Smashing Security podcast #404: Podcast not found

Industry veterans, chatting about computer security and online privacy.

Graham Cluley

The story of how hackers managed to compromise the US Government’s official SEC Twitter account to boost the price of Bitcoins, AI isn’t helping reduce the rife conspiracy theories inside classrooms, and is the funeral bell tolling for ransomware?

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Jane Wakefield.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
CAROLE THERIAULT
You've heard it here, folks. Graham loves the ransomware dudes. He's on side.
JANE WAKEFIELD
He does seem to, doesn't he? He really does.
GRAHAM CLULEY
I'll put a very special link in the show notes this week, by the way. If everyone who listens could click on it before installing their latest Microsoft security patch.
JANE WAKEFIELD
I'm not clicking on any links you send me from now on, Graham.
Unknown
Smashing Security, Episode 404. Podcast Not Found with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security episode 404. My name is Graham Cluley.
CAROLE THERIAULT
What a geek joke, and I didn't even notice till you said it.
GRAHAM CLULEY
Podcast Not Found.
CAROLE THERIAULT
I'm Carole Theriault.
GRAHAM CLULEY
And we're joined this week by a special guest returning to the show. It's my great pleasure to invite back on Jane Wakefield. Hello, Jane.
JANE WAKEFIELD
I'm very honoured to be on the 404 episode. Yay!
GRAHAM CLULEY
Now, Jane, you've been busy, haven't you? Because you've got this new podcast that's come out.
JANE WAKEFIELD
I have, yes. So we're 3 episodes into a podcast called Scam Detectors, which, as the name suggests, is looking all at scams. It's an interesting world, a terrifying world.

The point of it is to educate people, to hear from people who have fallen— I shouldn't use that phrase.

That's one phrase we shouldn't use, falling for, because one of the points of the podcast is to change the language around it so that we don't see victims as being to blame for these things because, as you probably know, these scammers are so sophisticated that anyone these days can fall for a scam.
CAROLE THERIAULT
I like that. I've never heard that before.
JANE WAKEFIELD
It's really interesting.
GRAHAM CLULEY
It's a bit like people are now saying we shouldn't say pig butchering, we should call it romance baiting.
JANE WAKEFIELD
Exactly.
CAROLE THERIAULT
I thought you were going to say romance butchering.
GRAHAM CLULEY
No.
JANE WAKEFIELD
So that's Interpol that's decided to do that.

And actually, the woman, the academic that worked with Interpol on that, changing that language, is Elizabeth Carter, who is on the next episode and talks to you about that.

It's really fascinating stuff, actually. Yeah, makes you think.
GRAHAM CLULEY
It does.
CAROLE THERIAULT
Brilliant. Well, after you finish listening to this episode, listeners, you can go head over and listen to Scam Detectors.

But first, let's thank this week's wonderful sponsors: 1Password, Tripwire, and Scanner.dev. Now, coming up on today's show, Graham, what do you got?
GRAHAM CLULEY
I'm going to be telling you how a giant schnauzer faces 5 years in prison.
CAROLE THERIAULT
Okay, what about you, Jane?
JANE WAKEFIELD
So my thoughts are going to turn to the AI summit that's going on in Paris this week.
CAROLE THERIAULT
And ding dong, is that the funeral bell tolling for ransomware? All this and much more coming up on this episode of Smashing Security.
GRAHAM CLULEY
Now, chums, I want to take you back in time a little over 12 months.

On January the 9th, 2024, the official Twitter account of the US Securities and Exchange Commission, the SEC, those government dudes over in America who look after all the trading exchanges, they posted a message up on their Twitter account and it said, "Today the SEC grants approval for Bitcoin ETFs for listing on all registered national securities exchanges.

The approved Bitcoin ETFs will be subject to ongoing surveillance and compliance measures to ensure continued investor protection." So this was a major announcement in the financial world, a big win for cryptocurrency.

For weeks, traders had been speculating that the SEC was about to announce whether it would approve the trading on exchanges of funds that tracked the value of bitcoin.

And here it was. Good news if you were a crypto bro or gal. Oh, yes. Well, yeah. What do they do? Is that called a crypto gal? I don't know. Shouldn't it be crypto sis?
CAROLE THERIAULT
Crypto people, crypto dudes.
GRAHAM CLULEY
I don't know. Anyway, the tweet was accompanied by a very corporate kind of image picturing the SEC chairman. His name is Gary Gensler endorsing the approval.

There wasn't much about the tweet which would raise suspicion amongst typical Twitter users, even those who would consider themselves kind of security savvy, if you saw it.
JANE WAKEFIELD
Mm-hmm.
GRAHAM CLULEY
But of course, it's the Smashing Security podcast, so we rarely have good news. And I'm afraid the account had been hacked.

Scammers had posted that unauthorised message to the SEC's 660,000 followers to influence the price of bitcoin. Wow. And as you can imagine, it had an impact.

The market price of bitcoin immediately leapt up to nearly $48,000. Ah, the innocence of a year ago. Today, bitcoin is about $100,000 now for one bitcoin, isn't it?
CAROLE THERIAULT
You're kidding me.
GRAHAM CLULEY
No, no, no. Have you not been on—
CAROLE THERIAULT
Oh yes.
JANE WAKEFIELD
No, I don't pay attention to any of these things.
CAROLE THERIAULT
I'm being an ostrich for the next few years.
GRAHAM CLULEY
What about you, Jane? Have you got any cryptocurrency investments?
JANE WAKEFIELD
I don't, no. I am a little bit of a crypto cynic.
GRAHAM CLULEY
Yeah.
JANE WAKEFIELD
And also personally, I was given a little bit of a bitcoin many years ago and I lost it. So I think my cynicism has grown out of incompetence.
GRAHAM CLULEY
You didn't put it in the wastepaper basket, did you? Like that chap in Wales who's—
JANE WAKEFIELD
Oh my gosh, he's still looking, isn't he? He's now trying to get access to the dump site.

