In episode 403 of “Smashing Security” we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham’s DMs, Geoff gives a poor grade for PowerSchool’s security, and Carole takes a curious look at QR codes.
All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist’s Geoff White.
Warning: This podcast may contain nuts, adult themes, and rude language.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Off the back of this, can I also have a quick rant about ransomware operators?
Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.
Hey guys. Hey guys. Or should I say Privet or Strasvidscha? Because we know where you all are based.
Smashing Security, Episode 403. Bitcoin, Coinbase crypto heists, QR codes, and ransomware in the classroom with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 403. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 403. My name's Graham Cluley.
And I'm Carole Theriault.
And this week, Carole, we are joined by a very special guest, someone who's been on the show many times before.
It is, of course, the star of the Lazarus heist and various other activities. It's Geoff White.
It is, of course, the star of the Lazarus heist and various other activities. It's Geoff White.
Hello, hello, hello.
The crowd goes wild. Thank you for being here, Geoff.
Can you jump on screen? Some applause there.
Geoff, what's been keeping you busy lately?
Well, yes, powering into 2025. I'm lucky because America Invades Greenland was on my bingo card, so I win.
Been keeping up with the rolling chaos that is the incoming Trump administration, and I've got various projects in the work and things in the pipeline which I'm working on, so I'm busy, which is good.
Been keeping up with the rolling chaos that is the incoming Trump administration, and I've got various projects in the work and things in the pipeline which I'm working on, so I'm busy, which is good.
Fantastic.
Let's thank this week's wonderful sponsors, 1Password, Tailspin, Scale and Cortex Symphony 2025. Coming up on today's show, Graham, what do you got?
I'm going to be talking about how some companies are still telling their users to turn off their security.
Okay, what about you, Geoff?
I'm going to be talking about a school data breach and how annoyed I am with incommunicative ransomware gangs.
Okay, and I'm going to delve into the wondrous growth of the QR code. All this and much more coming up on this episode of Smashing Security.
Now, chums, chums, here we are, episode 403 of Smashing Security. Quite extraordinary. What have we actually learned? What's been the purpose of this?
What wisdom have we shared with the wider population, do you think, after all these podcasts?
What wisdom have we shared with the wider population, do you think, after all these podcasts?
Are we on the educational tract and I didn't know?
Well, it would be nice if there was a small slither of that, wouldn't it?
Constantly educational, I would argue. Spreading the good word of cybersecurity and the important lessons to be learned.
Right, exactly.
I think to be safer online, we've often shared some pretty straightforward tips, even if you're only half listening while walking the dog.
You've hopefully learned to use a password manager and have unique, hard-to-crack passwords. Yeah.
You've hopefully learned to use a password manager and have unique, hard-to-crack passwords. Yeah.
Use multifactor authentication.
Oh, good one. Install an ad blocker in your browser to prevent malvertising. That's a good one as well.
Oh, I haven't done that.
Yep, have a password keeper of sorts.
Use a VPN to ensure your connections can't be intercepted.
Don't use the phone in the bath. No, that was another podcast, sorry.
Brad Pitt almost certainly isn't in love with you. That's another thing we've learnt. Don't click on suspicious attachments or dangerous links.
We could go on forever, couldn't we?
I don't know if we could go on for 400 episodes, but anyway, somehow we've managed to. So how would you feel if a company told you specifically to stop doing some of these things?
Hmm.
Hmm.
Concerned. In a word.
Or, or please, pray tell, say more.
What if they told you you really shouldn't run an ad blocker anymore? Or to believe it every time Jennifer Lopez drops into your DMs declaring her undying love for you?
Not because following any of those behaviors is actually bad for your security, but because it might make you look suspicious. That's their argument.
It's not that it's bad for your security. It's because it makes you look suspicious because you're securing yourself.
Not because following any of those behaviors is actually bad for your security, but because it might make you look suspicious. That's their argument.
It's not that it's bad for your security. It's because it makes you look suspicious because you're securing yourself.
Suspicious to whom?
Hmm.
Well, to them, to the company. They're saying, don't do that because it makes you look suspicious to us.
I mean, I would look suspicious if I was dating Jennifer Lopez, not just because I fancy Diana Rigg more than Jennifer Lopez.
Although that would also be suspicious, as she has been dead for some years.
I mean, I would look suspicious if I was dating Jennifer Lopez, not just because I fancy Diana Rigg more than Jennifer Lopez.
Although that would also be suspicious, as she has been dead for some years.
Jennifer Lopez has died?
No, Diana Rigg.
Oh my goodness. Frantically Googles Diana Rigg now.
That's my domain. In fact, probably the only way I might end up dating J.Lo for real would be if I made a cryptocurrency fortune. I think she's just split up with that—
No chance. No chance.
She's just split up with Ben Affleck. She's vulnerable.
You could be the gazillionaire, bazillionaire, 15 Elon Musks with a few Bezos on each shoulder, and you still wouldn't get J.Lo, dude.
Hey, she's still Jenny from the block.
Yeah, exactly. You're not from her block. Trust me. Trust me.
Fascinating as this is, and much as I'm enjoying the pictures now of Diana Rigg, back to the plot. Who is this company telling people, Graham?
And why are they saying that implementing security makes you look suspicious? Can you name names?
And why are they saying that implementing security makes you look suspicious? Can you name names?
I can. Yay. Coinbase.
Oh, they're crypto, right? The crypto guys.
Yeah. So that's how I'm going to lure J.Lo in. So I'm there in my mink coat with my silver cane, pouring my crypto fortunes into an online exchange like Coinbase.
But some people have been having trouble with Coinbase lately. It turns out many Coinbase users have reported sudden restrictions on their accounts.
So there is a chap we've spoken about him before in his work called Zackxbt. Sounds like a rapper.
But some people have been having trouble with Coinbase lately. It turns out many Coinbase users have reported sudden restrictions on their accounts.
So there is a chap we've spoken about him before in his work called Zackxbt. Sounds like a rapper.
Legend.
Yes. You know him, right? Renowned cryptocurrency investigator, and he's unraveled ransomware gangs and investigated all kinds of heists which happened in the past.
He's recently mentioned in a thread on Twitter that folks are fuming that they have been locked out of their Coinbase accounts.
And he posted a screenshot of dozens and dozens of Coinbase users reporting that they cannot access their accounts any longer, and they've been given no reason.
He's recently mentioned in a thread on Twitter that folks are fuming that they have been locked out of their Coinbase accounts.
And he posted a screenshot of dozens and dozens of Coinbase users reporting that they cannot access their accounts any longer, and they've been given no reason.
So that's when you're going in you normally would, you put in your username and your password, and it just goes, eh-eh.
You can't come in.
And it doesn't say why, you're just locked out.
So let me tell you what users are saying. There's a guy called Zubik. He says, "I woke up today, found out I can't access my funds on Coinbase. No warning or explanation.
I've been trying to contact support all day. I've been refreshing the app nonstop. Nothing." He says, "I thought I could trust this platform.
Now I'm not even sure I'll get any of my money back." Justin Taylor said, "Locked out of my Coinbase account. Verification keeps failing.
WTF is happening." Eric, poor old Eric, he says, "Just locked out of my account after trying to send $25,000 worth of crypto." A guy called Nas says, "Out of the blue, Coinbase restricting my account." And he says it gives him restriction instructions.
It says, "Please visit the support page." When he goes to the support page, it goes, "Please follow the restriction instructions." So he's in this endless loop.
He says, "It's the worst customer support experience ever." A guy called The Bogfather says, "Coinbase has trapped my funds for two months with no explanation.
I can't trade out of my current positions. This is egregious.
Nobody should use an exchange that does this." Because of course, if you've got your funds trapped in a particular place and you're desperate to sell, it's horrendous.
I've been trying to contact support all day. I've been refreshing the app nonstop. Nothing." He says, "I thought I could trust this platform.
