Smashing Security podcast #385: TFL security derailed, and is Trump the king of crypto?

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

Transport for London (TfL) suffers a cybersecurity incident and tells its 30,000 staff they will all have to have their identities verified… in person. Who might have been behind the attack and why? Meanwhile, Donald Trump’s curious relationship with cryptocurrency is explored.

All this and Demi Moore is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

Warning: This podcast may contain nuts, adult themes, and rude language.

(This episode was recorded before the former US President survived a second assassination attempt)

Transcript
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
Well, he doesn't even use computers, does he? Tends to write his tweets or Truth Social posts on Post-it notes. Yeah, and other people type them in for him.

No, he famously doesn't use email and things like that, does he?
CAROLE THERIAULT
Yeah, well, you see, a person after my own heart.
Unknown
Smashing Security, episode 385. TFL Security derailed, and is Trump the king of crypto? With Carole Theriault and Graham Cluley.

Hello, hello, and welcome to Smashing Security episode 385. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, it's a little bit different this week, isn't it? Because we're recording this a few days earlier than normal in our schedule.
CAROLE THERIAULT
Yeah, because normally we do it on a Tuesday and push this out Wednesday midnight UK time. But this week we are recording on Sunday.
GRAHAM CLULEY
Sunday night, my time. After my bedtime, this is. And you're in another part of the world.
CAROLE THERIAULT
Yeah, secret mission. You don't need to.
GRAHAM CLULEY
Okay, we'll get on with it, shall we?
CAROLE THERIAULT
Yes, yes, yes. But before we kick off, let's thank this week's wonderful sponsors, 1Password, Vanta, and Flashpoint. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be talking about the Bakerloo Blues and a Piccadilly panic.
CAROLE THERIAULT
Very cute. And I'm going to drill into the recent crypto revival. All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Chums, chums, let me tell you a story because on Monday, September 2nd, Transport for London, also known as TfL, they are the team responsible for public transport in London, the Underground, the trains, the buses.

They revealed they were dealing with what they called an itsy bitsy little— well, they didn't describe it like that. It was a cybersecurity incident. That's what they said.
CAROLE THERIAULT
Dun dun dun!
GRAHAM CLULEY
And it turned out the previous day, the Sunday, they'd identified some suspicious activity on their systems.

But not to fear, they said, because there was currently no evidence that any customer data had been compromised.
CAROLE THERIAULT
Phew!
GRAHAM CLULEY
Sigh of relief.
CAROLE THERIAULT
Yeah, the trains are going to crash, but don't worry, your data's safe.
GRAHAM CLULEY
No, no, no, no, no. This isn't a Bruce Willis movie, Carole.
CAROLE THERIAULT
No, no, sorry, that's misinformation. I was just being facetious.
GRAHAM CLULEY
So nothing like that happened. No impact on the travel services. They're working closely with the NCA, the National Crime Agency, and others to respond to the incident.

And of course, the fact that they said they were unable to comment any further, oh, that led to lots of speculation. It was pouring diesel onto a bonfire of speculation.

Could it be ransomware? Had they suffered a, I don't know, a Brent Cross site scripting flaw or a two-team— what is a pun? Brent Cross, which is a tube station.

Brent Cross Site Scripting Flaw. Do you get it? Brent Cross Site Scripting Flaw, or—
CAROLE THERIAULT
It's always the best jokes that need an explanation, I think. Yes.
GRAHAM CLULEY
How about this one? A tooting business email compromise, better known as a tooting BEC, or tooting BEC. If you know your tube stations, what I've said there was really, really funny.

But never mind. No.
CAROLE THERIAULT
The puns.
GRAHAM CLULEY
The puns are writing themselves today rather than having a professional to write them for them.

Anyway, the silver lining in all this was that they hadn't seen any evidence that customer data had been accessed, which remains the case, marvelously, until they did reveal last week that customer data had been compromised.

Of course, often in the instant aftermath of a cyber breach, you may not realize quite what the extent of it may be.
CAROLE THERIAULT
So did they not know? That there was any data breach, or did they know and they were just keeping it hush-hush, do you think?
GRAHAM CLULEY
Oh no, I think it can be hard to tell. I think first it's really hard to tell what files may have been accessed, where they may have gone, what they may have taken.

