Smashing Security podcast #417: Hello, Pervert! – Sextortion scams and Discord disasters

Industry veterans, chatting about computer security and online privacy.


Don’t get duped, doxxed, or drained! In this episode of “Smashing Security” we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger’s Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases.

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Plus! Don’t miss our featured interview with Drata’s Matt Hillary.

Warning: This podcast may contain nuts, adult themes, and rude language.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Graham Cluley

You create a 12-word seed phrase, right? You obviously store that very securely, or you write it in the back of a book.

Carole Theriault

Tattoo it on your ass.

Graham Cluley

Depends how visible your ass is.

Carole Theriault

So now I have two things I definitely, absolutely cannot lose for love or money. Okay.

Graham Cluley

You can't lose your ass, but potentially someone could read the seed phrase on it. I wouldn't recommend putting it there.

Carole Theriault

Big pants.

Graham Cluley

Big pants. Smashing Security, episode 417. Hello Pervert: Sextortion Scams and Discord Disasters with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Smashing Security, episode 417. My name's Graham Cluley.

Carole Theriault

And I'm Carole Theriault.

Graham Cluley

What's coming up on the show this week, Carole?

Carole Theriault

Before we kick off, let's first thank this week's wonderful sponsors, Drata, Dashlane, and Vanta. It's their support that helps bring you this show for free. Now coming up on today's show, Graham, what do you got?

Graham Cluley

I've identified a little bit of discord in the world of cryptocurrency.

Carole Theriault

Quelle surprise. And I look into the Hello Pervert scam. Plus, I have a chat with Matt Hillary, a CISO at Drata, and we talk specifically about GRC. That's governance, risk, and compliance. All this and much more coming up on this episode of Smashing Security.

Graham Cluley

Now, chums, chums. Where do you keep your money? Where do you keep your money, Carole?

Carole Theriault

In the bank.

Graham Cluley

Oh, that's disappointing. I was hoping you were going to say in the shed, and you've got a lock on it, and I could pop round any Thursday and pinch it, or under the flower pot or something like that. Well, in the old days, yes, I think many people used banks, didn't they? Or put it under the bed or in their wallet, maybe if it's a little bit of loose change. But these days, in the case of cryptocurrency, the place where you put it is a portable hardware wallet, often in the form of a little USB device.

Carole Theriault

Yeah, something you don't want to lose.

Graham Cluley

You don't want to lose it, and you shovel your bitcoin onto it so your bitcoin doesn't get stolen. That's the theory, at least. And it's a good idea, I reckon, if you have cryptocurrency. It's better than shoving it into an online cryptocurrency exchange or into a wallet app you've downloaded from some app store onto your phone, because a hardware wallet, or also known as a cold wallet, is offline storage.

Carole Theriault

Of course, we talked about this before. Yeah, yeah, yeah.

Graham Cluley

Yeah. The private keys to your crypto fortune are disconnected from the internet, which massively reduces the risk of your cryptocurrency being hacked or phished or falling prey to malware. So you are in control of the keys. With hardware wallets, it's you who are holding the private keys. It's not a third party who you've entrusted it to.

Carole Theriault

Do some people feel better with that? Because if it were me, that would make me much more nervous.

Graham Cluley

That you were in charge?

Carole Theriault

If I were in charge. Yeah. There's certain things I'm very happy to be in charge of.

Graham Cluley

Right.

Carole Theriault

Like dinner party. I could throw a dinner party. I could do a podcast. I don't want to be in charge of any keys that is my whole fortune.

Graham Cluley

Yeah. You wouldn't want to put me in charge of a dinner party, or you wouldn't want to put me in charge of your private fortune, would you?

Carole Theriault

Or my crypto keys, to be honest.

Graham Cluley

Right, okay. So why would you trust some crypto bro who set up a website saying, "Oh, we can store all your cryptocurrency keys," rather than trusting yourself? You have it on a little device, you control when you plug it in, you control when you access it.

Carole Theriault

Yeah, it makes sense. If you were gonna go down that route, I think it makes perfect sense to be fully in charge because there's not a lot of regulation out there to help you out.

Graham Cluley

Right. And even if your computer is infected by malware one day, the hardware wallet you have on that USB key... If, as I suspect you inevitably would, Carole, if you lost your hardware wallet.

Carole Theriault

Absolutely. I'm not fighting you on that one.

Graham Cluley

You can recover your funds because when you set it up, you create a 12-word seed phrase, right? And you obviously store that very securely, or you write it in the back of a book.

Carole Theriault

Tattoo it on your ass.

Graham Cluley

Depends how visible your ass is.

Carole Theriault

So now I have two things I definitely, absolutely cannot lose. For love or money, okay.

Graham Cluley

You can't lose your ass, but potentially someone could read the seed phrase on it. I wouldn't recommend putting it there.

Carole Theriault

Big pants. Big pants.

Graham Cluley

Very big, thick pants. Now, one of the most well-known USB hardware wallets for those people who aren't using tattoos on their bottoms, it comes from a company called Ledger, and they're one of the good guys. Their hardware wallets are well regarded. They're designed to keep your cryptocurrency offline, immune from the hackers, but I'm afraid they've not been having the best time security-wise.

Matt Hillary

Oh.

Graham Cluley

They have become embroiled in a series of incidents.

Carole Theriault

Do tell.

Graham Cluley

I'm going to tell you about the latest example. Ledger has an official Discord server.

Carole Theriault

Okay.

Graham Cluley

Which they use for announcements and tech support and community engagement, all good stuff like that, you know.

Carole Theriault

Right, sounds good.

Graham Cluley

A lot of young people use Discord, don't they? I don't. I don't really understand it, to be honest, but a lot of people use it. Gamers and the like use it.

Carole Theriault

Yeah, Maria's a big fan. Maria Varrati.

