Smashing Security podcast #393: Who needs a laptop to hack when you have a Firestick?

Industry veterans, chatting about computer security and online privacy.

Graham Cluley


Arion Kurtaj, a teenager from the UK, amassed a fortune through audacious cybercrimes. From stealing Grand Theft Auto 6 secrets to erasing Brazil’s COVID vaccination data, his exploits were legendary. But his hacking spree took a bizarre turn when he was placed under police protection… in a Travelodge outside Oxford.

Plus, Bengal cat lovers in Australia should be on their guard, as your furry feline friends might be leading you into a dangerous trap, and there are yet more headaches for troubled 23andMe.

All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford.

Plus don’t miss our featured interview with Paul Fryer from BlackBerry.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
How do you think that goes down with his fellow hackers?
CAROLE THERIAULT
I think they love it.
GRAHAM CLULEY
They love it.
Unknown
I've been holding this weight. I want to be authentic. I want to be me. Thank you so much. Smashing Security, episode 393: Who needs a laptop to hack when you have a Fire Stick?

With Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 393. My name's Graham Cluley.
CAROLE THERIAULT
And I'm Carole Theriault.
GRAHAM CLULEY
And Carole, we are joined today by a special guest. We haven't had a guest on for a while, have we?
CAROLE THERIAULT
It's been so long since we've had a guest, and I'm so thrilled that I don't have to just speak with you this week.
GRAHAM CLULEY
Oh, show me. Ladies and gentlemen, pleased to announce, yes, it's your maiden aunt's favourite, Mr. Thom Langford. Thom, you're still with us. That's great news.
THOM LANGFORD
I am. And it's so nice to be called special again.
CAROLE THERIAULT
We're very, very glad you're here, Thom. You're gonna give us a little bit of jolt of energy that we desperately need.
THOM LANGFORD
Well, yeah. Yeah.
GRAHAM CLULEY
Shall we?
THOM LANGFORD
I think so.
CAROLE THERIAULT
But first, let's thank this week's wonderful sponsors, 1Password, Vanta, and BlackBerry. It's their support that helps us give you this show for free.

Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm gonna be explaining how a life and death emergency can lead to $14 million.
CAROLE THERIAULT
Okay, what about you, Thom?
THOM LANGFORD
I'm going to be talking about the dangers of being a cat owner.
CAROLE THERIAULT
And I'm going to be talking about 23andMe and you and you and you and you and you.

Plus, we have a featured interview with Paul Fryer from BlackBerry, who's going to tell us how we can keep the lines of communication open even in the worst natural or man-made disasters.

All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, chums, quick question for you. Did you have a job as a teenager? Thom, were you ever a teenager?
THOM LANGFORD
Yeah, a long time ago.
GRAHAM CLULEY
Right, yeah.
THOM LANGFORD
I did, as a late teenager. I worked in room service in a Park Lane hotel.
GRAHAM CLULEY
Oh la di da! Oh, you must have some stories regarding that.
THOM LANGFORD
Oh, I do.
GRAHAM CLULEY
Don't know how many shillings you were paid back then.
THOM LANGFORD
£110 a week, something like that.
GRAHAM CLULEY
Oh, right, okay. Wouldn't you have liked to have made $14 million?
THOM LANGFORD
A week? Or in total?
GRAHAM CLULEY
In total, in total. Don't be greedy, Thom.
THOM LANGFORD
Well, in total, I mean, it does dilute it a little bit, but yeah, I'd go for that.
GRAHAM CLULEY
What about you, Carole?
CAROLE THERIAULT
Yeah, of course, I worked my whole life. I worked from the age of 14. Got fired from my first job, actually. Was that when you worked for your dad? Yeah.
GRAHAM CLULEY
Well, I'm going to tell you today the story of one teenager actually living near us in Oxford, UK. His name's Arion Kurtaj and how he made his fortune.

And maybe we can all learn a lesson or two from that, albeit we may not want to follow in his footsteps. So in 2021, this youngster, he was about 16 years old.

He was part of a hacking group that broke into Electronic Arts. They stole 780 gigabytes of data. And—
CAROLE THERIAULT
Whoa, okay. And this is right in the middle of the pandemic. So everyone else is sitting at home rocking, going, I'm so lonely, I'm so lonely, and I'm so lonely.
GRAHAM CLULEY
Maybe playing video games. And suddenly people are hacking the video games companies. And the stolen data was dumped online.

And it didn't actually take long for Kurtaj to be identified. His name was provided to the FBI, and we'll get a hint as to what was going on in the background a little bit later.

But Kurtaj and others then hacked other companies, including BT, British Telecom, demanded a $4 million ransom. So, you know, it's pretty serious stuff, this.

You know, it's not just defacement, it's not just a DDoS. This is stealing data, demanding money.
CAROLE THERIAULT
And going after some big dogs for the money as well, right?
GRAHAM CLULEY
Right. And they were finding ways to actually monetise this data which had been stolen. So victims, some of them found themselves SIM-swapped.

One of the victims was a guy called Daniel Shenton. He told the press how he landed at Heathrow Airport. He'd been on holiday in Mexico. And, right, he landed during the pandemic.
CAROLE THERIAULT
Nice.
GRAHAM CLULEY
January 2022, this was. So he landed at Heathrow. Turned on his mobile phone, wouldn't connect. And he thought, well, that's a bit frustrating.

Got himself a new SIM card, didn't work either. And eventually he managed to log into his Coinbase cryptocurrency account.

And rather than find the $45,000 he was expecting to find in there, he actually found instead 52 pence.
CAROLE THERIAULT
Maybe you should just quickly explain what a SIM swap is, just for some of our listeners.
GRAHAM CLULEY
Right, so SIM swap is where hackers managed to trick a mobile phone company into thinking that they own a particular mobile phone number rather than you.

So your mobile phone number is basically stolen from you, which means that when a company or service or an online account maybe texts you a message or sends you an authentication code, it doesn't go to your phone.

It now goes to the hacker's phone who somehow hijacked your phone number.

And sometimes that's done with social engineering, where they ring up the phone company and say, "Oh, I've lost my phone.

I need my phone number switched to this new SIM." Other times, they can actually have paid someone corrupt inside the phone company to assist them in doing this.
THOM LANGFORD
Yeah.
GRAHAM CLULEY
Perfect.
CAROLE THERIAULT
Very well said, Graham.
GRAHAM CLULEY
Thank you very much. Kurtaj was a member of a gang called Lapsus$. And do you remember Lapsus$?
CAROLE THERIAULT
Yeah, yeah, yeah.
THOM LANGFORD
Is this self-named or is this named by one of those companies that likes to pull random words out?
GRAHAM CLULEY
I think it was actually self-named, 'cause it was Lapsus with a dollar sign on the end.

And I can't believe any legitimate cybersecurity company would've created such an irritating name.
THOM LANGFORD
'Cause that's proper hacker elite speak, isn't it?
GRAHAM CLULEY
Yes, exactly. You know, it's like, oh, let's put a dollar in there.