It's not like stealing the crown jewels and there's a gap. You know, it's data that potentially has been just copied.

So in their words, they said very little, very little customer data has been taken out.
CAROLE THERIAULT
I thought they said very little.
GRAHAM CLULEY
Oh well, they did say very little and they said very little. OK. In both meanings, yes. And you and I, we've travelled on British transport and around London.
CAROLE THERIAULT
Of course.
GRAHAM CLULEY
We've suffered very little delays from time to time, haven't we?
CAROLE THERIAULT
Some delays. Occasional delays.
GRAHAM CLULEY
Occasional delays. Sometimes it can be hours and hours and hours. So you don't always trust them when they say, you know, it's always very, very small problem, very small problem.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
So the question was, how much customer data was taken?
CAROLE THERIAULT
Give us specifics, please.
GRAHAM CLULEY
And they said, well, listen, they said there's a problem. They said the problem is the situation is evolving.
CAROLE THERIAULT
We would have said that when we did our PR comms days. If we were in this situation, we would have said this exactly.
GRAHAM CLULEY
But now we're cybersecurity podcasters, so we can make fun of this. They said this.
CAROLE THERIAULT
I'm not making fun of it. I understand. I feel their pain. The media is just hounding them. They are trying desperately to work out what the fuck happened. They are effectively victims.

And that victimization is going to be passed on to users. And it's a shit show of a situation. And the media is like, what happened? What happened? How many customers?
GRAHAM CLULEY
Well, I wondered whether it was evolved in a good way, because sometimes things evolve in a good way, don't they?

Like we have opposable thumbs and we can, you know, do things which chimpanzees can't do or dolphins can't do.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
Ride bicycles, for instance. But I've also seen Alien, and that evolved in quite a bad way. Anyone who saw John Hurt's chest explode in that movie will remember.
CAROLE THERIAULT
So, you know, that, that great documentary.
GRAHAM CLULEY
Yeah, factual documentary. That's right. So they said, although there's been very little impact on our customers so far, the situation is evolving.

Our investigations have identified that certain customer data has been accessed, including customer names and contact details, email addresses and home addresses where provided.
CAROLE THERIAULT
I don't know if I'd say that's very little, but—
GRAHAM CLULEY
Well, yeah, they didn't say how many.
CAROLE THERIAULT
Yeah, okay.
GRAHAM CLULEY
They just said some. I don't like that they only said some, and maybe that's because they don't really know at the moment.

But then they went on, they were a little bit more specific. They said also some Oyster card refund data. That's the travel card used in London.

They say that may have been accessed, including bank account numbers, sort codes, for round about 5,000 customers, they say.
CAROLE THERIAULT
Very little. Very little.
GRAHAM CLULEY
Not much to feel good about if you are one of those 5,000.
CAROLE THERIAULT
Of course, I was being facetious. I'm sure that was clear. Wow.
GRAHAM CLULEY
Yes, you also. Yes. So, so far, so normal. But when a company gets hacked, the impact isn't just to its customers. It's also impacting their IT systems.
CAROLE THERIAULT
Whose IT systems? The customer's IT systems?
GRAHAM CLULEY
No, no, the IT systems of the organisation that's been hacked. So TfL in this case, right?
CAROLE THERIAULT
Right.
GRAHAM CLULEY
So, live tube arrival information wasn't available on their website and in their app, although it was still available at the stations themselves.

You couldn't apply for a new Oyster photocard.

They said, if you can't get a new photocard, carry on making your journeys as usual, please keep on giving us money, but keep a record and maybe we can arrange a refund in the future.

They said, maybe we'll be able to do that once we've resolved this cybersecurity incident.

So there was an impact on the IT systems, and they said some of our staff may not be able to access systems either, so it may be difficult.

But when a company gets hacked, it's not just about its customers, and it's not just about its IT systems, it's also about the employees.

And TfL revealed that workers' email addresses, job titles, employee numbers were also accessed.

Although at this point of time, at the time of recording, Sunday night, don't forget, they don't believe other data such as bank details and dates of birth and home addresses, they don't think that's been accessed.
CAROLE THERIAULT
Yeah, this dribble effect is not fun, is it?
GRAHAM CLULEY
No.
CAROLE THERIAULT
This is just dribbling, dribbling, and every time they dribble, it's more awful, awful stinky stuff that you just don't want to hear.
GRAHAM CLULEY
They're stuck between a rock and a hard place.

