information about five people who have been charged in the States, including two Russian nationals. Jesus. Two of them they've got in custody. Thank you, Sharon. So two of these people are now in custody. Another two have just been arrested in Ukraine and Poland. More arrests seem likely. And they're even dripping information saying they're going to reveal the identity of the LockBit gang's administrator. He's called LockBitSupp. And they're saying, we're going to reveal that in a couple of days. And they've published screenshots of LockBit's source code, its back-end admin panel, redacted images of negotiations that have taken place with victims. They've frozen over 200 cryptocurrency accounts.
This is fighting fire with fire, right? And it's also slapping you back in the face with the same shit you've been torturing everyone else with. It's really interesting.
Well, Lockbit's credibility is now in the drain, isn't it? And people are wondering, well, how did the police manage to do this?
That's what I'm wondering.
That's exactly right. Well, it appears the authorities were able to breach LockBit's infrastructure because they had a vulnerability in PHP, which they hadn't patched. So they hadn't applied a software patch.
We all have a little soft spot, even the bad guys. Wow.
It's very similar to, of course, what the gang does to break into companies to launch their ransomware in the first place. It's embarrassing, isn't it, guys? Very embarrassing. So if you've been hit by Lockbit, folks, you don't need, you definitely don't need to pay a ransom anymore. The authorities can help you decrypt your data. They've created this tool. If you are a victim in the UK, you can email the NCA at lockbit at nca.gov.uk.
Gorgeous.
If you're in the United States, I'll put links in the show notes. So if you're in the United States, go to a site called lockbitvictims.ic3.gov. And anywhere else in the world, go to nomoreransom.org where you can download a tool as well. So it's all really good news. You know, normally we have bad news, don't we, on the Smashing Security Podcast. Well, you often do. Me? I mean, there is a slight... Because, of course, this isn't the end of ransomware. Someone else is going to fill this vacuum. Someone else is going to move in there, we can imagine, and some of those criminals will probably carry on pursuing ransomware operations too. I think the way I'm going to tell you this tale is to imagine that I have passed away. I want you to imagine there's a very sad day that happened, right? Did it involve a steamroller? Oh, my God. An accident with a trouser press? Is that how you think I should die? I should get squished. I don't know. Could be a grand piano falling out of the first floor window. There's all sorts of possibilities.
I could die in my sleep really peacefully and fine.
That's what I was thinking. I can't really see you going that way. Are you expected to go? Wow.
All right then I'll be, okay. Okay, you think a piano is going to fall on my head. Okay, thanks, that's so great. Okay, moving on. Yes. Despite me not being on the socials, my people are. You know, people that like me, maybe even a listener or two. And they're sharing details on what happened and they're sharing lovely stories about my life. Like, oh, she was so funny and she was so patient with Graham.
Well, Carole, I certainly would have a few stories I'd be very, very willing to share on social media in the event of your death. In fact, there's some things.
What would you say? What would you say?
Well, Carole, there's some things that I frankly am not prepared to share while you're still alive and able to charge me with slander. But once you're dead, then I reckon it's a free-for-all. Then there's various videos, audio clips, various things. But finally, I can unleash everything. You want to know what she was like? Let me show you. Okay. So you're online doing all this sharing stuff, sharing all the videos, all the most embarrassing things I've ever said that you know that's happened to me. I want to make sure you're dead in case you call the lawyers. Because I've said all these things just based upon the report that you've died.
I was just thinking, you know, a very important co-host. He's played an important role in your pod life. Very important, yes. I'm washing my hair.
Exactly. Happy of a meeting. Okay, let's say it's a diarrhea moment. It's a moment that everyone can understand. Maybe you go on socials and you're like, sorry, and you do the little emoji.
I'm planning to have diarrhea that day, so I can't go to girls. I think it might improve your funeral, to be honest. Give everyone something else to think about.
I think it would be a good reason to not attend my funeral, okay? All right. I'm back. But you want to be there. You want to be there. It's complicated for you. You've got this poo issue. You want to, you know, pay your respects. But wait, you see in your feed, alongside a picture of me smiling from when I was about 32, right? Details of an online streaming of my kick-ass funeral.
