
There’s a whole new dating scam that could mean you end up out of pocket (or beaten up) after a first date with a glamorous admirer, and a woman in Los Alamos uses an AirTag to entrap a thief.
Plus – don’t miss our featured interview with Maya Levine of Sysdig.
All this, and a very bad Cockney accent, in the latest edition of the “Smashing Security” podcast by industry veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I'm just always a bit suspicious of anybody who has a surname which is actually also a first name.
Fascinating.
Fascinating stuff.
I've missed this so much. I've missed this so much.
Smashing Security, episode 383, The Godfather Club and AirTags to the Rescue with Carole Theriault and Graham Cluley. Hello, hello. Welcome to Smashing Security episode 383. My name's Graham Cluley.
And I'm Carole Theriault. Did you guys miss us?
We've been on our holidays and we're back. So, Carole, you're not in your usual place.
No, secret mission.
You're on a top secret mission and might be for a while.
Yep.
Good luck with that mission.
Don't worry, the Yeti is still onside.
That's the important thing.
So let's kick this show off and thank this week's wonderful sponsors: 1Password, Sysdig, and Material. Now coming up on today's show, Graham, what do you got?
I'm going to be exploring a very 21st century way of catching a thief.
Mm, and I'm going to investigate just why is this hottie so into you. Plus, I had a chat with Maya Levine from Sysdig. She's a product manager there, and this is a company on a mission to make every cloud deployment secure and reliable. All this and much more coming up on this episode of Smashing Security.
Now, chums, nothing much happens in Los Alamos, New Mexico. Carole Theriault, are you familiar with Los Alamos? Have you ever been there? Have you ever heard of it?
Mm, heard of it. Know nothing about it. Educate me.
Do you know why you've heard of it? Because in the 1940s is where the US authorities developed and detonated the world's first ever nuclear weapons. That's the only reason why you would have heard of Los Alamos, I suspect.
Is it a fancy suburb now with loads of really rich houses or no one lives there at all?
Well, it's a fairly sleepy, dull town by all accounts. The biggest news might involve a pair of mismatched socks. Not much goes on there. As far as I know, there aren't any mutant pigeons or anything as a result of those nuclear tests way back when. But in the last few days, the headlines in Los Alamos have been shaken by a big story, a saga of thievery. Easy for me to say. And our story begins when there was a fed-up victim, someone who kept on discovering that their mail was being plundered. Their mail was being stolen. So they had a mailbox at the local post office, and they were expecting things to be delivered, and they didn't show up. And they were really determined to find out who was responsible. And so they hatched a cunning plan. And what they did was they decided to mail themselves something. And what they did was they put in the mail, addressed to themselves, that tiny technological wonder, known as the Apple AirTag.
So what do you mean they put— Okay, I don't understand. Okay.
Yeah, so they put an AirTag into an envelope, presumably a padded envelope or something, or some sort of package. They dropped it in the post to themselves. So it was going to get sent to their mailbox. And then they could find out where their mail went, if again, it was stolen. And so—
So this is not one letter going missing, but all their mail.
A lot of their mail was going missing. I guess the interesting-looking mail. Maybe not the boring mail. Maybe not the water bills. No one cares about that.
The ones with a little pretty picture on the outside with a little heart or something.
None of those ones offering you cruises around the Antarctic or, you know, all the junk which you receive. Well, one Monday morning, the trap had been set. And so this woman, she mailed herself this package containing the AirTag, essentially turning her parcel into a sort of like a homing beacon. So wherever it went, she'd be able to find out where it went, right? And the thieves took the bait. She went to go to her mailbox, there it's not there. Where's the mail? I should be receiving my— why haven't I received my mail? Is it because the mail service is rubbish or is it because someone has stolen it? Well, the AirTag provided, of course, the real-time coordinates, and it turned out that the stolen package led police deputies— I love this thing about deputies. We don't really have deputies, do we? In the UK.
No. So they're second in command deputies, is that right?
That's right.
Yeah.
And they went to the coordinates and they arrested a couple of people. They arrested Virginia Francesca Lara and Donald Ashton Terry. Now, there's a couple of things already a bit suspicious about those names. I don't know if you've noticed.
Yeah, they sound completely made-up names to me. I don't even believe they exist.
It could just be a random name generator, couldn't it? Yeah. Both of them have surnames which are actually first names. I'm just always a bit suspicious of anybody who has a surname which is actually also a first name.
Fascinating.
Fascinating stuff.
I'm sure you'll— I've missed this so much. I've missed this so much. Okay, cracking on.
Anyway, early morning, 7:17 in the morning, in fact, on East Sunrise Drive in Santa Maria, a nearby little town. The sun was shining, the birds were chirping, and these two unsuspecting individuals were blissfully unaware that their light-fingered adventures were about to come to a screeching halt because these deputies—
Did I write this?
Hmm?
You never use this many adjectives when you talk. This is ridiculous.