I mean, it's horrible obviously for the employees and customers that more and more information begins to dribble out and it's generally bad news.

But it's also really tough for the organization because they're thinking, well, we need to tell them what we know so far, even if we don't know the story.
CAROLE THERIAULT
Yeah. If we don't know shit, we're in panic mode. People are yelling at us left, right, and center.

And we have to act calm, cool, and collected and give people information they're asking for. Otherwise, it looks like we're hiding information. And this just happened, right?

This just happened.
GRAHAM CLULEY
Well, the start of this month. Yeah. It's now two weeks later since it first happened.
CAROLE THERIAULT
Yeah. Yeah. They're not a tech firm, but they're an important infrastructure in London, key infrastructure.
GRAHAM CLULEY
Yes. Now, sometimes when a hack like this occurs, you kind of have to assume the worst, don't you?

Because if you assume the worst, at least it's not going to get any worse than that. And at least that may be the best route to recovery.

So one of the things that they've decided to do is they're going to undertake an all-staff IT identity check.

So before any member of staff can log back into their system, they're going to verify those users' identities.
CAROLE THERIAULT
I haven't heard of that happening before.
GRAHAM CLULEY
Well, it's a bit like resetting a password on a website.
CAROLE THERIAULT
I mean, I get it. I get it. It's interesting. But that's a lot of staff when you talk about the Tube in London.
GRAHAM CLULEY
Well, yeah, because they're telling these people to show up in person. They're not telling them to do this via their computer. They're not telling them to do it even via video call.

You have to show up in person. 30,000 people are being told to show up in person.
CAROLE THERIAULT
Please arrive on Monday between 9:30 and 10:30.
GRAHAM CLULEY
That's exactly what's happening.
CAROLE THERIAULT
No!
GRAHAM CLULEY
I hope they're not trying to get there by train. That is exactly what is happening.

There are eight locations across London, and I've seen the photographs posted on social media of these huge long queues.

It's like queuing for a Taylor Swift concert, going up the street through offices. Huge queues of people waiting to have their identity checked.

They're taking their passports with them and all the other information. Now, checking the identities of 30,000 people in person—huge logistical challenge.
CAROLE THERIAULT
Mm.
GRAHAM CLULEY
And as I said, they're giving staff time slots to show up at the locations.

They've warned the public that as this process is being carried out, there may be limited disruption to travel services as well.
CAROLE THERIAULT
Very, very little. Very little.
GRAHAM CLULEY
Very little. Very little. So, few questions. Why are they doing it this way? Couldn't they have done this via video link instead? And I was talking to somebody about this.
CAROLE THERIAULT
Yeah, I wouldn't trust it with AI stuff now.
GRAHAM CLULEY
I wouldn't trust it. Well, that's—see, yeah, that's exactly what they said, Carole. They said, well, what about if it were deepfaked?

But my reaction to that was, well, maybe technically they could, but I don't know if it'd be the most convincing thing.

But wouldn't it be easier for a criminal just to turn up in person with fake ID posing as an employee in that person's name? Wouldn't that be easier just to do that?
CAROLE THERIAULT
Well, you could pose, may not get through. They might go, nice fake ID there, bubba. Let's go. You know, nice try.
GRAHAM CLULEY
Well, who's doing these identity checks? It's not Miss Marple. I mean, is it going to be someone who's—
CAROLE THERIAULT
I don't know. Maybe you should go and investigate, do some deep, deep investigation, see what's going on.
GRAHAM CLULEY
I also thought, why not have bosses verify their staff? Could the bosses not have rung up their staff?

Obviously not if you have hundreds of people working for you, but, you know, it must cascade down.
CAROLE THERIAULT
Yeah, I'm actually—I think this is the right thing to do.
GRAHAM CLULEY
You do?
CAROLE THERIAULT
Because what it says to the public is this was a big fucking deal, which it is, right? And the public want the TfL to say this is a big deal.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And this is a way to help build trust again, and that it's going to be painful. But how long will it take? Maybe a few weeks of nightmare?
GRAHAM CLULEY
Now, something similar has happened before where they've had to verify all their staff. Not very long ago. Do you know Dick's at all? You're in North America.