One of the organizations they hacked was Brazil's Ministry of Health, and they deleted the country's database of COVID vaccinations.
THOM LANGFORD
That's outrageous. That really is outrageous.
GRAHAM CLULEY
I mean, it's just pure damage, isn't it, for the sake of it rather than anything else.
THOM LANGFORD
Shits and giggles and lots of actual harm. Yeah.
GRAHAM CLULEY
This guy, Kurtaj, November 2021, he took over a site called Doxbin. That wasn't because he hacked it. He bought the site. So Doxbin, don't know if you've ever encountered it.

It's a site where hackers publish each other's personal information. They publish each other's personal information to intimidate their rivals.

So hackers don't always get along, right? And so you can understand that hackers have rivalries and hackers want to put down other hackers.

So they find out about each other and then say, here's all the information about this hacker.
THOM LANGFORD
So it's like hacker Facebook.
GRAHAM CLULEY
Yes. Yeah. Or hacker LinkedIn. And there's all the information. And you're thinking, oh crumbs, there's my address. There's my photographs. Kurtaj bought this for $75,000.

Not a bad little thing to buy yourself when you're 16 years old, which he was at the time.
CAROLE THERIAULT
A lot of wonga, but I guess he had a lot of chump change he could spend.
GRAHAM CLULEY
He was making money because of these cryptocurrency transactions.
THOM LANGFORD
Making coin, as the kids say.
GRAHAM CLULEY
Now, he took over the management of the site, but it turned out he wasn't very good at running it. Wasn't a very good manager. I'm sure some of us can identify with that as well.
CAROLE THERIAULT
I'm sure they could, Graham.
GRAHAM CLULEY
But people did— they didn't like him running the site. And eventually, he was convinced to sell it back to the original owners.
THOM LANGFORD
What?
GRAHAM CLULEY
So he sold it back to them. So, okay, you take it over then, if people don't like the way I'm running it. But this Kurtaj guy—
CAROLE THERIAULT
Took all the info.
GRAHAM CLULEY
Yeah, he downloaded the database of everyone's usernames, their passwords, their email addresses.
CAROLE THERIAULT
Of course he would!
GRAHAM CLULEY
What do you think he does?
CAROLE THERIAULT
Makes his own site.
GRAHAM CLULEY
Yeah, he publishes all this database of everyone who's a member of Doxbin. An absolute goldmine for cybercrime investigators.
CAROLE THERIAULT
Wow.
GRAHAM CLULEY
Now, how do you think that goes down with his fellow hackers?
CAROLE THERIAULT
I think they love it.
GRAHAM CLULEY
They love it.
CAROLE THERIAULT
I've been holding this weight. I want to be authentic. I want to be me. And you've pushed me over the brink. Thank you so much.
GRAHAM CLULEY
I hated being called Colostomy Bag Boy. I want my real name to be out there.
THOM LANGFORD
I think nothing speaks more like a petulant teenager than buying, then selling a hacker website, and then publishing everybody's details.

I mean, that's just a teenager basically just grunting and saying, "Oh, you don't understand," and then slamming the door, but with money.
GRAHAM CLULEY
So unsurprisingly, the other hackers then published Kurtaj's own details, not just his email address, but also photos of him where he goes to school, his home address, where his family are, what his parents do.
CAROLE THERIAULT
Did he not think that was possible? Do you think it didn't even occur to him? I know he's 16. I know he's 16.
THOM LANGFORD
Teenager brain, you know.
GRAHAM CLULEY
Well, we'll be looking more into his brain later on.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So he was then arrested by UK police for the BT hack, right? He got arrested in January 2022. They seized his phones, but because he's only 16, they release him, right?

They can't put him in remand. You don't put young people that young typically into remand. And within a month, the Lapsus$ gang had hacked someone else.

They'd hacked Nvidia, the chip people, the people who were behind all the cryptocurrency mining. They stole credentials for two of their contractors.

They got past multifactor authentication, again, maybe by doing this SIM swap. They released 80 gigabytes of data. They demanded a ransom. And then they take on the big guns.

They take on Microsoft, they hack Microsoft, they hack Samsung, and the list goes on and on and on.

And one of the ways in which the hackers were able to break into accounts, one of the ways in which they're able to SIM swap people.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And get past multifactor authentication was through these things called EDRs.
CAROLE THERIAULT
Mm, no idea what that is.
GRAHAM CLULEY
Okay, Emergency Data Requests.

These are a legal mechanism through which law enforcement agencies, typically in the United States, can obtain information from social networks, telephone companies, internet service providers in life and death emergencies.

Or the police claim there's going to be some terrorist activity or someone's going to die. We need a number now. We need these details now.

So, it's a way of fast-tracking rather than taking out a subpoena. It's a way of fast-tracking the information to get it out of companies.
CAROLE THERIAULT
Okay.
GRAHAM CLULEY
So, what the hackers did was they posed as police and law enforcement, go to the tech companies and say, we need the details, we need the phone number of this particular person, or who runs this website.
THOM LANGFORD
Was it two teenagers in a long police coat?
CAROLE THERIAULT
The one's on top of the shoulders of the other?
THOM LANGFORD
Yeah, exactly.
GRAHAM CLULEY
It's a bit like that.
THOM LANGFORD
We are the police doing the business.
GRAHAM CLULEY
And in some cases, they had actually hacked the police accounts in order to send the messages through the police's own portal to these tech companies.

So to the tech companies, it really looked like it was legitimate. And so they were handing over the information in a quick fashion.

And with that, they were then able to trick the cell phone company, as we described, into letting them grab the SIM number.
CAROLE THERIAULT
There must have been warrants involved and stuff. I mean, it's the panic thing that stops companies from actually doing their due diligence.
THOM LANGFORD
It's the emergency.
GRAHAM CLULEY
There's a bomb which has been planted.
CAROLE THERIAULT
We don't have time for warrants. Give us everything.
GRAHAM CLULEY
Imagine Bruce Willis, right? It's that kind of situation.
CAROLE THERIAULT
My husband would swoon.
GRAHAM CLULEY
Tom Cruise in Mission: Impossible. He doesn't bother with subpoenas and the paperwork.
CAROLE THERIAULT
Comes down from the sky.
GRAHAM CLULEY
Jack Bauer. Mr. President, I need to speak to the president.
THOM LANGFORD
Paul Blart, the mall cop.
GRAHAM CLULEY
So, the FBI right now says there's been a huge rise in the number of underground forum posts, which are offering to coach people on how to steal data through these fraudulent emergency data requests.

For as little as $100, you can find out how to do this. And the hackers are loving it. And this is one of the things that the Lapsus$ gang were doing.

