The SolarWinds have returned to haunt four cybersecurity companies who tried to hide their breaches and ended up with their trousers around their ankles, and North Korea succeeds in getting one of its IT workers hired… but what’s their plan?
All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
It wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect, maybe not the best advice.
Doesn't look that good.
Doesn't look that good.
Yeah.
Smashing Security, Episode 390: When Security Firms Get Hacked and Your New North Korean Remote Worker with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 390. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 390. My name's Graham Cluley.
And I'm Carole Theriault.
Ah, Carole, you sound in a much better voice this week. Are you feeling better?
I am, and I'm getting my sense of smell and taste back. That was a bit of a shocker. Not fun.
I didn't know you had any sense of taste ever. That's extraordinary.
Well, that's why I hang out with you.
Oh, oh, you got me on the boomerang.
Sorry, I don't mean to bully you.
Now, I've had a busy week. I went off to Norway.
Yes.
I performed on the stage at the Oslo Opera House.
I hear it's very beautiful.
It is stunning, the Oslo Opera House. It's an incredible piece of architecture. Really, really cool. Looks like a Bond villain's lair.
But it was terrific being there and meeting some fans of the pod as well. Hope you enjoy your stickers.
But it was terrific being there and meeting some fans of the pod as well. Hope you enjoy your stickers.
High five to you all. Now, let's kick this show off and thank this week's wonderful sponsors: 1Password and Vanta. Now coming up on today's show, Graham, what do you got?
I'm going to be talking about when cybersecurity companies get hacked.
Ooh, and I'm going to talk about when a new remote hire does not work out as planned. All this and much more coming up on this episode of Smashing Security.
Now, chums, I'm going to start off today talking about a hack which happened a few years ago, the hack of SolarWinds. Carole, have you heard of SolarWinds?
Yes.
Yes, of course you have.
It was huge.
Huge. And they are a huge company. They're a $5 billion company. They manage network infrastructure for, well, just about everyone.
Over 425 of the US Fortune 500 are using their software.
That means the top 10 US telecoms companies, all branches of the US military, the Department of Justice, the US President's Office, the top 5 accounting firms, Microsoft, Intel, Google, the list goes on and on and on.
And their problems began when some of their developers left their GitHub repository, the place where they put in their source code.
They left it open to the public, to the entire world, which isn't a good idea, is it?
Well, it can be all right leaving your source code open, but maybe not if your source code includes a hardcoded plaintext password for one of your company's update servers.
That's not so good, is it? Not so wise.
Over 425 of the US Fortune 500 are using their software.
That means the top 10 US telecoms companies, all branches of the US military, the Department of Justice, the US President's Office, the top 5 accounting firms, Microsoft, Intel, Google, the list goes on and on and on.
And their problems began when some of their developers left their GitHub repository, the place where they put in their source code.
They left it open to the public, to the entire world, which isn't a good idea, is it?
Well, it can be all right leaving your source code open, but maybe not if your source code includes a hardcoded plaintext password for one of your company's update servers.
That's not so good, is it? Not so wise.
No, you wouldn't want to do that if you were a company.
Now that's bad enough. What's even worse, though, than revealing your password is revealing it's a really, really bad password.
I can't remember what it was.
So the company's name is SolarWinds and they have a password to their update service. Just have a guess. Have a guess.
Is it SolarWinds with some zeros and ones?
You're so close. The password was SolarWinds123.
Aha.
Yeah, not that great. As we all know, to have a properly strong password, you'd need to add an exclamation mark on the end of that.
And— So SolarWinds, they took an interesting approach when they were challenged about this. In fact, a member of Congress Katie Porter.
She went viral briefly when she spoke to SolarWinds CEO about the password.
And— So SolarWinds, they took an interesting approach when they were challenged about this. In fact, a member of Congress Katie Porter.
She went viral briefly when she spoke to SolarWinds CEO about the password.
Does this look familiar to you?
Yes.
SolarWinds123. Is it true that some servers at your company were secured with this crackerjack password, SolarWinds123?
I've got a stronger password than SolarWinds123 to stop my kids from watching too much YouTube on their iPad.
I've got a stronger password than SolarWinds123 to stop my kids from watching too much YouTube on their iPad.
And the SolarWinds CEO, he responded by saying, well, it wasn't really our fault, and he blamed it on an intern. No.