Dick's is a sporting chain. They got hacked. They shut down all their email system and they re-verified people via video call.

So I guess TfL considered all their options, decided that although disruptive, this in-person check was the way in which they could feel most confident about what they're doing.

But what I'd say to any organizations out there listening, consider how you would handle this.

How would you identity check all of your staff before giving them access to your network again? How disruptive would it be? Have you planned for that kind of situation?

Now, when I was hearing about this hack, Carole, I was reminded of another organization that was hacked. MGM Resorts last year suffered a cybersecurity incident.
CAROLE THERIAULT
I remember, yeah.
GRAHAM CLULEY
Their slot machines went down, their ATMs.
CAROLE THERIAULT
Mm-hmm.
GRAHAM CLULEY
Some people couldn't get into their hotel rooms, hitting all those hotels in Las Vegas.

And it was later revealed that the hackers, who were members of the Scattered Spider gang, had socially engineered MGM Resorts' IT help desk, pretending to be an employee who'd been locked out of their account.

And said, "Oh, can you help me if my two-factor authentication, you know, it's not working," you know, answering some questions.

And they gained access and were handed the login credentials.

That cost MGM over $100 million, which I imagine included the cost of resetting employees' login credentials and two-factor authentication tokens.
CAROLE THERIAULT
And you know what, though, I'm— boohoo, boohoo, really. Like, MGM Resorts can afford that. Surely that is what of their annual turnover?

I'm not saying that, but I'm just saying they can afford it. I'm not sure the shareholders would have been happy.
GRAHAM CLULEY
Oh, I'm sure not. But again, I'm not sure I believe in that whole, you know.

So one other side to this story with this TfL hack, we haven't really considered the big question is who was responsible?

And it looks like the police may have worked that out because within just a few days, like 3 days of TfL announcing its cybersecurity incident, the NCA, the National Crime Agency, arrested a 17-year-old teenage male in Walsall.

This highly sophisticated cybersecurity attack wasn't done by a state nation.
CAROLE THERIAULT
He doesn't even have peach fuzz on his chin.
GRAHAM CLULEY
They arrested him and they questioned him on phishing and Computer Misuse Act offenses, and he was released on bail.

Now, this is a funny coincidence because UK computer crime cops paid another visit to Walsall in the West Midlands a couple of months ago.

In July, they arrested— yes, a 17-year-old teenage male in Walsall suspected of being a member of the Scattered Spider gang, who are thought to be behind the MGM hack.

Okay, so I don't know how many 17-year-old youths there are in Walsall, or indeed how many of them may be in the habit of possibly hacking organizations and giving IT support teams a headache over login credentials, or someone has a router right in their basement, wherever they're using it.

Oh, you think it's just a compromised computer?
CAROLE THERIAULT
And then it's just some 17-year-old is going, "I don't really know what's going on here." That's possible.
GRAHAM CLULEY
You should work on the defense case, I think.

It seems to me quite right to ponder if it's possible that the reason the UK police were able to find a suspect in the TfL hack quite so quickly was because they had the address of a suspect in another high-profile hack still in their sat-nav history.

So they just said, let's go back to Walsall and pick up this guy. Some people have dubbed this not an advanced persistent threat, but an advanced persistent teenager.
CAROLE THERIAULT
But that's also a really excellent joke and well done you.
GRAHAM CLULEY
Well, it wasn't original, that one.
CAROLE THERIAULT
You told it so well.
GRAHAM CLULEY
Crow, what's your story for us this week?
CAROLE THERIAULT
So, okay, we're going to go back a bit. So let's think back late 2023.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And at the time, I kind of thought that the whole crypto bandwagon was dwindling, you know, with so many exchanges, you know, having to disclose hacks like Binance or FTX.
GRAHAM CLULEY
Oh yeah.
CAROLE THERIAULT
There was even some declaring bankruptcy, FTX. Plus the soaring valuations that we were seeing were looking like they were calming down.

Like Bitcoin, for example, which was being valued at $60,000 per coin in '21-'22, was more in the range of $20,000 per coin in 2023. So that's a big dip.

And there was of course this legal quagmire faced by FTX's Sam Bankman-Fried and four of his honchos facing accusations of fraud, conspiracy, and money laundering.