Oh, perfect. So while I'm streaming, I can watch the funeral streaming on my laptop.
You could be in your restroom or loo, depending on where you live, right? And you could sit there with your iPad on your lap.
Maybe prop it up somewhere rather than have it that close to me.
A lot of people have white bathrooms. I might want to put a black curtain around stuff just to somber it up a bit. Maybe turn the lights off. Turn the lights off, yes. Put the mute button on because if you're on the loo, you know. Why wouldn't you? To show your respects, to say I'm here, present. I'm not like sitting there doing the dishes while I'm listening to your funeral.
Okay. I suppose it's important for me to be seen to be mourning your loss, isn't it? Because that'd be good for my image.
You are important in my life. I hate to say this, but it would matter, I think. Okay. Well, not to you any longer. You know? Maybe. Who knows? Who knows? I could haunt you if you don't show up. I'm just saying. Who knows? Yeah, I could share it with others. Yeah, yeah, yeah.
You might even be generous and go Sticky Pickles dudes and Art Musings dudes. You might do that at this point too, right? Get all the podcast people, a trifecta. Do you think the streaming service can cope with that volume of people watching at the same time?
I don't know, Graham. I don't know. It won't be my problem. You might even record it for a future episode. Maybe give you a bump in listens at a time where you don't need to share any spoils.
That's good. Am I right? That's a great idea, actually. I like that idea. Yeah, yeah.
The day has come. You slap on a black t-shirt, black joggers just in case. Yep. And you click through to the live stream and you click through and it says, oh, you got to register first, right? And then you'll get the link. We don't want it. No scammers. They're scammers, dudes. They're scammers. And you're thinking, yeah, you know, I know all about that stuff.
So I have to log in as a legitimate mourner, I suppose.
And you're probably just going, sheesh, Jesus Christ, why did Carole choose this? Was this in her funeral requirements or is this her partner?
Yeah, exactly. Her partner has actually monetized her funeral. He's probably getting a kickback. You just have to register. Oh, okay. Okay. All right.
But you're right. I would like to monetize. So you're thinking ahead. You go through and it's like, you know, right, the live stream's about to start. Okay, yes. There's the whole live stream of Carole's Funeral. And there's a video player, like a streaming service. And there's like a little, like, you know, loading, loading, loading. And then it loads. And then there's a big button that says, watch live now.
Here it is. Finally. Yeah. Playing some emotional Canadian music.
Maybe. Maybe. Bryan Adams' Summer of 69 is blasting out. Bit of Alanis. And you press the button, right? Watch live now. Yeah. And you sit tall because, you know, you're on video on the loo, as we said earlier. So the camera is very carefully angled. You then have to enter your credit card information to watch my funeral. And you're thinking, of course, that's why. Carole's trying to make a buck after she's dead.
Making money out of it once again.
And you'd be wrong, Clue, because the whole thing. No, it's your partner making a buck. You're not going to make any money out of it. Carole, have you not worked out how death actually works? You don't get to keep your bank account.
Oh, you're right. Well, the whole thing is not true. It's a whole nasty, disgusting scam making the rounds with increased ferociousness. You mean you're not really dead? Well, no. Actually, I am really dead. So it's targeting people that have deceased, finding their information in public forums. Yes. And this is all according to Joe Cox from 404 Media. So these scummy douchebags are grabbing information and the mugshot of the person who's passed.
Your mugshot is pretty shocking. So, I mean, I think mugshot is a good word.
And then they're populating pages of the grieving with offers of an online streaming option for the funeral.
Wow. For people who can't be bothered to get there.