Congressman, I believe that was a password that an intern used on one of his GitHub servers back in 2017, which was reported to our security team, and it was immediately removed.
That's gross. It's really gross.
That's gross. It's really gross.
Not good. And the problem was these Chinese hackers broke into SolarWinds. They exploited their access to the update server and created a malicious software update called Sunburst.
And that malware was installed via the booby-trapped SolarWinds software update. It then sat around waiting for around about two weeks before doing anything malicious.
And then when it triggered, it disabled all antivirus software and forensic tools to try and stay undetected.
And it started looking for other vulnerabilities to exploit on your network.
And ultimately, as many as 18,000 of some of SolarWinds' 300,000 customers installed this malicious update, and they were now compromised with a remote access Trojan.
Now, 18,000, you may think, could have been much worse.
And that malware was installed via the booby-trapped SolarWinds software update. It then sat around waiting for around about two weeks before doing anything malicious.
And then when it triggered, it disabled all antivirus software and forensic tools to try and stay undetected.
And it started looking for other vulnerabilities to exploit on your network.
And ultimately, as many as 18,000 of some of SolarWinds' 300,000 customers installed this malicious update, and they were now compromised with a remote access Trojan.
Now, 18,000, you may think, could have been much worse.
Uh-huh, but I remember the companies.
Yeah, the organizations, there's NATO, the UK government, the European Parliament, Microsoft, big organizations. And the hackers, hung around undetected for up to 9 months.
That's so gross.
In all of these organizations, stealing information, gaining unauthorized access to data and email accounts. Huge data trove.
This is one of the biggest hacks in history, one of the most serious security breaches.
And it wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect, maybe not the best advice.
Maybe not the best advice. Doesn't look that good. Yeah, doesn't look that good.
This is one of the biggest hacks in history, one of the most serious security breaches.
And it wasn't helped, of course, because SolarWinds had been advising customers to disable any antivirus before installing its software. In retrospect, maybe not the best advice.
Maybe not the best advice. Doesn't look that good. Yeah, doesn't look that good.
No, but also you can understand how big companies have been working in a certain way for decades potentially, and everything's gone tickety-boo, and they have these certain little back doors in place, and they're there for a very good reason, as long as they're kept stum and all this.
And I'm sure many companies do this. And it's not smart, you know, because when this happens, it's a real shit show, you know?
And I'm sure many companies do this. And it's not smart, you know, because when this happens, it's a real shit show, you know?
Well, yeah, and it's certainly not smart publishing your password, particularly dumb password.
But that was obviously an error, you know, that wasn't by design.
Yes, I'm not saying it was deliberate by any means.
And of course, organizations like governments, like big companies, like the US President's office, whatever, they do rely upon security companies and cyber companies pushing out updates And sometimes they will kind of greenlight those updates rolling out.
We saw that with the big CrowdStrike outage earlier this year.
And of course, organizations like governments, like big companies, like the US President's office, whatever, they do rely upon security companies and cyber companies pushing out updates And sometimes they will kind of greenlight those updates rolling out.
We saw that with the big CrowdStrike outage earlier this year.
We're basically saying that companies need to be paranoid all the time, but how paranoid can you be and run a business? So it's complicated.
It's difficult, but we're putting a lot of trust in these companies. So this happened back in 2020, this huge data breach caused by this supply chain attack.
So why am I talking about this today, Graham? Is it that you haven't found any other good stories in the last four years? Well, the reason is because there's been a development.
So why am I talking about this today, Graham? Is it that you haven't found any other good stories in the last four years? Well, the reason is because there's been a development.
Mm-hmm.
Because although the breach happened in 2020, there are now some other big cyber firms which have been caught with their trousers down as a result of this breach.
Cybersecurity firms like Avaya, Check Point, Mimecast, and Unisys have just been fined by the SEC, which says they tried to brush the impact of the SolarWinds hack, the impact that hack had on their companies, under the carpet.
So they were customers of SolarWinds who got affected by this.
They were breached, but they weren't fully transparent about what happened, and they are now facing millions of dollars worth of fines as a consequence.
Cybersecurity firms like Avaya, Check Point, Mimecast, and Unisys have just been fined by the SEC, which says they tried to brush the impact of the SolarWinds hack, the impact that hack had on their companies, under the carpet.
So they were customers of SolarWinds who got affected by this.