They were even offering $20,000 a week to employees of mobile phone companies who would help them take over mobile phone numbers.
CAROLE THERIAULT
Oh my God.
THOM LANGFORD
Well, that beats £110 a week.
GRAHAM CLULEY
So, the police arrested Kurtaj again, right? They've arrested him once, and then these other companies have been hacked.
CAROLE THERIAULT
And how old is he now? 17 with peach fuzz.
GRAHAM CLULEY
I think he's not quite 17 yet, but yeah, he's still very young. He's said to have amassed a bitcoin fortune worth approximately $14 million. By now, that would be worth a lot more.

And his dad was actually interviewed by the press at the time, and they said, we know we're hoping to keep him off computers. He's never talked about hacking.

He is very good on computers, spends a lot of time on them. I always thought he was playing games. He said, we're gonna try to stop him from going on computers.

And so he was released.
CAROLE THERIAULT
Surely, surely. Okay, okay. It's so weird. I would just assume that as part of his arrest, it would be, yeah, not allowed on computers, dude. For obvious reasons.

Touch one and you're in jail.
THOM LANGFORD
He needs it for his schoolwork.
GRAHAM CLULEY
He's been released again on condition he stays off computers. But remember, he was doxxed.

And over the next few months, someone threw bricks through the window of his family home just outside Oxford. His mother's car was smashed up.

And this is a weird thing: a bag of chicken was mysteriously delivered to his house.
THOM LANGFORD
You sure it wasn't Deliveroo?
GRAHAM CLULEY
Exactly. It could have been Uber Eats, couldn't it?
THOM LANGFORD
Yeah, exactly. A KFC delivery. I mean—
GRAHAM CLULEY
There was even said to be a plot from hackers to steal crypto from him.

So the police decide he needs protection, because even though he's suspected of being up to no good, he needs protection from other criminals.

And so he was booked into the Travelodge in—
THOM LANGFORD
Okay, so now we know where the Oxfordshire Police Service put people when they want to protect them.
CAROLE THERIAULT
Yeah. People think this is a nice, sleepy old county, Oxfordshire, but actually, look what's going on.
GRAHAM CLULEY
Thereafter, Uber got hacked. I don't know if it's about the chicken delivery. Their internal Slack got hacked—someone posted a link to an erect penis to their Slack. Ew.

And then a couple of days later, Rockstar Games, the makers of Grand Theft Auto—someone stole clips from them for Grand Theft Auto 6, which hasn't been released yet.
GRAHAM CLULEY
So the police are thinking, what is going on? So they go and visit him at the Travelodge in room—this tickled me—the room number was M15. They put him in the MI5.
CAROLE THERIAULT
You've done your due diligence on this story, right?
GRAHAM CLULEY
I have, I have. I actually found out which Travelodge it was—all I had was a photograph. I did a reverse Google image search and found out it was the Travelodge.

Now, they didn't find a computer with him, but they found an Amazon Fire Stick plugged into his TV and a keyboard and mouse.

And what he'd done is to the Fire Stick, he'd downloaded the Silk Browser, and from there he'd been able to hack.
GRAHAM CLULEY
You've got to admire, in some ways, this guy's tenacity.
CAROLE THERIAULT
Or he's completely addicted.
THOM LANGFORD
I was going to say, yeah, he's addicted, isn't he? He's absolutely addicted.
CAROLE THERIAULT
He doesn't know what to do, and he's smart enough to know all the workarounds. And he's too young to, you know.
GRAHAM CLULEY
And his parents haven't convinced him, and these multiple arrests haven't stopped him. So he was arrested again, of course, and he did have his day in court.

The judge heard medical evidence which said that he was highly autistic and that he didn't understand the difference between good and bad.

And in fact, the jury were ordered not to adjudicate as to whether he had intended to commit crime or not—they said he wasn't capable of making that decision.
GRAHAM CLULEY
They only had to determine whether he had committed the alleged acts.
THOM LANGFORD
Well, he knew that $14 million in bitcoin was good.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
And his defence team, they argued, well, releasing the GTA 6 trailer—the video game trailer—ahead of time, that actually helped with the promotion of the game.

And so it hadn't caused them any harm. The games developers, Rockstar Games, they said, "It cost us $5 million, actually."
THOM LANGFORD
Yeah.
GRAHAM CLULEY
The end result is, he has been confined to a secure mental health ward. He's been put in a secure hospital indefinitely until doctors decide he's no longer a danger to the public.

So, he's probably gonna be there for a while. Interestingly, apparently the hospital ward does have computers in the common areas.

Whether he's going to access them or not, who knows? But it's an interesting case, isn't it?

What should happen to people who have such severe autism they can't be kept off their computers? They don't necessarily understand right and wrong.

Was this a good way to deal with this guy or not? I tend to think, well, in the absence of anything else, maybe this was the right thing to do with him.

But obviously, companies and individuals have lost huge amounts of money as the result of this guy's actions.
THOM LANGFORD
He certainly needs some therapy. There's no doubt about it. Whatever form that would help him here. But he also has to— you have to be held accountable to one degree or another.
CAROLE THERIAULT
How could the parents not notice if he has extreme severe autism?
GRAHAM CLULEY
He was attending a special needs school for many years. So I think there had been a lot of challenges with his upbringing.

His parents had split up, they had taken him out of school after there had been some violent incidents and trouble that, and then taken to this special needs school.
CAROLE THERIAULT
So here's some nice context at the end.
GRAHAM CLULEY
Well, I'm telling you about the crime, and then I'm telling you about him himself, mitigating circumstances.

So it's not always black and white, and it is complicated, and it is interesting how many people who have been charged, particularly teenagers who've got involved in cybercrime sometimes, have been determined to have autistic traits.
THOM LANGFORD
Well, Marcus Hutchins, for instance. Is it Asperger's he has that was taken into account?
GRAHAM CLULEY
Right, yeah.
CAROLE THERIAULT
But not everyone with autism with technical traits goes down this type of route.
THOM LANGFORD
No. At all, right?
GRAHAM CLULEY
No, some of them start cybersecurity podcasts, don't they?
THOM LANGFORD
Yes, they do.
GRAHAM CLULEY
Thom, what's your story for us this week?
THOM LANGFORD
So, either of you a lover of cats?
GRAHAM CLULEY
Oh, I don't have a cat at the moment. I have had cats. I cats.
CAROLE THERIAULT
Oh, I love cats. Cats are cool.
THOM LANGFORD
Cats are cool. Absolutely. And Bengal cats, the most regal of cats.
GRAHAM CLULEY
What are Bengal cats? Just give me an idea of what they are.
CAROLE THERIAULT
I can tell you, because my cat has got a slight Bengal thing. They tend to have spots. They look leopardy. They're very long and they're very strong.

So they can actually jump really high and they can kick the butt out of most cats. Apparently, they're one of the only cats that are semi-feral. So they're very difficult to tame.
THOM LANGFORD
And they can make a banging curry.
GRAHAM CLULEY
As an ingredient.
THOM LANGFORD
So, if you're in Australia, you might want to find out, 'cause Australia's got all sorts of weird rules when it comes to its flora and fauna and animals and all that sort of thing.