The squirrels were scrambling around the beautiful trees, but everything was going to come to a screeching halt because these deputies, they came along, caught them red-handed with the victim's mail, and they also found a treasure trove of other stolen post from over a dozen other victims. So it turns out—
So what, they're just taking them out of mailboxes or what?
Well, what it could be is maybe they've got a link to the post office where the mailbox is. Maybe they've been able to access it that way. It's a little bit unclear as to whether the mailbox is actually at the home of the person who wanted the AirTag, or whether it is at the post office. It's unclear what kind of mailbox we're talking about.
Okay, so they're just stealing— we don't know how they steal it. They steal all this mail from everybody. And what are they looking for?
Allegedly.
Allegedly. Allegedly.
Well, what they're after probably is— I'm sure we all remember the story about my lost Amazon delivery of the iPhone. So high-value items are being put in the post all the time these days. These are the days of online e-commerce when you're buying all your technology, you're buying expensive things, they're coming through the post rather than you going to department stores.
And so are they coming in the post?
Yes.
Expensive items, we're doing it through couriers, whether it's signed, sealed, or—
Yes, but they're still going to deliver it to somewhere, aren't they? They're going to deliver it to a mailbox wherever you've chosen, because you're out at work or whatever, wherever you want them to leave it. And so it depends on what your particular setup is. But sometimes it will be the mail service which is doing this, sometimes it will be couriers or whoever it is, but the point is that people are intercepting deliveries. They're stealing packages because they think, well, once we've done this, we'll sell it on the black market, we'll chuck it on eBay, we'll try and make ourselves some money, and maybe the big tech companies will just take it on the chin.
I wonder what they were charged with. Is the felony opening someone else's mail or theft or?
So they've been charged with intent to commit fraud, fictitious checks. So maybe some of the information they were able to grab from the post allowed them to commit identity theft, credit card theft, conspiracy as well. Terry, the man, has also been charged with burglary, as well as credit card theft, identity theft, and so on and so forth. But I think what we're seeing now is people being more inventive with their use of technology to confront criminals, to deal with these sort of situations where you have things taken from you. So the sheriff's office, they've been commending this victim, saying, you know, really ingenious, your use of technology.
Yeah, they put out their little press release. They said this is really clever and everything, and also what they really appreciate is that she didn't go round to the address and face them face to face.
She didn't go in with her guns blazing like Arnie style. Exactly. Because if someone's committing criminal acts, which has been alleged here, then there is the potential that they won't take very kindly to you coming up the drive and saying, 'Oi, what are you doing?'
She left it to the professionals.
And everybody gets good PR.
Everyone gets good PR. The only bad news is for this chap Terry — he's been hit with a bail bill of $460,000. Huge amount. Half a million dollars is his bail because it's been suggested he's been up to so much not-goodery, whereas Lara has only been hit with a $50,000 bail bond. But this is the thing, right? AirTags — AirTags, fantastic for tracking lost items, but they can also sadly be used for tracking living humans as well. And it struck me that if you were stealing post which contained an AirTag, there is a chance that the AirTag will actually give the game away, because they have built into these things these days a method to actually warn people that they are being stalked, that there is an unknown tracker following them. So if you pick up an AirTag which is owned by somebody else and is not paired with your Apple iPhone, your iPhone after a while will give you a little alert saying, "Huh, seems to be an AirTag near you," and you might even hear the AirTag begin to beep occasionally as well, which makes it a not great device for tracking someone. So great if you want to stop stalking. Not so good if you want to find something, or if you want to track where something which has been stolen from you has gone. Do you see what I mean?
If there's someone with ears and a phone in the vicinity. Oh, you mean the fact that she used an AirTag?
Well, who hasn't got a phone? Who these days is going anywhere without a phone?
I'm assuming that's rhetorical. I don't know.
Well, most people are carrying a phone.
I don't think I'm used to our show anymore. I find it all a bit strange. Yeah, no, I don't know. I was looking into AirTags for my cat, you see. To prove what was going on, right? I thought that would be really useful. They're huge. They're too huge. And then, you know, she's an indoor-outdoor cat. So, you know, she gets caught somewhere. Big AirTag. I don't know. Anyway.
Yeah. I don't necessarily think they're great for pets, but people do slip them into the handbags of ex-girlfriends or into people's cars and things if they want to track things.
I know loads of parents that do it to their kids.
Really? Yeah.
Yeah. Well, I'm just thinking they do have a phone. They're not going to leave that behind. You're going to know already where they are.
The thing is, it can get complicated because if you have someone in your close proximity, if you have someone riding in your car and they're carrying something that's tagged. So my son, for instance, right, his mum has put an AirTag into his school satchel thing. So if I'm driving him around in the car and his AirTag is not connected to my phone, I get warned that there's an unknown tracker following me. And it's yeah, it's my son next to me. And although I can say, stop those annoying warnings for a day from coming up because I don't care about the unknown tracker, there's no way to permanently shut it off. It'd be really nice if there was a way to mark that individual tag as just ignore that one forever. So I don't have to worry about it.