They were breached, but they weren't fully transparent about what happened, and they are now facing millions of dollars worth of fines as a consequence.
So they got data stolen as well and didn't report it.
Exactly. Or they didn't reveal all of the details as to what was going on.
They tried to sweep it under the rug, hoping no one would notice the giant lump of digital doo-doo that they would hide in there. So it's a bit like hiding a corpse.
I don't know if you've ever hidden a corpse, Carole.
They tried to sweep it under the rug, hoping no one would notice the giant lump of digital doo-doo that they would hide in there. So it's a bit like hiding a corpse.
I don't know if you've ever hidden a corpse, Carole.
No, no, no.
Don't try and hide it under the carpet.
Not even for Halloween.
No, because you'll stumble over it. It's tricky. You've got to hide it properly. So, for instance, Avaya, they played it cool. They said a few internal emails were accessed.
Yeah.
Actually, the hackers had helped themselves to at least 145 files in their cloud storage. So whoops-a-daisy, a bit more serious.
Right, so they never told customers either that their data had been leaked.
Right.
Which is super naughty too.
So then there was Mimecast as well. They apparently didn't even realize that it'd been hacked until a year after everyone else.
So security company obviously had heard about the SolarWinds breach, didn't recognize that even though it were a customer, didn't recognize that it had actually fallen foul of it till 2021, a whole year later.
So security company obviously had heard about the SolarWinds breach, didn't recognize that even though it were a customer, didn't recognize that it had actually fallen foul of it till 2021, a whole year later.
Oh, you should see my face. It's painful.
You don't like this kind of thing, do you? You don't enjoy this. You find this really uncomfortable.
No.
So, in the case of Check Point, it's said that they tried to minimise the attack.
They failed to disclose the nature of the code which the hackers had stolen, and the quantity of encrypted credentials they'd accessed as well.
They failed to disclose the nature of the code which the hackers had stolen, and the quantity of encrypted credentials they'd accessed as well.
You see? People go too far.
Well, the hackers went too far.
Yes!
It's their fault, right? Oh, it is ultimately their fault.
Of course it is.
It's then the security company's fault for not being honest about what happened, because that's what we preach to other victims. Be transparent with your customers.
Hope they don't beat you up too much. That's better than doing a cover-up. Unisys, they described the risks of the cybersecurity breach as hypothetical.
Hope they don't beat you up too much. That's better than doing a cover-up. Unisys, they described the risks of the cybersecurity breach as hypothetical.
Hypothetical?
Well, this particular hypothetical breach at Unisys actually stole gigabytes and gigabytes of data which walked out the door.
Unhypothetically.
It's a bit like standing in a volcano and saying, you know, oh, this fire thing, that's a bit of a hypothetical risk, isn't it?
No, it's not a hypothetical risk when you're surrounded by flames and fire and lava. It's a bit more than that. But now they are paying the price.
Unisys have been told to pay $4 million in civil penalty, Avea $1 million, Check Point, $995,000. I don't know why they get a $5,000 rebate in that.
Mimecast are gonna have to pay $990,000.
No, it's not a hypothetical risk when you're surrounded by flames and fire and lava. It's a bit more than that. But now they are paying the price.
Unisys have been told to pay $4 million in civil penalty, Avea $1 million, Check Point, $995,000. I don't know why they get a $5,000 rebate in that.
Mimecast are gonna have to pay $990,000.
Yeah.
But there's also been damage done to their brand reputation, of course, and there will be customers who will have found out about this after the fact, who will be very knocked off.
Yeah. Because you put a lot of trust in security companies because, you know, they also sit at a low level on your systems.
They have access to a lot of information in order to make sure that it's safe.
They have access to a lot of information in order to make sure that it's safe.
And they're supposed to be the experts, these companies, right?
They're the ones we trust to keep our data safe, and yet they don't seem to know how to handle a security breach themselves.
They're the ones we trust to keep our data safe, and yet they don't seem to know how to handle a security breach themselves.
I think most companies would try and downplay it.
And it's sad, but I'm trying to think they would want to just skate that line between honesty and keeping everyone calm so they don't have to deal with a huge, you know, employee going crazy and customers going crazy.
And it's sad, but I'm trying to think they would want to just skate that line between honesty and keeping everyone calm so they don't have to deal with a huge, you know, employee going crazy and customers going crazy.