Graham Cluley

Well, there you are. She's a proper nerd, not like us. And on that official Discord server for Ledger, a message was posted by an administrator warning that Ledger recently had a security issue and that to protect themselves, users should verify their recovery phrases. And those, of course, are the recovery phrases you should never tell anyone ever, because if you hand them over, someone else can recreate your cryptocurrency fortune and nab all of your money. So you've got to be careful. So Ledger are telling you they've had a security issue. Go to this link and verify. You can see where this is going wrong already.

Carole Theriault

Where are they saying this? They've emailed me.

Graham Cluley

This is on Discord.

Carole Theriault

Oh, it's on Discord.

Graham Cluley

It's on their Discord from one of their administrators telling you about this instant breaking news. We've had this happen to us.

Carole Theriault

Surely most would look for a secondary source of information. You'd go to the website, you would look at your email, go to your account to see if everything was fine on the actual website.

Graham Cluley

You know, you're a very wise person.

Carole Theriault

I'm not.

Graham Cluley

And you've got a lot of money to lose. I understand.

Carole Theriault

I don't have a lot of money to lose.

Graham Cluley

And so you don't mind losing a bit of your cryptocurrency. You have investments in all kinds of places. But imagine all of your eggs were in the cryptocurrency basket and you thought, oh my goodness, I've got to do this right now. And sometimes you just click without thinking. And of course, in this particular case, if you did click on the link, if you entered your recovery phrase as directed by the administrator from Ledger on their Discord server, bam. Oh dear, oh dear. You have just handed over all of your money.

Carole Theriault

Did people fall for that? Did people fall?

Graham Cluley

I don't know.

Carole Theriault

Okay.

Graham Cluley

We don't know. We don't know. What we do know is that, although it was Ledger's official Discord channel and although the message was posted by an official moderator and admin on that Discord channel, at least from the account of an official moderator or admin, it wasn't the official moderator who actually posted it themselves. It was a hacker who had compromised the moderator's account.

Carole Theriault

Yeah.

Graham Cluley

And posted this phishing message for all of those Ledger users on the official Discord. So a crafty piece of social engineering. And of course, a Discord server, it can be a busy place. Lots of people logged in. And some people you, Carole, would be savvy to this and think, whoa, whoa, whoa, what's going on here? I need to warn everyone. And so some users did realise what was going on and they tried to post warnings, whereupon they instantly got themselves booted out of the Discord server.

Carole Theriault

By the pseudo-administrator, because the account had been taken over. Got you.

Graham Cluley

Exactly. Exactly. Now, this obviously created quite a few headlines. Even former Binance CEO, so Binance was a cryptocurrency exchange, CZ, his name is, real name is Changpeng Zhao. He's crypto's very own legally challenged and utterly irony-free motivational speaker. He's been in some trouble with the law for various things, but he popped up to mumble some things about, you know, you've gotta stay vigilant. He says, you gotta stay vigilant 'cause there's lots of scammers out there, he said. And meanwhile, what was Ledger's response? Well, Ledger, they sort of said something along the lines of, oh, whoops, you know, we had an unsecured account. Don't click on anything. Which, to be honest—

Carole Theriault

It's underplaying it a little bit.

Graham Cluley

It is a little bit. It's a bit if I went into the Louvre, not the loo, went into the Louvre and I threw a can of spaghetti at the Mona Lisa. And then I said, look, it's not a problem. I've said sorry. You know, that's it, right?

Carole Theriault

You can wipe it off with a—

Graham Cluley

Wipe it off. Here's a little chamois cloth. Don't worry about it. I can draw you another one. I can do you another one. So Ledger says it's now tightened the security of its Discord server. And they've said that there was a contractor who was an administrator, someone they were paying to administer the Discord server, who had his account hacked. They claim, well, it wasn't us who got hacked.

Carole Theriault

Okay, but—

Graham Cluley

But, you know, but it was the administrator. Come on, on the official server.

Carole Theriault

You're kind of blaming the victim though, a bit, by asking Ledger to be more... Do you know what I mean? Because they are the victim, aren't they?

Graham Cluley

Well, they are a victim. I would argue they're probably not as big a victim as anyone who actually entered their details and ended up having all their cryptocurrency plundered.

Carole Theriault

Yeah, it always sucks if your whole strapline, your whole marketing message is, we are as safe as Fort Knox, you know?

Graham Cluley

Yeah.

Carole Theriault

Because who is really?

Graham Cluley

People are paying a premium to use these devices because they expect proper security. Now, this isn't the only challenge facing Discord users.

Carole Theriault

Oh dear. Okay.

Graham Cluley

Back in 2020, I know that was a few years ago, but back in 2020, Ledger suffered another security breach. Its e-commerce database was hacked, exposing customers' names, email addresses, phone numbers, home addresses. 270,000 people in all who had bought a Ledger cold wallet to stop themselves from being robbed. Over a quarter of a million. They now had to deal with the fact that a group of hackers who'd really like to rob them now knew precisely where they lived.

Matt Hillary

Mm-hmm.

Graham Cluley

And what we've seen in the last week are reports that some Ledger customers are receiving snail mail through the post. So yes, actual real human beings have been receiving real physical envelopes through the post containing physical letters. And these letters, which have Ledger's logo on them, instruct them that they need to complete a mandatory wallet validation for a critical security update. And what do they do? Well, you know all about this, Carole. Phishing.

Carole Theriault

Mm-hmm.

Graham Cluley

I hate that word. So people are being told scan a QR code to go to a webpage and enter your recovery phrase again. And the letter says failure to complete this mandatory validation process may result in restricted access to your wallet and funds. So again, people are being duped.

Carole Theriault

Yeah, that's a bit— I think that's a little bit scarier, really. I'd find that a little— I mean, okay, where do people keep these things? Do they keep them on their keychain, these little USBs or whatever, these little wallets? We keep them in a safe. You keep them in your house.