Well, or people that live 10,000 miles away or 2,000 miles away or have eight kids or whatever. Fair enough, yeah. And you're thinking, I want to show my respects. Yeah, that's fair enough. So you click on it. Yeah. And you're actually going down a nefarious path run by jerks who are trying to get your credit card information and information from you, your registration information. And what's more even confusing is in some cases, these funerals are being live streamed. And this is how the information is being passed along through word of mouth, through groups. Yeah. According to 404 Media, Facebook is awash with scams that direct visitors to fake live streams of funeral services, preying on relatives and friends of the deceased.
Whoa, whoa, whoa. Are you saying Facebook is doing a bad job of policing something that's going on on its network?
Just wait to these words. Tell me what you think. Just give me two paragraphs and then tell me what you think. Okay. There have been pockets of media coverage of these funeral scams over the last year or so, but the scam appears to have ramped up, says 404 Media. Beyond the U.S. outlets, Australia, the U.K., and Ireland, as recently as last week, have all reported on the scams. And this Irish one is particularly stomach-churning because the deceased person was six years old. Oh. Like it's just, so 404 Media sent a specific Facebook account that was peddling such bogus funeral streaming services to Meta, right? The parent company of Facebook. Yes. And a spokesperson responded in an email. Are you ready? Yeah. Quote, we don't allow this content on our platform and remove the page brought to our attention. Oh, good. Okay. So that says to me they are being reactive in their process as opposed to proactive. Don't you think? They're saying, you tell me about it, we'll take it down. Otherwise, you know, we're busy.
That, I'm afraid, is their approach, isn't it?
It's not good enough. No. When 404 Media asked for comment from Meta that requests include the specific question of whether Facebook proactively searches for accounts involved in this sort of scam, Meta did not answer the question directly and instead said it encourages people to report the content to the company and to the police.
I think they have answered the question there, haven't they? So there's no proactive stuff. Yeah. It sounds to me, pardon mon anglais, horseshit. Cheval poop. Exactly.
Maybe leave explicit instructions in your will that you do not want to be live-streamed, or you don't want anyone who has a Facebook account being invited to your funeral.
What's the problem with the funeral being live-streamed? Like, my family's all around the world, right? Like, my family and my good friends, and they may not be able, like, if I die at a ripe old age, they're all in their lives, they're going to be, like, in their 80s and 90s.
I suppose if they couldn't get a visa or something. Yeah. Okay. I can understand why people would pay to watch. You know, it's going to cost me so much petrol driving half an hour to go to Carole's funeral, or I could pay a fiver and stay at home and watch it in my undies.
With Cylance AI, the team at BlackBerry are helping you keep one step ahead, stopping more attacks earlier and with less effort than other solutions in the market, and that's independently tested and proven. The lightweight AI offers broad coverage, consistently low false positives and quick threat responses, supporting endpoints seamlessly. Now many solutions boast about how little time it took them to respond after a threat emerged, but with BlackBerry's Cylance AI you'll find out how long before, and it can be months or years, it has already protected its customers. Staying one step ahead is central to everything BlackBerry does. And in fact, it's your 24 by 7 AI-driven security partner. So visit smashingsecurity.com slash BlackBerry to find out more. Thanks to them for supporting the show.
This episode of Smashing Security is sponsored by Kolide. Wouldn't it be great if a device which lacked compliance or lacked security was denied access to your organization's SaaS apps and other resources? Because this would mean that the hackers who had nabbed the unlucky employee's credentials, for example, could not gain access to your assets. It would effectively lock them out. Welcome to Kolide, a world where access is only given to approved secure devices. As the administrator, you can manage every operating system, even Linux, from a single dashboard. Another bonus of Kolide: employees can often fix their own problems without involving IT support, meaning fewer resources are needed to effectively operate a more secure environment. Kolide is the device trust solution for companies with Okta. Kolide ensures that if a device is not trusted or it's insecure, it is denied access to your cloud apps. Learn more at kolide.com slash smashing. That's K-O-L-I-D-E dot com slash smashing. And huge thank you to Kolide for sponsoring the show.