But unfortunately, it's one of those things where you kind of should be telling people, shouldn't you? Even if it's bad news, it's, I'm sorry, there's some bad news.
It's a bit if granddad dies, right? If granddad dies, it's upsetting to everybody.
But you've got to tell the grandchildren at some point that granddad isn't going to be around anymore. You can't do a weekend at Bernie's and pretend that he's still alive.
It's a bit if granddad dies, right? If granddad dies, it's upsetting to everybody.
But you've got to tell the grandchildren at some point that granddad isn't going to be around anymore. You can't do a weekend at Bernie's and pretend that he's still alive.
I agree.
Carole, what's your story for us this week?
Okay, okay. So no big surprises. No surprise, the whole COVID pandemic thing revolutionized remote working. And there's a huge increase in remote workers.
An Owl Labs report says that 60+ percent of workers aged 22 to 65 in the States say they work remotely at least occasionally. And that's a huge increase from pre-pandemic times.
And remote workers are also apparently more productive. They attribute it to fewer distractions, reduced commuting time, and a comfortable working environment.
Would you agree with that? Do you think you're more productive in a home environment than you would be in an office environment?
An Owl Labs report says that 60+ percent of workers aged 22 to 65 in the States say they work remotely at least occasionally. And that's a huge increase from pre-pandemic times.
And remote workers are also apparently more productive. They attribute it to fewer distractions, reduced commuting time, and a comfortable working environment.
Would you agree with that? Do you think you're more productive in a home environment than you would be in an office environment?
It's been so long since I've worked in an office environment. I mean, it's been over 10 years for me at home.
I love working at home, but maybe I love all the distractions and being able to nip out for a walk around the park whenever I rather than having a boss breathing down my neck.
I love working at home, but maybe I love all the distractions and being able to nip out for a walk around the park whenever I rather than having a boss breathing down my neck.
Well, there's a thing, employees it too. Another report found that 98% of remote workers would to continue working remotely at least part of the time for the rest of their careers.
Yeah.
And it seems it's good for employers too, because remote work has enabled companies to tap into the global talent pool.
A Gartner survey indicated that 74% of CFOs plan to shift some employees to remote work permanently just to leverage the benefits of diverse and widespread talent.
A Gartner survey indicated that 74% of CFOs plan to shift some employees to remote work permanently just to leverage the benefits of diverse and widespread talent.
And less office space to have to rent, or maybe you can downsize your office because people only come in once a week and you could stagger them for different days.
You know, there's all kinds of big financial reasons why this could be attractive to businesses too.
You know, there's all kinds of big financial reasons why this could be attractive to businesses too.
Absolutely.
So all this gives employees more choice over where they can live without having to compromise their careers because they can work from anywhere, while employers no longer need to stop their search for talent at the national borders.
So win-win-win.
When a firm finds an international candidate for a contractor position they have open, and this person has the right profile and the right skill set, it's really smart to get your skates on because that resource won't be sitting on the sidelines for long.
But despite best intentions, things can go wrong and sometimes very, very wrong as it did in this case.
So a company based in either the US, UK, or Australia, they've chosen to be anonymous internationally for reasons that will maybe become clear.
So all this gives employees more choice over where they can live without having to compromise their careers because they can work from anywhere, while employers no longer need to stop their search for talent at the national borders.
So win-win-win.
When a firm finds an international candidate for a contractor position they have open, and this person has the right profile and the right skill set, it's really smart to get your skates on because that resource won't be sitting on the sidelines for long.
But despite best intentions, things can go wrong and sometimes very, very wrong as it did in this case.
So a company based in either the US, UK, or Australia, they've chosen to be anonymous internationally for reasons that will maybe become clear.
Okay. So a company on planet Earth.
A company on planet Earth.
I don't know why they narrow it. Why did they bother narrowing it down that much?
It's so interesting, isn't it?
So they find this strong candidate for a position, for an IT position, an IT role, and they go through all the interview hoops and checks to onboard this promising new consultant.
And then, of course, tools, tech, and access is shared, and work begins, and the initial months pass.
And it's sometimes around this point, if you're an employer, that you might realize that the candidate might not work out.
And this might be because despite the employer's best intentions, they're just not a good fit.
That might be work quality is low, or there's poor communication, or they show up naked for a video call and break the rules or whatever.
So they find this strong candidate for a position, for an IT position, an IT role, and they go through all the interview hoops and checks to onboard this promising new consultant.