Graham Cluley

I'm not going to tell you where I put mine, but yeah, you could hide in all kinds of private places, Carole. I'll leave that to your imagination. But, you know, here we've just seen Marks & Spencer hacked, right? And we found out that customer data has fallen into the hands of these hackers as well. And someone asked me earlier today, I was speaking to a reporter and they said, well, what happens if the hackers decide to exploit this information in a few months' time rather than right now? I said, oh, absolutely they can. And here we're seeing the Ledger breach from 5 years ago haunting it because the hackers know who has Ledger devices. They know who to send these letters to.

Carole Theriault

Yeah, and it's not like you change your name or your house address very often.

Graham Cluley

Not that often.

Carole Theriault

Mm.

Graham Cluley

So here's my advice. Never ever give your recovery phrase to anybody. Not online, not over email, not through Discord. It doesn't matter.

Carole Theriault

But always remember it. Don't ever forget it.

Graham Cluley

Well, yeah, or store it somewhere securely, your recovery phrase. Yeah, those seed phrases. So you could put them in a password manager, for instance. That could be a good place to put them. Doesn't matter if it's a Ledger moderator in their official Discord or after you receive a letter in the post, just don't tell anybody. And I have to ask, why is Ledger using Discord as a support portal anyway? It is a video gamer chat room. You know, it's all crazy emojis and memes and neon text. I don't know if you've ever been in it, Carole.

Carole Theriault

I've been there a few times. It's not where I hang out. I think there is a lot of useful information there, but, like all things on the internet, things sour over time sometimes.

Graham Cluley

I don't know if it's a secure customer support portal that's appropriate for Ledger. Call me an old fuddy-duddy if you wish.

Carole Theriault

Okay, you're an old fuddy-duddy.

Graham Cluley

Carole, what's your story for us this week?

Carole Theriault

Well, this morning I'm perusing the wires looking for a story idea for this week's show.

Graham Cluley

Yeah.

Carole Theriault

And I saw that there was a little resurgence of a malicious attack that I don't think we've ever covered on the show, despite it being around for at least a few years.

Graham Cluley

All right.

Carole Theriault

So I want to dive into the Hello Pervert scam.

Graham Cluley

Hello Fervent?

Carole Theriault

Well, no, with a P. Oh, okay. Several news reports and security pundits say it's back causing havoc. And a great way to slow down the success rate of these types of scams is, I think, to talk about it and warn folks. So here we are.

Matt Hillary

Okay.

Carole Theriault

So the basic gist of the scam is this: they send a message, usually by email, to a target victim or potential victim with the subject line "Hello Pervert."

Graham Cluley

Okay, well, instantly I think this is not an email from my bank.

Carole Theriault

Right, right. So you have to put yourself into the shoes of John Doe, right? And you're seeing this headline in a big stack of unread emails.

Graham Cluley

Yes.

Carole Theriault

What would be your first thoughts?

Graham Cluley

What's Carole messaging me about now, I think. I mean, yeah, I'd wonder who has sent me a message with the subject line, Hello, Pervert. Yes.

Carole Theriault

You know who did it? Yourself. It comes from your own account.

Graham Cluley

Oh, is this because I've been sleepwalking or something? I'd got up in the middle of the night and maybe a slightly racy dream?

Carole Theriault

But maybe you're thinking someone's inside my computer.

Graham Cluley

Oh yeah, that's possible, yes.

Carole Theriault

So then you're thinking, maybe I shouldn't have done naked yoga in front of my iPad. You know? So the title's rather clever because, you know, most phishing attacks kind of have this tinge of alarm or fearmongering or urgency, all in the hopes of getting you to react rather than to think, right? That's basically what the whole game plan is. And typically the point is to get your credentials, your username or your password, your Ledger 12-word code, or get your banking details or whatever.

Graham Cluley

But how are they going to do it? All they've got is a subject line of "Hello, pervert."

Carole Theriault

Well, we're going to walk through a typical version of these scams. And I thought it might be interesting because I don't think we've done this before.

Graham Cluley

Okay.

Carole Theriault

So it starts off saying, hello, pervert. I've sent this message from your iCloud mail. Right. So it's alarming that you're thinking, okay, they're inside my mail.

Graham Cluley

Okay, well, I don't have an iCloud account, an iCloud email account.

Carole Theriault

So I don't know the answer to this. I was under the assumption that anyone who had a Mac now had an iCloud account, a mail account.

Graham Cluley

I think you have an iCloud account. I'm not sure if you have an iCloud email. Listeners, let us know.

Carole Theriault

Yes.

Graham Cluley

We do.

Carole Theriault

So, okay, so that starts with that. And then it says, I want to inform you about a very bad situation for you.

Matt Hillary

Hmm.

Carole Theriault

Right? So get the panic up a little bit because you might be going, oh, poo, oh, poo.

Graham Cluley

Okay, what's this going to be? Yeah.

Carole Theriault

But then it changes tack. It goes, however, you can benefit from it if you act wisely.

Graham Cluley

Right.

Carole Theriault

So I'm feeling that there is something you might be able to do to get out of this situation. But you don't really know what the situation is yet. Right?

Graham Cluley

Yeah.

Carole Theriault

Right. So then it goes, have you heard of Pegasus? It says this is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, et cetera. It works well on Android, iOS, and Windows. I guess you already figured out where I'm getting at.

Graham Cluley

OK, so Pegasus is a real piece of spyware. It's been high profile. It's been written about many times.

Carole Theriault

Talked about it on the show, yeah.

Graham Cluley

Yep, state-sponsored attackers sometimes have used it as well. It is out there for sale. Well, some people might actually go and use a search engine, might they, to first think, well, I haven't heard of Pegasus, but let me have a little look. And once they got past the flying horse, they find out that there's this piece of spyware, and that may give credence to this suggestion that they have been hacked.

Carole Theriault

I think so. And in fact, if they went and researched it even just today, the day of recording, you would hear that The NSO Group, the people behind Pegasus, have to pay Meta $168 million for the WhatsApp spy case where basically Pegasus was in there looking for activists, journalists, investigative journalists, and that kind of thing.