I mean, that's a tragic case, but no, it was written down on a piece of paper and I lost the piece of paper.

And it was gifted to me at a TED conference and I didn't think any more about it. But yeah, I look back now thinking, oh, that was probably a piece of paper I shouldn't have lost.
CAROLE THERIAULT
It wasn't meant to be, Jane.
GRAHAM CLULEY
If you don't mind me asking, what year do you think that was when you were given a little bit of a bitcoin?
JANE WAKEFIELD
I think it was around 2014.
GRAHAM CLULEY
Okay. Don't dwell on it too much.
JANE WAKEFIELD
No, no. Let's not talk about it anymore, Graham.
GRAHAM CLULEY
Anyway, it was a scam, right? They hacked into the account. The price leapt up, even though it's obviously leapt up a lot more since then.

You know, we all wish perhaps that we'd bought some back then.
CAROLE THERIAULT
It was impressive back then. It was impressive.
GRAHAM CLULEY
Yes. So posting from his own Twitter account, the SEC Chairman Gensler confirmed the news was false.

He said no decision had yet been announced and the account had been hacked, he said. And as the truth emerged, the price of bitcoin slipped back down again.

And potentially, of course, some people will have lost money as a result of that.
CAROLE THERIAULT
Not if they just sat on the bitcoin they had.
GRAHAM CLULEY
Yeah, but if they bought some as they saw it going up and then it went down again, it's like, well, you know, we've lost money there.

And there was one scammer who was so opportunistic.

I don't think he was connected with the original hack, but he actually created a fake SEC account on Twitter where he published an apology for what had happened and invited anyone who had lost money as a consequence of the hack to visit his refund site.
JANE WAKEFIELD
Oh no.
GRAHAM CLULEY
Which was of course itself. You have to admire the audacity and the imagination of scammers sometimes.
JANE WAKEFIELD
Yeah, exactly.

And one of the things we were talking about in the upcoming episode is how these scammers have their own conferences and award ceremonies to kind of pat each other on the back at how good they've got at scamming people.

And you're absolutely right, it's layering scam upon scam upon scam, isn't it?

I was on Reddit trying to look for somebody that might be able to help me out with the issue of money muling.
GRAHAM CLULEY
Yes.
JANE WAKEFIELD
And there was a warning on there that if anybody kind of writes about a scam they've fallen for and someone posts saying, you know, we can help you, contact us and we'll help you get your money back, then that is likely to be a scam of itself.

So we are living in this sort of multi-layered world where the scammers are not just one step ahead of us, but about seven steps ahead of us, it would seem.
GRAHAM CLULEY
There's a lot of sneaky folks out there.
JANE WAKEFIELD
There is, and a lot of money to be made. Yes.
GRAHAM CLULEY
Now, some people criticised Twitter. They said, well, you should have had stronger security in place to protect an important government account like that.

And Twitter said, hey, it's nothing to do with us. They posted a message saying the account didn't have two-factor authentication enabled.
CAROLE THERIAULT
So nothing to do with us.
GRAHAM CLULEY
Yeah, yeah, yeah, yeah. You should have enabled multifactor authentication.

And if what Twitter said was true, that was kind of embarrassing for the SEC, not only because any major account should have multifactor authentication in place, but especially because remember the SEC chairman, Gary Gensler, a few weeks before the hack during Cybersecurity Awareness Month in October, he had posted on Twitter telling everyone you should always secure your financial accounts with a strong password and multifactor authentication.

So he'd actually been proclaiming about the importance of this.
CAROLE THERIAULT
Oops.
GRAHAM CLULEY
Well, this week we found out what actually happened and who, in part, was responsible for the SEC's account being hijacked.

A 25-year-old man called Eric Council from Athens, Alabama, has pleaded guilty to charges that he conspired with others to carry out a SIM swap. Yeah.

So we talked about SIM swaps before.

This is where hackers get phone companies to reassign a cell phone number from the legitimate user to a SIM card controlled by the fraudster instead, which makes this whole story from Twitter where they said there wasn't multifactor authentication in place rather hard to comprehend, because the only point at which your phone number would really be relevant in terms of hacking an account would be if you had multifactor authentication, if you'd given them a number and it was maybe texting you the 6-digit code or something to confirm that you were the account holder.

So it doesn't make much sense, but then a lot of stuff which comes from Twitter these days doesn't make much sense.

Anyway, this Eric Council guy, this 25-year-old guy, he has online handles including Ronin, Giant Schnauzer. I don't know if it's his type of dog.

I don't know why he's Giant Schnauzer, but Easy Money is one of his other names online.

He was a member of a gang that performed SIM swaps for money and hacked social media accounts.

And in early 2024, he received a message—like I said, he's in a gang, and he got a message on Telegram from one of his other co-conspirators, which included the personal information of their intended victim, someone who ran the SEC's social media account.
CAROLE THERIAULT
So that was their target.
GRAHAM CLULEY
That was the target.

And he received not only their name and Social Security number and those kind of details, but he also received a fake ID card with the victim's name, but with the photo of the scammer.
JANE WAKEFIELD
Okay. Yeah.
CAROLE THERIAULT
It's not like high arts or anything, is it?
GRAHAM CLULEY
No. And what Eric had, and maybe you—I don't know, maybe both of you carry one of these around with you. Do either of you have a mobile ID card printer which you carry around?
JANE WAKEFIELD
I do not, no.
CAROLE THERIAULT
What, you like a printer in my pocket? Occasionally I'm down at the local supermarket. I'm like, oh yeah, maybe I should print that off.
GRAHAM CLULEY
When you're buying alcohol, they say, oh, can we have to see some ID? And you just go—you know, when you churn it, you don't do that. Okay. Eric does.

Eric carries around with him a mobile ID card printer. And he goes with that to Huntsville, Alabama.