Smashing Security is also sponsored by Vanta. Managing the requirements for modern security programs is increasingly challenging and time-consuming. Enter Vanta. Vanta gives you one place to centralize and scale your security program. Quickly assess risk, streamline security reviews, and automate compliance for ISO 27001, SOC 2, and more. You can leverage Vanta's market-leading trust management platform to unify risk management and secure the trust of your customers. Plus, use Vanta AI to save time when completing security questionnaires. Smashing Security listeners, you get 20% off Vanta. All you lucky sausages have to do is visit vanta.com slash smashing to claim your discount. That's V as in Victor, A-N-T-A dot com slash smashing. And thanks to Vanta for sponsoring the show.
And welcome back. And you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week. Mm-hmm.
And I said that I was very annoyed about the subtitles on One Day on Netflix because every time one of the lead characters happens to go like that, do a little mouth click, it would say clicks mouth. And I'm afraid my nitpick of the week, this week, Carole, is you and a few Smashing Security listeners. Because after that episode was broadcast, some Smashing Security listeners got in touch. Matthew G., for instance. Hi, Matthew. I've got a nitpick with him. And I've also got a nitpick with someone who called themselves insane in the brain.
Yeah, I don't have any problem with them either.
They suggested I might have goofed up the settings in my Netflix app, and that's why it was saying things like, bright instrumental music is playing, and clicks mouth.
What they were suggesting is that you had also, like, audio description stuff on. So not just the, you know, the translation or the subtitles, but also the audio descriptions. Yes. Okay.
Right. Thank you. Thank you very much. You have just hanged yourself.
I was explaining it for everyone else. I know you're very angry, so maybe.
Well, you have now, I'm afraid, given me all the evidence I needed. And furthermore, I saw you reply to some of these people, gleefully agreeing with them. Yes. And saying you should have picked me up at the time. Yeah. But no, I spent some time investigating this issue. I've gone back and I have checked. And on Netflix, on one day, in English, there are no subtitle options available, other than the ones which also tell you irrelevant information about keys jangling and lip smacking.
How many of you are right now hitting your keyboard to show that Graham is wrong? Meanwhile, I have also learned... So I went back and I watched an episode, or a little part of an episode, and sure enough, I came up and I looked at all the subtitle options and there's nothing there. Yeah. No, it's fun for me. It's so fun for me every week. It's so fun for me. Carole, do you have a pick of the week? I do have a pick of the week. And, you know, sometimes I have them and I'm thinking this is not his bag, right? I think it might be some listeners' bags, but I don't think it's your bag. But this one, I think it's in your wheelhouse. I think it's up your street. I think, you know. All right. Well, let's see. Okay. It's a movie called Fingernails. Ooh. I would refer to it as an eccentric sci-fi romance with a teeny tiny dark underbelly and comedic bits. So, you know, you and your partner are happy, right? You're in a happy place. That's all good. You might even use the term in love. Yes, absolutely. Right. Perfect. Okay. Good, good, good. Now, what if there was a love institute in downtown Oxford? Right. Where you could certify scientifically through the state of analysis and bio samples, whether you were really, really, really in love and she was really, really, really in love with you. Would you want to be tested?
It sounds like an episode of Black Mirror. It sounds absolutely horrific. I think that is a very good thing to think, right? So in the movie Fingernails, this is by Christos Nikou, we find the glorious, and she is really glorious, Jessie Buckley. She plays Hannah, teacher, right? In a committed but unexciting relationship with this guy, Ryan, who's played by Jeremy Allen White. Right. Well, I might not love someone if they've had their fingernail pulled off. Maybe I really love their fingernails.
Well, it depends which one. What if you love their index one, but not their pinky one? You might go, hey, go for it. Good point.
Get rid of that manky one. Could I offer them a toenail instead? That's what I asked. You see? Much easier. Carole, can I ask a question about Fingernails?
I have boundaries now. I'm not taking on any of your garbage. Deal with it.
Well, it sounds like an interesting pick of the week. Now, you've been chatting to the folks at BlackBerry this week, haven't you?