Graham Cluley

Which is really great, actually. I mean, we slag off Facebook all the time and the Meta group of companies, but here they have actually taken action against a spyware company. I guess Facebook have basically said, hey, 'You can't spy on our users, that's our job.' Apple also had a case against them, but they dropped it.

Carole Theriault

But it seems that Facebook didn't. Anyway, so you would, right? You would go exactly as you say. It is a true program. So if you'd gone, 'I'm gonna go check out this Pegasus thing,' you would go, 'Yep, this is real.' Yep. So the letter carries on. 'It's been a few months since I installed it on all your devices because you were not quite choosy about what links to click on the internet. During this period, I've learned about all aspects of your private life, but one is of special significance to me.'

Graham Cluley

Is it my visit to Outpost Gallifrey where I read all of the Doctor Who gossip, or is it—

Carole Theriault

Do you do it in the nude?

Graham Cluley

Oh, well, actually, there's quite a few chess websites as well. There's a lot of porn action on those.

Carole Theriault

Maybe you'd be thinking, oh, there was that time where I had a quickie in front of the iPad. You know, there's a lot of things that might go through your head. A few months. It's long enough for you not to necessarily remember what you might have done or not done in front of a device, with which your home is probably littered.

Graham Cluley

Right. And so this guy has been watching me for months.

Carole Theriault

Right.

Graham Cluley

My goodness, I'm in trouble.

Carole Theriault

Now, goes on, I doubt you'd want your friends, family, and coworkers to know about it. However, I can do it in a few clicks. So again, nothing specific, right? But right now, I'd be okay, if you got something, show it to me. Surely you got to show it to me.

Graham Cluley

Yes, because he hasn't said, I can tell your Auntie Marjorie or something that, has he?

Carole Theriault

There's nothing talking about anything specific to me at all.

Graham Cluley

Okay. Yeah.

Carole Theriault

I guess the idea here is that you might feel so guilty or shameful about the thing that you have done, you're manifesting the whole story. You're filling the gaps to the story that they're putting out there.

Graham Cluley

Yes.

Carole Theriault

It then carries on. Every number in your contacts list will suddenly receive these videos on WhatsApp, on Telegram, on Instagram, on Facebook, on email. Everywhere is going to be a tsunami that will sweep away everything in its path. And first of all, your former life.

Graham Cluley

The good news for me is I know you, Carole, never read your email, right? Even if you were sent rude videos of me.

Carole Theriault

Can I just assure you right now that if I ever got a whiff of any communication having any imagery of you in a compromising situation, I assure you, I will close my eyes for you.

Graham Cluley

You're very sweet. That is the nicest thing you've ever said to me.

Carole Theriault

And then I'll run to therapy. Okay, so the threat is to embarrass you in front of everyone you care about is basically what the threat is there.

Graham Cluley

Right.

Carole Theriault

And then it carries on. Don't think of yourself as an innocent victim. No one knows where your perversion might lead in the future. So consider this a kind of deserved punishment to stop you. I'm some kind of God who sees everything. However, don't panic.

Graham Cluley

Okay.

Carole Theriault

As we know, God is merciful and forgiving. And so do I.

Graham Cluley

Well, this is great.

Carole Theriault

He says, my mercy is not free. Transfer $800 USD to my Litecoin LTC wallet.

Graham Cluley

Ah, I knew there was going to be something like this. I didn't think it was going to be say 5 Hail Marys and I'll let you go. So he wants the hard cash, eh?

Carole Theriault

It is the, what's it called, that plate that comes around?

Graham Cluley

Yes, yes, the collection plate, yes.

Carole Theriault

Yeah, so, but that's quite a doozy, $800. Apparently it varies between $500, $1,000. And then he carries on, once I receive confirmation of the transaction, I will permanently delete all videos compromising you, uninstall Pegasus from all your devices, and disappear from your life.

Graham Cluley

He sounds like a trustworthy fellow.

Carole Theriault

He's been great so far.

Graham Cluley

I trust him.

Carole Theriault

I love this promise of a rainbow after the impending storm that you're finding yourself in. Fantastic. So then he carries on, you can be sure my benefit is only money, otherwise I wouldn't be writing to you, but destroy your life without a word in a second. And then it says, I'll be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are uncharted waters for you, don't worry, it's very simple. Just Google crypto exchange or buy litecoin. It'll be no harder than buying some useless stuff on Amazon.

Graham Cluley

But be careful not to enter your recovery phrase.

Carole Theriault

And then there's all the threats at the end. There's this list of do not reply to this email, I've sent it from your iCloud mail. Do not contact the police, I have access to all your devices, and as soon as I find out you ran to the cops, videos will be published. Don't try to reset or destroy your devices. I, as I mentioned above, I'm monitoring all your activity, so you either agree to my terms or the videos are published. Also, don't forget that cryptocurrencies are anonymous, so it's impossible to identify them using the private address. And it ends with, good luck, my perverted friend. I hope this is the last time we hear from each other. And some friendly advice. From now on, don't be so careless about your online security.

Graham Cluley

They could have included some affiliate links to advise people, here are products you can buy in future to defend yourself, and they could make some money that way too. I mean, do you think this actually works? Do you think people do fall for these things and give the money? Because I mean, in case we haven't made it clear, the computer isn't infected, is it? The spyware isn't present.

Carole Theriault

What's fascinating to me is they've made themselves both extremely trustworthy. I've got control, I see everything, here are the rules, do this, everything will go well. But at the same time, there is nothing on your system at all, right? At all. So the whole thing is this complete ruse. It's not even bespoke to you. Now, of course, this kind of threat could, I'm sure, with the advent of technology, be completely tailored to your specifics, you know, so with Graham, you would probably mention chess, Doctor Who, I don't know, Peanuts.

Graham Cluley

Yeah, but then they would have had to have actually broken into my computer and observed my browsing history, for instance, wouldn't they?

Carole Theriault

Or read your social posts and use some—

Graham Cluley

Oh yeah, but that's a lot of effort. That's a lot of effort, isn't it, for the scammer to get?