And they weren't alone in that. So all this happening, I'm thinking, ah, crypto, it'll soon be something for the history books.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
But then mid-July 2024, something happened. Bitcoin screamed upwards, from something like $25K to $67,000 per Bitcoin.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
That's a huge jump. It's gone right back up.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And Bitcoins weren't the only coin to see a dramatic uptick, you know. So did Solana, so did doggy coin— sorry, Dogecoin.

In fact, the global cryptocurrency market cap rose by 0.7 to around $2.45 trillion. So big, big things happened. Can you think of why? Oh, what would have led in mid-July?

It coincided with political incidents.
GRAHAM CLULEY
Mid-July. Was it Joe Biden decided to get out of politics and he's going to invest in cryptocurrency instead? Was it something? No, I'm on the right lines.
CAROLE THERIAULT
First part was right. Biden's announcement that he would not seek reelection certainly had an impact.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
But also, I'll read a headline to give you a hint here. Bitcoin surged to a two-week high on Monday after the attempted assassination of the former president.
GRAHAM CLULEY
How quickly we've forgotten all about that.
CAROLE THERIAULT
Well, I hadn't.
GRAHAM CLULEY
I know, but it's astonishing, isn't it? That should have been the story of the year.
CAROLE THERIAULT
Yeah. Totally. That happened.
GRAHAM CLULEY
That happened. But, you know, that was a couple of weeks ago now. But yeah. Okay. So how did that affect cryptocurrency?
CAROLE THERIAULT
Well, the combination together. Right. So specifically, Biden stepping down.

This news was seen as beneficial to the crypto space because it increased the chances of Trump's return, who is perceived as more crypto friendly.
GRAHAM CLULEY
Oh, I see.
CAROLE THERIAULT
And crypto friendly, the Republican hopeful seems to be.

Because just a month before the crypto stocks started doing their aforementioned uptick, Trump pitched himself at the San Francisco tech fundraiser.

He pitched himself as the crypto president. That's a quote.
GRAHAM CLULEY
Right. Whereas Joe Biden was just from the crypt.
CAROLE THERIAULT
Well, Reuters reported that at this event, our man slammed the Democrats' attempt to regulate the sector. And this is key to the issue, right?

Regulators have been sniffing around a lot more since the bankruptcies at major crypto firms.

Yeah, it spooked investors and exposed fraud and misconduct and left millions of investors out of pocket.

And the Democrats are saying even now, they want to look into this and maybe regulation is needed.

And of course, the crypto hoi polloi definitely don't want the Wild West that they've created of decentralized money generating schemes to be bogged down by rules.

Which would hold them more liable for losses or lack of security or lack of ethics or whatever.
GRAHAM CLULEY
What possible benefit would come from policing and regulating cryptocurrency more so that people didn't lose all of their savings?
CAROLE THERIAULT
Exactly. And they've managed to sell this, right? Saying, don't let this be regulated because you're going to lose money. Right now, this is where you can make hay. It's the gold rush.

So it makes sense that crypto dudes, they would be very happy that there is at least one presidential candidate that seems to be on side against regulation.

But wait, the Republican candidate of which we speak is even more crypto-friendly than that.
GRAHAM CLULEY
He who shall not be named. Yes.
CAROLE THERIAULT
This past Monday, the wannabe pres with the Florida tan.
GRAHAM CLULEY
I don't think the tan comes from Florida. I think it comes from Coupranol. I don't think that that's a tan that has come from sunlight.
CAROLE THERIAULT
Always really small, you know, he's been wearing goggles.
GRAHAM CLULEY
That's why.
CAROLE THERIAULT
But our man is to announce the debut of a brand new crypto platform called World Liberty Financial.

This is a brand new decentralized financial platform that will be controlled by sons Trump Jr. and Eric Trump.
GRAHAM CLULEY
There's going to be a Trump coin.
CAROLE THERIAULT
Quote, we're embracing the future with crypto and leaving the slow and outdated big banks behind, he said in a video posted Thursday on X from Mar-a-Lago.

World Liberty Financial has apparently partnered with AAVE. I don't know how you say that, A-A-V-E, AAVE, a crypto lending platform.

So I did a little digging, and huddle huddle, because they had a bit of a nightmare last April where they accidentally liquidated $26 million in assets belonging to their users.