And then, of course, tools, tech, and access is shared, and work begins, and the initial months pass.
And it's sometimes around this point, if you're an employer, that you might realize that the candidate might not work out.
And this might be because despite the employer's best intentions, they're just not a good fit.
That might be work quality is low, or there's poor communication, or they show up naked for a video call and break the rules or whatever.
Yeah, one of those, I won't say which one, but one of those has often been the issue with me when I've started a new job.
Now, in this specific case, the company cites poor performance, and this led to the contractor's dismissal. Fair enough.
And the firm seems to have decided to cut its losses and terminate the relationship with the consultant because he wasn't doing the work properly.
And that should have been the end of that, except that following the contractor's dismissal, the company starts receiving emails with attachments containing evidence of stolen data, stolen data from their very own systems.
And then the firm receives an email demanding a six-figure sum in cryptocurrency for the information not to be published or sold online.
And the firm seems to have decided to cut its losses and terminate the relationship with the consultant because he wasn't doing the work properly.
And that should have been the end of that, except that following the contractor's dismissal, the company starts receiving emails with attachments containing evidence of stolen data, stolen data from their very own systems.
And then the firm receives an email demanding a six-figure sum in cryptocurrency for the information not to be published or sold online.
Right.
Oh, and did I mention that this contractor's employment history and CV were totally bogus?
Turns out the contractor, or the person posing as the contractor, was actually from North Korea.
Turns out the contractor, or the person posing as the contractor, was actually from North Korea.
Ah, ah, now that makes things a bit— so this isn't just a disgruntled employee who's a bit peeved that he's been given the boot.
This is someone who maybe came into the organization with a certain intention right at the beginning.
This is someone who maybe came into the organization with a certain intention right at the beginning.
It's very well said. Yeah, so basically this company accidentally hired a North Korean IT worker for a remote job.
The worker stole data and then tried to hold the company to ransom after being fired. Now, it's not new that North Korea workers attempt to secure jobs in the West.
The FBI previously said that there are thousands of North Korean IT workers posing as non-North Korean to get remote jobs in the US in order to funnel money back to the North Korean state.
The worker stole data and then tried to hold the company to ransom after being fired. Now, it's not new that North Korea workers attempt to secure jobs in the West.
The FBI previously said that there are thousands of North Korean IT workers posing as non-North Korean to get remote jobs in the US in order to funnel money back to the North Korean state.
Yeah, I've been reading just recently on my little ebook reader, I've been reading The Lazarus Heist by Geoff White.
And there's so much about this, of their attempts to, I mean, this is obviously on a smaller scale perhaps than some of the other hacks which they've attempted, but it is all about getting the cryptocurrency in, isn't it?
And there's so much about this, of their attempts to, I mean, this is obviously on a smaller scale perhaps than some of the other hacks which they've attempted, but it is all about getting the cryptocurrency in, isn't it?
Well, SecureWorks told Business Insider that its counter-threat unit uncovered the activity after the unnamed firm from UK, US, or Australia received the extortion demand.
They identified the activity, but they aren't too sure as to which country it happened in. Yeah, right, great.
And we don't know if the company paid or not. There's no information on that.
But you see, many companies would be prohibited from paying a ransom because of the international sanctions on North Korea.
But you see, many companies would be prohibited from paying a ransom because of the international sanctions on North Korea.
Yes.
However, salaries received via North Korean fraudulent IT worker schemes are attempts to bypass these sanctions and generate revenue for the country.
Right. So how does it work?
Is it that they would, for instance, set up a bank account in the US, UK, Australia, and they get paid into that, and then they convert that into cryptocurrency for transportation back into North Korea, perhaps.
Is it that they would, for instance, set up a bank account in the US, UK, Australia, and they get paid into that, and then they convert that into cryptocurrency for transportation back into North Korea, perhaps.
Or you may have a handler, a middleman, right, to collect the— you might have a U.S. address and say, yeah, send me all the tech here to this U.S. address, thank you very much.
Yep, yep.
Now, this specific instance, however, was slightly different, said SecureWorks.
No longer are they just after a steady paycheck, they say they're looking for higher sums more quickly through data theft and extortion from inside the company's defenses.
And they recommend that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a purported home address.
No longer are they just after a steady paycheck, they say they're looking for higher sums more quickly through data theft and extortion from inside the company's defenses.