Yeah, totally. Because I could piggyback on your son's AirTag and add another AirTag into your whatever, car or whatever.
You'd just be getting these warnings going, "Oh God." Or the other scenario is maybe you catch a coach each day or you catch a train each day and there's some random guy who gets on the train at the same time as you and he's got a tag. And so again, you begin to think that there's someone tracking you, but in fact it's just a guy in the vicinity. And wouldn't it be handy if you could say, "Just don't worry about that one." And the other issue with these AirTags is, well, up until very, very recently, this has really been an Apple thing, right? The Apple AirTag is considered the sort of premier tracking device for lost devices and the rest of it. But Androids didn't really work with it. And of course, many, many people have Androids rather than iPhones. But there is, I can tell listeners, there is an Android app which is actually written by Apple and developed by Apple in the Google Play Store called Tracker Detect. So if you want to find out if someone has left an AirTag in your vicinity, you can open Tracker Detect on your Android phone and ask it to scan for trackers, and it will tell you if there's anything nearby which isn't paired with your devices. Now of course you've got to prompt it to do that, which is kind of inconvenient compared to how Apple phones just warn you if you're being tracked. And it also doesn't track other kinds of trackers, those ones from Samsung or Tile and others. But the other good news is earlier this year Apple and Google teamed up to create an industry specification designed cross-platform, cross-industry to detect unwanted location trackers, making it possible to alert users on both iOS and Android if they're being tracked. They announced this, I think it was in May. It's in the latest versions of iOS and it's beginning to roll out on Android as well for some users. It's not completely gone global yet. Right.
Question.
Yes.
Does it include apps that might be surreptitiously installed on said person's phone?
No, no. That's Jonathan
No, no. This is purely for sort of the hardware location trackers. So anything on your phone, that's going to have to be handled by something different.
Frakes is Riker.
Are you trying to say teeth?
Thief. Apparently I don't say the F on the end of thief. I should say thief, she says, rather than thief. Is it bad? I don't know.
I'm staying out of that for obvious reasons.
Carole, what's your story for us this week?
Okay. Okay, so I'm going to set the scene. I'm going to make you, Mr. Cluley, be our protagonist here. But you have to cast your mind back to when you were a single man.
Okay.
One looking for a little romance.
All those weeks ago. Yes.
Yeah. Perhaps looking for a hot flame to warm your wrinkly cockles. Something that.
My cockles are—
See, everyone knows that AI didn't write that, Graham. Everyone knows. And what does one do in modern times if one wants to launch the search for passion? You hit the apps, right? You go online dating, don't you?
That is what the young people are doing, isn't it? What do you mean wee nodes?
That's what you did. You're not that young. It's what I did. Yeah, yeah. So imagine you, Graham, you're on one of these many popular dating apps, whatever. So, you know, Tinder, Bumble, Hinge, OkCupid, whatever. And you meet this attractive woman.
Yes. Yeah.
And you're, "Ooh, she looks interesting." And it's your lucky day because she doesn't swipe left or whatever you do, right? She seems to be into you.
Excellent.
And I mean, you have to admit you're, you know, maybe not, I don't know. I don't know how to say this.
No, go ahead. Just say what you're thinking.
No, I'm just saying, let's say you thought she was a 9.5 out of 10, right?
Yeah. Okay.
And you would maybe consider yourself a what, do you think?
Right. No, I'm interested in what you think.
7.5? 7.9?
I think that's very generous.
And they're fab if you have hearing loss. Now, the ones I tried, I think it was an earlier model, or maybe there's lots of different types. Okay. So, but she's into you and you're kind of, so you might be thinking, what's going on here? Is this a scam or something? Is this feeling a bit weird? So what was— They all have different things. The one I had had no microphone, right?
Or maybe she's just very deep. Maybe she's seen my inner beauty. Maybe that's what she's seen.
So, and I think I bought them for about $100, $150, something like that. I bought them for a friend, but I don't want them for me because I really need a mic if I'm going to be using these. Okay.
Okay. So as you're an expert here, so what would you do at this stage, right? Just to make sure, because you're kind of thinking she's out of my league. Oh, well, I'd probably do a little bit of OSINT, a little bit of open source intelligence. I'd be Googling around, I suppose.
Yeah, reverse image search, maybe?
Yes, exactly. So we'd look up her image, see if it's attached to her name. Maybe we'll look at her LinkedIn profile, something like that. Maybe look up her on social media, see if she's left any reviews on any restaurant websites. See if she— I may be able to get an indication of how she expects to be looked after and maintained if she goes to lots of beauty salons or something like that. You know, if she's leaving reviews of all sorts, you know, all I would guess.
Okay, so you're going deep, deep, deep. I was thinking more— I'm just thinking more they haven't asked me for money. Reverse image search reveals nothing's fake, for example, in this situation. She doesn't live abroad. She doesn't have a dangerous job. Hang on.
Do you think? Hang on. The image search doesn't find anything at all? So I can't find any—
No, it does.