Now I'm not even sure I'll get any of my money back." Justin Taylor said, "Locked out of my Coinbase account. Verification keeps failing.
WTF is happening." Eric, poor old Eric, he says, "Just locked out of my account after trying to send $25,000 worth of crypto." A guy called Nas says, "Out of the blue, Coinbase restricting my account." And he says it gives him restriction instructions.
It says, "Please visit the support page." When he goes to the support page, it goes, "Please follow the restriction instructions." So he's in this endless loop.
He says, "It's the worst customer support experience ever." A guy called The Bogfather says, "Coinbase has trapped my funds for two months with no explanation.
I can't trade out of my current positions. This is egregious.
Nobody should use an exchange that does this." Because of course, if you've got your funds trapped in a particular place and you're desperate to sell, it's horrendous.
And Coinbase, I'm assuming, is not regulated by whatever regulates all the banks and financial institutions.
I think there are more and more regulations. I mean, maybe you know about this more than me, Geoff, governing some of these cryptocurrency exchanges these days.
They are increasingly coming under regulations, but the main sort of activity around that's been around money laundering because with money laundering, it sort of doesn't matter which jurisdiction you're in.
If you're handling anything to do with US dollars or US citizens, you know, US money laundering legislation will kick in.
But no, to your point that you're right, they're not regulated in the same way as banks are.
But what's interesting, Graham, is from going back to the start, what you were saying is that when people have implemented, you know, things like VPNs and so on, that's what's triggering these Coinbase problems is that people have tried to implement a security thing.
If you're handling anything to do with US dollars or US citizens, you know, US money laundering legislation will kick in.
But no, to your point that you're right, they're not regulated in the same way as banks are.
But what's interesting, Graham, is from going back to the start, what you were saying is that when people have implemented, you know, things like VPNs and so on, that's what's triggering these Coinbase problems is that people have tried to implement a security thing.
So I'm going to come to that in just a minute.
Oh, sorry. I'll go back to pictures of Darnaway.
So why is Coinbase doing this? Well, according to ZackXBT, it's to prevent its users from losing something in the region of $300 million per year.
Not each of them, but $300 million per year, he reckons, is being lost to social engineering scams on Coinbase.
And so ZackXBT, he's got this buddy Tanuki42, and he and Tanuki42 have been investigating this, and they say that they've seen evidence that $65 million was stolen from Coinbase users between December and January.
And that, they reckon, is a huge underestimate. The true number is likely to be much higher because these are only the thefts that they know about.
They've seen evidence on the blockchain or they've had shared with them by victims rather than based on any information from Coinbase or police reports.
Not each of them, but $300 million per year, he reckons, is being lost to social engineering scams on Coinbase.
And so ZackXBT, he's got this buddy Tanuki42, and he and Tanuki42 have been investigating this, and they say that they've seen evidence that $65 million was stolen from Coinbase users between December and January.
And that, they reckon, is a huge underestimate. The true number is likely to be much higher because these are only the thefts that they know about.
They've seen evidence on the blockchain or they've had shared with them by victims rather than based on any information from Coinbase or police reports.
Well, where do you go? I mean, what's a cop going to say if you said, "Oh, I lost my crypto?" You know, what's a cop going to do?
I suspect those sort of questions are coming into police. There may be enormous challenges sometimes in chasing this kind of thing and getting a resolution.
But, you know, this is a very common type of theft today.
But, you know, this is a very common type of theft today.
It certainly is. I think I read the other day that — is it in the UK? Something like 12% of people now own crypto in some form or another.
Wow.
Could have been 12% among younger people, but yeah, it's like crypto's no longer a niche thing. It's, you know, you're looking at a significant percentage of the population.
Yeah, in the UK we're trying to work out, I think crypto is now recognized as a thing in the UK. It's recognized as an actual asset in the UK.
So when it's stolen, you know, it should be recognized as having a property stolen. But of course, you know, going down to your local cop shop and saying, oh, I've lost my crypto.
I'm not quite sure what kind of response you'd get to that.
Yeah, in the UK we're trying to work out, I think crypto is now recognized as a thing in the UK. It's recognized as an actual asset in the UK.
So when it's stolen, you know, it should be recognized as having a property stolen. But of course, you know, going down to your local cop shop and saying, oh, I've lost my crypto.
I'm not quite sure what kind of response you'd get to that.
So Zackxbt says he started looking into this because someone contacted him saying that they had lost $850,000.
See, that hurts.
I don't understand why you keep so much money in there.
I can, you know, I imagine because you're greedy, right?
Why do you keep that much money in a pension?
Because it's regulated.
Yes.
A lot harder to get money out of a pension, I think, than to enter a username and password and transfer it.
I mean, under your mattress is safer than many crypto joints, in my view. You know, it doesn't make as much money, I suppose.
Anyway, this particular guy who lost $850,000, ZackXBT found that something 25 other users had fallen for the identical scam, where a scammer called the victim, they sort of spoofed their phone number, they pretended to be Coinbase.
They used personal information obtained from private databases to gain their trust. So they knew information about their victim. Now, that isn't revolutionary.
We've seen those kind of scams in the past, obviously, many times before. And what people don't realize is Coinbase will never, ever call you.
But when they did call, when the scammer called, they told the victim their account had had multiple unauthorized login attempts. So people kept on trying to log in.
They then sent a spoofed email to the user, which appeared to come from Coinbase support with a fake case ID. Further gaining the trust of the victim.
They used personal information obtained from private databases to gain their trust. So they knew information about their victim. Now, that isn't revolutionary.
We've seen those kind of scams in the past, obviously, many times before. And what people don't realize is Coinbase will never, ever call you.
But when they did call, when the scammer called, they told the victim their account had had multiple unauthorized login attempts. So people kept on trying to log in.
They then sent a spoofed email to the user, which appeared to come from Coinbase support with a fake case ID. Further gaining the trust of the victim.
Coinbase would never do that either. Send a support email.
Well, maybe their support people wouldn't get around to it, who knows?
But that then instructed the victim to transfer funds to a Coinbase wallet and whitelist that address while support, in quotes, verified the account security.
So obviously that's where the scam takes place, is that the money is then moved.
But that then instructed the victim to transfer funds to a Coinbase wallet and whitelist that address while support, in quotes, verified the account security.
So obviously that's where the scam takes place, is that the money is then moved.
I can totally see people falling for this. What would you do? What would you do to verify it?
I guess many people would just click on the link and say, does this look the Coinbase site?
Mm-hmm.
And the scammers, of course, have cloned the Coinbase site pretty much identically.
They're using what are called panels, which are being openly sold on cybercrime forums on Telegram, which are basically little do-it-yourself kits, ways for really rolling out a scam website.
So this once again is cybercrime industrialized where there are criminals who've given you the tools to piece together your scam and all the things that you need in order to con someone out of money.
And there are many Telegram channels where scammers are advertising these sort of services.
The scammers can vary from being script kiddies, probably many of them are script kiddies, but they're also sort of more organized criminals as well based around the world.
Now, earlier on, I was talking about companies which maybe were giving poor advice regarding security, telling you to turn off your security.
Scott Shapiro is a senior director of product management at Coinbase, and he recently tweeted that people shouldn't use VPNs and ad blockers as Coinbase treats them with suspicion.
So his tweet said, "Public service announcement, don't use a VPN to access Coinbase.
Attackers always use VPNs, so our risk models take that as a negative sign, even if you're legitimately using your own account.
Same with ad blockers and other extensions." Well, yeah, hackers use VPNs in order to keep themselves safe and secure online, right?
They don't want their identity falling out there. They don't want to be tracked too much.
They're using what are called panels, which are being openly sold on cybercrime forums on Telegram, which are basically little do-it-yourself kits, ways for really rolling out a scam website.
So this once again is cybercrime industrialized where there are criminals who've given you the tools to piece together your scam and all the things that you need in order to con someone out of money.
And there are many Telegram channels where scammers are advertising these sort of services.