I have. Keiron Holyome. He's a VP at BlackBerry, and he talks to us about AI from the profesh defensive side and also from the attacker side. Check it out. All right. So today we welcome Keiron Holyome to Smashing Security. Keiron is a vice president of cybersecurity at BlackBerry, looking after the UK, Ireland and emerging markets. It's a big job. So welcome to the show, Keiron. Thanks, Carole. Lovely to be here. Yeah, well, I'm so glad you're here because we are talking artificial intelligence. And I personally would really like to better understand how AI is used in threats from your point of view at BlackBerry, but also in defense. So it's amazing to have an expert in the room. So thank you so much for being here. So first, can you tell me a little bit about you so our listeners can understand, how did you end up looking after cybersecurity at BlackBerry?
I've been working in the IT industry for about 25 years, helping customers and organizations solve problems with technology. And about, I don't know, 10 years ago, 12 years ago, I decided to jump into the dark side, if you like, and come across the cybersecurity information technology sphere. And I call it the dark side because I think, you know, 10 years ago, security was seen as a bit of a blocker and a bit of a, they always say no to stuff. And, you know, that's certainly my experience. And I didn't understand why. So I thought I'd dip my toe into cybersecurity and get an understanding of what was exactly going on and why, and have really, really enjoyed the past 10, 12 years in this part of the world of IT, especially as it's, you know, the ascendancy of how critical it is for organizations now to get the right cybersecurity posture. Because if you're not doing that, your business or organization is at significant risk, right?
It's true. And you're totally right about it being a bit of a blocker 10 years ago. I worked in the market for 15 years, and I remember traveling my first time out with my fully locked down computer from the cybersecurity firm I worked at, and I couldn't get access to the hotel no matter what I tried. We had three experts trying. Ridiculous. So I'm glad times have changed. So we're here to talk about artificial intelligence, the big hot term of the day. And when people talk about AI today, they typically mean generative AI, like ChatGPT and other language models. But artificial intelligence as a technology has lots of guises, right?
Yeah, I think it's a really important point. You know, as you say, there's a lot of talk about AI right now, but not all AI is created the same. A lot of the models we see today that call themselves AI are really not AI and they're not mature enough or good enough for today's challenges. You see this by the outcomes that they produce. So when we talk about generative AI, that's about the interaction and providing people with the information they need. From our side, we also talk about preventative AI and that's really, really important. And we feel that you can't really exist in the world of cybersecurity AI if you're not being able to do the preventative and the gen AI as well. You know, I think a lot of leading cybersecurity companies talk about AI and we looking outwardly into the market, see models being used and then we see how they fail or they're not able to do what they're supposed to be doing. In fact just recently I think a couple of weeks ago there was an imaginatively named new technique for hacking called Pool Party. I love the names Pool Party. Do you think they just sit around you know coming up with these names? Anyway Pool Party, and it was basically a new way of injection techniques that enable you to go in and trigger malicious code. Now, we would have expected a lot of organizations out there that are using AI, inverted commas, to be able to detect and stop this from executing. In fact, the report that you can find online shows that leading EDR companies in the world were unable to detect and prevent Pool Party. And that really is AI really AI at that point, because if it's generative AI, it's not going to stop it executing, right?
Okay, so that's what it is. So you're surprised that people that wave the AI banner weren't able to stop this. It makes it complicated, though, for us outside the market, I think. Yeah, it's really complicated. I think we kind of lose a lot of people along the way because we start talking in IT speak and cybersecurity speak. And I think if the AI at a higher level is really to be understood by the general public and organizations, we need to do that education piece as to what AI is and how it propagates and the good and bad. AI can be used for good, and I think that's a really important topic as well. But from being used for bad and how do you defend against that perspective, not all AI is the same. And how you apply different models is really important. AI will have a tremendous impact. It's not going, it's having a tremendous impact on the future, right? And that's especially true when we talk about cybersecurity from a defensive posture perspective. BlackBerry have been using AI for over a decade now. And in a space as broad as cybersecurity, it's really important to recognize that, as you just said, different AI models can be good at solving different problems. And when it comes to threat defense, from our side, two general categories, right, as we've talked about. Predictive AI, where AI models can automatically stop threats. And automatic is the important point there, right? They make their own decisions. So automatically stop and anticipate threats and zero-day activity before they happen. So the predictive model effectively goes in very early in the sort of kill chain or attack sequence, makes a high confidence decision that that is a malicious activity, and then stops it and proactively stops the attack and shields the user organization from that threat. These sort of predictive models don't converse with people. They're not chatbots. They're not friendly, right? They're sort of math models that we all think of. 