Oh, okay. So it's not a fake image. That would be a red flag to me is if there's no one who looks like her out there at all, then I'd think, hmm. How many fingers has she got, you know?
Okay, so the lady you found online passes this test of yours. Excellent. And she wants to meet you in person, and she's asked you, Graham, to visit, you know, a well-known area in town. So it's not go down to this dodgy place, or it's in public, you know, nice place. So you get there, right, Mr. Cluley getting there?
I'm feeling very bold if I did that. I'd certainly demand a few games of Scrabble online first before we did anything like that. But all right, so I'm feeling bold. Yeah, I'm feeling brave.
Yeah, you meet her. Yeah, right, right across departments. Most people are kind of stuck in their fishbowl, but you're going across everywhere. Yeah. She's looking as good as she did on the online, right?
I'm looking 7 point, if I'm lucky. Yeah.
That's— okay, so the cloud, that's your thing. I remember when that term was brand new, and today I think everyone uses it, right? Everything makes use of it, and it's still growing all the time. It's like, is it different from a traditional environment, or are there big differences? You suggest the nearby Pizza Express, you know, because you're a class act, but she insists on going to this higher-end place. Let's say it's called the Godfather Lounge.
Hang on. Godfather Lounge. That begins to worry me. Is it called the Godfather Lounge because they've got meatballs stuck inside their inner cheeks and they're talking like Marlon Brando with his cotton wool? Is it some sort of criminal establishment?
Well, interesting you should say that. You tell me. So, you know, you're not a super wealthy guy. I mean, you're wealthy, but maybe 7.5, right, on the wealthy scale?
Well, not compared to Jeff Bezos.
In the cloud, people are leaving their keys all sorts of places, in exposed text that they're uploading to GitHub, in serverless code files and infrastructure as code file templates and all of these places that seem a little bit obscure, maybe you don't think about, but attackers actually know to look for them there. So typically that's how they start is they get some kind of access. Once they're in your cloud environment, then they start what we call enumeration or reconnaissance.
You know, I imagine there's a lot of guys and gals listening to this going, oh, God, if only I
No, I'm going to be 0.000001, aren't I?
It's basically, what can I access with the current credentials I have? What other credentials can I get access to? They're trying to spread like a virus.
could convince my C-levels to understand how important this is and to give me the budget and the resources to Okay, so you check the menu. You check the menu at this place, The Godfather Lounge, and it's pricier than Pizza Express, but you know, it's not insane, and you've saved for the situation, and you don't want to come off as cheap because, you know, she's a good 9.8. So you sit down.
They're trying to get as far as they can, as deep as they can into your cloud assets. And then usually the motivation is financial. So they'll execute crypto mining or ransomware or phishing, data exfiltration that they'll sell on the darkweb.
You sit down. You ogle each other because she, you know, she's hot. make this happen. What advice would you have for them in that instance?
Whatever it is, there's usually a financial motivation behind kind of their end goal there.
Are there tablecloths in this joint?
Yes, yes, it's The Godfather Lounge.
This is an industry where we can help each other. We are stronger if we are supporting each other. Nobody should be shamed for undergoing a breach, right?
Oh, sorry, sorry, of course it is. Of course there's tablecloths.
We can all learn from what was the thing that tripped you up, what was the thing that allowed the attackers to kind of take control of your systems. And I'm very proud of Sysdig's threat research team, which discovers new attacks all the time and always kind of shares that information. We had one recently where attackers were targeting people's AI models in the cloud and we called it LLM jacking.
I imagine they have to wash them every night to clean up all the blood.
Basically what they did was they managed to get into cloud environments through credentials and stuff. And then once they were there, they're targeting these LLM models that were hosted by cloud providers, things like Anthropic's Claude. And then they would sell access to these compromised LLMs and leave the cloud account owner to foot the bill for that. That's new, right? That's using new technologies. But sharing this kind of thing, I think, is critical for the industry as a whole so we can all learn from it.
She's looking at you, probably fascinated with your ginormous eyebrows, right? And you look at the menu, you look at the menu, and it's a bit more than you expected, but it's okay. It's okay. You order your favorite. You're ordering a cranberry juice on ice, right? And she orders a drink you've never heard of. You know, do you know what a Negroni is or a Sidecar or a Julep?
I know they're all cocktails. I wouldn't know what goes in them.
Exactly. So you have no idea. You're like, okay, fancy schmancy, whatever. Anywho, you're sitting there sipping your drinks, eyebrow waggling. And she pops off to the loo, right, to check her lippy.
Okay.
And comes back and, Graham, it's drama, drama. She comes back all panicked saying, "Sorry, sorry, sorry, emergency at home. I'm so sorry. I gotta go. I gotta go." And she dashes off.
Leaving me with the bill.
Leaving you with the bill.
Is this a scam? Is it just nobody actually goes?