He went into a mobile phone shop, and he claims he wants a new SIM for what he claims is his AT&T phone number, but is of course really the victim's.

And he shows them his fake ID, which he's printed out.
CAROLE THERIAULT
Right. So he just was buying a SIM card. He just was like, hey, give me a new one.
GRAHAM CLULEY
Yes, but it's not just the SIM card. It's the SIM card associated now, because he's shown his ID to AT&T, associated with the phone number.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
So he's taken over the phone number. That's how it works. He then goes down the road and goes into the Apple Store and he buys a brand new Apple iPhone.

And the only thing he does with this Apple iPhone is turn it on, put in this brand new SIM card, and he receives the two-factor security reset code for the SEC Twitter account because his accomplice has just tried to get into the account.

Maybe he said, oh, I've forgotten my password or something like that.

And it sent the authentication code to the number it has on that account as being the account owner for the SEC's official Twitter account, right? So he's got the security code.
CAROLE THERIAULT
So yeah, he got the security code, which he needed to take over the account, but he had to get a new SIM card and a new iPhone to do it.
GRAHAM CLULEY
That's the only thing he does with the phone. Yeah.
CAROLE THERIAULT
Right.
GRAHAM CLULEY
And then with his personal phone, he takes a photo of the iPhone showing the reset code, and he transmits that to one of his co-conspirators via Telegram.
CAROLE THERIAULT
So he installed Telegram on the phone as well then.
GRAHAM CLULEY
No, he does it from his personal phone.
CAROLE THERIAULT
Oh, because he took a picture of it.
GRAHAM CLULEY
Takes a picture.
JANE WAKEFIELD
Mm-hmm.
GRAHAM CLULEY
So there's nothing else going on on the iPhone.

His co-conspirator then uses that code to gain access to the SEC's Twitter account and posts the message that shifts the price of bitcoin.

And then he jumps in his car, drives 40 minutes or so back to his hometown of Athens, Alabama, where he goes into their local Apple Store, takes the iPhone back and says, I don't really want this after all.
CAROLE THERIAULT
Can I have a refund?
GRAHAM CLULEY
Can I have a refund? And he gets his refund. So he's not associated with the phone. He's not associated with the SIM card because he's used his fake ID.

And he thinks, brilliant, I've got away with it. As you can imagine, journalists like Jane, right? Tech journalists went crazy about this news because the bitcoin price has changed.

An official government Twitter account has been hacked, posted fake news up there.

And it was in June 2024 that Eric, our hacker, his apartment in Athens, Alabama was searched by the FBI. There'd been a number of other SIM card swaps going on as well.

They'd managed to locate him and they found his fake ID card and the portable ID card printer. They searched his laptop and they noticed some of his internet searches.

And my guess is he'd been worrying that he might be in quite hot water about this SEC hack because some of the things which he'd searched for on his computer were things like SEC hack, Telegram SIM swap.

How can I know for sure if I'm being investigated by the FBI?

He searched, what are the signs that you're under investigation by law enforcement or the FBI, even if you haven't been contacted by them?
CAROLE THERIAULT
Oh, how embarrassing for him that he left that in his internet searches.
JANE WAKEFIELD
At the end of the day, we're all human, aren't we? You know, that is such a sophisticated story, and it kind of involves many levels of sort of thinking things out.

But just with a classic murder kind of story, there's always something that lets you down.

And often it is just our own sort of natural human curiosity and our fear of being caught that is ultimately what's going to expose you.

But yeah, it just shows how sophisticated these hackers are getting.

Although it does feel if this SIM card swap is such an easy way of getting hold of those important details that get you into an account, there must be a way surely of stopping that?
GRAHAM CLULEY
Well, clearly, the checks which were done at the mobile phone operator weren't sufficient. I mean, you can understand though the frustration.

If you've lost your phone, if you don't have your SIM card, if you want to switch it, you don't want to have to go through too many hoops.

I mean, obviously, we all want security, but we also want convenience.

It's I haven't got my phone, I can't do my work, I've fallen off the side of a bridge, I can't retrieve it any longer, get me back online.
CAROLE THERIAULT
Yeah.
GRAHAM CLULEY
It is a dilemma both for the customer service people at the mobile phone store, but it's also a dilemma for these accounts which are trying to be secured as well.
JANE WAKEFIELD
And I wonder if in the Apple stores they're seeing this. Surely that would raise alarm bells as well.

If someone comes in, buys a phone, and then comes back and says, actually, I don't want it.

It's a bit why would you not want a phone that you've literally just purchased unless you've been up to no good on it?
GRAHAM CLULEY
Although he did buy it in a different location.
JANE WAKEFIELD
Mm-hmm.
GRAHAM CLULEY
It was different cities where he bought it, which I suppose makes it a little less likely someone's going to say, "Hang on, you were here half an hour ago." True, true.
JANE WAKEFIELD
Yeah.
CAROLE THERIAULT
I'm not clear on how he got caught. Where was his mistake in his whole operation? 'Cause it's quite intricate.
GRAHAM CLULEY
So I've tried to find that out. And the only thing I found is that in the June of last year, he was committing a number of other SIM swap frauds.

And I wonder, if at some point, maybe one of the mobile phone operators who he went into took a copy of his ID and may have got his photograph, and maybe someone was able to identify him that way and send the cops in his general direction.

I imagine it was some of the other thefts which were going on, which ultimately led the cops to his door. Yeah, yeah, yeah.
CAROLE THERIAULT
Okay, that makes sense.
GRAHAM CLULEY
Anyway, this week he's pleaded guilty. He's now facing a maximum sentence of 5 years. He's going to be sentenced in May. And we'll see what happens then.

But clearly there's other— because he didn't actually do the hack of the account. He was the guy doing the SIM swap and passing on the reset code.

So there are other people as yet unknown to us who were also involved in this.