But you might want to know if it's legal to own a Bengal cat in Australia or if you need a license for it. So what might one type into Google in that case?

So things maybe, are Bengal cats legal in Australia? Or even, do you need a license to own a Bengal cat in Australia? And you would get some responses back, right?

And you'd click on said responses and do what it says to find out. So apparently, this being a cybersecurity podcast, not a cat podcast, apparently—
GRAHAM CLULEY
What's the pity?
THOM LANGFORD
Yes, exactly. Criminals out there have been using a kit called GootLoader, which manipulates search engine optimization, SEO.

And this is— SEO is what companies use to basically try and get their products as high as possible in Google or DuckDuckGo's or even Bing's responses.
CAROLE THERIAULT
There's a myriad of ways of doing it. Keywords, paying money, all kinds of stuff.
THOM LANGFORD
It's as much technology as it is dark art.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
You know, and it's one of the worst things on the internet, really, isn't it?
THOM LANGFORD
That's right.
GRAHAM CLULEY
Because it's just horrible.
THOM LANGFORD
It's a constant zero-sum game at the end of the day.
GRAHAM CLULEY
The only worse thing than messing around with SEO is to meet an SEO consultant. It's just, oh, because how do you know they're an SEO consultant?

Because they keep saying the same word over and over again and synonyms.
THOM LANGFORD
Exactly.
GRAHAM CLULEY
Yes, exactly.
THOM LANGFORD
So what this does is when people search specifically for Bengal cats in Australia, etc., etc., a specific series of links are marked very highly in the SEO.

And so victims are often enticed into clicking on these links, which are disguised as legitimate marketing or legitimate Google searches.
GRAHAM CLULEY
Yeah.
THOM LANGFORD
But it's actually malicious adware and it directs them to a compromised website that hosts a malicious payload masquerading as the desired file.

So it might say, download this handy document to find out about—
CAROLE THERIAULT
Is this in the sponsored area typically of searches or just near the top of a normal link?
THOM LANGFORD
I think it's just near the top. I think sponsored, you actually have to hand money over, right?
CAROLE THERIAULT
Exactly right. So it's just sitting there as, this is the best result for your request. This is the number one response that Google or whatever search engine you're using has.
THOM LANGFORD
Now, if they do go to that compromised website and download a file because here's your handy cut out and keep or fill in this application form for your, you know, much-loved Bengal cat, etc.

This payload is delivered and it's a malware that sits on your machine, but nothing happens initially.

But if that malware remains there undetected for a while, it then goes on and downloads a second stage payload known as the Gootkit.

I just love these names, which is a highly evasive information stealer and remote access Trojan, or RAT.

And what it does is it establishes a persistent foothold on the user's computer and network environment and anything else it can reach out and talk to.
GRAHAM CLULEY
So in your desire for a cat, you've ended up with a rat.
THOM LANGFORD
Indeed. Indeed. I see what you've done there, Graham.
GRAHAM CLULEY
Thank you very much.
THOM LANGFORD
I can tell why you're a professional.
CAROLE THERIAULT
I think it was very good, Graham.
THOM LANGFORD
Yeah, of course.
PAUL FRYER
Thank you.
THOM LANGFORD
Thank you. But this Gootkit can then be used to deploy ransomware or other tools, including drumroll, Cobalt Strike for follow-on exploitation.

So what I find absolutely fascinating about this is, is this the tip of the iceberg or is there a criminal who just happens to love Bengal cats and finds it highly amusing that when people search for Bengal cats in Australia, that he's trying to compromise their machines.
GRAHAM CLULEY
Or you're thinking of a Blofeld type.
THOM LANGFORD
Exactly. Or is it a cat breeder who's been spurned by the cat breeding community and wants to spread some kind of awful cat-based or rat-based malware out there?

It's either very, very specific or utterly random. And I think it's going to take a little while for us to find out.

Now, I looked at the Sophos website that actually broke this story and I got lost. I did not understand half the stuff they were talking about.

They were way above my technology grades.

But someone has put a vast amount of effort into this to try and use potential Bengal cat owners in Australia's computers to launch ransomware attacks elsewhere in the network.
GRAHAM CLULEY
Now, they could change it easily from Bengal cats, couldn't they?
CAROLE THERIAULT
Well, they could, sure.
GRAHAM CLULEY
They could, of course.
THOM LANGFORD
Yeah, absolutely.
GRAHAM CLULEY
I'm thinking if I was targeting you, Thom, for instance, I'd choose some sort of Lego lure.
THOM LANGFORD
Yeah, that's true.
GRAHAM CLULEY
1970s space Lego. Yeah.
CAROLE THERIAULT
I would choose something else, but nothing I would mention on the show.
GRAHAM CLULEY
Carole, what's your story for us this week?
CAROLE THERIAULT
Let's say hello to Uncle Anton, okay?

Uncle Anton, once retired, got to spend all his free time looking up into his family history, his family tree and all that, and was thrilled when he learned about genetic testing companies, 'cause they could help him find long-lost family.

So he signs up for one of repute, 23andMe. And to make sure he remembered his login, he cleverly used his trusted username and password, Antoinette123 and Antoinette321, you know?

And sent off his DNA and eagerly awaited the result to arrive. He wanted to know, was his weird obsession with dogs actually in his DNA?

Or which side of his family rewarded him with baldness at age 29.

So 23andMe have this amazing feature called DNA Relative Finder, and it's included in the 23andMe kit, which also includes ancestry reports, family tree, and trait reports.

And the idea, or what they sell it as, is you get personalized genetic insights to take action on your health.

People like Anton connect with distant relatives, including his niece, who I'll call DeMarie. Now, DeMarie works in cybersecurity and has never gone on these sites, right?

Because she sees this as a security issue.
GRAHAM CLULEY
Okay.
CAROLE THERIAULT
But through Uncle Anton's family investigations—
THOM LANGFORD
You're using my pet name again.
CAROLE THERIAULT
Some genetic and health history data of DeMarie became available on the site. DeMarie, having never accessed the genetic testing site, was none the wiser. She doesn't know.
GRAHAM CLULEY
No.
CAROLE THERIAULT
Until she gets a message on her socials from some stranger saying, "Hey, cuz, we're related." So we've talked about 23andMe before, about a year ago, in fact.

Do you guys remember why we brought it up? Because, Thom, you must remember, you listen to every episode.
THOM LANGFORD
It was the data was stolen, wasn't it?
CAROLE THERIAULT
Correct.
GRAHAM CLULEY
And there was a problem with this particular part of 23andMe, wasn't there? This thing which allowed you to connect with other people.
THOM LANGFORD
It's quite invasive.
GRAHAM CLULEY
Yeah, it was a way in which people were able to find out information about other people.