The scammers can vary from being script kiddies, probably many of them are script kiddies, but they're also sort of more organized criminals as well based around the world.
Now, earlier on, I was talking about companies which maybe were giving poor advice regarding security, telling you to turn off your security.
Scott Shapiro is a senior director of product management at Coinbase, and he recently tweeted that people shouldn't use VPNs and ad blockers as Coinbase treats them with suspicion.
So his tweet said, "Public service announcement, don't use a VPN to access Coinbase.
Attackers always use VPNs, so our risk models take that as a negative sign, even if you're legitimately using your own account.
Same with ad blockers and other extensions." Well, yeah, hackers use VPNs in order to keep themselves safe and secure online, right?
They don't want their identity falling out there. They don't want to be tracked too much.
Duh.
Of course they're worried about law enforcement doing these things.
But it seems to me it is crazy that Coinbase is actually telling people turn off things which normally we would suggest can offer an additional level of security, blocking malware with ad blockers and various extensions, maybe using a VPN as well, especially if you've got $850,000 worth of cryptocurrency in an online exchange.
But it seems to me it is crazy that Coinbase is actually telling people turn off things which normally we would suggest can offer an additional level of security, blocking malware with ad blockers and various extensions, maybe using a VPN as well, especially if you've got $850,000 worth of cryptocurrency in an online exchange.
I don't think they're alone though, in companies that say don't use VPNs if you want this to work.
You know, lots of people use VPNs, for example, or used to, I don't know if it still works, but you know, used to use VPNs to watch streaming channels they weren't allowed to watch in certain regions and that sort of thing.
You know, lots of people use VPNs, for example, or used to, I don't know if it still works, but you know, used to use VPNs to watch streaming channels they weren't allowed to watch in certain regions and that sort of thing.
Yeah. There are non-security reasons to use VPNs as well.
There's perhaps less requirement for a VPN amongst the general population than there used to be, because so many sites now do have set up an encrypted tunnel with your browser via HTTPS.
So I'm always dubious about some of these VPN companies who really oversell the security features of those systems, but—
There's perhaps less requirement for a VPN amongst the general population than there used to be, because so many sites now do have set up an encrypted tunnel with your browser via HTTPS.
So I'm always dubious about some of these VPN companies who really oversell the security features of those systems, but—
You sound like Scott Shapiro.
Well, I'm not saying don't use it. I'm not saying don't use it.
And I think it's a real mistake for a company to say, because bad guys use this stuff, don't you ever use this stuff, because I think that does send a dangerous message.
And I think it's a real mistake for a company to say, because bad guys use this stuff, don't you ever use this stuff, because I think that does send a dangerous message.
So are you saying that basically the people that use VPNs are the ones that weren't able to log into their accounts, but their money is fine and safe?
It's just don't use VPNs, otherwise we won't be able to identify you properly.
It's just don't use VPNs, otherwise we won't be able to identify you properly.
Certainly it seems some of these people have been locked out because of their ad blocker usage, maybe extensions, maybe their use of VPNs.
Who knows what other signals Coinbase is looking for, for suspicious activity.
Who knows what other signals Coinbase is looking for, for suspicious activity.
What's really fascinating about all of this is there's actually a really massive issue lurking in the heart of all of this, which is that when cryptocurrency was created, when Bitcoin was created as one of the first major cryptocurrencies, one of the big attractions of it was anonymity, was the idea that unlike your credit card and your bank account, you can't be tracked.
It was basically digital cash was the idea. And that was a big draw at the beginning was governments did not control this. There was strong privacy and anonymity in the whole thing.
It was cash that you could use online.
And then what happened after that was a bunch of people got involved that were thinking, well, this could be a huge — we can make money off of this.
So from the very beginning of the Bitcoin era of crypto, you've had this schism between the idealists, if you like, about crypto who see this as a radical reinvention of society, et cetera, and the let's make tons of money out of this kind of people.
And what's interesting with this Coinbase thing is that the things they're pushing back on, things VPNs and ad blockers, these are privacy technologies.
And so the very heart of cryptocurrency being a privacy-enhancing technology, Coinbase are saying, no, we're on the money side and you don't get the privacy enhancing technology stuff.
I find that fascinating.
The other observation I would make is frankly, if you've got £850,000 or dollars worth of funds anywhere, you need to be paying somebody to look after that security of that.
Now, if it's in a bank, the bank hires a security person to look after it.
If you are giving it to Coinbase, Coinbase are not hiring a security person to look after your £850,000 and they're certainly not in this case, hiring them to do enough of a good job for you.
It's worth taking a chunk of that lovely stash of money you've got and paying somebody to make sure that it's secured and vetting your processes.
It was basically digital cash was the idea. And that was a big draw at the beginning was governments did not control this. There was strong privacy and anonymity in the whole thing.
It was cash that you could use online.
And then what happened after that was a bunch of people got involved that were thinking, well, this could be a huge — we can make money off of this.
So from the very beginning of the Bitcoin era of crypto, you've had this schism between the idealists, if you like, about crypto who see this as a radical reinvention of society, et cetera, and the let's make tons of money out of this kind of people.
And what's interesting with this Coinbase thing is that the things they're pushing back on, things VPNs and ad blockers, these are privacy technologies.
And so the very heart of cryptocurrency being a privacy-enhancing technology, Coinbase are saying, no, we're on the money side and you don't get the privacy enhancing technology stuff.
I find that fascinating.
The other observation I would make is frankly, if you've got £850,000 or dollars worth of funds anywhere, you need to be paying somebody to look after that security of that.
Now, if it's in a bank, the bank hires a security person to look after it.
If you are giving it to Coinbase, Coinbase are not hiring a security person to look after your £850,000 and they're certainly not in this case, hiring them to do enough of a good job for you.
It's worth taking a chunk of that lovely stash of money you've got and paying somebody to make sure that it's secured and vetting your processes.
Are you offering your services at this point?
Well, I just—
Has this turned into an advert?
For an $85,000 down payment, you can hire the services of Geoff White.
Geoff, what's your story for us this week?
I'm going to be looking at a hack on a US company called PowerSchool. I just can't help pronouncing it that. It just sounds PowerSchool. This is a software provider for schools.
So basically it provides the kind of software that logs grades and attendance and all that kind of thing.
According to TechCrunch, 18,000 schools it's in and supports 60 million students in North America. Software was hacked.
This went back to, I think it was December last year, they first announced it. And we're still finding out the details about this.
The reason this story caught my eye was, and it's a really facile reason, but do you remember that scene in WarGames, that classic computer hacking movie, where Matthew Broderick's character hacks into a school database and changes his grades?
So basically it provides the kind of software that logs grades and attendance and all that kind of thing.
According to TechCrunch, 18,000 schools it's in and supports 60 million students in North America. Software was hacked.
This went back to, I think it was December last year, they first announced it. And we're still finding out the details about this.
The reason this story caught my eye was, and it's a really facile reason, but do you remember that scene in WarGames, that classic computer hacking movie, where Matthew Broderick's character hacks into a school database and changes his grades?
Dialing into the school's computer. Are those your grades?
Yeah.
I don't think that I deserved an F. Do you? You can't do that.
It took me straight back to that as soon as I saw this, because it records your school grades, this software.
And the idea that you can hack in and change your grades to an A, I just — it took me right back to WarGames.
And the idea that you can hack in and change your grades to an A, I just — it took me right back to WarGames.
But should I admit that having worked in this industry for 35 years.
Oh no.
I've never seen WarGames.
Oh no.
He's not seen a lot of very good films in my opinion.
Really? Were you raised by wolves?
He was probably raised by wolves.
Never seen WarGames.
No, no, nor E.T. We could list a lot of movies.
Oh no.
Sneakers, that's a hacking movie. Not seen that.
Independence Day?
I have seen Independence Day, yes.
Oh, there you go. There's a bit of weird hacking there, isn't there?