And it'd be interesting to see in the fullness of time whether any of those guys are also caught, because clearly they are making a lot of money out of doing hacks like this too.

Jane, what's your story for us this week?
JANE WAKEFIELD
Okay, well, I'm gonna take you into something that I've become a bit obsessed with recently, which is this idea that we are sort of sleepwalking almost into sort of post-truth era where we can't tell what's real and what's not.
CAROLE THERIAULT
Yeah.
JANE WAKEFIELD
I don't go on social media very much anymore 'cause I've just got a bit sick of it all.

But when I do go on social media, I can't help but notice loads and loads of fake videos, harmless stuff like wildlife videos that purport to show a polar bear being rescued on a polar vessel.

And it's a cute thing, so it gets lots of hits and it gets lots of attention and it grabs lots of eyes.

You look at the comments below and it's firmly divided by people that are just like, "Oh, this is so cute.

Oh, thank you for rescuing this polar bear," to people that are like, "This is AI. This is clearly AI-generated.

Don't fall for it." And I feel like we are entering this new digital divide between those people that see things with a critical eye, and obviously I'd like to think that journalists are often included in that, and people that can't see the wood from the trees or the truth from the fake, to put it in terms of what I'm talking about here.

That's kind of the background as to something I'm just becoming increasingly worried about as we go into a new era of AI.

And of course, that coincides with the Paris AI Summit, which is the third talking shop around AI that we've seen. We had one in South Korea, we had one obviously at Bletchley Park.

I'm a bit of a sceptic about what these things actually do in terms of moving the debate forward.

It's often just an excuse for lots of powerful people to stand together and talk about this issue.
GRAHAM CLULEY
It feels like sometimes there's a lot of grandstanding, doesn't there, rather than—
CAROLE THERIAULT
Yeah, it's called networking, I think.
JANE WAKEFIELD
Yeah, well, that's it.
GRAHAM CLULEY
Hey, it's Paris. Who doesn't want to go to Paris, right?
JANE WAKEFIELD
Yeah, but you know, how much will they actually change? Because, you know, beneath the radar, there's a lot of things to worry about.

And I saw a report in The Times yesterday written by the Commission into Countering Online Conspiracy in Schools, which is not a commission I'd ever heard of before, and it sounds quite terrifying in some ways.

But its report is even more terrifying because it relates that conspiracy theories are now rife in the classroom.

Young people are more inclined to trust social media influencers than the government when it comes to news sources and forming their views of the world.

And you know, those views of the world are formed by things that I've just described— these fake videos, these kind of conspiracy theories that will get lots of hits, so they're gonna attract a lot of eyeballs, so they're going wild on social media.

But unfortunately for a younger generation that is getting most of its information, I'm concerned that 80% of what they think they're learning from social media is actually just complete rubbish.

And as an ex-teacher, before I became a journalist, I just think this is really, really worrying.
CAROLE THERIAULT
And it's hard to monitor. Like, you talk to parents, how do you get a kid off the phone?

We were hanging out with some young teens this weekend, they were on the phone the whole time.
JANE WAKEFIELD
Oh, so totally. I mean, that is another big issue, isn't it? And again, these videos that people can now create using AI programs in seconds, they're so engaging, you know.

Who doesn't want to watch a polar bear seemingly being rescued, or all of the other things that you might scroll through?

And who doesn't want to read about why definitely people didn't land on the moon? I mean, that's far more interesting in some ways than the truth, which is that, you know, they did.

But it's getting involved in those conspiracy theories is really, really grabbing the attention of youngsters and shaping how they see the world.

And these people are going to be the people that go out and make decisions in future.

And if they're being grounded in disinformation and fake news and AI-generated content, then that's concerning.
CAROLE THERIAULT
Yeah, I don't know if we sound like fuddy-duddies thinking this.
JANE WAKEFIELD
I always sound like that, Carole.
CAROLE THERIAULT
No, but I feel the same, right? But I don't know if it's an age thing or if the kids look at it and go, yeah, no, it's really bad, but I'm addicted to it.
JANE WAKEFIELD
Yeah, yeah. And then secondary to that, I also saw a report on the BBC because the BBC is really trying to counter this disinformation.

They've got a whole unit now set up called BBC Verify.
GRAHAM CLULEY
Yes.
JANE WAKEFIELD
Which tries to really get to grips with stuff that is disinformation.

And again, not only are children believing more and more conspiracy theories, they're believing less and less mainstream news.

They're very, very cynical that mainstream news is telling us the truth, which is also very disturbing.
GRAHAM CLULEY
That is a worry, isn't it? And of course, we've got politicians who are also telling us, oh, you can't believe XYZ channel or what they're saying about this.
JANE WAKEFIELD
Indeed. We have 4 years of somebody telling us that pretty much everything in the mainstream media is made up, I'm sure.

But the BBC did an experiment and it gave OpenAI's ChatGPT, Microsoft's Copilot, Google's Gemini, and Perplexity AI content from the BBC website and then asked them questions about the news.

And it said that the resulting answers contained significant inaccuracies and distortions, which, you know, again, increasingly we're relying on AIs to summarise content for us, aren't we?

Because essentially we're quite lazy. You know, if we can get an AI to tell us the gist of something, then why wouldn't we?

But if the gist of that is wrong and is getting it wrong, then this is setting in motion a kind of slow march towards a post-truth era that I don't think any of us really want to live in.

But I don't quite see what we do about it.
CAROLE THERIAULT
Oh, that was gonna be my question. Graham must know. Graham knows everything.
JANE WAKEFIELD
Yeah, come on, Graham, take this problem on you. You can do it.
GRAHAM CLULEY
Just trust me. Just trust me. I can be relied upon completely. It is a problem, isn't it?

It does feel like we're on a constant slow march towards this world where trust is being dramatically eroded.