So even if they hacked one account, they're then able to grab information about other people too.
THOM LANGFORD
A bit like Facebook's shadow database of people who aren't on Facebook.
CAROLE THERIAULT
Exactly. Yeah, so let me just go back. Yes, they experienced a big data breach. Loads of user data was leaked and appeared on breach forums.
GRAHAM CLULEY
Yes.
CAROLE THERIAULT
And it was attributed to credential stuffing. So basically Anton's password and username weren't that difficult to crack. And he'd also used them on many other sites across the web.

So not only was Uncle Anton's data compromised, but people connected to him who hadn't shared their DNA with 23andMe, people like DeMarie, were also at risk.

Now at the time, 23andMe said, look, users, could you just not reuse passwords? Use some multifactor authentication. You know, this wouldn't have happened otherwise.
GRAHAM CLULEY
It's all your fault, you dumb users. You're the ones who've handled this badly.
CAROLE THERIAULT
Yeah, exactly. But last month, 23andMe was made to pay up for this breach.

And one of the issues was that 23andMe seemed to have failed to alert customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to specifically target them and then posted their information for sale on the dark web.

So there's loads of links in the show notes if you want to read more about this, listeners.

But in short, 23andMe were asked to pay $30 million for failing to protect the privacy of 6.9 million people whose personal information was exposed in the data breach last year.

1.5 million of those were never customers of 23andMe.
THOM LANGFORD
Wow.
CAROLE THERIAULT
So people like DeMarie. But that's not the end of the story. Because as a result of this entire fiasco, 23andMe are feeling the financial pinch.
PAUL FRYER
Yeah.
CAROLE THERIAULT
And it's more than a pinch. It's more a wallop across the fat chops because the share price has fallen more than 70% this year.

In September, 7 of 23andMe's 8-strong board resigned, citing they had not received a satisfactory buyout.

And just today, the day of recording, DNA testing site 23andMe is to lay off 40% of its workers, or 200 employees, as it struggles for survival.

And also, it's halting work on therapies it's been developing, some for years.
GRAHAM CLULEY
I mean, it's not looking good for 23andMe at all, is it? It looks like they're facing bankruptcy. And you have to wonder, how are they going to make some money?
THOM LANGFORD
Either going to sell themselves, in which case the data goes to someone else who can then start changing things, or they're going to sell the data.
GRAHAM CLULEY
Yep.
CAROLE THERIAULT
This is permanent information. DNA stuff. It's not stuff you can actually mess around with and change up.
GRAHAM CLULEY
You can't change your DNA like you can change your password.
CAROLE THERIAULT
And who might this be very valuable for? For example, authorities would love this information, wouldn't they?
THOM LANGFORD
Health insurance companies.
CAROLE THERIAULT
Health insurance companies would love this information. Big Pharma.
GRAHAM CLULEY
What about an evil enemy state which was developing a biological weapon who wanted to knock out...
THOM LANGFORD
Podcasters.
GRAHAM CLULEY
I'm getting all a bit James Bond with this. I'm getting conspiratorial.
CAROLE THERIAULT
But here, this is the big clincher for me.

Unlike medical information, the type of genetic data collected by companies like 23andMe are not covered by HIPAA, limiting legal recourse for affected users.
THOM LANGFORD
How is that not covered by HIPAA? It's the most personal of medical information, right?
CAROLE THERIAULT
And this was based on a very recent article just in The Atlantic. Again, links in the show notes.

So apparently 23andMe does comply with GDPR in the EU, which has stricter privacy protections and heavy penalties for breaches.

And can I just say, as a final word, you gotta love the GDPR, right? Warts and all. I know there's a few warts in it, but you gotta love the GDPR.
GRAHAM CLULEY
So for all you naysayers out there... And next time someone invites you to spit into a test tube and put it in the box to them, maybe think twice.
THOM LANGFORD
That's just a Tuesday for me.
CAROLE THERIAULT
Yeah, but can you imagine, I don't know, I was thinking about that. You're a bit of a paranoid sort. You may not want your DNA to go anywhere, right?

So when you go over to a friend's house and you're, nope, not drinking anything.
THOM LANGFORD
I'm bringing my own glass.
CAROLE THERIAULT
I brought my own glass.

Wouldn't it be nice to have secure communications through a critical event, be it a cyberattack, an extreme weather event, or even civil unrest?

Wouldn't it be nice to know that you were communicating to the right people so you can deploy resources to areas where they are most needed?

And wouldn't it be nice to have all this delivered out-of-band so there is continued communication even if your own infrastructure is compromised? The answer is yes. Yes, it would.

Say hello to BlackBerry's SecuSuite.

Certified to meet the highest security requirements, SecuSuite protects against threats to enterprise and local and national security by enabling secure communications on conventional mobile devices.

With BlackBerry SecuSuite, employees can make secure phone calls and exchange secure messages, including group chats, on the devices that they already carry. How cool is that?

Find out more at smashingsecurity.com/blackberry. And thanks to BlackBerry for sponsoring the show.
GRAHAM CLULEY
Whether you're starting or scaling your company's security program, demonstrating top-notch security practice and establishing trust is more important than ever.

Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money while helping you build customer trust.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center, all powered by Vanta AI.

Over 7,000 global companies like Atlassian, FlowHealth, and Quora use Vanta to manage risk and prove security in real time. Get $1,000 off Vanta when you go to vanta.com/smashing.

That's vanta.com/smashing for $1,000 off.

Quick question: do your end users always, and I mean always without exception, work on company-owned devices and IT-approved apps?

I didn't think so. So my next question is: How do you keep your company's data safe when it's sitting on all of those unmanaged apps and devices?

Well, 1Password has an answer to this question, and it's called Extended Access Management.

1Password Extended Access Management helps you secure every sign-in for every app on every device, because it solves the problems traditional IAM and MDM can't touch.

Go and check it out for yourself at 1password.com/smashing. That's 1password.com/smashing. And thanks to the folks at 1Password for supporting the show.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
THOM LANGFORD
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the, this is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.

It doesn't have to be security-related necessarily. Better not be. Well, my pick of the week this week is not security-related.

I have to thank one of our listeners, Dutch listener Willem, brought this to my attention.
CAROLE THERIAULT
Yay, thanks Willem.
GRAHAM CLULEY
It is a website called Y-T-C-H, YTCH dot XYZ. There, that's easy to remember.

And this is— well, imagine what YouTube would be like if it actually mimicked what it was like to turn on your television back in the 1980s. Just had a handful of channels.

You could just change between them. You couldn't stream anything instantly. There was no TV on demand. That is what this website is like.

Now, guys, I sent you the link before the podcast so you could try it out. Thom, what did you think?
THOM LANGFORD
Do you know what? I was really confused at first, which is a fairly normal state of being for me. But nonetheless, I thought this is really quite cool.