No, it's just a fun story. I thought I'm gonna ease myself into Smashing Security. Forget the security angle. Just go with some love thing. Yes, there's a scam coming. Good. So she dashes off, right? And you're sitting there. Okay. And then, of course, you're presented with a bill, as you predicted. And so looking at the menu, you could kind of work out that it'd probably be about whatever. Let's say you expected to pay 20, 30 quid. The bill is 600 quid. Yeah.
Have we eaten anything at this stage? Has this just been the drinks?
You just had your cranberry soda, right? And she's ordered a few drinks.
That's quite expensive.
A few shooters, maybe a few shooters. Yeah, it's expensive.
It's quite expensive.
It's quite expensive, right? So what do you do now? So you're in this Godfather lounge. What do you think happens?
I'm terrified. What do the waiters look like? Are they heavies? Are they— have they got cauliflower ears?
You get some staff and bouncers cracking their knuckles, shifting their stance to more imposing.
But wouldn't you leave a bad review on TripAdvisor? To the restaurant afterwards, warning, 'cause I would definitely have to— Would you?
Would you?
Yes, but—
Godfather Lounge.
Well, yeah, but if— Godfather Lounge.
Okay, you might.
You don't think I should? You don't think I should?
No, I was just questioning whether, 'cause I know you are a committed runner, right? You've talked about that in the show before. Would you just try and escape, you know, lightning fast, Clark Kent style?
I don't think I'm quite as fast as Clark Kent. No, I'm not Superman.
Okay.
So, and I'm also, I'm not very lithe, to be honest. I'm not sure, I'd have to sort of oil myself down in cod liver oil or something, you know, just to slip past.
Yeah. What do you think the scam is?
Well, the scam is that she's obviously in cahoots with the restaurant. Her job is attract gullible podcast hosts to come on a date. And then cough up an inordinate amount of money when she's just run off, probably to get the next guy in the door.
Yes, this is called being tabled. And journalist Deepika Bhardwaj took to Twitter to expose the scam just last week. Our journalist accuses this upscale Mumbai club, the Godfather Lounge, and other nearby high-end drink places of being kind of, I guess, grand poobahs of this scam. The girls seem to be responsible for luring in the tables, or the victims, the male dates.
Yeah.
And reportedly get 15 to 20% of the total bill as a kickback. So it's if y'all have 15 drinks, 15 shots. And in some ways, this seems really old school to me, right? Get some hot women to lure men into clubs, then fleece them for all you can.
Oh no, that's never happened before, Carole. That's— it's never happened that a beautiful woman has scammed a gullible, overweight, middle-aged man.
And thanks to this online spotlight, because of this journalist, the authorities are now investigating this club. So typically, we— I think we think of romance scam victims as being women, don't we, as the prime target, not men. Would you agree with that?
Oh, that's interesting, actually. I wonder what I do think. No, I think— I think it's pretty much even.
Hmm. Well, I always thought it was more women that were the big prey for this. But it turns out, according to Barclays Bank, published a report late July, right, a few months ago.
Right, right. And I think there are a lot more men on dating apps than women as well, is the impression I've always had.
They also say that 1 in 3 are more open to dating during the summer months. So you guys in the Northern Hemisphere, if you think you need some love in your life, you better get your skates on or your roller skates on. Not winter yet. And if you are doing all this and you want to do your due diligence, check the episode show notes. I'm sharing a few checklists to make sure you're as safe as possible when you're navigating these dangerous dating waters.
It's a great reason, though, isn't it, to say to your date, oh no, let's go to KFC or Burger King.
I want to make sure you're not scamming me.
Exactly. I'm going to go somewhere really cheap and nasty. Rather than that Swiss restaurant that you fancy.
Okay, but if it's a first date and you're fancying the person, you might do some smoochy-woochies.
On a first date, Crow?
With KFC breath? Barf.
Does your email security solution fit your alert budget? Relying on built-in controls or traditional blockers will inevitably lead to more noise than your instant response team can handle. Well, Smashing Security takes a pragmatic approach to email security, stopping new flavors of phishing and pretexting attacks before reaching the user's mailbox, while searching through everyone's mailbox for similar messages in a campaign. What gets surfaced to your team are the highest-value cases to investigate, with all the context and reach consolidated into a single view. Remediations are a breeze with Material Security. So go try it out for yourself at smashingsecurity.com/material. That's smashingsecurity.com/material. And thanks to Material Security for supporting the show. Modern threat actors have weaponized cloud automation to accelerate taking only 10 minutes to fully execute an attack in the cloud. As organizations continue to shift into larger and more complex cloud estates, legacy detection and response frameworks are no longer sufficient at stopping cloud attacks. Well, Sysdig delivers fast and effective multi-cloud detection and response, or CDR, capabilities to empower analysts against these accelerated and complex cloud threats. Powered by Falco, analysts gain the visibility, context, and real-time security capabilities traditional EDR and on-prem tooling fail to deliver. Learn more about how to stop advanced attacks at cloud speed. Visit smashingsecurity.com/sysdig for more information. That's smashingsecurity.com/sysdig. And thanks to Sysdig for supporting the show. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices? Well, 1Password has an answer to this question, and it's called Extended Access Management. 