Carole Theriault

Not for your AI friends, but yes, maybe for today's scam.

Graham Cluley

Maybe not, maybe, but I mean—

Carole Theriault

This is low-tech.

Graham Cluley

Yeah, they're just sending these out to millions of people, I suppose, and there'll be some vulnerable people, a small percentage admittedly, who might think, oh crikey, you know?

Carole Theriault

Yeah, well, I think it depends on what you do in front of your screens, really. If you're leading a double life, this might get a little hot under the collar, seeing that email.

Graham Cluley

Yeah. Yeah, yeah. It's horrible, isn't it?

Carole Theriault

It is horrible. So, you know, we know the advice here. Make sure your passwords are unique and complex, including your email and socials. Don't think it's just my banking one I have to worry about. We've mentioned this earlier, reputable password managers can be invaluable here. And, you know, what do you think about running anti-malware programs if you're nervous in this situation? What would you say, oh wise one?

Graham Cluley

Oh, me? If you think there's a tiny chance that your computer might be infected with some malware, then yes, of course you should run some antivirus software to try and reassure yourself.

Carole Theriault

One that you trust.

Graham Cluley

Yeah. One that you trust. Yes. Don't use any links in this Hello Perv that, you know, they've asked you to click.

Carole Theriault

Don't go phishing.

Graham Cluley

Don't do anything like that. And also, if the hacker really knew anything about what you had been up to, then surely they would've included that in the message to make it more compelling. So they would've said, "I know that you went to this site at this time, and this was the search which you entered," or that kind of thing. The lack of any corroborating evidence should set your alarm bells ringing. But as I said, there will be a small percentage of people who are vulnerable to this kind of thing and will just panic, and maybe they've got other bad stuff going on in their life. And so they might be duped into handing over the money. It's a terrible thing.

Carole Theriault

So what you do, you get one of these emails, you don't open it, right? Just slap it into your spam folder.

Matt Hillary

Yeah.

Carole Theriault

If you happen to open it, what do you do then? Don't pay them.

Graham Cluley

Yeah. Oh, yes.

Matt Hillary

Right.

Carole Theriault

Don't pay them.

Matt Hillary

Yeah.

Carole Theriault

Don't follow the advice in it. Just go, nice try, bucko. And if you end up paying for it, know it was a scam and contact your local authorities, your cyber authorities.

Graham Cluley

Now, if someone emailed me and they attached a picture of your bottom, Carole, with the recovery phrase, your cryptocurrency wallet.

Carole Theriault

You know what? There's not enough room on my ass for 12 words.

If you're leading risk and compliance at your company, you're likely wearing 10 hats at once, managing security risks, compliance demands, and budget constraints, all while trying not to be seen as the roadblock that slows the business down.

Graham Cluley

But GRC isn't just about checking boxes. It's a revenue driver that builds trust, accelerates deals, and strengthens security. That's why modern GRC leaders turn to Drata, a trust management platform that automates tedious tasks so you can focus on reducing risk, proving compliance, and scaling your program.

Carole Theriault

With Drata, you can automate security questionnaires, evidence collection, and compliance tracking. You can stay audit-ready with real-time monitoring. And you can simplify security reviews with Drata's Trust Center and AI-powered questionnaire assistance.

Graham Cluley

Instead of spending hours proving trust, build it faster with Drata. Ready to modernize your GRC program? Visit drata.com/smashingsecurity to learn more. That's drata.com/smashing-security.

Stolen credentials are the number one cause of data breaches, and well, there's a better way to solve that password problem, and that's with Dashlane.

Carole Theriault

Dashlane is doing what others aren't, providing complete credentials and password management, preventing employees from adopting poor password habits, streamlining secure access, and simplifying workflows.

Graham Cluley

And with Dashlane, you get real-time phishing alerts to stop employees from taking the bait, and you're protecting your data with patented security and the very strongest encryption available.

Carole Theriault

So what are you waiting for? Give Dashlane a try today, at your work or at home. There are versions of Dashlane for both personal home use and business use. And by being a listener to Smashing Security, you get savings off both. Save 25% off a new business plan, or 35% off a new personal premium plan by visiting smashingsecurity.com/dashlane. That's smashingsecurity.com/dashlane.

Graham Cluley

And thanks to Dashlane for supporting the show. Now, Carole, according to Vanta's latest State of Trust report, cybersecurity is the number one concern for UK businesses. And of course, Vanta can help you with that.

Carole Theriault

Whether you're a startup growing fast or already established, Vanta can help you get ISO 27001 certified and more without any of the headaches.

Graham Cluley

You see, Vanta allows your company to centralize security workflows, complete questionnaires up to 5 times faster, and proactively manage vendor risk to help your team not only get compliant, but stay compliant.

Carole Theriault

So stop stressing over cybersecurity and start focusing on growing your business in 2025. Check out Vanta and let them handle the tough stuff. Head to vanta.com/smashing to learn more. That's Vanta, V-A-N-T-A.com/smashing. And thanks to Vanta for sponsoring Smashing Security.

Graham Cluley

And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.

Carole Theriault

Pick of the Week. Pick of the Week.

Graham Cluley

Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish. It doesn't have to be security related necessarily.

Carole Theriault

Better not be.

Graham Cluley

Now, last week, my Pick of the Week, if you remember, was a movie from about 35 years ago.

Carole Theriault

Yep. Very apt.

Matt Hillary

Yep.

Graham Cluley

And this week, my pick of the week is a movie that's out right now. Yes, I went to the cinema, or rather I was kind of dragged. I had my arm twisted by my lovely wife, and she said, "We're going to go and see a movie." I thought she said ThunderCats, but it turned out it was actually called Thunderbolts.

Carole Theriault

Okay.

Graham Cluley

And it's one of those Marvel superhero movies. How do you feel about Marvel superhero movies?

Carole Theriault

I wouldn't say they're my favourite.

Graham Cluley

She really likes them. I'm not a big fan of them.