And they recommend that companies implement rigorous identity verification procedures, conduct face-to-face or video interviews, and be vigilant for suspicious requests, such as efforts to redirect corporate IT equipment to a purported home address.
But this is the thing, isn't it? Even if you do an interview with somebody, it may be a different person who's actually doing the job. So they may have some sort of front person.
Whether it be on a Zoom call or less likely, perhaps these days, doing it across a desk, who passes the interview. Oh, thank you. You're absolutely wonderful.
And then the North Korean chap takes over for the actual hacking and the exfiltration of the data.
Whether it be on a Zoom call or less likely, perhaps these days, doing it across a desk, who passes the interview. Oh, thank you. You're absolutely wonderful.
And then the North Korean chap takes over for the actual hacking and the exfiltration of the data.
And, you know, the thing is, it opens up another can of worms because there are scams on both sides.
Employees can be scammed, right, by fake companies that are trying to get their details, and employers can be scammed by fake employees.
So, you know, employees are told to be very careful about sharing details with new companies until they're completely sure the company's legit.
I've seen advice like check the company has a legit website, check that it has a company email address, check its LinkedIn profile. These are all easy to create illegitimately.
Employees can be scammed, right, by fake companies that are trying to get their details, and employers can be scammed by fake employees.
So, you know, employees are told to be very careful about sharing details with new companies until they're completely sure the company's legit.
I've seen advice like check the company has a legit website, check that it has a company email address, check its LinkedIn profile. These are all easy to create illegitimately.
Yes.
And on the other side, we've got firms who are wary of hiring scammers, and they're told to vet much more stringently.
And while these additional steps are necessary, it hampers good people from finding good jobs at legit organizations. Do you see what I mean?
Because both sides are going, verify your identity, send me your passport, send me your banking details. And the employee's like, no way, are you mad? Show me you're legit.
And while these additional steps are necessary, it hampers good people from finding good jobs at legit organizations. Do you see what I mean?
Because both sides are going, verify your identity, send me your passport, send me your banking details. And the employee's like, no way, are you mad? Show me you're legit.
Yeah, I think you or I, if we were being interviewed for a job and they asked us to jump through too many hoops, at a certain point we're gonna say, you know what?
No, we're not doing this. You're just too hard to work with. You know, we wanna be your, we wanna be a bit more relaxed, guys.
No, we're not doing this. You're just too hard to work with. You know, we wanna be your, we wanna be a bit more relaxed, guys.
Yeah, apparently Amazon has mandated by January 2025, every worker has to be back in the office. Full-time, and there's a huge outcry.
Something like 70% are saying they're looking for new work because of it.
Something like 70% are saying they're looking for new work because of it.
Yeah. Well, can you imagine what it's like working in an Amazon office?
No, I mean, yeah, I think most people are now going, God, how did we work full-time in offices before? How did that happen?
There'll be time in your loo breaks.
So the whole point here is remote working has its costs too, especially when you're splashing around in international waters. Everything gets a little bit more complicated.
So, you know, I don't know, I guess the advice is take heed.
So, you know, I don't know, I guess the advice is take heed.
Whether you're starting or scaling your company's security program, demonstrating top-notch security practices and establishing trust is more important than ever.
Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.
Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.
That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?
I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?
Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.
Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.
Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.
That's vanta.com/smashing for $1,000 off. Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?
I didn't think so. So my next question is, how do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?
Well, 1Password has an answer to this question, and it's called Extended Access Management.
1Password Extended Access Management helps you secure every sign-in for every app on every device because it solves the problems traditional IAM and MDM can't touch.
Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show. And welcome back.
Can you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
Could be a funny story, a book they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security-related necessarily.
Better not be.
Well, my pick of the week this week is not security-related. My pick of the week this week is a documentary which I watched on Channel 4.
The documentary is called Undercover: Exposing the Far Right.
And this was a fascinating documentary film I watched last night following the work of the campaigning anti-fascist organization Hope Not Hate and their members track down far-right extremists, go undercover, and infiltrate organizations.
Wow. And this is the first time Hope Not Hate has allowed cameras to follow its undercover team.
And I found it really interesting because it's easy to think of far-right protesters in stereotypical terms, right?
I imagined someone, you know, a bit skinheaded, angry louts marching around shouting abuse at people who aren't white.