So things that we used to be able to trust, or as you say, I mean, news outlets like the BBC, for instance, which historically has been trusted, a lot of people don't trust it so much now.

And if we see AIs as well beginning to subvert the things that news outlets are saying, then we're in a right old pickle.
JANE WAKEFIELD
We are. Deborah Turness, who's the CEO of BBC News and Current Affairs, said that these companies are playing with fire.

She said, we live in troubled times, and how long will it be before an AI-distorted headline causes significant real-world harm?

Well, we've already seen with the summer riots last year, on the back of a lot of disinformation around the terrible stabbings of young children in Liverpool, that, you know, this can cause all kinds of real-world harm.

And I hope that this takes centre stage amongst the discussions at the Paris AI Summit rather than lots of posturing from politicians and powerful AI companies.

But I'm not entirely sure that it will.
GRAHAM CLULEY
So what worries me is in the past we have seen social media sites, which of course is where a lot of this fake information and conspiracies can spread.

We've seen them policing and monitoring that for misinformation. And as we all know, in the last couple of months, that has dramatically changed.

And they're now saying, we're not going to do that anymore. They're viewing that not as safety and handling of misinformation, they're rather portraying it as censorship.

And they're saying, well, free speech means you can say whatever you like. Unfortunately, that means people will be able to talk utter nonsense and dangerous nonsense as well.

So it doesn't feel like those sites are going to be helping us very much in stopping the spread of this kind of fakery.
JANE WAKEFIELD
No, and I think, you know, it's very convenient, isn't it, for them that they can call it censorship when actually I think a lot of it is down to just they don't have the capacity to deal with this, because it's got so out of hand that there's no way that any sort of moderation process, even one that's led by AI, can really get to grips with the amount of disinformation that we have out there.

So, it's kind of too late, you know, this stuff is already out there. And what do AI systems learn from? They learn from data on the internet.

So, they could well be learning from misinformation. So, we are in this sort of never-ending circle of, well, what would you call it? A never-ending circle of doubt, I suppose.

Abused, for want of a better word. But yeah, it's not good. And I don't quite know how you roll back on that because I think it's probably in many ways too late.
GRAHAM CLULEY
Oh dear.
JANE WAKEFIELD
And this idea that we'll all just kind of have much more critical eyes is, is, it's hard, isn't it? Lots of people don't think critically. Why do scammers get so many victims?

Because people don't step back from things and think and question. They just sort of throw themselves into it and they believe whatever they're told. Well, we'll see.

Gosh, I feel I've really brought the mood down with that story.
CAROLE THERIAULT
Sorry.
GRAHAM CLULEY
Cheery. Carole, what have you got for us this week?
CAROLE THERIAULT
Well, it's that time of year. I'm not talking about winter carnival or Valentine's Day. Much more boring than that.

I mean the time of year when industries like Smashing Security and technology issue their annual reports.
GRAHAM CLULEY
And reading the tea leaves as to what might happen in the future as well.
CAROLE THERIAULT
Yeah, in my old life, in our old life, in fact, Graham, we used to, you know, be responsible for pulling together the annual report for one of these companies.

And it's not easy, right? Researchers answer with one word. They give you a level stare. Massive datasets.

I don't understand them enough to understand if there's something interesting in them. I mean, there's a lot of fond memories. We once used a Wordle that was not a Wordle.

What's it called? A word cloud.
GRAHAM CLULEY
Word cloud.
CAROLE THERIAULT
Yeah, we did a word cloud and you'd have like worms, viruses, spyware, Trojans. So security reports, there are a lot of them and they're still going strong.

I'm sure no one is surprised to hear that ransomware featured quite highly in forecasting this coming year.

Like, for example, we have the National Cybersecurity Alliance and they say ransomware will escalate.

They say critical suppliers, so those that entire industries rely upon, will continue to be targeted in 2025.

Sophos put out a report saying ransomware attacks are surging with 59% of organizations hit last year, and they say that's only going to grow.

Zscaler report said AI-powered social engineering attacks will surge and fuel ransomware campaigns. So in short, ransomware is painted as an utterly relentless threat.

But I thought there's got to be some good news around this.

And rather than having a doom and gloom story, we could look at the flip side because I think there is a definite silver lining of hope.
GRAHAM CLULEY
Oh, thank goodness. Especially after Jane's story. That's great. That's what we need. Cheer us up, Carole.
CAROLE THERIAULT
You know, all these bad dudes are having quite an easy time, it seems, spinning gold from ransomware.

So one good news component is the UK Home Office is proposing a targeted ban on ransomware payments.

So under the proposal, public sector bodies, including local councils, schools, and NHS trusts, would be banned from making any payments to ransomware hackers.

And the government says this would strike at the heart of the cybercriminal business model. What do you think about that? Do you think it'll make a difference?
GRAHAM CLULEY
I think it's complicated.

I think it's all very well in principle having a don't pay the ransomware guys policy, but if your organization has got sensitive details about, for instance, school children, that was, well, it could be medical records or something like that.

Do you really want that to be published online?

Or do you want your systems to be down for months and months and months and people not to be able to get their operations or your kids to be educated?

Sometimes the least worst decision may be to pay the ransomware guys, unpleasant and unpalatable as it may be. My view is you can't have a hard and fast rule.
JANE WAKEFIELD
Hmm.
CAROLE THERIAULT
Interesting. Well, we know the UK is considering this ban.
GRAHAM CLULEY
Yes, they're considering it.
CAROLE THERIAULT
Yes. For these councils and schools and NHS trusts. But in the US, we don't really know what's going on.

There have been talks about banning payments in the past, but they've stopped short of imposing an outright national ban on them.
GRAHAM CLULEY
You have to consider in the United States, if you were to impose a ban on paying ransomware, that's going to damage the cryptocurrency market, right? It's all about the crypto now.