1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch. Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back. Can you join us at our favorite part of the show? The part of the show that we call Pick of the Week.
Pick of the Week. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Better not be. Well, my Pick of the Week this week is a bit of a nitpick actually. So my wife's been watching a show on Amazon Prime. I don't like it. I'm not a big fan of it.
Well, you know what? I've got a bit— I enjoy elements of it, but sometimes it goes a bit over the top, doesn't it? It's very gory and it's also kind of pervy. It's also a bit— I find it a little bit— maybe I'm just too old for it.
Yeah, it's just not my thing at all. I'm not into the Marvel stuff though. I'm not into any of the superhero stuff. Well, it's got a bit of a twist on the regular superhero thing because the central premise is that there's this corporation which basically owns all the superheroes and they're adored by the public, but in reality, the superheroes are really dreadful human beings. And I like that bit of it, but there's something else which, other than the sex and the over-the-top gore, which really pulls me out of the drama. The guy with the beard.
That's right. Yep.
Yeah. Yeah.
And he's known as Monsieur Charcuterie by the character Frenchie.
He's Riker. He's Riker from Star Trek. No, I'm not mixing up the actors. I'm saying he's playing that kind of character, don't you think? The big kind of beardy.
Wait, they've both got big beards? Yes. Is that what you're saying?
I like the hirsute gentleman. So, you know.
Yes. Okay. All right. Yes. So anyway, the issue I've got with Karl Urban playing this character of Billy Butcher is that his accent is nothing I've ever heard before. I was watching—
It's the worst.
It's terrible. I was watching it and I thought, is he American? Is he meant to be British? Is he Australian? And I actually had to search on the internet to find out what this character was supposed to be, because I couldn't work out what on earth accent is that meant to be. And apparently he's speaking with a Cockney accent, according to the internet, from the East End of London.
Yeah, just, just, I know. My husband watches it occasionally. The accent is terrible.
It is terrible.
Terrible, terrible.
Just so listeners at home can appreciate this, I'm going to play you a little bit of audio. Oh, there he is. You were spot on about him. There I was filling up the motor, I turn around, the little git had done a runner. There he was, filling up the motor. It's even bad by Guy Ritchie standards. I've never heard a Cockney accent this ever before in my life, and for that reason, this accent and the fact that it's completely making it impossible to watch this show if it weren't even for the sex and the gore as well. That is my nitpick of the week. Whoa. Carole, what's your pick of the week?
I'm chilling out with a family member the other day, right? And I can see something in her hair, kind of around her eyes or whatever. And they're these little wee nodes in front of her ears. I don't know. So I'm, what is that? And she's, oh, I'm listening to classical music while we chat. I'm thinking, whoa, rude, right?
Background music, I guess. But I'm like, I can't hear anything. And these things are not going into her ear holes. These were bone conduction headphones. Beethoven had a pair of these.
Not a pair of Shokz, but he used a conducting baton between his teeth as he played the piano. And the baton allowed the sound vibrations made by the piano to travel through to his inner ear so he could still hear the notes.
Ah, don't you love Beethoven?
Well, I just love that story. So why do I love these? Now, there are other brands. These are the only ones I've tried. They are fab if you don't want to be isolated in an environment, say you're driving or you're running or you're biking or hanging out chatting to boring people like me.
So that's why I was going to ask. So unlike headphones, which sort of take your attention and isolate you a little bit, so these are just kind of giving you background music and you just—
Yeah, they're fab if you want to protect your ears from noise damage.
What do you need a mic for? What, do they link up to your phone as well?
Yeah, it's all Bluetooth, right? So you can then—
Oh, I see. Okay. Right. Okay. So then you can— Yeah.
So then if I'm listening to whatever, and then you call me to go, "Carole, let's talk about the show," I can ignore it. No, no, I can, but I can just transfer over and I can talk with you and I have to hold my phone microphone to my face.
So would you prefer to have these than those? I don't know if you have a pair of AirPods at the moment or don't you? You would rather have this?
Because I keep losing one AirPod. I don't know, don't ask me why, it's ridiculous, but at least these are connected as one. So they're Bluetooth, they're wireless, but they sit around your neck. So it's a one-piece affair, which I much prefer over the AirPods. I like not having my ears isolated. Anyway, this sounds cool. Check them out. I'm pretty amazed by them. They're called Shokz, S-H-O-K-Z. I saw them in Best Buy. I was able to try them out there. Quite fun. So there you go. There's my pick of the week.
How long do the batteries last?
Different levels, it seems, for different buys, but there's a brand new pair coming out imminently from what I saw today. And I think I saw 12-hour battery life.
Oh, okay. So you could charge them every couple of days maybe. And how much do these kind of things cost? Is this hundreds of dollars or is it—
No, no. I think the lower-end ones maybe are about $100, $150, and then the higher-end ones maybe up to $300. But no more than that. I think I saw the brand new ones in the UK for, I think I saw them for £170 when I was looking online today. Very cool though, Cluj. Try them. I think you'd be really impressed. I don't know.