I could see myself basically spending hours clicking the channel button every 2 to 3 minutes.
CAROLE THERIAULT
And so is it just tied up with something like YouTube and it's just grabbing them at random or?
GRAHAM CLULEY
So it's got 39 channels. So there are channels about food, there's channels about comedy or cars or news and politics or classic movies, something like that.

And you just change a channel and it'll be wherever it is during that video at that time, as though you were watching old-style TV. There's no ads. Oh my goodness.

How wonderful is that?
THOM LANGFORD
It's like the BBC in the '70s.
GRAHAM CLULEY
There's a bit of static on the screen when you change the channel.
CAROLE THERIAULT
Oh, and you can choose your channel. I can— I'm looking at it now. You can say, oh, I'd like a food channel.
GRAHAM CLULEY
Oh, yeah.
CAROLE THERIAULT
But you can't click on it. You have to go to the channel.
GRAHAM CLULEY
Channel—
THOM LANGFORD
You actually have to go up and down. Yeah. You can't type in a number or anything like that, can you?
GRAHAM CLULEY
Personally, I love Channel 23, which is chess. 24 hours of chess up on there. Fantastic.
CAROLE THERIAULT
But—
THOM LANGFORD
Oh, Channel 9.
GRAHAM CLULEY
Channel 9 is cars. I can see on the list here right now. There's classical music.
CAROLE THERIAULT
That's a very good find, Graham.
GRAHAM CLULEY
Thanks to Willem for telling me about it.
CAROLE THERIAULT
Yeah.
THOM LANGFORD
Is this your way of saying that next week's podcast is going to be very late?
GRAHAM CLULEY
It's really enjoyable. YTCH, it's called. So YouTube channel, I guess it stands for, .xyz. Go and check it out. I think many people will actually really, really like it.
CAROLE THERIAULT
Cute.
GRAHAM CLULEY
And that was my pick of the week. Thom, what's your pick of the week?
THOM LANGFORD
So cast your mind back, if you can, to 1975 in the UK. We've just had the phenomenon that was 2001: A Space Odyssey. We had A Clockwork Orange. So all of these sort of futuristic—
CAROLE THERIAULT
Isn't it called A Clockwork, not Cockwork?
THOM LANGFORD
That's what I said, A Clockwork Orange. I think that was just you.
GRAHAM CLULEY
Carole, get your mind out of the gutter.
CAROLE THERIAULT
I've misheard.
THOM LANGFORD
You're thinking of the porn parody, aren't you? Anyway, so lots of slightly sort of post-apocalyptic feel or future feel going on.

It's before Star Wars, crucially, and you've got the powerhouses that is Gerry and Sylvia Anderson.
GRAHAM CLULEY
Yes.
THOM LANGFORD
So if you don't know, Gerry and Sylvia Anderson are the creators, husband and wife, who created Thunderbirds, Stingray, Joe 90, Fireball XL5.
GRAHAM CLULEY
Captain Scarlet.
THOM LANGFORD
Captain Scarlet, yeah. What they got into was a TV show called Space: 1999.
CAROLE THERIAULT
Do you know this, Graham? I don't know this at all. You—
THOM LANGFORD
What?
GRAHAM CLULEY
Oh my goodness, you don't know? Oh, Carole!
THOM LANGFORD
Oh my god!
GRAHAM CLULEY
I love Space: 1999. It has the greatest theme tune of any TV programme ever, in my opinion.
THOM LANGFORD
So good. So good. Bottom line is, this is a classic British show that was— they were trying to sell it to the US. They had— the leads were American. Martin Landau and Barbara Bain.

Big hitters of the '70s. The basic premise is, the moon gets knocked out of its orbit by a massive nuclear explosion, and is now just travelling through space.
GRAHAM CLULEY
September 13th, 1999.
THOM LANGFORD
September 13th, 1999, exactly.

They get sent hurtling through space, and it's all about their weekly adventures, and who they come across, and the spectacular aliens, and their inner demons, and all that sort of stuff.

Brilliant. A perfect periodical show. And they had 22 episodes per season. So plenty of content.
CAROLE THERIAULT
Yeah.
THOM LANGFORD
Now, the Moon City uniforms for the first series were created by an Austrian fashion designer, which tells you everything you need to know. Rudi Gernreich. And they were beige.

So beige. So much beige everywhere. They were glorious.
GRAHAM CLULEY
It was great. I loved it. I loved the Moon City. The special effects and model work, the Eagle— the Eagles were the transporters, their main spaceships.

They were awesome, weren't they?
THOM LANGFORD
As you'd expect, the model work was second to none. In fact, I think the Eagle transporter is beloved by many a man over a certain age.

But the music you mentioned, Graham, was season 2.
GRAHAM CLULEY
Oh, was it?
THOM LANGFORD
Not season 1. Yeah.
GRAHAM CLULEY
Oh, really?
THOM LANGFORD
Well, from watching these, the ones that trigger my memory the most, season 2. Even though season 1 is so much better and so much more British, you know.

So it's, you know— but anyway, because I've told friends and family this so much and they've just ignored me, I thought I'd just tell a captive audience. I love this.
PAUL FRYER
Yeah, it's superb.
THOM LANGFORD
It's dreadful as much as it is amazing. And that's part of the charm.
CAROLE THERIAULT
Gorgeous. Yeah, that's always a gorgeous combination.
THOM LANGFORD
Highly recommend it. So your pick of the week is Space 1999.
GRAHAM CLULEY
Very cool. Strong recommend from me as well. Carole, what's your pick of the week?
CAROLE THERIAULT
Okay, so my pick of the week is an article that I read over the weekend.

It's one of those, you know, when you watch The Office and then it gets really uncomfortable and I sometimes will hide behind the sofa just because I start clawing at my skin in discomfort.

It was one of those. And it involves dolls, dolls for kids from toymaker Mattel. Okay. And they're always putting out toys, these guys.

And they recently put out a new keepsake celebrating the new Wicked movie that's coming out.
GRAHAM CLULEY
All right.
CAROLE THERIAULT
And I can tell that Thom's already seen this. So stay with me, Thom. Stay with me.
THOM LANGFORD
Yes.
CAROLE THERIAULT
So Wicked.

So just for those who don't know, the idea of the movie Wicked is it's set in the Land of Oz years before Dorothy's arrival and has a green-skinned, much misunderstood young woman who will eventually become the Wicked Witch of the West.

And Cynthia Erivo plays the witch Elphaba and Ariana Grande, the pop singer, plays Glinda, the popular blonde roommate.

Okay, so all that is backstory, 'cause you have these two characters in a box, right? And they're being touted for Christmas.