Carole Theriault

Yeah, but I don't think— I think there's lots of people that adore them. I get it, you know, it's a good fantasy thing. It's just not where I like to kip out.

Graham Cluley

I don't like all the CGI fights. I find them a bit dull. It's a bit like watching a washing machine taking on a fridge freezer. And I just think, what is the point of watching this for 20 minutes with these things clonking each other? Anyway, this movie I actually thought was all right. And you know how I know? It was all right. And this is the big news.

Carole Theriault

You stayed awake.

Graham Cluley

Absolutely. I didn't fall asleep once. Normally, first sight of some CGI, I fall asleep. Not once during this movie. It's got Florence Pugh in it, English actress. She's doing a Russian accent. It's got some Ukrainian actress who's doing an English accent. And it's got David Harbour, who I recognize from something or other. He's doing a Russian accent. And various other people who I'm sure fans of superhero movies will know. Oh, and it's got Julia Louis-Dreyfus, who I've loved so much since Seinfeld, if you remember her.

Carole Theriault

Of course.

Graham Cluley

She's a baddie in it.

Carole Theriault

Oh, nice.

Graham Cluley

And it was actually pretty funny in places. And I thought, this is all right. So I thought, I bet some of the listeners of Smashing Security would like Thunderbolts as well. Not cats, Thunderbolts. And that is why it is my pick of the week.

Matt Hillary

Boom boom.

Graham Cluley

Carole, what's your pick of the week?

Carole Theriault

I'll wait. I'll wait till it comes out on a— so I don't have to get off my sofa for it.

Graham Cluley

You need to protect that recovery phrase, don't you? Yeah, just stay sat down.

Carole Theriault

So my pick of the week is an audio drama. It's been ages since I recommended any. So I just finished season 2 of a BBC Drama Award winner called Exemplar. It won an award for best series. So, it's a modern-day thriller set in the northeast of England. It's starring Gina McKee as Jess, a kind of quiet but sharp lone wolf audio forensic scientist. Okay?

Graham Cluley

She's always very good, isn't she?

Carole Theriault

Yeah, she's so great. So, in fact, Jess is the UK's leading audio forensic examiner. And now she has this bright sidekick called Maya, who's learning the ropes from Jess, but also is showing Jess a trick or two of her own.

Graham Cluley

So, audio forensics, they're listening to audio and thinking, oh, is this— does that sound like a crime to you?

Carole Theriault

Well, kind of. The first series, okay, it was out in 2022, the first series. It opens with Jess and Maya examining evidence of a nightclub shooting. Who did the crime? The answer's in the audio file.

Graham Cluley

Hey, hey.

Carole Theriault

So, there's a lot of kind of podcasty stuff, which makes it kind of cute. But I have to be honest, there's a lot of lingo I don't get.

Graham Cluley

Right?

Carole Theriault

Right? I was like, "Oh, I don't know that word." We know loads of words to do, "Let's fade it out." You know, let's—

Graham Cluley

Okay, there's one word we know. There's one word we know. Faded out. We don't know faded in. We'll learn that in time. Fade it out, we know.

Carole Theriault

So each episode has its own little audio mystery to solve, but there's an overall story arc. One where Jess's past was not all that rosy, and so that kind of dribbles through. Anyway, I've just finished season 2. It landed a few weeks ago, and the story arc carries on, so be sure to start with season 1.

Graham Cluley

What's it called again, Carole?

Carole Theriault

It's called Exemplar. It's an audio drama thriller. It's written by Ben and Max Ringham. It's available wherever you get your podcasts or on BBC Sounds. And that is my pick of the week.

Graham Cluley

Terrific stuff. Now, Carole, you've been chatting to the people at Drata this week.

Carole Theriault

Yes, I spoke with their CISO, Matt Hillary, all about GRC. Listen up.

So listeners, today I speak with Matt Hillary, the CISO at Drata. This is the company that keeps you ahead of security reviews, audits, and risks. And today we're going to pick Matt's brains on how we can better manage GRC. Now, most of you know what that is, but for listeners like my mom, hi, Mom, GRC stands for governance, risk, and compliance. So, thank you for coming on the show, Matt. Appreciate the time.

Matt Hillary

Of course. I really appreciate what you and Graham do here. It really uplevels our knowledge and in such an engaging and fun way. And so, I feel really privileged to be here with you and chatting about this today.

Carole Theriault

Well, you greased the wheels here for me. We have tons to cover today, so maybe we should just dive in. First, maybe just tell us a little bit about you and your responsibilities at Drata.

Matt Hillary

Of course. Now, you did a wonderful job introducing Drata. You know, Drata is a trust management platform. We help our over 7,000 customers on their respective GRC journeys. And we just announced, you know, our recent acquisition of Safebase to help companies build that interface of trust between companies and showcase all of our GRC efforts. Me, here at Drata, I lead our internal security compliance, IT, and privacy teams. And, you know, I was originally born into the GRC space. I started my career in the Seattle area working for Ernst & Young, and helping many of those organizations up in the Seattle area on their respective GRC journeys. You know, later in my career, I knew I needed to add the technical aspects of the hardcore security side of the spectrum. And so I added security engineering and operations to the mix and loved and thrived in that space. And I've started several security and GRC programs from the ground up at companies like AWS, Adobe, Instructure, Weave, and MX. And I've been a CISO at a number of companies prior to joining Drata.

Graham Cluley

Brilliant.

Carole Theriault

Well, I'm going to challenge you right now because I can tell the job title CISO, you know what you're doing. So can you explain GRC to those that are uninitiated?

Matt Hillary

Absolutely. You know, one of the things of just knowing something about a particular space is being able to hopefully distill that down to a set of terms that even a child can understand. So hopefully I can do that here.

Carole Theriault

Listen up, kids.

Graham Cluley

Totally.