Thank goodness the aliens were using Mac computers, so Geoff Goldblum was able to infect them that way.
Anyway, so yes, WarGames. By the way, WarGames, I still think is worth a watch. Right. It's a thrilling little tale.
And there's this classic scene in it where Matthew Broderick's character is logging into the school software to change his grade.
I mean, there's a number of things about the film that are quite unrealistic.
One is that there's a really attractive girl in school who's attracted to him, even though he's a computer geek. And he tries to change her grades as well.
And then she refuses and says, no, no, you shouldn't change my grades. And then when she leaves, he changes her grade anyway to an A.
And there's this classic scene in it where Matthew Broderick's character is logging into the school software to change his grade.
I mean, there's a number of things about the film that are quite unrealistic.
One is that there's a really attractive girl in school who's attracted to him, even though he's a computer geek. And he tries to change her grades as well.
And then she refuses and says, no, no, you shouldn't change my grades. And then when she leaves, he changes her grade anyway to an A.
That's love, baby.
So in preparation for this podcast, I watched the scene. Oh, that's the amount of preparation I do for this program.
Watch some YouTube. Thank you.
Anyway, back to the plot.
PowerSchool gets hacked and the hackers break into some portal which allows them access to a lot of the data that PowerSchool holds, which obviously is kids' data. So that's bad.
PowerSchool gets hacked and the hackers break into some portal which allows them access to a lot of the data that PowerSchool holds, which obviously is kids' data. So that's bad.
Yes.
It has to be said, one of the major problems with this is exactly what the thing gave access to and what information got stolen.
So we know that they said, well, this was potentially sensitive information.
So this was students' grades, their attendance and demographics, also Social Security numbers and medical data.
So we know that they said, well, this was potentially sensitive information.
So this was students' grades, their attendance and demographics, also Social Security numbers and medical data.
Ooh.
I was thinking about that. That could be, you know, my little Johnny has asthma and he might have to have his inhaler.
But even so, I mean, these days, mental health, does that include mental health data? Because that could be in there.
But even so, I mean, these days, mental health, does that include mental health data? Because that could be in there.
Oh, I'm sure it does.
Could be.
Significant stuff.
And this is a lot of schools who are using this software as well, isn't it?
Well, that's the other thing. A lot of schools using it. How many schools are affected? We don't know.
PowerSchool are doing this interesting thing of saying, "Yes, we've got a handle on this.
We know what's been affected." And then when journalists are asking, "Well, how many schools were affected?" PowerSchool say, "Well, we don't know." It's either column A or column B there.
Again, you get little tidbits of information come out.
Toronto School District Board, which is a school board in Canada, reckons the hackers may have accessed 40 years' worth of student data.
PowerSchool are doing this interesting thing of saying, "Yes, we've got a handle on this.
We know what's been affected." And then when journalists are asking, "Well, how many schools were affected?" PowerSchool say, "Well, we don't know." It's either column A or column B there.
Again, you get little tidbits of information come out.
Toronto School District Board, which is a school board in Canada, reckons the hackers may have accessed 40 years' worth of student data.
Oh, wow.
What are they keeping 40 years of student data online for?
Well, this is the thing, you've got to read these things carefully.
May have access to 40 years' worth of— What that probably means is that PowerSchool systems have access to something 40 years' worth of data going back, but did the hackers access that or not?
May have access to 40 years' worth of— What that probably means is that PowerSchool systems have access to something 40 years' worth of data going back, but did the hackers access that or not?
It sounds to me Matthew Broderick's in trouble.
Certainly.
They may have records of him logging in and changing his grades after all these years.
Indeed, indeed. Maybe that was the thing that was used in WarGames. So there is a huge amount of fog of war around this type of stuff.
But what's really been interesting is apparently the teachers who use this stuff, the school, I should say school administrators, it would be teachers, but also people who work in schools, run the IT systems, have been trying to get together and work out what the hell's happened.
The problem with this, and I do sympathize with PowerSchool, is each school sort of has its own implementation of this. They log their own types of data.
So when people say, well, what data's gone? PowerSchool sort of said, well, it kind of depends what the school was storing on our systems, which is sort of up to them.
So I do have a certain amount of sympathy.
What's interesting is the school administrators themselves have started to weigh into this and actually take matters into their own hands and have started sharing on one of their forums, one of these bulletin boards, information saying, well, I looked up this and I found that and the hacker's IP address is this.
If you search for that, you might be able to find— they got it.
So they're actually doing a sort of crowdsourced incident response to this thing, which just shows you in the kind of fog of war with a lack of information from PowerSchool, it seems the actual users themselves are coming together and trying to sort out what's happened.
It's been a really interesting sort of thing to watch in terms of the incident response.
But what's really been interesting is apparently the teachers who use this stuff, the school, I should say school administrators, it would be teachers, but also people who work in schools, run the IT systems, have been trying to get together and work out what the hell's happened.
The problem with this, and I do sympathize with PowerSchool, is each school sort of has its own implementation of this. They log their own types of data.
So when people say, well, what data's gone? PowerSchool sort of said, well, it kind of depends what the school was storing on our systems, which is sort of up to them.
So I do have a certain amount of sympathy.
What's interesting is the school administrators themselves have started to weigh into this and actually take matters into their own hands and have started sharing on one of their forums, one of these bulletin boards, information saying, well, I looked up this and I found that and the hacker's IP address is this.
If you search for that, you might be able to find— they got it.
So they're actually doing a sort of crowdsourced incident response to this thing, which just shows you in the kind of fog of war with a lack of information from PowerSchool, it seems the actual users themselves are coming together and trying to sort out what's happened.
It's been a really interesting sort of thing to watch in terms of the incident response.
That's weird though, well, 'cause often we would say, oh, you know, be careful doing that in a way because you want to involve the person who's running the software.
But if they're not coming back, what do you do?
But if they're not coming back, what do you do?
Exactly. Somebody said that their information has been suspicious and not very useful. And it has to be said, given what they were saying to the press.
So has there been any kind of ransom demand over this?
Well, we think so. We think it's ransomware attack. Now obviously, the way these modern ransomware attacks work, they've broken in, they've probably stolen a bunch of data.
What's interesting about this again though, is in the past when the hackers have attacked systems like this, sometimes they've gone to the provider, in this case PowerSchool, but the other option is to go, of course, to the 18,000 schools and try and get 18,000 ransoms out of them.
What's interesting about this again though, is in the past when the hackers have attacked systems like this, sometimes they've gone to the provider, in this case PowerSchool, but the other option is to go, of course, to the 18,000 schools and try and get 18,000 ransoms out of them.
Yeah.
Interestingly, this is again from this TechCrunch article, PowerSchool told TechCrunch they'd taken appropriate steps and said that it worked with cyber extortion incident response teams to negotiate with the threat actors responsible for the breach.
The TechCrunch article then goes on to say, this all but confirms that PowerSchool paid a ransom to the attackers that breached its systems.
The company refused to say how much it paid or how much the hacker demanded. Now, I think that's a bit of a leap.
Just because you've got somebody doing negotiation doesn't mean you've paid or certainly paid yet.
The TechCrunch article then goes on to say, this all but confirms that PowerSchool paid a ransom to the attackers that breached its systems.
The company refused to say how much it paid or how much the hacker demanded. Now, I think that's a bit of a leap.
Just because you've got somebody doing negotiation doesn't mean you've paid or certainly paid yet.
No.
But interestingly, what piqued my attention about this story was that I'm working at the moment on a ransomware story for an outlet. And so I'm doing a lot on ransomware.
So I'm looking at a lot of ransomware groups' websites where if they want to threaten the victim, they post details of the victim and say, we've hacked this company or this organization, you know, here's what we've got and we'll leak it unless they pay.
I haven't seen this PowerSchool leak on any of the sites I've been checking. I've got access to them all, but I've not seen it on there.
And the suspicion always is, well, if your information's not on the site, you're probably negotiating and probably paying up.