So accidentally, apparently, right? So you need to have a certain threshold in order to be a user, I guess.

So you have to have at least X amount of cash or something in there, right?
GRAHAM CLULEY
Yep. Sounds familiar.
CAROLE THERIAULT
They accidentally changed that threshold to make it higher.

So suddenly loads of users didn't meet that threshold and the systems just flushed out their assets and sold them off because they couldn't be holders.
GRAHAM CLULEY
I wouldn't want my assets flushed.
CAROLE THERIAULT
So that's fun. So they're the partner. And the other question mark is with the dealmaker for World Liberty Financial.

So according to Bloomberg, Chase Herro, double R-O, that can't be his real name. I mean, come on, Chase Herro.
GRAHAM CLULEY
The name's Herro. Chase Herro.
CAROLE THERIAULT
So Chase Herro is apparently an interesting choice because he's kind of labeled by many in the industry as effectively unknown.

He only had one crypto project, which he's publicly affiliated with, and it attracted just a few million dollars and then suffered a devastating hack. So that's his background.
GRAHAM CLULEY
Sounds promising.
CAROLE THERIAULT
Yeah, there's a YouTube video with Herro. It's from 2018 and it's on YouTube still, right? So you can see it in the show notes.
GRAHAM CLULEY
Right.
CAROLE THERIAULT
It's called Crypto Talk and he's there driving a Rolls-Royce and he says, quote, "You can literally sell shit in a can wrapped in piss covered in human skin for $1 billion if the story's right, because people will buy it." Hang on.

He has in the past called himself reportedly the dirtbag of the internet and says that regulators should kick shitheads like him out.
GRAHAM CLULEY
And this is the person who's teamed up.
CAROLE THERIAULT
This is the dealmaker, right? Yeah. Sounds promising, right? I can't wait. And the icing on the cake, the icing on the cake, the man that X'd Twitter.

Can we just have a little hand clap for me? Because that's cute, right? X Twitter. Or has that been used many times?
GRAHAM CLULEY
The person who X'd Twitter? What do you mean?
CAROLE THERIAULT
X'd? Yeah, X'd Twitter. It's kind of like axe Twitter. You get rid of it, put an X across it.
GRAHAM CLULEY
Oh, okay. That— oh, that's the— no, no, no, that's as good as my puns were earlier, in fairness.
CAROLE THERIAULT
Okay, whatever. The man that X'd Twitter, the richest man on the planet, has our presidential hopeful's endorsement to head a new governmental crypto task force.

And I think that is an amazing idea because we all know how much Elon loves regulators and he never rocks the boat for his own weird entertainment.

And why not have him be in charge of that? I think that sounds fantastic.
GRAHAM CLULEY
What you're saying, that Elon Musk, if Donald Trump wins the election, right?
CAROLE THERIAULT
If, if, if he wins the election, he has Trump's endorsement to be the head of this government crypto task force at the moment.
GRAHAM CLULEY
Okay, but I don't think that means Elon Musk will do it though, will he?
CAROLE THERIAULT
No, but he might just for the kicks.

Now, all this crypto hype is a little bit of a U-turn for the former president, who has previously described himself as not a fan of cryptocurrency.
GRAHAM CLULEY
Well, he doesn't even use computers, does he? Tends to write his tweets or Truth Social posts on Post-it notes. Yeah, and other people type them in for him.

No, he famously doesn't use email and things like that, does he?
CAROLE THERIAULT
Yeah, well, you see, a person after my own heart. In 2019, he tweeted that cryptocurrency can facilitate unlawful behavior, including drug trade and other illegal activity.

But we do all know, and I think I can say this, that this guy loves the stink of the green, doesn't he? And it looks like he's set to go down the crypto highway to find it.

So people that are intrigued, I think trusted advice on crypto is worth remembering.

So first, before you get all excited, learn how cryptocurrencies work, the difference between various types of crypto assets like Bitcoin and altcoins and stablecoins and tokens and all that stuff, and deep dive into any project you're interested in.

Notably, we can't really deep dive into this project because there's not a lot of information that has been put out as of Sunday the 15th of September. Evaluate your risk tolerance.