We want plenty of crypto being bought and sold and transferred.
CAROLE THERIAULT
They're going to start funding the ransomware gang.
GRAHAM CLULEY
Ransomware a go-go. We want to encourage ransomware. This is great for the economy. Let's make America ransomware central. Neutral again.
JANE WAKEFIELD
Yeah, I don't think it's enforceable myself. I think it feels like you are, the government is imposing too much.

Say it's a business and as Graham said, you know, sensitive data, if they don't pay the ransom, is the government going to be responsible for all the leaking of that company's secrets, its IP stuff?
GRAHAM CLULEY
I think at the moment the UK are proposing that if you're a private business as opposed to a government organization or critical infrastructure, that you'll be advised to tell the authorities before making the payment.
JANE WAKEFIELD
Oh, okay.
GRAHAM CLULEY
Yeah.
JANE WAKEFIELD
So it's for public bodies like schools and—
GRAHAM CLULEY
Right. Exactly.

So it'll be done in consultation, which may be a good thing because of course you want the authorities to gather information as to who the ransomware gangs have caught, especially if they're on their trail.
CAROLE THERIAULT
Agree. Agree.
GRAHAM CLULEY
But yes, I think the proposal is that you'll have to go to the authorities and say to them, we've been hit by ransomware, what do we do now?
JANE WAKEFIELD
Yeah, I mean, I do think that we need a little bit more sort of openness about these sort of attacks, don't we?

Because we're not really clear who pays and who doesn't at the moment and how much people pay.

And also, you know, if you pay, does that mean that they go away and that you get your data back, or do they just take that as a sort of starting payment and continue to sort of blackmail you and say, well, we need— actually, we want some more once you've opened the door?

So I think the starting point for all this should be a lot more openness about what happens in these attacks rather than sort of imposing bans on what people, how people decide to sort of act on them.
CAROLE THERIAULT
How do you feel about this?

In October 2023, there was a US-led alliance of more than 40 countries who vowed not to pay ransoms to cybercriminals in a bid to starve the hackers from their source of income.
GRAHAM CLULEY
Okay, and how's that worked out?
JANE WAKEFIELD
It's easy to say that, isn't it, until it's you that's affected and your bottom line is, you know, basically put on hold until you make a decision one way or the other.

So yeah, it's tricky, isn't it?
GRAHAM CLULEY
But there's lots of bills we don't like to pay, right? We don't like to pay insurance.

You insure your house or you insure your car and things like that, and you kind of think, oh God, I've got to give these people money. And it's, you know, will I ever get this back?

So in some ways, ransomware, you might consider it a business expense. It's simply something that we have to do occasionally because our security screws up occasionally. Wow.
CAROLE THERIAULT
I'm a little blown away by his view here.
JANE WAKEFIELD
Yeah, that's radical.
GRAHAM CLULEY
And we've got a new sponsor, the LockBit ransomware gang sponsoring Smashing Security.
JANE WAKEFIELD
Yeah, exactly. You sure you haven't got a new job, Graham, working for a ransomware company? Because you sound like you're promoting it a little bit.
CAROLE THERIAULT
And he's dragging me down with him.

Well, one of these reports had a different story because everything was very doom and gloom, but the recent Chainalysis report said ransomware payments fell by 35% year on year last year.

So where last year they grabbed $800 million in extortion payments, the previous year had been much higher, $1.25 billion. So what happened to make this not as profitable a year?

So one of the things was LockBit. There were arrests last year and takedowns, big ransomware gangs.
GRAHAM CLULEY
LockBit.
CAROLE THERIAULT
You also had disruption. So, the fact that these gangs got arrested disrupted the ecosystem. They say it's changed the ransomware playing field.

So now, rather than having these big fat players, you have lots of itty-bitty players.

And the itty-bitty players, while of course they can still cause damage, this does reduce the attacks on so-called big game targets. So key target, a very valuable target.
GRAHAM CLULEY
Yes, yes.
CAROLE THERIAULT
But I got to say, every single report I read of pretty reputable companies all had different numbers, all had different statistics, all had— so it's really hard to get an idea other than people saying ransomware, it ain't going anywhere.

It's not at death's doors just yet. And all this fragmenting of groups, Rapid7 say that they're splintering and rebranding, making it more difficult to track and mitigate them.

So there's some dark spots on my silver lining of my cloud. But I do think that a business dries up if there's not enough money to be made.

Because there's a lot of effort that goes in, especially if you have a very select high-value target.

And if you weren't convinced that you would make a payday, would you maybe go do something else? And if the ransomware money train derails, where do they go?

You know, where do the cyber twunks go to make their cash?
GRAHAM CLULEY
Cybercriminals and hackers have been looking for a business model which actually works.

And the extraordinary thing which has happened with ransomware is it's an incredibly effective way of making money.
CAROLE THERIAULT
The old days, the way they did it, though, is they would lock your data, not necessarily steal it. Right. And say to unlock it, pay us.

But I think there's a lot of, you know, right now they just take the data and say, pay us and hope that we don't put it out there.
GRAHAM CLULEY
Well, a lot do both. A lot will both exfiltrate your data and they'll lock up your computers as well.

The exfiltration, I think, is largely because people have backups so people can recover and get back up and running. Hopefully, hopefully they have backups.

But the threat of your customer data, of your partner data, of your internal intellectual property being released.

That, I think, is the scary thing, which makes them really— makes companies sweat at night if they've fallen victim to a ransomware gang.

It's not so much the recovery, actually, it's the potential impact.
CAROLE THERIAULT
Yeah, but you still have to trust that they don't put out that information. Like, once they've taken it, it becomes a game of, well, I'll pay you to keep quiet.

It's like a mafioso deal.
GRAHAM CLULEY
Well, to an extent, yes. But also, I mean, Jane was talking earlier about how some of these cybercriminal scammers have sort of award ceremonies and conventions and the rest.