Matt Hillary

So from a GRC standpoint, when I talk about Drata being a trust management platform, this is no different from building trust between two humans. Being transparent and open and vulnerable are those principles that help build trust between human beings. And it's no different at the organization level. Every organization is trying to build trust in their customers, whether it be a business-to-consumer type of business, or whether it be a business-to-business type of business. That trust is really what helps build and accelerate our growth as companies. And so we're in the middle of that and helping build that trust. Now, there are very specific ways and processes that we have to basically follow to demonstrate that we're doing something in a way that our customers would expect. And so that's where the governance side of things comes in, which is where we define what those expectations are for our companies. The risk standpoint is, there's a number of bad things, or what could go wrong, as we call them, or things that might impact our companies that we need to identify and treat. And then last but not least, there's a number of great frameworks that are usually built upon common risks across our companies that allow us to identify, hey, what are some specific controls, or these things that we should be doing to help protect us. And that's the compliance side. And there are a number of reports and things that we can engage a third-party assessment organization to come in and help evaluate how we're doing against those controls so that it's not just us saying something. We actually have another person coming in and observing that we're doing what we are saying we're doing and putting that in a format that we can all hopefully understand and build that trust. And so if I'm trying to think of my own 7-year-old daughter explaining that to her, she'd be like, okay, I lost you.

Carole Theriault

Yeah. Yeah.

Matt Hillary

She's like, ultimately, now this is where the Trust Center side of things comes into play, which I think is ultimately the culmination of all of our efforts related to GRC. And that's being able to showcase all of our efforts publicly so that we can show in that transparent way, hey, we're trying in good faith efforts to do everything that we can on our end to really demonstrate that we're trying to do the things that we should be doing. And that's where Trust Center comes into play, where we really can, again, allow customers in a self-service way to obtain the documents they need, obtain the artifacts they need to then assess and say, yeah, we agree, you are doing the things we expect you to do. Or, and this is actually, Carole, the thing that I love the most about these conversations, is I learn the most when another customer comes in and says, hey, but what about this aspect? Have you thought about this? And in some cases, they identify stuff that will allow us to improve on our own journey.

Carole Theriault

It does sound rather complex right now with today's technological advancements. Things are going to be not easy in organizations when trying to cope with all this. Can you tell us maybe about the challenges that organizations are facing today?

Matt Hillary

You know, recently we partnered with Wakefield Research to survey a number of IT security GRC professionals. And, you know, we published this in our most recent 2025 State of GRC report that's available now. And these biggest challenges really stem from, you know, the industry pressure on this role. You're right, the stakes have never been higher and they continue to get higher. And so when you think about GRC professionals that may already be an extremely lean team, already, they're having to continue to effectively meet those demands and pressures along the way. The next is just the complexity associated with these frameworks, right? Our team members, we are the great influencers in the organization. We're the great orchestrators of these controls. And so you really have to be someone that other folks want to engage with to help basically meet those standards and find gaps. And hey, we have a goal to build trust with customers. Here's a requirement, this is where we're at today, how do we want to close that gap? And it's a fun collaborative exercise across the board and really builds trust. And last but not least, on the security side, obviously, the addition of AI on both sides of the fence, both the attacker as well as the defender side, has just continued to be a fun challenge to understand.

Carole Theriault

But maybe we could start with the AI one. So talk to me about how AI has changed the landscape for you in the security realm.

Matt Hillary

Yeah, I'm super bullish about AI. I believe that humans are inherently good. Now, pulling from Ted Harrington's recent book, Hackable, we got to think like the attacker. There's obviously a very small slice or percentage of us that, whether it be due to pressure, whether it be to opportunity, whether it be to rationalization, may do things that may go against what we hope to. And with AI specifically, on the attacker side, we're seeing more crafty social engineering attacks, both from the email side of things or the deepfake side of things or the password reset as a video deepfake showing up and saying, hey, I'm so-and-so, but they're not. And there's a number of things there that are kind of concerning to us that we're seeing on the attacker side. Another one is just more effective profiling and attack path vector identifiers. In this case, we're seeing many companies come out with well-trained AI models that can effectively simulate a red team and try to find things that they might be able to exploit, which will further embolden both our pen testers that were actively trying to say, hey, come at us, please attack us, let us know what our gaps are. But also on the attacker side, the real attacker side, to be able to profile and say, tell me everything about this company so that I can create an effective attack path. And so it's really that great accelerator, a great augmenter to us doing things whatever direction we want to go. And on the attacker side, we're seeing that. And now on the internal side, the opposite, the fire against fire piece, we're seeing great tools continue to be developed in this space to protect and defend. One of them is it's kind of, it's nice to be able to offload a lot of that tier 1 triage, whether it be internal team members reporting emails. And so we have an AI-powered phishing email box. 
It's, hey, instead of humans having to spend time during the day reviewing those, we have AI models that are trained to look for, yep, this is actually phishing, or no, actually this one looks pretty legitimate. Let's have a human take a look at it, right? Another thing that's been really neat is being able to uplevel all of our skills, right? It's nice to be able to have a resource to ask questions to. Now, I do worry about reliance and the de-skilling of ourselves by overrelying on this tool. We have to still continue to stay sharp on our side of things.

Graham Cluley

Yeah.

Matt Hillary

And then the last but not least is the part around just context, right? It's nice to be able to, with super capable CSPM tools today, to be able to give us findings in context and then backed by models to be able to give us even more context with regard to threat modeling, threat intelligence to help anyone who's sitting in that seat seeing configurations that may not be ideal to be able to respond more effectively than we ever have been able to before. And so it's nice to be able to see that side of defense happen.

Carole Theriault

I was thinking in your report, you talk about something like 93% of those surveyed wanted to see more critical aspects of GRC functions become automated. And I think that talks to what you're talking about, right? Being able to automate it allows you to take your resources and put them elsewhere. And that's a very exciting thing for organizations, I imagine, right now.