So I don't know whether that roundup of ransomware websites I'm looking at indicates that maybe PowerSchool have paid and therefore aren't being identified on the sites.
It's interesting. It's proper fog of war, this one.
So I'm looking at a lot of ransomware groups' websites where if they want to threaten the victim, they post details of the victim and say, we've hacked this company or this organization, you know, here's what we've got and we'll leak it unless they pay.
I haven't seen this PowerSchool leak on any of the sites I've been checking. I've got access to them all, but I've not seen it on there.
And the suspicion always is, well, if your information's not on the site, you're probably negotiating and probably paying up.
So I don't know whether that roundup of ransomware websites I'm looking at indicates that maybe PowerSchool have paid and therefore aren't being identified on the sites.
It's interesting. It's proper fog of war, this one.
And there's no sort of regulations about them reporting that they've fallen victim to this ransomware attack?
Like, do they have to inform the FBI, who maybe want to gather information on different cybercriminal groups?
Like, do they have to inform the FBI, who maybe want to gather information on different cybercriminal groups?
I understand in the US, if you're a public institution, like a sort of government department, then yes, you have to declare it.
But PowerSchool is a private company, and I'm pretty sure in the US, as in the UK, it's still not the case that you have to report. UK's looking at this.
UK government, obviously, big consultation. What do we do about ransomware?
But PowerSchool is a private company, and I'm pretty sure in the US, as in the UK, it's still not the case that you have to report. UK's looking at this.
UK government, obviously, big consultation. What do we do about ransomware?
Yeah.
It's being reported that they're trying to talk about, you know, introducing a duty to report. You have to report if you get hit by ransomware.
The people I've spoken to say, no, it's a bit different to that, that it'll be a duty to inform government if you want to pay, which obviously means, you know, you have to go and tell teacher if you're going to do this.
So the effect might be the same, that people don't want to pay 'cause they don't want to tell the government that they're gonna pay, but.
However, off the back of this, can I also have a quick rant about ransomware operators? Please.
The people I've spoken to say, no, it's a bit different to that, that it'll be a duty to inform government if you want to pay, which obviously means, you know, you have to go and tell teacher if you're going to do this.
So the effect might be the same, that people don't want to pay 'cause they don't want to tell the government that they're gonna pay, but.
However, off the back of this, can I also have a quick rant about ransomware operators? Please.
Because they're all tuned in. They all listen to Smashing Security, all the ransomware bad guys.
They know us, bad guys. Or should I say Privet or Strasovice? Because we know where you all are based.
But anyway, as part of this story I'm doing about ransomware, I am contacting a whole bunch of these ransomware operators, of these dudes.
And I've got to say, it is like pulling teeth.
It is the hardest interviewing job I've ever done because, A, they're computer geeks, and obviously computer geeks don't tend to, you know, be very verbose and chatty.
And B, I think a lot of them are Russian, who, from my dealings with Russians, are some of the most taciturn people on the planet.
Trying to get more than two words out of these people is agonizing. Like you ask them like, oh, you know, what do you think of the LockBit takedown last year? No, it's no problem.
Okay, yeah, why'd you get into ransomware? Oh, it's just the money.
But anyway, as part of this story I'm doing about ransomware, I am contacting a whole bunch of these ransomware operators, of these dudes.
And I've got to say, it is like pulling teeth.
It is the hardest interviewing job I've ever done because, A, they're computer geeks, and obviously computer geeks don't tend to, you know, be very verbose and chatty.
And B, I think a lot of them are Russian, who, from my dealings with Russians, are some of the most taciturn people on the planet.
Trying to get more than two words out of these people is agonizing. Like you ask them like, oh, you know, what do you think of the LockBit takedown last year? No, it's no problem.
Okay, yeah, why'd you get into ransomware? Oh, it's just the money.
You will not social engineer me, Mr. Journalist.
Just tell me. So I got one guy, I got one guy on the chat and he was coming out with answers and I thought, this guy's actually capable of stringing a sentence together, it's great.
And I was like, this is good, I can use some of these quotes, this is, you know, he is actually a ransomware operator, he's an affiliate, you know.
And then I looked back at the interview and there was something really strange about his answers. Oh no.
And I was like, this is good, I can use some of these quotes, this is, you know, he is actually a ransomware operator, he's an affiliate, you know.
And then I looked back at the interview and there was something really strange about his answers. Oh no.
There were shorter answers.
That were quite revealing about who he was and what he was doing. And in those answers, his grammar was pretty bad.
He didn't spell I with a capital I when he was saying I am and that kind of thing, no full stops.
And then the longer answers, the ones that I thought, oh, that's quite juicy, they were the kind of answers that you get from ChatGPT.
And I was like, oh no, the one interviewee I got who could string a sentence together is actually just using ChatGPT. Bloody hell, it's impossible.
I just want someone who talks sense. Oh my God.
He didn't spell I with a capital I when he was saying I am and that kind of thing, no full stops.
And then the longer answers, the ones that I thought, oh, that's quite juicy, they were the kind of answers that you get from ChatGPT.
And I was like, oh no, the one interviewee I got who could string a sentence together is actually just using ChatGPT. Bloody hell, it's impossible.
I just want someone who talks sense. Oh my God.
Carole, what have you got for us this week?
Well, before I get into my topic, have you guys been seeing articles about how children's reading levels are plummeting?
Something like a third of 8th graders in the US have below basic reading levels.
And if this can't be solved, my topic for today might be the answer, which is QR codes, because you don't need to read a thing. So QR codes. Okay, what does it stand for?
Any of you know QR?
Something like a third of 8th graders in the US have below basic reading levels.
And if this can't be solved, my topic for today might be the answer, which is QR codes, because you don't need to read a thing. So QR codes. Okay, what does it stand for?
Any of you know QR?
Oh, I don't know.
It's an acronym?
Quick something, is it?
Yes. Quick response. Quick response code. Okay, so it's a two-dimensional matrix barcode invented when? Any guesses?
1991.
1994. Very close.
Whoa.
Oh, I'm so close.
And it was originally used by a Japanese company called Denso-Wave. And it was used to label car parts.
And so these QR codes basically are, you know, we all know they're black squares on a white background and they have reference markers inside that are readable by most smartphones, computers, wearables, that sort of thing.
And then the data is extracted magically from these patterns and then brings you to whatever, a service, a product.
And so these QR codes basically are, you know, we all know they're black squares on a white background and they have reference markers inside that are readable by most smartphones, computers, wearables, that sort of thing.
And then the data is extracted magically from these patterns and then brings you to whatever, a service, a product.
So just to interrupt, for the eagle-eyed among us, magically interpreted.
What I'm intrigued by is some QR codes are really blocky and they've got, I don't know, 16 square bits on them and others, they're really, really tiny little blocks and loads and loads of them.
And yet they all scan. That's what I wonder is how does the phone turn the QR code into effectively a URL?
What I'm intrigued by is some QR codes are really blocky and they've got, I don't know, 16 square bits on them and others, they're really, really tiny little blocks and loads and loads of them.
And yet they all scan. That's what I wonder is how does the phone turn the QR code into effectively a URL?
Yes, I've wondered that too, Carole. Could you tell me?
You know what?
I'm not going to tell you on the show, but you can go read it in my show notes because I do have it in there and it uses some kind of technology, which I can't remember the name of right now, but yes, you can go read about it.
So, you know, go do your homework. I won't do it for you. QR codes have been poodling along for what, a few decades now? And suddenly they became pretty ubiquitous.
We saw tremendous growth in the use of them a few years ago. Why did we see that?
I'm not going to tell you on the show, but you can go read it in my show notes because I do have it in there and it uses some kind of technology, which I can't remember the name of right now, but yes, you can go read about it.
So, you know, go do your homework. I won't do it for you. QR codes have been poodling along for what, a few decades now? And suddenly they became pretty ubiquitous.
We saw tremendous growth in the use of them a few years ago. Why did we see that?