And you know, in these boxes, there's lots of information, and you can learn all about it at their website. So Graham, why don't you go to the website? So it's wicked.com.
GRAHAM CLULEY
Wicked.
CAROLE THERIAULT
W-I-C-K-E-D. Yeah, that's the name of the movie. Yeah, W-I-C-K-E-D. All right, I'm going there.
GRAHAM CLULEY
Yeah.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
Access beyond this page is restricted to adults 18+ only. Oh, hang on. Hang on.
CAROLE THERIAULT
What's going on?
THOM LANGFORD
That's only because of the green skin. Just click, go through, Graham.
GRAHAM CLULEY
Are you sure? Okay, Thom, I'm going to trust you.
THOM LANGFORD
Yeah, you'll be fine.
GRAHAM CLULEY
Oh, hello. These look like— oh, watch. Surely, surely that's not the president's desk she's sitting on. It says Stormy Trump Sold. Hang on. These look like rather X-rated videos.
CAROLE THERIAULT
Right. So apparently there's another studio known as Wicked Pictures that is currently making pornographic parodies featuring various characters from the Marvel Cinematic Universe.
THOM LANGFORD
And also A Clockwork Orange as well.
CAROLE THERIAULT
And it was unfortunate, however, that packaging for the Elphaba and Glinda dolls for the Wicked movie—
GRAHAM CLULEY
They got the URL wrong.
CAROLE THERIAULT
Listed the web address for wicked.com, the homepage of Wicked Pictures, where the link should have been wickedmovie.com.

So parents who may have bought these dolls for your children in the upcoming holiday season, you may want to get a little Sharpie and block that out.

A lesson to all though is be careful with links.

Graham, you remember when we were working and a journalist sent us a link, you know, with questions and he obviously was maybe having a bit of adult fun at the same time that he was emailing us a list of questions because he got the link wrong.

And we ended up on something that's—
GRAHAM CLULEY
Yeah, yeah. He sent us an unsavoury link, shall we say.
CAROLE THERIAULT
Anyway, moving on.
GRAHAM CLULEY
Now, Carole, you've been chatting to the folks at BlackBerry this week, haven't you?
CAROLE THERIAULT
Yes, I've been talking to Paul Fryer from BlackBerry.

And, you know, when things can go really wrong, as we've seen so many times this year through wars and through natural disasters, they have a way to keep the communication lines open.

Listen up. So listeners, today we are speaking with Paul Fryer.

He is a senior manager in the sales engineering team at BlackBerry, and we are going to talk about critical event management and how to do it right.

Now, BlackBerry needs little introduction. It was first founded in 1984 as Research in Motion, or RIM.

BlackBerry is now a leader in cybersecurity, helps businesses, government agencies, and institutions of all sizes secure their digital worlds.

Paul Fryer of BlackBerry, welcome to Smashing Security.
PAUL FRYER
Hi, Carole. Thanks so much for having me.
CAROLE THERIAULT
Thank you. So Paul, maybe we can just start and learn a bit about you. So how did you end up at BlackBerry?
PAUL FRYER
Of course, I've been in technology since I fell out of school. So not to give my age away, but that was late 1994.

And I've run in positions across all of support, infrastructure, network design, a couple of ISPs that I've been a lead in.

And then it came to a point about 8 years ago where I really focused on cybersecurity as the next role for me. Do sales engineering.

I like designing things, I like building things, and I like driving success both individually and within teams.

So I joined at that point, if I may use a competitor, I joined McAfee.

I ran their sales engineering for about 6 years and then I moved across to BlackBerry 2, 2 and a half years ago to do the same thing across the UK and parts of EMEA and the Nordics.

Middle East, Africa, those sorts of areas.
CAROLE THERIAULT
Yeah, and it's a very exciting time for BlackBerry as well with, you know, not just cybersecurity, but also with the advent of AI security, right?

So it's a fun time to be working in security, I think.
PAUL FRYER
AI is used a lot within the cybersecurity space.
CAROLE THERIAULT
Yeah.
PAUL FRYER
And what we try and put across to organizations, I know we're going off topic a little bit, but what we try and put across to organizations is, AI is not AI.

Never the same just because we call it something.

The way we approach AI from a predictive standpoint when it comes to our cybersecurity solutions is very unique and different in the market.

So that's been a really interesting thing to drive across technology industries, government, public sector specifically, and other areas of industry.
CAROLE THERIAULT
Yeah, and I'm sure it plays a part as well in critical event management solutions.

So, effectively, critical event management is often referred to by its acronym, CEM, and maybe you can help us understand what is a critical event?

Like, is that a power outage or what is it?
PAUL FRYER
Great question. Critical event management has such a broad spectrum of scope across where it can be applied. I'll give you 3 examples.

So, let's take 3, an infrastructure, a technology, and then let's call it a people-focused event.

The recent Baltimore Bridge collapse, very high-profile infrastructure, as in physical infrastructure-based event, we were used to communicate across a number of different agencies to make sure that people were in the right place at the right time to respond to that incident and ensure no further loss of life or challenge to individuals in the area and make sure that we could collect real-time information about where those individuals were that were helping an event.
GRAHAM CLULEY
Mm-hmm.
PAUL FRYER
That's a really obvious critical event. It's very physical, it's very publicized. Secondly, a digital event. Physical events don't have to be physical in nature.

So a digital event, the recent widespread computer outage is a good example of this. You've got millions of devices impacted globally. Within about 6 minutes of each other.

How do organizations that have got, let's say, 10, 20, 30,000 devices out there understand what the impact in their business is?

How do they communicate with the workforce to find out who's impacted, who isn't impacted, and therefore where do we need to focus our effort to get these critical systems back up and running?

So we're talking about event management to recover critical systems within the organizations themselves.

We gather real-time status updates, maintain secure and reliable communication. How do we do that if their systems are down?
CAROLE THERIAULT
Well, exactly, that was going to be my next question. I mean, how—
PAUL FRYER
Exactly right. So the elements we're talking about here with RCE AtHoc, as you mentioned just now, is that we are out of band. So we are out of band of their own infrastructure.

We're completely independent of them and therefore can be relied upon if they've got a digital incident that causes them an issue in communication across their infrastructure in the state.

And then the third one, which is interesting, it's interesting to talk about this today, we're recording this podcast as the latest US election is just closing off.

But you'll recall the US Capitol insurrection back end of Donald Trump's last leadership, where there was the civil unrest in the area.

And our solution set was actually used and pictured on the desktop of the office of the speaker in the House, in the Senate, advising people to exit the building because of civil unrest, where to go to, how to behave, and how to respond to make sure that people are led away to the right places.

That was done in multiple methods: email, SMS, telephone and desktop messaging. So we're able to advise people where to go, how to behave.

And we're two-way communication flow as well. So they have the opportunity to respond and say, yes, I've taken that action, or yes, I'm in that location.

And then again, they can quite quickly prioritize who they have to go and assist, help out, know where they are, roll call if anything, I suppose, know where people are, understand what's going on.

And then respond to those that need help more immediately than others.
CAROLE THERIAULT
You know, it sounds to me a very useful tool, particularly today with so much environmental climate crisis changes that we're seeing with incidents happening all around the world.

Plus, we have civil unrest in many geographies. So this is something that could help.