But then on the other side, we've got this generative AI, as you mentioned. Now, these models are sort of designed to interact with people, and their purpose really is to make sense of large amounts of information and to give that individual they're interacting with, or that organisation they're interacting with, the ability to speed up understanding the situation, give them the knowledge base, and then enable them to make sort of better and informed decisions. But generative AI models, gen AI models, don't proactively stop attacks on their own.
Right, okay. So if we talk about the threats that you see at BlackBerry, do you have a category that you now call artificial intelligence threats? Is that how, or is there more granularity in that?
I think if you look at the world of the threat actors right now, I would suggest every single one of them is using AI in one way, shape or form, right? So it's not a case, and I guess the sophistication levels vary. So if you've got nation state, then I would say they're heavily invested in AI. If you've got your backroom hackers, then they're probably using some form of AI to either make their attacks more frequent, i.e. speed them up, or speed to market, if you like, get them out there quicker, or secondly, make them more effective. So I do think that every attack really has probably these days got some form of AI in it.
Yeah, it makes sense, too, because, I mean, I know lots of developers that when they write a little bit of code, the first thing they do is run it through some AI chatbot, as you call an interactive one, to just see if there's any mistakes, right? So why wouldn't the bad guys do that, too? And I guess, to your point, they're also probably using, can I say, penetrative AI as opposed to preventative. So they're using kind of AI models to try and get in to bypass traditional security.
A hundred percent, yeah. I think certainly the most frequent attacks we're seeing are that generative pre-trained transformer. So we know that best as ChatGPT, but there are others out there, like WormGPT, for example. And they're designed to do exactly what you just said: run some code through, do it as quickly as possible, get it out, test it, bring it back, do the same again. Just keep doing it until you hit the jackpot and get through and are able to sort of ransomware someone. So I think if you look at it on an axis where one is volume, one is efficacy, what GPT or AI gives you is the ability to do both quicker. So you can get more volume out there and have more efficacy. And that's the scary thing. The ability for organizations to be able to scale to that demand without using and deploying AI themselves is a real scary thought.
Yeah, and if you think about it, like you were saying, BlackBerry has been in the AI space, or working with artificial intelligence, for at least a decade. How many technology firms out there have just jumped on the bandwagon, right? Okay, so tell me, how is BlackBerry able to harness the power of AI as a component of cybersecurity? Because without it, we're sitting ducks, I'm guessing, in this new world. So we need it.
I think we're sort of at kind of an inflection point, really. There's going to be a profound impact on technology, security, and humanity as a whole. And as I've just talked about, I think AI can be good, and it should be seen as, on the whole, good. We can make some medical advances. We can make things easier, and accessing services and things. That's all brilliant, right? But fundamentally, we have to really get to grips with the security element underneath it. And I think the democratization, if you like, or the consumerization of AI, which is now easily available to everybody, you know, previously, if you had the resources or the finances to go and buy it, you could, but now everyone can use it. That lower entry, or barrier to entry, is really going to start seeing, in the market, in the world, the prevalence of AI in everything we do. So, you know, we're already seeing it. Those AI and the various actors are using AI, you know, to get better and faster at phishing and social engineering and goodness knows what. And then we've got this other thing that hangs over us, which is, you know, polymorphic malware, which in itself scares me. You know, its inherent ability. And for those that don't know what it is, it has this inherent ability to mutate itself in its appearance, continuously, to get around all of the security measures we put in place to deal with that. So we couple the AI, as effectively a consumer, downloadable, consumable effectively, with polymorphic malware, and then we throw that at organizations that are still trying to do signature updates. It really does scare me. So organizations must, must act now to make sure that they get AI in their vernacular, in their lexicon of cybersecurity defense. Otherwise, they're going to be outpaced, and unfortunately they will suffer.