I thought it was COVID. Yeah, COVID kicked it off.
COVID.
If you were ordering things, wasn't it? Like restaurants. Yeah, you wouldn't have a waitress going from table to table spreading nasty germs.
Or waiter.
Yeah, it's the germs. The germies. It's the germies. The fingerprints, the greasy stuff on the parking meters, or fingerprints on menus.
Yeah, it was during the whole— was it eat out to help out? Or also show up to throw up was the other way we phrased it.
It's hard to remember just how careful a lot of us felt we had to be during the peaks of COVID.
And so it was a perfect storm that QR codes were there and it just proliferated during that time. And the other thing is that they're easy peasy lemon squeezy.
Even the youngest users would typically be able to figure out what to do with a QR code in a minute or two, right? It doesn't take a lot of technical nous.
Because you think it's really good for the user, right? It makes it easy for me to go to a parking place and then just scan this code and then off I go to where I need to go.
But it's used in all manner of things, from sharing simple business card details to touchless payments, Wi-Fi event check-ins, ordering online.
And the reason people use them is they're cheap. Incorporating QR codes is straightforward, budget-friendly, and there's even free tools to help you create them.
And so it was a perfect storm that QR codes were there and it just proliferated during that time. And the other thing is that they're easy peasy lemon squeezy.
Even the youngest users would typically be able to figure out what to do with a QR code in a minute or two, right? It doesn't take a lot of technical nous.
Because you think it's really good for the user, right? It makes it easy for me to go to a parking place and then just scan this code and then off I go to where I need to go.
But it's used in all manner of things, from sharing simple business card details to touchless payments, Wi-Fi event check-ins, ordering online.
And the reason people use them is they're cheap. Incorporating QR codes is straightforward, budget-friendly, and there's even free tools to help you create them.
Yep.
They're forgiving, so people can scan them from a bad angle. You don't have to be dead on. The size can be different.
Yeah.
They're also little research spies, these QR codes, because they help companies monitor who scans the material, how often, which type of device is used, what time did they scan, what location did they scan.
OK. Yeah.
And this tracking provides valuable insights, right? So they're pretty neat. And consumers like them. Businesses like them. So technological marvel.
Hmm.
There shouldn't be any problems. But there are. A lot of news right now happening both in the UK and the US about being careful of scams.
The media is rife with reports about motorists being scammed at car parks across the UK, with councils battling fraudulent QR codes stuck on machines.
The media is rife with reports about motorists being scammed at car parks across the UK, with councils battling fraudulent QR codes stuck on machines.
Yeah, this is where they stick over a false QR code, isn't it, on the machine?
Yes, I've seen this, yes.
That's right, right? And it can look really legitimate. And basically, the user just, you know, dum-da-dum, I need to pay for my parking, scan the code.
However, the link takes you to a fake website. So you're actually paying the fraudster, not the council, meaning that they'll probably fine you.
However, the link takes you to a fake website. So you're actually paying the fraudster, not the council, meaning that they'll probably fine you.
Who knows what the real parking website's supposed to look like? If it looks shonky, I'll be like, "Oh, that's just the parking website." That's normal.
And what about in the States? It seems to be US package scams. This follows last week's FTC scam alert on this very topic. So this is what the FTC say.
So an unexpected package from an unknown sender arrives in your name at your house. So you open it and you find a note that says it's a gift. But it doesn't say who sent it.
And the note also says, scan the QR code to find out who sent it.
So an unexpected package from an unknown sender arrives in your name at your house. So you open it and you find a note that says it's a gift. But it doesn't say who sent it.
And the note also says, scan the QR code to find out who sent it.
Okay.
Or to get instructions on how to return it.
But you've still got a gift. What's the gift?
Well, who knows? They promise big riches inside.
Maybe—
Cheetah bomb!
Has a diamond ring!
It's not a dog poop in a sandwich box or something like that. It is a proper— it's a proper thing that people might want.
So let's, I don't know, just say it's a shoehorn, for example. Right? You get it. This shoehorn.
Just to pick one of those incredibly popular items out of the— Yeah, yeah, yeah, yeah.
Okay, so you might—
Our survey said, uh-uh, a pair of grape scissors.
Do you know what? Both of those items I currently have in my house.
You are so upper class. So you get a shoehorn through the post in a package. You open it up. You think, who sent this to me?
You're wondering who the bloody hell— It must be Geoff White, you're thinking, who sent me this.
You're wondering who the bloody hell— It must be Geoff White, you're thinking, who sent me this.
He's the only guy I know.
He's the only guy I know who's into shoehorns. So you scan the QR code, you're taken to a website. What then happens? How do you get scammed at that point? I don't understand.
Well, you have to log in to your Amazon page, for example, to say—
Oh, I see. So it takes you to a fake Amazon. Oh, I see. I understand.
Maybe it's Amazon. Depends on what the scam is. Right.
Okay.
Right. Now, another targeted attack was presented in a Microsoft blog late last month, and it talked about a new spear phishing campaign.
And rather unusually, it targeted targets WhatsApp and uses QR codes. So as with a typical phishing attack by Star Blizzard, you guys know about Star Blizzard?
They're some gang that go around.
And rather unusually, it targeted targets WhatsApp and uses QR codes. So as with a typical phishing attack by Star Blizzard, you guys know about Star Blizzard?
They're some gang that go around.
Oh, it's a hacking gang. It's one of those hacking gang names. All right. Okay.
Yeah. According to Microsoft, the threat actor initiates email contact with their target to engage them, right?
In this campaign, the threat actor personates a government official, right? So that's what they used in this particular campaign.
Email sent to the target contains a QR code, quote, purporting to direct users to join a WhatsApp group on, quote, the latest non-governmental initiatives aimed at supporting Ukraine NGOs.
In this campaign, the threat actor personates a government official, right? So that's what they used in this particular campaign.
Email sent to the target contains a QR code, quote, purporting to direct users to join a WhatsApp group on, quote, the latest non-governmental initiatives aimed at supporting Ukraine NGOs.
Hang on, hang on. You get an email on your phone which contains a QR code. How do you scan an email on your phone with your phone's camera? You'd have to have mirrors.
Have they thought this through properly?
Have they thought this through properly?
Well, people, I don't know. I don't know how that works.
You could get the email on your laptop, couldn't you, if your email account's on your laptop, and then you scan it with your phone from your laptop.
Oh, I suppose so. I suppose so. Oh yes. Okay. Fair enough.
A lot of people have two phones. Maybe they're sitting there with both phones. Okay.
So this code, this QR code, okay, in this email is intentionally broken and will not direct the user to any valid domain.
And this is an effort by Star Blizzard apparently to target the recipient into responding.
So this code, this QR code, okay, in this email is intentionally broken and will not direct the user to any valid domain.
And this is an effort by Star Blizzard apparently to target the recipient into responding.
Right.
So when the target does respond, the threat actor apologizes for the inconvenience and says, shortened link, those bit.ly links, to the so-called WhatsApp group.
Right.
The target then clicks on the link and is redirected to a webpage with a QR code to join this so-called WhatsApp group.
Sounds like a lot of steps. Yeah, yeah.
It feels like a lot of effort.
I don't understand. Okay, however, okay, the malicious QR code that has been served up is not actually this NGO group, right?
But it's actually used by WhatsApp to connect an account to a linked device or a WhatsApp web portal.
But it's actually used by WhatsApp to connect an account to a linked device or a WhatsApp web portal.
Oh.
Yeah. So this means now if the target follows the instructions on the page, the threat actor can gain access to the messages in their WhatsApp account.
Oh, that's sneaky.
Mm-hmm.
Oh, yes. The criminal is linking their device to your WhatsApp account.
Getting access to all your content in there.
Oh, that's really nasty.
Mm-hmm.
Okay. Okay.
Now, these are just a couple of ways that QR codes are being used by the bad guys. But, you know, fear not, help is on the way in the USA.