But one of the things that came across to me while watching this documentary is the puppet masters of the movement, the people at the top, who in some cases were sort of Cambridge University educated, very well spoken, who weren't necessarily beating up people on marches, but instead were trying to form an elite group of people obsessed with eugenics, with the potential to influence people in power.
And in this particular investigation, these people were looking for like-minded millionaires to fund their right-wing racist agenda.
And so we had this young journalist, Harry Shookman. He went undercover. He'd never used a hidden camera before. But he went undercover.
He posed as someone who'd come into a lot of cash and was looking to invest it.
And he pretended to be racist and tried to find out more about how this far-right group was operating and structured, what they're up to.
And crucially, and critically, who their mystery other mega-million tech investor was. So there was someone else who had also put a lot of money behind this particular movement.
The documentary is called Undercover: Exposing the Far Right.
And this was a fascinating documentary film I watched last night following the work of the campaigning anti-fascist organization Hope Not Hate and their members track down far-right extremists, go undercover, and infiltrate organizations.
Wow. And this is the first time Hope Not Hate has allowed cameras to follow its undercover team.
And I found it really interesting because it's easy to think of far-right protesters in stereotypical terms, right?
I imagined someone, you know, a bit skinheaded, angry louts marching around shouting abuse at people who aren't white.
But one of the things that came across to me while watching this documentary is the puppet masters of the movement, the people at the top, who in some cases were sort of Cambridge University educated, very well spoken, who weren't necessarily beating up people on marches, but instead were trying to form an elite group of people obsessed with eugenics, with the potential to influence people in power.
And in this particular investigation, these people were looking for like-minded millionaires to fund their right-wing racist agenda.
And so we had this young journalist, Harry Shookman. He went undercover. He'd never used a hidden camera before. But he went undercover.
He posed as someone who'd come into a lot of cash and was looking to invest it.
And he pretended to be racist and tried to find out more about how this far-right group was operating and structured, what they're up to.
And crucially, and critically, who their mystery other mega-million tech investor was. So there was someone else who had also put a lot of money behind this particular movement.
It's kind of like social engineering, what these investigative journalists are doing in this case.
A little bit.
You know, this whole undercover stuff. It's basically the same thing.
Yes. Not social engineering digitally, perhaps, but in real life. But I would imagine absolutely petrifying. It was nail-biting to watch.
And of course, we recently had an outbreak of racist riots in the UK, which this movie covers as well.
And this organization, Hope Not Hate, helped identify some of the people behind that. So, really interesting documentary. As I said, I watched it on Channel 4 streaming in the UK.
It was supposed to be shown in the last few days at the London Film Festival, and it was pulled at the last moment due to safety concerns because threats had been made.
From, you can imagine, the usual suspects about the airing of this documentary. Anyway, I would recommend it. Really good documentary, which was quite enlightening.
And that is why Undercover: Exposing the Far Right is my pick of the week. Not a lot of laughs there, Carole, I'll be honest with you.
And of course, we recently had an outbreak of racist riots in the UK, which this movie covers as well.
And this organization, Hope Not Hate, helped identify some of the people behind that. So, really interesting documentary. As I said, I watched it on Channel 4 streaming in the UK.
It was supposed to be shown in the last few days at the London Film Festival, and it was pulled at the last moment due to safety concerns because threats had been made.
From, you can imagine, the usual suspects about the airing of this documentary. Anyway, I would recommend it. Really good documentary, which was quite enlightening.
And that is why Undercover: Exposing the Far Right is my pick of the week. Not a lot of laughs there, Carole, I'll be honest with you.
Yeah, and yeah, okay.
A worthy one though. I think you'd find it interesting. Go and watch it. Carole, what's your pick of the week?
Okay, I may be breaking the rules today, and I'm doing it with the full knowledge that I have had this pick of the week before. What? Yes.
What?
Yes, deal, deal.
Sound the klaxon, sound the klaxon.
But Halloween's coming upon us, spooky time of year, and you know, the elections in the States are coming, also pretty scary.
Pretty spooky, yes.
So now I was thinking, what is the scariest movie that I've ever seen? Do you have an answer if I ask you?
Scariest movie I've ever seen? Oh, probably something like Doctor Who and the Seeds of Doom from 1976, I think it was. That was pretty scary.
Okay.
What's the scariest movie you've ever seen? The Shining?