Basically, only invest what you can afford to lose. And secure your investments with reputable exchanges with solid reputations.
GRAHAM CLULEY
This is, this is the killer one, isn't it?
CAROLE THERIAULT
And maybe store your crypto very, very safely, like in a hardware wallet or a secure wallet.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
Take heed, my friends. That's my advice.
GRAHAM CLULEY
This episode of Smashing Security is brought to you by Flashpoint. 2024 has been a year like no other for security.

Cyber threats, physical security concerns have continued to increase. Now geopolitical instability is adding a new layer of risk and uncertainty.

Last year there was a staggering 84% rise in ransomware attacks and a 34% jump in data breaches.

Flashpoint empowers organizations to make mission-critical decisions that will keep their people and assets safe. How does it do that?

By combining cutting-edge technology with the expertise of world-class analyst teams, and with Ignite, Flashpoint's award-winning threat intelligence platform, you get access to critical data, finished intelligence, alerts, and analytics all in one place.

It's no wonder Flashpoint is trusted by mission-critical businesses and governments worldwide. To access the industry's best threat data and intelligence, visit flashpoint.io today.

That's flashpoint.io. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps? I didn't think so.

So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?

Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

Whether you're starting or scaling your company's security program, demonstrating top-notch security practices, and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.

Over 7,000 global companies like Atlassian, Sophos, FlowHealth, and Quora use Vanta to manage risk and improve security in real time.

Get $1,000 off Vanta when you go to vanta.com/smashing. That's vanta.com/smashing for $1,000 off.

And welcome back, and you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, movie, a record, a podcast, a website, or an app, whatever they like.

It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week is not security related. It's also not a funny story, a book that I've read, a TV show, a movie, a record, a podcast, a website, or an app.
CAROLE THERIAULT
Whoa.
GRAHAM CLULEY
It is instead whatever I like.

Oh, because while I was on honeymoon earlier this year in Barcelona, I heard a melodic sound coming from this little town square, and I walked into it, and there I found a man playing an instrument of melodic percussion known as the tam drum.

And I was rather taken by it. I said, "That's a lovely instrument you got there, sir," I said in my faltering Catalan. And he said, "It's a tam drum.

Would you like to buy one?" And I bought one.
CAROLE THERIAULT
Oh my God, did you?
GRAHAM CLULEY
I did, as a little honeymoon gift for myself and for my partner.
CAROLE THERIAULT
I bet she loves it.
GRAHAM CLULEY
She does love it. It is an instrument recycled from an old propane gas bottle grabbed from a scrapyard.
CAROLE THERIAULT
Oh no, I do like these things. Yes, I'm looking at one right now. I've seen these. Yeah, they have a very nice sound.
GRAHAM CLULEY
It has a very beautiful sound.
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
In fact, I'm going to start playing one now in the background so everyone can enjoy it.
CAROLE THERIAULT
And I'm going to talk a bit softer now that that's playing.
GRAHAM CLULEY
Okay, yeah, because it's all a bit namaste now. It's all a bit meditation, yoga, all that jazz.
CAROLE THERIAULT
My kind of stuff.
GRAHAM CLULEY
You play it with your hands or more easily with little rubber sort of xylophone mallet things, sort of. It's a— I don't know what you're giggling about.

You're making your own jokes back there. It's a bit like, I was trying to work out how to describe it. You know, steel drums. You know, you get steel drums.
CAROLE THERIAULT
They can hear it right now.
GRAHAM CLULEY
I know you can hear it right now. I'm trying to describe what it looks like. It's the inverse of a steel drum.

So you're sort of banging on the outside of it and you get these beautiful sounds.

Anyway, it's easy to play even if you're an adult me, but in the hands of someone with a musical lean, and one of my stepsons is very musical, tinkle tonkle. It's really lovely.

And I will link to the website where we can get them. Obviously, it's going to cost you a bit because you'll have to get it shipped from Barcelona, unless you're out there.

But I've got one on my living room table, and everyone who comes by has a little tinkle tonkle, and it's a lot of fun. And that is my pick of the week, the tam drum.
CAROLE THERIAULT
Brilliant. There you go.
GRAHAM CLULEY
Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, look, I've been reading a lot recently. And I just, I kind of started getting overwhelmed by fiction. After a while, I was just okay, enough.

So I decided to check out a random memoir. And I chose one from Demi— no, Demi, I learned Demi Moore. Demi Moore.
GRAHAM CLULEY
Demi Moore.
CAROLE THERIAULT
Inside Out. Ten years ago she wrote this.