Are you able to give us a few things that people should look out for? So imagine, you know, you're using traditional scanning methods. You realize it's not enough. You want to kind of up your game and get something that's going to help you, that has AI involved. What things to look for? Because I'm sure there's some maybe less reputable or quality software out there, and maybe there's things they can look out for.
Clearly, I'd say come and talk to BlackBerry. That's my job. But I think, outside of that, it is act now. I think the few things that we need to do is act now. AI is here to stay. It is here. It is being used today to cause financial harm to organizations and individuals. So act now. There is a lot of great stuff that the NCSC in the UK do around AI and what's coming and their judgments and all that sort of stuff. Go and read that, and then reach out to organizations that have been doing this for a long time. And the reason I say that deliberately is that the models that we talk about are very sophisticated, and they take time to learn and build on experiences. You know, for years and years, we've been throwing billions of data points at our models, for over 10 years. And our models are exceptional at being able to prevent stuff. So go and talk to those organizations that have been doing this for a while. Make sure that those organizations fit into your environment okay, and what I mean by that is it's very easy to go and buy from an organization that on paper is fantastic, but do they fit your culture and your organization's ability to move at the pace that you want to, for example? So that's really important. But number one is act now; number two is make sure that the organization you're talking to is the right fit. And lastly, the last thing I would say is act now. It's really, really important. I cannot stress that enough. We are seeing daily activity whereby, you know, AI is being used. And if you're still relying on, you know, old DAT updates or signature-based scanning, you will get hacked. It's not a case of when, it's just you will get hacked. And I think the other phrase is, when will this attacking end? Probably never, right?
Yeah, this is definitely not the time to act like an ostrich and put your head in the sand. It's basically what I'm hearing here. Act now.
100%. Act now.
Keiron Holyome, Vice President of Cybersecurity at BlackBerry. Thank you so, so much. Listeners, you can learn more about artificial intelligence and how BlackBerry is harnessing its power and defending against its threats by visiting smashingsecurity.com/blackberry. That's smashingsecurity.com/blackberry. Thanks so much.
Awesome. Thanks very much.
Very, very cool. And that just about wraps up the show for this week. You can follow us on Twitter at @smashinsecurity. No G. Twitter announced to have a G. We also have a Mastodon account. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify and...
Overcast. And huge thank yous to our episode sponsors, that's BlackBerry, Kolide and Vanta, and of course to our wonderful Patreon community. It's thanks to them all that this show is free. For episode show notes, sponsorship info, guest list and the entire back catalog of more than 359 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye bye bye.
Graham, I'm really sorry. My voice is still cracky.
Do you think the end is near? Can you give me some warning?
I'm gonna croak. My voice is croaky. And yeah, no, I'm just apologizing to any listeners that made it this far. I'm sorry, my voice is not repaired yet.
Some people like that. Some people like it when a, you know, a woman gargles with, you know, whiskey and razor blades. It's like a, you know, sexy kind of sound, isn't it? Some hate it, though.
Hosts:
- Graham Cluley
- Carole Theriault
Episode links:
- Law enforcement disrupt world’s biggest ransomware operation – Europol.
- Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates – Krebs on Security.
- International investigation disrupts the world’s most harmful cyber crime group – UK National Crime Agency.
- LockBit Victim Reporting Form – FBI.
- Fake Funeral Live Stream Scams Are All Over Facebook – 404 Media.
- Closed Captions (CC) vs Subtitles – Subly.
- Fingernails — Official Trailer – YouTube.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- BlackBerry – BlackBerry helps keep you one step ahead. Cylance AI stops more attacks, earlier and with less effort than other solutions in the market today.
- Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. It’s Device Trust for Okta. Watch the demo today!
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get 10% off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.