Thank you for asking. No, the 1973 movie The Exorcist. Definitely the scariest movie I ever saw.
Oh gosh.
Hands down. It may have been to do— when I saw it, I was way too young. But I've rewatched it and it's utterly chilling.
But even more chilling than The Exorcist is the BBC documentary that I watched last year about the making of The Exorcist. The Fear of God: 25 Years of The Exorcist.
This is with Mark Kermode. He's a talented and engaging UK-based film and culture critic. The documentary blew my mind because a lot went wrong in the making of the film.
And if you watch the film, it is scary, right? And you're "She looks petrified." And when you watch the documentary, you realize that, yes, she really was, and you realize why.
But even more chilling than The Exorcist is the BBC documentary that I watched last year about the making of The Exorcist. The Fear of God: 25 Years of The Exorcist.
This is with Mark Kermode. He's a talented and engaging UK-based film and culture critic. The documentary blew my mind because a lot went wrong in the making of the film.
And if you watch the film, it is scary, right? And you're "She looks petrified." And when you watch the documentary, you realize that, yes, she really was, and you realize why.
'Cause the director was bonkers. Was it William Friedkin? He was meant to be bonkers, wasn't he?
Yeah, utterly bonkers. So this was my pick of the week back in episode 294. It's my pick of the week again on 390 because it's that good a documentary.
But as a bonus, I've also put a link to a short 8-minute essay on The Exorcist from Mark Kermode's podcast, Kermode and Mayo's Take. It's a great resource for film buffs.
There's 500 episodes or more, so they're podcast veterans us, Clue.
But as a bonus, I've also put a link to a short 8-minute essay on The Exorcist from Mark Kermode's podcast, Kermode and Mayo's Take. It's a great resource for film buffs.
There's 500 episodes or more, so they're podcast veterans us, Clue.
So I've never watched The Exorcist quite intentionally. I've avoided it because I've heard it doesn't really appeal, and I'm a little—
Watch the documentary.
I'm a little bit scared. I am interested in the documentary. Documentary would be great, but I wanted to know, okay, you say that's scary.
Have you seen Doctor Who and the Seeds of Doom? No. Plants taking over the world. It's really scary. Well, that just about wraps up the show for this week.
You can follow us on Twitter @SmashingSecurity, no G, Twitter and mouse, type a G.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Have you seen Doctor Who and the Seeds of Doom? No. Plants taking over the world. It's really scary. Well, that just about wraps up the show for this week.
You can follow us on Twitter @SmashingSecurity, no G, Twitter and mouse, type a G.
And don't forget to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And thank you to our episode sponsors, Vanta and 1Password, and of course to our wonderful Patreon community. It's their support that helps us give you this show for free.
Episode show notes, sponsorship info, guest list, and the entire back catalog of more than 289 episodes. Sorry, back catalog of more than 389 episodes.
Check out smashingsecurity.com.
Episode show notes, sponsorship info, guest list, and the entire back catalog of more than 289 episodes. Sorry, back catalog of more than 389 episodes.
Check out smashingsecurity.com.
Until next time, cheerio. Bye-bye. Bye.
God, I almost cut off 100 episodes just that. Just boom. Oh yeah. Slip of the tongue. We've lost 100 shows.
Data loss.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Episode links:
- SolarWinds Sunburst supply chain attack – Wikipedia.
- Rep. Katie Porter slams SolarWinds for its poor passwords – Twitter.
- SEC Charges Four Companies With Misleading Cyber Disclosures – SEC.
- Western firm hacked by North Korean cybercriminal hired as remote IT worker – Computing.
- Engaging with a Remote Workforce: Statistics and Strategies for Success – Government Events.
- 67% Of U.S. Employers To Lose Employees To Remote Work In 2024 – Forbes.
- A company’s remote-working hire turns out to be in North Korea. He tried to hold it to ransom – Business Insider.
- US company accidentally hires North Korean for remote work, gets blackmailed when they try to fire him – IBTimes.
- Watch “Undercover: Exposing the Far Right” – Channel 4.
- Undercover film exposing UK far-right activists pulled from London festival – The Guardian.
- Kermode and Mayo’s Take – YouTube.
- The Fear of God: 25 Years of the Exorcist – BBC iPlayer.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- 1Password Extended Access Management – Secure every sign-in for every app on every device.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky at @smashingsecurity.com, or on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