And the reason I chose this is because over the weekend I read that Demi— or no, Demi is starring in a new maximalist movie called The Substance. Have you heard about this?
GRAHAM CLULEY
The sub— no, I haven't heard of The Substance. No.
CAROLE THERIAULT
Well, it's just come out. It follows 61-year-old actor Demi.

She plays a character called Elizabeth, and she basically in the movie tries a black market drug to create a younger version of herself.

Okay, apparently it's the most grotesque movie of the year. I'm dying to see it. This is totally up my alley. And I found this memoir, Inside Out.

And I don't know, she was a big deal for me because I was exactly at the right age when she kind of rose to fame.
GRAHAM CLULEY
When she did Ghost with Patrick Swayze?
CAROLE THERIAULT
Oh, way before that. She was in St. Elmo's Fire, Brat Pack. You know, she was dating Emilio Estevez. I was getting those magazines who's dating who? And oh, oh my God.

And you know, there was Rob Lowe and Molly Ringwald and all that stuff. So that was my whole rock space.

And the book, this book Inside Out was written after her relationship with the 20-year-younger boy toy Ashton Kutcher went south.

So she talks about her shitty childhood, her rise to fame, her relationship with Brucey Brucey Willis, the movies she did.

You know, she was the highest paid actress ever for a while.
GRAHAM CLULEY
Really? Yeah.
CAROLE THERIAULT
And she talks about that cover she did with Annie Leibovitz, you know, the 1991 Vanity Fair cover where she's—
GRAHAM CLULEY
Oh, when she was pregnant and naked. Yeah.
CAROLE THERIAULT
Mm-hmm. Everyone knows of that.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
And I read the article, I found it in an archive, and I've put that in the show notes as well. It is so judgy about her.

It's really, you know, they basically kind of treat her as a princess that is not worth her success. But I did read something in that article that I don't think was in the memoir.

Okay, and this is when she was married to Bruce Willis. So apparently the Willis gave birth on film in addition to an audience of six friends. This is all in the Vanity Fair article.

And in addition to an audience of six friends, the couple had three video cameras taping the big event.

The guests included their massage therapist, Moore's personal assistant, Bruce's best friend Carmine, Moore's girlfriend Patsy, and of course Randy the video operator.
GRAHAM CLULEY
So they've got multiple cameras. That means different angles, giving birth, and an audience. Is there a director's cut?
CAROLE THERIAULT
Demi is quoted as saying, the doctor was there, but Bruce's hands were in me pulling Rumer out. That's the name of their daughter. We have it all on video. I stayed very calm.

I had the baby's head out of me. I was touching her ear, and I said to Randy, are you getting this? I want to make sure he has it in focus. Crazy bonkers.
GRAHAM CLULEY
Hollywood.
CAROLE THERIAULT
But the book is basically that as well. It's fascinating. So she's lived in a vastly different life from mine.

So that's my crazy pick of the week, Demi Moore's 10-year-old memoir Inside Out. I really enjoyed it, Graham. I think you might too.
GRAHAM CLULEY
I don't know, maybe I'll put it on my list with my Libby app. Maybe I'll find it. Well, that just about wraps up the show for this week.

You can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G.

And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast apps such as Pocket Casts, Spotify, and Apple Podcasts.
CAROLE THERIAULT
And huge, huge thank you to our episode sponsors, Flashpoint, 1Password, and Vanta. And of course, to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 384 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time. Cheerio. Bye-bye. Bye-bye.
CAROLE THERIAULT
Clue. 15 episodes to go before we hit the big 400.
GRAHAM CLULEY
Should we even recognize?
CAROLE THERIAULT
Yes.
GRAHAM CLULEY
Should we just wait till 500? It just seems a bit pathetic celebrating a 400th episode.
CAROLE THERIAULT
Well, okay, you don't have to celebrate. I'll celebrate. Why don't you stay home?
GRAHAM CLULEY
Don't even show up.
CAROLE THERIAULT
I'll have my own show for a day. I'll invite my own Graham replacement for the show. And we'll have a 400th party. Oh.

Hosts:

Graham Cluley:

Carole Theriault:

Sponsored by:

  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Flashpoint – Access the industry’s best threat data and intelligence.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