So tell me, how does BlackBerry CEM Solutions AtHoc— what gives you the edge over anybody else?
PAUL FRYER
I think there's a couple of things. I talked just now about the multiple communication chains. So we are able to do a number of things.

So we have an application on the phone, we have desktop app, as I talked about, but you don't have to have our software on your devices to receive a notification from our solution.

So we can do it over SMS. So we're able to use very lightweight common tools to communicate, make requests. And again, this is two-way.

So the SMS is two-way, so we can come back and give an answer to a question or a response back.

Secondly, I think it leads into a couple of other things that we have in the solution set, but with playbooks around events that we can trigger responses for, we can guide people into other areas of communication flow.

We have secure communications, voice and data.
CAROLE THERIAULT
It's important.
PAUL FRYER
Yeah, it is important.

So we have secure communications with SecuSuite, another BlackBerry company, and we can, as part of the playbook of an event, direct people to that communication platform to have the secure conversation if we're looking at certain security-level conversations that need to be had.

So we're not just restricting ourselves with that one application and applying it in one certain way, but we are able to guide around other methods to go and communicate with the team and respond to an incident that's happened.
CAROLE THERIAULT
I know, and I saw on your website that there were a few stats, and one of them was that BlackBerry CEM AtHoc solution organizations can quickly assess the scope in a matter of minutes.

And I would imagine in a situation like this, most companies or organizations would have people jumping around like mad frogs. You know, it'd be chaos.

So this must be something that helps direct and give focus.
PAUL FRYER
Yeah, so that was my point around necessity of two-way communication.
CAROLE THERIAULT
Right.
PAUL FRYER
And when we have an event, we can send out a force-wide or organization-wide request. They can respond to that.

And we quickly get a view of where people are in that risk level of the event. Let's say it's an infrastructure event, like a bridge collapse, for example.

Or maybe a fire alarm in an office building.

We can quite quickly understand where people are, what the risk is, and respond to that, allow the organization to respond to that so much quicker.
CAROLE THERIAULT
I mean, it's unusual to have cybersecurity people on the show that actually have a life-saving component to their software.
PAUL FRYER
That's a really interesting point. And that's the reason why I talked about the worldwide computer outage. I also relate this back to, again, known communication. We're out of band.

Let's take a ransomware attack or a hack of some sort. People that are sitting on your infrastructure, having breached your network and listening to your communication flow.

How do you respond to that confidently with communication tools in your infrastructure that the people that are holding you to ransom or hacking you to steal data could be watching?

So you're having a conversation internally around what's our next step in resolving this issue. Threat actors can be watching that and then second-guessing your next step.

So the out-of-band element of a CEM platform means you can have those conversations outside of your infrastructure, knowing that the people that are either holding you to ransom or stealing your data can't see it and respond and change tack quicker than you can respond to what they're doing.
CAROLE THERIAULT
Yeah, incredible, because there's a lot of talk these days about deepfakes, and they often take advantage of situations.

I mean, I've been in the industry for decades, and I remember even when we had Hurricane Katrina, immediately there were fake emails trying to raise money that were all going to fraudulent pockets.

How do you work around that?
PAUL FRYER
Yeah, there's no better time for a phishing email than a crisis, is there?
GRAHAM CLULEY
That's for sure.
PAUL FRYER
Knowing who you're talking to is really important. There's one critical way we can deal with that.

You mentioned at the top of this podcast that BlackBerry's been around for a number of years. We are essentially a device management organization.

Well, at core, we were obviously a handset manufacturer.

We still maintain the security that that device gave you with a software set, a set of software solutions that allow you to manage applications and policy on mobile devices.

So we are able to also deploy these products using our secure management tooling such that you have every confidence that the person that sent you that message has valid access, is allowed to process that information, and is also monitored and audited based on the actions that are being taken.

And that's really important around how we deliver security from know who you're talking to as well as how do we respond to that issue.
CAROLE THERIAULT
Yeah, especially in a crisis, you don't have time to go and double-check and triple-check everything at that time. You got to go, go, go.

So you really want a trusted partner that knows what they're doing. And it sounds like BlackBerry might be a good one.
PAUL FRYER
Yeah, the tool has to be trusted. And data security and governance is a really strong part of what we try and deliver within BlackBerry.
CAROLE THERIAULT
Well, I got to say, I've been a fan of BlackBerry for a long time, ever since the BlackBerry Curve way back when. It was my favorite handset. To date, it's still my favorite handset.

I wish it would come back. Is there anything you'd like to add for our listeners about Critical Event Management solution?
PAUL FRYER
So there's a lot of areas that this solution set is suitable for.

I would suggest people look within their organization at the kind of things that they're concerned about, the kind of things they've got policies for around even the security of personnel, or they've got policies around if there's a data center outage or if there's a hack.

What's your communication plan for that?

What's your — how do you disseminate data in a secure way and communicate with your, not only boots on the ground, but your exec staff to make sure you're making the right responses and the right comments to press as well as internally?

Because high-profile organizations might have to make those sorts of statements. There is a place for solutions such as this.

I would suggest that organizations understand what that looks like before the incident happens and they cannot communicate.
CAROLE THERIAULT
Yeah, right? You know, be prepared is a key component of all this.
PAUL FRYER
Absolutely.
CAROLE THERIAULT
Thank you so, so much, Paul.

Listeners, if you would like to hear more, there is a ton, a veritable ton of information available for free to Smashing Security listeners on BlackBerry's CEM solution page AtHoc.

They have videos, solution briefs, demos, ransomware, all kinds of jazz. All you've got to do is visit smashingsecurity.com/blackberry. That's smashingsecurity.com/blackberry.

And Paul Fryer, Senior Manager of Sales Engineering at BlackBerry, thank you so much for coming on and sharing your insight.
THOM LANGFORD
Thanks, Carole.
PAUL FRYER
It's been a pleasure.
GRAHAM CLULEY
Well, that just about wraps up the show for this week. Thanks very much, Thom, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for people to do that?
THOM LANGFORD
Google me, darling. Google me. Sorry, DuckDuckGo me.
GRAHAM CLULEY
And you can follow us on Twitter @SmashingSecurity, no G. Twitter doesn't allow us to have a G, but Bluesky has allowed us to have a G, so you can also follow us there instead.

And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And huge, huge thank you to our episode sponsors, Vanta, BlackBerry, and 1Password, and of course to our wonderful Patreon community. It's thanks to them all that this show is free.

For episode show notes, sponsorship information, guest lists, and the entire back catalog of more than 392 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye. Bye.
THOM LANGFORD
Stay secure, my friends.

Hosts: Graham Cluley, Carole Theriault

Guest: Thom Langford

Sponsored by:

  • BlackBerry – Tune in and empower your team with the knowledge to stay connected, no matter what crisis. Learn more about BlackBerry’s critical event management solutions.
  • 1Password Extended Access Management – Secure every sign-in for every app on every device.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