These gangs care about their image and they don't want word getting round that the XYZ ransomware gang can't actually be trusted.
JANE WAKEFIELD
They have standards, don't they?
GRAHAM CLULEY
They have standards. They are running a business.

It may be an illegal business, but they don't want people thinking, oh, well, there's no point paying them because they con you again.

So I think in many cases, actually, the ransomware gangs do do what they promise.
CAROLE THERIAULT
You've heard it here, folks. Graham loves the ransomware dudes. He's on side.
JANE WAKEFIELD
He does seem to, doesn't he? He really does. He really loves it.
CAROLE THERIAULT
It's very interesting. Very interesting.
GRAHAM CLULEY
I'll put a very special link in the show notes this week, by the way. If everyone who listens could click on it before installing their latest Microsoft security patch.
JANE WAKEFIELD
I'm not clicking on any links you send me from now on, Graham. I'm deleting any emails I get from you. That's it.
GRAHAM CLULEY
If you've been in the cybersecurity industry for a while, chances are you've already heard of Fortinet's Tripwire because they've been setting the standard for integrity monitoring tools for more than 25 years.

What you might not know is just how much of your environment Tripwire can monitor.
CAROLE THERIAULT
See, Tripwire Enterprise gives you context for suspicious changes across your servers, network devices, services, applications, databases, file systems, desktops, and more to give you the real-time awareness needed to stop breaches before damage is done.

It also automates compliance enforcement with the industry's largest policy library.
GRAHAM CLULEY
So what are you waiting for? Visit tripwire.com/demo to set up a personalized demo session with a cybersecurity expert and learn how Tripwire can be your integrity management ally.

That's tripwire.com/demo. And thanks to Tripwire for supporting the show.
CAROLE THERIAULT
Here's a shocking reality. Traditional security tools are completely broken when it comes to managing today's massive log volumes.

Companies are paying millions per year just to keep up and they're still falling behind. That's why everyone's moving their logs to data lakes.
JANE WAKEFIELD
Lakes.
CAROLE THERIAULT
It's just more cost efficient. But there's a catch.

Data lakes are incredibly complex to use, especially when you're dealing with loading dozens of log sources into SQL tables with strict schema requirements.
GRAHAM CLULEY
And that's where scanner.dev comes in. They've revolutionized security data lakes by making them truly simple to operate.

Their platform offers schemaless log data indexing, which means you can dump in your logs without worrying about structure. And the best part? Your data never leaves your S3 buckets.

You maintain complete custody at all times.
CAROLE THERIAULT
Need to hunt for threats? Scanner lets you search through petabytes of logs in seconds, not hours.

And for your security team, we've made detections as code a breeze with CI/CD that syncs directly with GitHub. No more complex queries or waiting hours for results.
GRAHAM CLULEY
Visit scanner.dev today and try out their interactive playground. That's scanner.dev, where security meets simplicity.

Now, regular listeners will know that 1Password is a long-term supporter of the Smashing Security podcast.

And this week we want to tell you about how 1Password's extended access management can help your business.
CAROLE THERIAULT
This is the first security solution that brings all the unmanaged devices, apps, and identities used in your company under your control.

And it ensures that every user credential is strong and protected, every device is known and healthy, and every app is visible.

'Cause 1Password Extended Access Management solves the problems traditional IAM and MDMs can't.

It's security for the way we work today, and it's now generally available to companies with Okta, Microsoft Entra, and in beta for Google Workspace customers.
GRAHAM CLULEY
1Password's award-winning password manager as well is trusted by millions of users and over 150,000 businesses from IBM to Slack.

And now they're securing more than just passwords with 1Password Extended Access Management. Find out more right now. Go to 1password.com/smashing.

And thanks to 1Password for supporting the show. And welcome back. Can you join us at our favourite table?

Favorite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Jane.
JANE WAKEFIELD
Oh, sorry. Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they read, a TV show, movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my Pick of the Week is not security related. I'm sure you're all familiar with the XKCD cartoons on the internet made by Randall Munroe. Wonderful cartoons.

He's been doing them for about 20 years, I think. Really, really great stuff. And I recently came across an article which he wrote.

And, you know, rather than one of his cartoons, and it was an article he wrote in The New Yorker. And it's called The Space Doctor's Big Idea.

And this is him explaining Einstein's theory of general relativity. Or rather, as he describes it, the big idea of a doctor with cool white hair.

And the reason why he describes Einstein's general relativity in those terms is because the entire article is written using only the 1,000 most common words in the English language.

So if you've ever wanted to understand general relativity, then go to the link on The New Yorker where Randall Munroe has explained it all in very simple terms. And it got me.
CAROLE THERIAULT
When was this published?
GRAHAM CLULEY
This was published in 2015, but I've only just come across it.
JANE WAKEFIELD
Oh, okay.
CAROLE THERIAULT
You're sounding like it's revolutionary.
GRAHAM CLULEY
The theory of general relativity isn't revolutionary. It's 100 years old. But, you know, I thought this is extraordinary.

And I think there may be a case for using only the 1,000 most common English words. I'm of an age now where it's hard to explain to me some of the modern world.

Maybe I could do with an encyclopaedia which uses just the 1,000 most common English words to explain to me how they manufacture steel.
JANE WAKEFIELD
I think it's a good idea.

I think we should have a lot of things that are very boring, like reports and terms and conditions and contracts and all those very boring things that we have.

Well, we don't read through, do we, to be honest? We just click to the end and say, okay, yep, we've read all this.
CAROLE THERIAULT
I want to look at more bears.
JANE WAKEFIELD
Yeah, if they were written in plain English, perhaps we would read them better and understand them better.
GRAHAM CLULEY
Anyway, this article on The New Yorker, The Space Doctor's Big Idea, I'll link to it in the show notes. You can trust the link. It is my pick of the week.