Matt Hillary

100%. You know, as a GRC professional born in this space, it used to be spreadsheets, share folders, and just screenshots. It's like, oh my gosh, this is really painful as a human to have to do these highly manual things. Now with programmatic interfaces that have been available for a number of years now, and that's kind of where Drata started, was being able to show up and say, look, I don't want to spend 5 weeks pulling screen prints, 25 screen prints or whatever of encrypted EBS volumes. I can pull an API and check this every single day of the audit period. We've changed that whole conversation to say, hi, you're control owner of this, so you own this space. And guess what? Behind the scenes, we're integrated with all of your infrastructure and tools here. It is watching things for you. And then that way they're able to change that conversation and say, hey, we've got your back. You're on the same side of the table as us, and hey, we found this gap that was identified last night. And as a result of these checks, can you give us some information about these two examples so that if the auditors were ever to ask, we know what happened here, or can we remediate this on the fly? And so it's really not only just meeting, but significantly exceeding wherever we were at before with these capable platforms. Amazing.

Carole Theriault

Okay, okay, I'm going to challenge you now. I want you to try and give me, let's say, 3 tips so that listeners can do maybe a better job of handling today's governance, risk, and compliance challenges.

Matt Hillary

Of course. One that comes to mind is start today with a trust center. I'll talk about it in a sec. And then next is invest in a platform to automate these GRC program elements. And then third is continue to shift left. And so starting with a trust center, whether or not you adopt an organization that provides an incredible trust center like Safebase, many organizations start this journey just simply by having a /security note or a /trust or a /compliance note on their main website to start explaining what they're doing. And again, that transparency is the core of building trust between people. And it's the same at the organization level. Chances are your company, wherever you may be at on your journey, you're already doing a number of really good things worth sharing. You're effectively writing a State of the Union related to your security, compliance, and privacy programs. And it's extremely introspective. And so, but the nice thing there is it's also extremely customer-centric. Once you have that information out there, customers can then ask key questions that will cause you to drive improvements to share more. And another one is just around customer due diligence. I learned a lot about the things that we need to continue to improve on our own programs through those conversations. And the nice thing is you can marry up the requests that come through your trust center with effective deal sizes or interactions with customers to really know and quantify your GRC team members' impact on the business. Being able to answer such things as hey, as a result of us having a trust center, we influenced the close of over $20 million in ARR in the last 90 days or something that might be a fantastic thing to report of saying we are now a business enabler, we're an accelerator, we're a deal cycle reducer in time. And so as a result, it's really enabling the business. And so the other part is just it really shifts your GRC program from being reactive to very proactive. 
You're able to see what artifacts people are requesting, what questions they're asking, so you really can get ahead of that curve. And I think many forget we're all on a journey, no one's there, and so we're all on that same side when it comes to building trust and really getting it out there to share what we're doing. Now, talking about investing in a platform to automate your GRC program elements, we're well beyond the old way of doing GRC with hundreds of integrations with third-party systems. Our platform is able to integrate and pull full population reviews of controls and make sure we're ready for assessment. Investments and that trust we believe here, at Drata and even in personal life is it's earned every single day and it's one of those that's earned in drips and then lost in buckets. And so when you have a tool to help make sure that you're continually doing what you're saying you're doing, it really keeps you in that realm of integrity, continue doing what you're saying you're doing on that journey. And so having that now is what I'm seeing a number of companies adopt, whether you're at the enterprise side of things where you've invested in this space quite a bit the last 10 years, but are man, I don't know if I want to invest in internal resources and tools to continue doing this, or if I want to adopt a platform that's already doing these things out of the box very well. Either way, it's going to accelerate your program. And last but not least, I want to talk about continuing to shift left, both from a code standpoint as well as a process standpoint. This last year, we released compliance as code. Infrastructure as code is not new, and security scans on infrastructure as code is also not new. But compliance as code. Being able to see and check things before you deploy to see, is this going to continue to help us meet our compliance requirements before it's actually deployed, really saves you from having to build that one resource for the price of two. 
Meaning today, a lot of us are very reactive and saying, hey, you built this resource, but oh, Drata detected it and said that this is not compliant. You have to go rebuild it. Now you can get it in code, which is awesome. So in CI/CD pipelines, we will do those checks to say, hey, you're going to deploy something that's not going to be compliant. And they're able to fix some of those uninstantiated defaults or whatever it may be to really get to the point where it is compliant by design. Those are the 3 tips that I give. Again, Trust Center, start there. Next, invest in an incredible platform to help automate your GRC program. And last but not least, continue to shift left, not only from a code standpoint, but also a process standpoint to say, man, what are some things that we need to prevent from happening initially? And this is one of those.

Carole Theriault

Listen to Matt, people, he's talking sense. So listeners, Drata have made their report The State of GRC 2025 available for you for free. So go and educate yourselves at smashingsecurity.com/drata. That's smashingsecurity.com/drata, D-R-A-T-A. And last but not least, a warm thank you to you, Matt Hillary, Vice President and CISO of Drata. Thank you for chatting with me.

Matt Hillary

Of course, Carole Theriault. Thank you so much for your time.

Graham Cluley

Fantastic stuff. Well, that just about wraps up the show for this week. You can find Smashing Security on Bluesky, unlike Twitter, which wouldn't let us have a G. And don't forget to ensure you never miss another episode. Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

Carole Theriault

And huge thank you to our episode sponsors, Dashlane, Vanta, and Drata. And of course, to our wonderful Patreon community. It's their support that helps us give you this show for free. For episode show notes, sponsorship info, guest lists, and the entire back catalog of more than 416 episodes, check out smashingsecurity.com.

Graham Cluley

Until next time, cheerio, bye-bye. Bye.

Carole Theriault

Oh, my cat just walked in. Cutie. Meow's occasionally on the show. I think she just does it to be a dick. As soon as I'm recording, she'll often come in and go, "Meow." Give her credit. Oh, I should. There you go, Wilmington.

Hosts: Graham Cluley, Carole Theriault

Sponsored by:

  • Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.
  • Dashlane – Protect against the #1 cause of data breaches – poor password habits. Save 25% off a new business plan, or 35% off a personal Premium plan!
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Become a Patreon supporter for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