Because remember, we recently discussed the Voluntary Cyber Trustmark that the US are doing to better help secure consumer-grade internet devices like smart speakers and home security cameras and baby monitors.
Well, the White House said that retailers, including Best Buy and Amazon, will be soon highlighting products that carry this US Cyber Trustmark.
And all you need to do is scan the QR code on the device for details about the cybersecurity of the product, such as the support of the product and security updates and all that stuff.
Like, is that irony? Is that irony? Is that the definition of irony?
Because remember, we recently discussed the Voluntary Cyber Trustmark that the US are doing to better help secure consumer-grade internet devices like smart speakers and home security cameras and baby monitors.
Well, the White House said that retailers, including Best Buy and Amazon, will be soon highlighting products that carry this US Cyber Trustmark.
And all you need to do is scan the QR code on the device for details about the cybersecurity of the product, such as the support of the product and security updates and all that stuff.
Like, is that irony? Is that irony? Is that the definition of irony?
And also, if you're buying a phone, you can't scan the QR code with your phone because you're buying the phone.
As Graham pointed out.
Yeah. What are you doing?
It's just a scam to sell more phones. Are you ready to experience the ultimate cybersecurity transformation?
Sign up for the Symphony 2025 Virtual Summit, the event that will keep you ahead of adversaries and empower you to stay one step ahead.
Sign up for the Symphony 2025 Virtual Summit, the event that will keep you ahead of adversaries and empower you to stay one step ahead.
See, Symphony 2025 is your VIP pass to the future of security innovation.
It's packed with exclusive insights, live demos, and stories from pros who are already conquering the toughest threats with Cortex, the comprehensive cybersecurity platform by Palo Alto Networks.
It's packed with exclusive insights, live demos, and stories from pros who are already conquering the toughest threats with Cortex, the comprehensive cybersecurity platform by Palo Alto Networks.
Whether you're a security leader, part of a security operations team, or simply interested in the latest cybersecurity innovations, this 1-hour event has something for you.
So register now at Smashing Security. Smashingsecurity.com/symphony. That's smashingsecurity.com/symphony.
And join Symphony 2025 and be part of the cybersecurity transformation event of the year. And thanks to Symphony 2025 for sponsoring the show.
Everyone these days has a VPN as a sponsor. But Tailscale isn't like those.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
And join Symphony 2025 and be part of the cybersecurity transformation event of the year. And thanks to Symphony 2025 for sponsoring the show.
Everyone these days has a VPN as a sponsor. But Tailscale isn't like those.
This isn't about hiding your browsing habits from coffee shop owners, and it's not about watching Netflix in any other country.
That's right. Tailscale is a modern networking solution for connecting your applications, your services, and devices securely.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private. It's easy to deploy. Zero config, no fuss.
LastPass VPN, plus it means zero trust. Every organization can use this.
It's great for companies and it's great for self-hosters too. And it's fast, really fast. It's private. It's easy to deploy. Zero config, no fuss.
LastPass VPN, plus it means zero trust. Every organization can use this.
Thousands of companies already use Tailscale, like Instacart, Hugging Face, Duolingo, and more. So why not try Tailscale for free today?
You'll get 100 devices and 3 users for free with no credit card required. Wanna learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
You'll get 100 devices and 3 users for free with no credit card required. Wanna learn more? Visit smashingsecurity.com/tailscale. That's T-A-I-L-S-C-A-L-E.
And thanks to Tailscale for supporting the show.
Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast.
And this week, we want to tell you about how 1Password's extended access management can help your business.
And this week, we want to tell you about how 1Password's extended access management can help your business.
This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control.
And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't. It's security for the way we work today.
And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.
'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't. It's security for the way we work today.
And it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack.
And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now.
Go to 1password.com/smashing, and thanks to 1Password for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now.
Go to 1password.com/smashing, and thanks to 1Password for supporting the show. And welcome back.
And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week. Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily.
Better not be.
Well, my Pick of the Week this week is not security-related. My Pick of the Week this week, Kroll, you're into the whole art thing. Well, I bought a piece of art.
Art for my lovely wife.
Art for my lovely wife.
Did she choose it?
No, she didn't. Well, no, she had hinted. She had hinted some months before. She thought, said, oh, I quite like that.
So I made a little mental note and thought, oh, I will get that for her one day.
So this particular piece of art is by an artist called Niall Conlon, who was brought up in Belfast and is in response to a sign which used to appear in some London boarding houses.
Back in the 1950s, which used to say, "No Irish, no blacks, and no dogs," which they'd put up in the window because they didn't want people staying there.
Now, I don't know if you've noticed lately, but there's been some people who've been a bit anti-diversity lately and maybe have been picking on minorities or maybe just dogs, who knows?
But as a result, I thought maybe I should choose this particular piece of art because Niall Conlon has done this piece of art, which is all about more Irish, more blacks, more dogs.
And so I bought it for my lovely wife. It's a vibrant piece of art. It's a bit graffiti-esque, I suppose. Promoting inclusivity, empathy, and diversity.
You can go and check out other art by Niall Conlon if you wish to. He's even doing t-shirts and mugs and all sorts these days as well. But that is my pick of the week.
So I made a little mental note and thought, oh, I will get that for her one day.
So this particular piece of art is by an artist called Niall Conlon, who was brought up in Belfast and is in response to a sign which used to appear in some London boarding houses.
Back in the 1950s, which used to say, "No Irish, no blacks, and no dogs," which they'd put up in the window because they didn't want people staying there.
Now, I don't know if you've noticed lately, but there's been some people who've been a bit anti-diversity lately and maybe have been picking on minorities or maybe just dogs, who knows?
But as a result, I thought maybe I should choose this particular piece of art because Niall Conlon has done this piece of art, which is all about more Irish, more blacks, more dogs.
And so I bought it for my lovely wife. It's a vibrant piece of art. It's a bit graffiti-esque, I suppose. Promoting inclusivity, empathy, and diversity.
You can go and check out other art by Niall Conlon if you wish to. He's even doing t-shirts and mugs and all sorts these days as well. But that is my pick of the week.
Fantastic.
Geoff, what's your pick of the week?
My pick of the week I'm going to go for is a book that I just finished, which is called Money Men by a guy called Dan McCrum.
This is also a documentary version of the book, which I think is called Skandal with a K, which is on Netflix. Yes, I do. I have mixed feelings about this book. And it confused me.
It confused me, did this one. Because on the one hand, it's very compellingly written. It's about a company called Wirecard, which was a German company.
Yes, Wirecard, very famous case of a company that managed to achieve, I think it was an $18 billion valuation. At one point they were going to buy Deutsche Bank.
They thought they could buy out Deutsche Bank. And it turned out the company was basically worthless. It was a giant fraud. So you're kind of seeing, you want to see where it goes.
You want to see what happens to the guy.
This is also a documentary version of the book, which I think is called Skandal with a K, which is on Netflix. Yes, I do. I have mixed feelings about this book. And it confused me.
It confused me, did this one. Because on the one hand, it's very compellingly written. It's about a company called Wirecard, which was a German company.
Yes, Wirecard, very famous case of a company that managed to achieve, I think it was an $18 billion valuation. At one point they were going to buy Deutsche Bank.
They thought they could buy out Deutsche Bank. And it turned out the company was basically worthless. It was a giant fraud. So you're kind of seeing, you want to see where it goes.
You want to see what happens to the guy.
Wise.
And it is an interesting read and it is a compelling read. However, some of the stuff in it was just not well explained at all.
I thought some of the concepts— if you're a financial journalist and you understand things, fine, but I'm not. I'm a journalist mainly concentrating on technology.
I'm not thick, but sometimes it sort of left me behind a little bit.
I thought some of the concepts— if you're a financial journalist and you understand things, fine, but I'm not. I'm a journalist mainly concentrating on technology.
I'm not thick, but sometimes it sort of left me behind a little bit.
Because Dan McCrum is a financial journalist, isn't he?