I think I'm thinking, would it be bad for their image if I started wearing them and using them?
Now we have an interview.
Yes, we do.
Yes. Chatted with Maya Levine. She knows everything cloud. She's from Sysdig and she talks about the complexities and the differences of securing the cloud. Check it out. So listeners, today we welcome Maya Levine, a product manager at Sysdig, the company on a mission to make every cloud deployment secure and reliable. Maya Levine, thank you so much for being here on Smashing Security. It's an honor to chat with you today.
Thank you so much for having me.
Well, we want to learn about you, so maybe first you can tell us a bit about you and how you ended up in your current role as product manager at Sysdig.
Sure. So I studied computer science at university, and out of university, I took a role as a security engineer at a different cybersecurity company called Check Point. I moved into technical marketing engineering and then eventually into product management here at Sysdig. So it's been a journey all around, but in cybersecurity, and a big focus is cloud security for me.
What's the best thing about being a product manager?
I think it's just working with people. You have to really kind of communicate and be at the center of so many teams. So you really get to establish relationships with different people. There are definitely big differences, and with the shift of going to cloud, which now almost everybody is at least, at least has some kind of cloud presence. I think we also, as an industry, need to be shifting our mindset about the security. The old secure the perimeter mindset is not really as relevant for the cloud where everything is so interconnected and you have all of these different services and applications that are all talking to each other in different ways.
The cloud is complicated, right? And we often try when things are complicated to provide a kind of simple interface to allow people to get over that hump. But do you think that actually people think it's much simpler than it actually is, in terms of an environment? Because you're right, it talks to everything, right? There's so many different passwords and different identities that can get in and out of it.
I mean, I don't know many people who think of it simple, it's easy to deploy. The automation is there, and that's a huge benefit of the cloud. It allows us to build applications in a really quick and resilient way. things, right? The speed is there. But the con of that is that you have all of these things that are happening and maybe deploying and maybe running that you don't even know about.
Yeah, totally. So maybe you can tell us a bit about the types of attacks you typically see, how do bad actors typically get in into a cloud resource of some sort?
Sure. Before I talk about kind of the techniques, I will say that one major difference and major challenge of being in the cloud is that we're seeing that the average cloud attack takes about 10 minutes to execute start to finish. So often attacks start with some kind of compromised credentials or identities or secrets or keys. I love the metaphor of attackers are looking for the keys under the mats.
Mm-hmm. Security has been around for a long time. Does this environment require us to think about security differently than we would have in a traditional kind of network server environment?
Yeah, because cloud attacks are so fast, right, within 10 minutes, that means that our ability to detect and respond to attacks also need to be quick. And so there's two real elements of security that everybody needs to think about. There's the prevention part of it, which how can I configure my environments in a strong way to prevent anybody from being able to get in in the first place? And then there's the detection part of it, which is the harsh reality is you can't prevent everything, right? There's new methods that attackers come up with all the time. There's vulnerabilities that haven't even been disclosed yet. There's the concept of zero-day attacks, which is things that we don't necessarily know about. So we do actually need the ability to detect when things are happening that are malicious and that are suspicious in the cloud very quickly. Within 5 seconds, you really need to be alerted of something happening so that you can take maybe 5 minutes to correlate and then 5 minutes to initiate some kind of response. The truth is that we need to defend at the same speed that they are attacking. So that gives us about 10 minutes, right, that we need to be able to respond.
And if you act that fast, I mean, you could basically save your customer's data being taken or a huge bill on ransomware or prevent, you know, not giving away to the ransomware and having the data just be leaked somewhere.
Yeah, I mean, there's all sorts of things that you could probably prevent and contain and stop kind of the spread of these attackers within your environments. But the point here is that if you're being alerted an hour later, even 15 minutes after something happened, that's almost too late to be able to actually stop and make a difference. And I don't want to pretend that being able to respond this quickly is easy, right? But we do need to kind of take advantage of automation in the cloud, just like attackers are taking advantage of it for their attacking purposes. So where possible, try to do automated response actions, make sure that you get all of the data and deliver it to the right people if you do need manual actions happening. But basically, the speed at which you need to be notified about something wrong and be able to respond to it, that's going to be a huge challenge for people in the cloud.
So, you're a product manager at Sysdig and an expert in cloud. So, tell us, how does Sysdig approach this that you think is really cool and that you think listeners really need to know about?