Now, Jane, what's your pick of the week? Or do you have a nitpick of the week?
JANE WAKEFIELD
Yeah, I feel a bit bad about this because I'm going to moan again. I think I was called an old codger earlier, and this is kind of proper old codger territory.

And also it goes against what you were saying earlier about the importance of two-factor or multifactor authentication, because I have had my own personal hell today.

I've been locked out of my Microsoft account. All I want to do is pay a bill.
GRAHAM CLULEY
Right.
JANE WAKEFIELD
All I want to do is just pay a bill. But because my Microsoft Authenticator app doesn't seem to be working. I can't do anything. It's as if I don't exist in the world.

So I've had to revert to the very old-fashioned way of using a telephone and talking to customer service, which of course is automated, and then they put you in a queue, a very long queue.

It was about an hour queue, and then I got through to somebody, and then I got cut off.

So all the classic things that irritate us on a daily basis, and I've been sucked into this Kafka-esque black hole of just not being able to do a very simple thing and it taking me hours to do it.

And I totally understand that multifactor authentication is a very important thing, but when it goes wrong, it's a bloody nightmare.

Very nearly swore there, and I know I can, but I'm not going to because, you know, I mustn't. I mustn't be angry about this.

I just must be very calm and think, you know, this will all be solved eventually.
GRAHAM CLULEY
I wonder what's gone wrong.
JANE WAKEFIELD
Yeah, who knows? But we're sort of stuck in the middle as a customer, and it can be very frustrating for us.

And I was reading something that Jamie Bartlett, him of Crypto Queen fame, wrote the other day about how digital life seems to come with an awful lot of admin.

He was talking about parking apps and how, you know, you go to park your car and you have to do it on an app, but you haven't got the app, so you have to spend ages downloading the app, or you might take a QR code that a scammer has put a ticket over, and then you're suddenly, you know, giving your money to a scammer.

We are in a world where there's an awful lot of admin to get small things done, and this is not what we were promised. This is not what we were promised.

We were promised that life was going to get much easier and much more simple.
CAROLE THERIAULT
Yeah, seamless, quick, hassle-free.
GRAHAM CLULEY
This is turning into the Grumpy Old Geeks podcast.
JANE WAKEFIELD
Yeah, I know, you probably won't have me back, but you know, this is the life I lead, and moaning about things is, you know, you've got to get these things off your chest on a podcast, really, haven't you?

Why not?
CAROLE THERIAULT
Why not?
GRAHAM CLULEY
Thank you, Jane, for your nitpick of the week. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, I am nowhere near security. Do you remember, Graham, we a long time ago saw a movie that narrowly missed the Palme d'Or?
GRAHAM CLULEY
Yes, yes.
CAROLE THERIAULT
And it turned out to be way fruitier than any of us expected.
GRAHAM CLULEY
The initial scene was—
CAROLE THERIAULT
It's a bit of a mortifying experience.
GRAHAM CLULEY
Very, yes, rude.
CAROLE THERIAULT
Yes. Eye-popping. Yes. Well, my pick of the week is a book that narrowly missed the Booker Prize last year. But it's not fruity in any way. It's called Creation Lake by Rachel Kushner.

Her fourth novel, but the first I've read. Have either of you read it or heard of her?
GRAHAM CLULEY
No, I haven't heard of her.
JANE WAKEFIELD
I haven't. Okay.
CAROLE THERIAULT
It's so, so good. But quick synopsis, you've got Sadie Smith. This is a pseudonym, and she's ex-FBI and now a freelance spy, a spy for hire.

And she's been hired to disrupt, to corrupt, a small farming cooperative in France. Okay, so her job is to infiltrate them, spy on them, and influence their plans.

But through her research, she learns stuff which threatens to change her game plan or her worldview, even her raison d'être. It threatens that.

She's a great character, and she's ruthless. I mean, it's her job to dupe people, right, and gain their trust.

But woven through this thriller is almost a philosophical treatise about what it means to be human. I know it's— sorry to get deep again, but yeah, it's great.

And I don't stand alone. It's appeared on 16 lists of best books in 2024. I loved it. So pick of the week, Creation Lake by Rachel Kushner. Fantastic.
JANE WAKEFIELD
I feel a bit stitched up here because Graham's pick of the week is about something from The New Yorker. Yours is about the Booker Prize. And mine is about—
CAROLE THERIAULT
Dealing with Tesco.
JANE WAKEFIELD
Having to spend a long time trying to sort out Tesco. Hmm. I might have to rethink my pick of the week and come back with something a little bit more cerebral.
GRAHAM CLULEY
I think it's very balanced. That's what we want.
JANE WAKEFIELD
I'm the jam in the middle of the sandwich.
GRAHAM CLULEY
At least it's that kind of sandwich rather than any other kind. And that just about wraps up the show for this week. Thank you so much, Jane, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and maybe follow you online, what's the best way for folks to do that?
JANE WAKEFIELD
Do you know what? Come find me on LinkedIn. It's my new favorite social media platform. There's no disinformation there. Well, there probably is, but not that I've noticed.

And yeah, I spend a lot of time there, very sadly.
GRAHAM CLULEY
And you can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G.

And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
CAROLE THERIAULT
And huge, huge thank you to our episode sponsors, 1Password, Tripwire, and Scanner.dev. And of course, to our wonderful Patreon community.

It's their support that helps us give you this show for free.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 403 episodes, check out smashingsecurity.com.
GRAHAM CLULEY
Until next time, cheerio, bye-bye.
JANE WAKEFIELD
Bye. Bye.

Hosts:

Graham Cluley:

Carole Theriault:

Guest:

Jane Wakefield

Sponsored by:

  • 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.
  • Tripwire Enterprise – Set up a demo of Tripwire Enterprise to see how you can simultaneously harden your systems and automate compliance.
  • Scanner.dev provides a new technology offering fast search and threat detections for security data in S3 helping teams reduce the total cost of ownership of their SIEM by up to 90%.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