He is.
He works for the FT. Yeah, that's right. So yeah.
Yeah.
Yeah.
Works for the Financial Times and he had this amazing story and it is an incredible story.
He actually from very early on understood this company was a basket case, but then had to go through hell and high water to sort of prove that.
There is an interesting thing about how journalists work with or don't work with financial speculators who sometimes have a vested interest in a story being either true or not true.
So there's a whole subtext around that, which is all covered a bit in the book. But I don't know, I would be interested what other people think.
I will recommend it simply because I say it's a good read, but I'd be interested to know whether other readers like me were left a bit baffled by some of the content.
And there's other stories like Bad Blood and Billion Dollar Whale, which are great books and great stories, you know, that are about an industry but get through to the general public.
Money Men, I think, was pitched that way, and it is good enough to— definitely the story is good enough.
Every now and again, you just need a paragraph just put in layman's terms as to what's going on here, like a reprise paragraph.
He actually from very early on understood this company was a basket case, but then had to go through hell and high water to sort of prove that.
There is an interesting thing about how journalists work with or don't work with financial speculators who sometimes have a vested interest in a story being either true or not true.
So there's a whole subtext around that, which is all covered a bit in the book. But I don't know, I would be interested what other people think.
I will recommend it simply because I say it's a good read, but I'd be interested to know whether other readers like me were left a bit baffled by some of the content.
And there's other stories like Bad Blood and Billion Dollar Whale, which are great books and great stories, you know, that are about an industry but get through to the general public.
Money Men, I think, was pitched that way, and it is good enough to— definitely the story is good enough.
Every now and again, you just need a paragraph just put in layman's terms as to what's going on here, like a reprise paragraph.
Yeah, yeah.
So I will put it as my pick of the week because I have enjoyed it. But as I say, a flawed masterpiece.
Ah, I think that's quite elegant.
Yes.
It's one of those things where sometimes you want to sort of cut and paste the text and ask an AI to explain this bit as though I was 12 years old.
Yes.
And I do wonder, I do wonder in future whether, and this is a kind of slightly out there thing in terms of publishing, increasingly obviously I think people are going to read on e-readers.
And digital books and audiobooks. It is possible, potentially, as an author to do two slightly different versions of the book. One for fast lane readers and another for sort of—
And I do wonder, I do wonder in future whether, and this is a kind of slightly out there thing in terms of publishing, increasingly obviously I think people are going to read on e-readers.
And digital books and audiobooks. It is possible, potentially, as an author to do two slightly different versions of the book. One for fast lane readers and another for sort of—
And one for thickies.
Yeah, and you could take out certain paragraphs, certain details if people wanted to just, you know, if they already knew that. You could almost set your level.
How this would work, I don't know. I think it's a huge ask, and also writing a book's traumatic enough as it is, as I well know.
How this would work, I don't know. I think it's a huge ask, and also writing a book's traumatic enough as it is, as I well know.
It's the— yeah, it was Cole's Notes, what we used in university and high school way back in the day. Yeah, that's not reading though. That's information.
Exactly. Whereas this would be, you'd have different versions of the same book for different knowledge levels. Wow, I think that might become down the track.
Blowing my mind.
I know. Anyway, as long as they pay me three times as much to write the book, I don't mind.
Carole, what's your pick of the week?
So January, we've just finished January. And January in the UK is a pretty bleak time of year to my mind. It's cold, it's drizzly, it's dark. There's only a few hours of sunlight.
And so it seems to go on for about six weeks as well.
January goes on forever.
Oh, you guys, you guys are incredible. Think of how much worse December is. December, it's getting darker all the time. January, it's getting brighter.
In December, you're crammed into houses with relatives you only see once a year, and the tension is absolutely overwhelming. January is fantastic. You don't have very much to do.
It's relaxing. You know, you're just a slow start to the year.
In December, you're crammed into houses with relatives you only see once a year, and the tension is absolutely overwhelming. January is fantastic. You don't have very much to do.
It's relaxing. You know, you're just a slow start to the year.
Well, no, it's not just that. It's also, you know, you have to suffer after Christmas. You obviously, you know, maybe not spend loads at Christmas, but a lot of people do.
And you're sitting there after Christmas going, wow, my savings account is empty.
And you're sitting there after Christmas going, wow, my savings account is empty.
Yeah, the bank balance.
Okay, the list, right?
So I'm there a little bit nonplussed and I want to cheer myself up. And I thought, you know what? I really love marmalade. Do you guys like marmalade?
I like shredless marmalade. I don't like the one with the bits in it.
Okay. Okay. Well, I like the very bitty Seville orange marmalade. It's nectar of the gods to me.
Oh, really? Bitter.
Dark, not too sweet. And it's difficult to find in the stores. So I thought, why don't I make my own?
Right?
But you can only make your own in January or February because that's when Seville oranges from Spain are ready to be harvested.
Mm.
So I can't say it's not labor-intensive. It took a whole Sunday afternoon. I washed them, I boiled them, I took out the mushy inside, I chopped up the peel.
And then you have to scoop this super hot sugary marmalade into hot clean jars without burning yourself. That's super fun.
And then you have to scoop this super hot sugary marmalade into hot clean jars without burning yourself. That's super fun.
Fun.
Okay. Yes, yeah. Laugh a minute.
Yep, exactly. So I've done 3 pounds of Seville oranges. That gave me 10 jars of the stuff.
Geez Louise.
And now I wake up, you know, it's cold, damp February.
And you're sick of marmalade.
The sun's not even out. I'm up, right? Buttery toast and a tablespoon or two of marmalade on there and a big cup of builder's tea. And I butt wiggle with joy.
It's yum, yum, yum, yum, yum.
It's yum, yum, yum, yum, yum.
Oh, oh.
So I don't regret the time or effort. And if you want a crack at this, I've included the recipe that I use in the show notes.
Well, there you go. And that just about wraps up the show for this week. Thank you so much, Geoff, for joining us today.
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way for folks to do that?
As the police car rolls off into the distance.
He's right here, guys.
They've got me. Best way to follow me is probably on LinkedIn. Just look for Geoff White, Geoff with a G, G-E-O, and then White, like the color.
And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
And huge, huge thank you to our episode sponsors, Tailscale, 1Password, and Cortex Symphony 2025, and of course to our wonderful Patreon community. Thanks.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog, more than 402 episodes, check out smashingsecurity.com.
It's their support that helps us give you this show for free.
For episode show notes, sponsorship info, guest lists, and the entire back catalog, more than 402 episodes, check out smashingsecurity.com.
Until next time, cheerio. Bye-bye.
Bye.
Bye then.
400 though, wow.
Bloody hell.
500 soon.
Yeah, well, no.
Okay.
You didn't get your maths GCSE, did you? Not that soon.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guest:
Geoff White
Episode links:
- ZachXBT’s thread – Twitter.
- Coinbase employee tells users not to use a VPN or ad blocker – Twitter.
- What PowerSchool won’t say about its data breach affecting millions of students – TechCrunch.
- QR code – Wikipedia.
- Reed–Solomon error correction – Wikipedia.
- Urgent warning over QR code scam tricking drivers out of £100s at popular car parks – Express.
- Scam alert: QR code on an unexpected package – Consumer Advice
- New Star Blizzard spear-phishing campaign targets WhatsApp accounts – Microsoft Security Blog.
- What You Must Know Before Scanning a QR Code – AARP.
- “More” – Niall Conlon.
- “Money Men” by Dan McCrum – Penguin Books.
- Bitter Orange Marmalade Recipe – Ballymaloe Cooking School.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Tailscale – Tailscale is perfect for work or personal projects, making networking simple. Its free plan covers up to 100 devices and 3 users. Get started at tailscale.com and be up and running in less than 10 minutes!
- 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
- Cortex Symphony 2025 – Ready to transform your cybersecurity? Register now to see the future of security innovation with exclusive insights, demos, and stories from pros.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