The actual live, real-time detection piece, right? Being able to know about something actually in real time and having that information be pushed to whatever the systems are that you use, that's key. That's a big part of it. I also think that we're doing interesting things around correlation. So a lot of attacks are taking advantage of mismanaged identities or secrets or that kind of stuff. And if you're following a user's actions, you can often see, really paint the picture of what the attacker did, right? If they logged in or managed to get credentials of a specific user and then use that user to execute all of these things, being able to put that all together and kind of show you in consequential order, these are the actions that were taken, really helps incident responders be able to understand what happened, what other resources they maybe need to look at, what's the scope of this attack. There are many, many documented cases in the past few years of companies who had to pay millions and millions of dollars daily in fees. I mean, I can think of MGM Grand a couple years ago, right there, they had an attack that happened which brought down so many of their systems, and I think it was over $8 million in damages per day for them. So if you're comparing numbers, right, I don't love saying coming at it with the fear factor, but the truth is, is that if you're not investing in security, you might end up having to pay much more in damages. But it is, it's a complex thing and I would say not just investing in tools is important, but also investing in your people. And the complexity of environments that we're asking people to understand just keeps increasing, right? And so really getting the time to train and learn and understand all of the intricacies of different environments can help. I mean, I can think of an attack recently that the Sysdig Threat Research team discovered where they were— these victims were— they did everything right. 
They had a policy in place to not allow users to create new access keys, but one of the parts of the policy was case sensitive. So they ended up— they wrote the right policy. They just had a lowercase a instead of an uppercase A. And so the attacker was able to use the user anyway. So that's just an example that I can think of where even when you're trying to do the right things and you're putting these security things in place, there's all this level of detail that you really need to get into to be able to actually have the prevention in place. And that's why I emphasize the— you can't always prevent everything. The good news is that on the detection side, often attackers are doing the same kinds of actions, right? They're following kind of the same playbooks. So we know what to look for, basically.
If someone was listening right now and they're going, oh, Sysdig sounds pretty good, but I bet it's really hard just to get it on board, you know, get it infiltrated into our system so that we can actually, you know, get some return from it, what would you say to them?
I would say that we have many different types of, you know, onboarding connections that you can do to integrate security into your systems. We have an agent that you can deploy, but we also have an agentless connection method. So it's pretty easy to test out, and no matter what security vendor that you have, I just wanted to really emphasize how important it is to be thinking about security in the cloud as its own beast, as its own different thing. It is not the same as your on-premise environment. We've seen many threat actors be able to move laterally from your cloud systems onto your on-premise servers. So yes.
Yeah, scary stuff. Totally. I have to say, I have to commend you because I was taking a look around your site, the Sysdig site, and you are very, I think, generous both in the amount of information you share about how to better protect yourself, both on your blog and other places on the site. And I thought that was really good. You know, listeners who are listening to this thinking they're interesting, they can actually just go there and read up, right? And that's... Was that a conscious decision on your end to kind of share so much? Because it's unusual, you know, to have actual information rather than marketing spiel. Power in numbers. I agree. Maya, this has been such a fascinating conversation. Is there anything you want to add before we wrap up?
The last thing I'll just say is that almost every single breach involved some kind of insecure identity or secret or key. I would urge people again to invest in security, invest in real-time detection, and invest in actually narrowing down the amount of permissions that you give the people in your company. So if those credentials get leaked somehow, the impact is not going to be as high.
Brilliant advice. I couldn't agree more. Listeners, you can learn how to stop advanced attacks at cloud speed, Sysdig style, by visiting sysdig.com/smashing. That's sysdig.com/smashing. And this was Maya Levine, product manager at Sysdig Security. Thank you so much, Maya, for taking the time to speak with us today.
Thank you for having me.
Super stuff. And that just about wraps up the show for this week. You can follow us on Twitter @SmashingSecurity, no G, Twitter allows to have a G. And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge thank you to our episode sponsors, Material, Sysdig, and 1Password. And of course, to our wonderful Patreon communities. Thanks to them all that this show is free. For episode show notes, sponsorship info, guest list, and the entire back catalog of more than 382 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye.
Hosts:
Graham Cluley:
Carole Theriault:
Episode links:
- Mail Theft Suspect Apprehended Using AirTag – Santa Barbara County Sheriff’s Office.
- Google and Apple deliver support for unwanted tracking alerts in Android and iOS – Google Security blog.
- Apple and Google deliver support for unwanted tracking alerts in iOS and Android – Apple.
- Barclays Scams Bulletin: Men more likely to fall victim to romance scams, while women lose more money – Barclays.
- 3 men trapped by same woman: Journalist on modus operandi of dating app scams – India Today.
- Mumbai club under fire for ‘dating scam’ after man gets Rs 61,000 bill – India News.
- Romance scams in 2024 + online dating statistics – Norton.
- Tips for romance scams – Better Business Bureau.
- What to know about romance scams – Consumer Advice.
- The Godfather club dating app scam in Mumbai – YouTube.
- What accent does Butcher have in ‘The Boys’? – NME.
- Shokz bone conduction headphones – Shokz.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Sysdig – Secure your cloud in real time. Detect, investigate, and respond to threats at cloud speed.
- Material Security – email security that covers the full threat landscape – stopping new flavors of phishing and pretexting attacks in their tracks, while also protecting accounts and data from exploit or exposure.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a supporter via Patreon or Apple Podcasts for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on Mastodon, on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


