
When “bad actors” stop being hackers and start being… actual actors.
This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for a serious film. We unpack why positive lures can short-circuit scepticism just as effectively as fear.
Plus, the UK’s ICO says students are increasingly hacking their own schools.
Meanwhile, Graham heads to 1960s Oxford with Endeavour, while Jenny investigates the Wirral’s mysterious “Catman”.
All this, and more, in episode 435 of the “Smashing Security” podcast.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
I'm going to give you the name of somebody, and you have to tell me whether they've ever portrayed a hacker, cybercriminal, general computer baddie on screen, or if they're just what we in the business call a bit rubbish at acting. Hacker or ham?
Okay, let's do it.
Smashing Security, Episode 435. Lights, camera, action with Graham Cluley. Hello, hello, and welcome to Smashing Security, Episode 435. My name's Graham Cluley.
And I'm Jenny Radcliffe.
Jenny, welcome back to the show. It's been such a long time.
I know, it feels ages. It's lovely to be back. Thanks for asking me.
It is yonks. Now, for anybody who doesn't know you, Jenny, and shame on them if that is the case. How would you describe yourself? Well, I suppose my handle online for all the socials is The People Hacker. And that comes from me being known as a social engineer specialising in psychology of social engineering scams and cons.
You're also a celebrated keynote speaker as well, aren't you? People will often have seen you at conferences and running awareness courses inside companies as well, sort of raising the spectre of social engineering and really helping people get to grips with it.
Yeah, lots of time on the road, lots of talks, podcasts, interviews, that type of thing. And a book. I wrote a book.
Yes.
Which a lot of people seem to enjoy, which is very nice. A few don't, I did have one great review where the guy hated it, hated everything about it. I was a terrible writer. It was awful. And I looked to see what else he'd reviewed, and he'd bought some kitchen utensils, which he'd absolutely spent really a very long time telling everyone how terrible they were. So I didn't feel quite as bad. Let me get the plug in. The book is called People Hacker. 99p very often on a Kindle, I've noticed.
Fantastic. Well, before we kick off, let's thank this week's wonderful sponsors, Adaptive Security and Vanta.
I'd talk about the ICO report that warns that kids are hacking their schools for fun or dares.
We'll be hearing more about them later on the show. This week on Smashing Security, we're not going to be talking about Shai-Hulud, a fast-spreading open-source worm that is stealing credentials from developers and publishing their secrets on GitHub. You'll hear no discussion of how losses are rocketing at Jaguar Land Rover as a cyberattack continues to cause disruption. And we won't even mention how North Korean spies are using ChatGPT to create fake South Korean military IDs. So Jenny, what are you going to be talking about this week?
And I'm going to be talking about crimes against cinema. All this and much more coming up on this episode of Smashing Security. Now, chums, chums, I have to say, I absolutely loathe it when people use the term "bad actors" to describe hackers and cybercriminals. How do you feel about it, Jenny?
It just— I find— well, I find it confuses people. It confuses audiences if I say bad actor, they laugh.
They think of Nicolas Cage. That's what they're thinking about.
You see, I don't think Nicolas Cage is that bad.
Don't you?
No, because I remember a movie called Wild at Heart, which was a David Lynch film, and he was great in it. Oh, okay. I don't know if he was acting so much.
As being Nicolas Cage.
Correct. So I'll give you that.
Okay, bad actor has become this terrible bit of corporate jargon, and it makes cybercriminals sound like they're trying to remember the lines in their Am Dram production of Hamlet, or that they're about as impressive as I was when I played a tree in my school's nativity play. And there are a lot of actors, thespians, who are out of work, and many of them, I suspect, are out of work for good reason. And I think there could be a danger that we create a self-fulfilling prophecy if we refer to malicious hackers as bad actors. Are we, in fact, increasing the risk that actual bad, straight-to-DVD-style actors will view their natural career progression as, well, let's become cybercriminal? So I don't like the terminology. And that is why I propose we start the fight back. Right now, right here on the podcast. I think it's important to stop using the phrase bad actors and be able to tell the difference between bad actors and bad actors. So what I'm going to do with you today, Jenny, is I'm going to play a little game with you, which I call Hacker or Ham. Hacker or Ham.
Okay, let's do it. Let's do it. So, Hacker or Ham is the game show where cybersecurity meets questionable acting choices. Mm-hmm.
And you have to tell me whether they've ever portrayed a hacker, cybercriminal, general computer baddie on screen, or if they're just what we in the business call a bit rubbish at acting. How well do you know your movies?
Okay, I'm okay.
You're alright. I'm not a big movie buff. Although, do you know, back in the day— Yeah.
Yes, the good old days. The good old days. We'll all watch a movie together, right?
All right.
And what we do is we all have to press go at a certain time and then we'd comment online. And it was, you know, clunky and a little bit disjointed, but oh, innocent times, Graham. And it wasn't really all that long ago, I suppose.
I'm a little bit embarrassed, because there's a number of cyber-related movies I've never seen. So, I've never seen Hackers. I've never seen Sneakers.
Oh, great.
I've never seen Jurassic Park. I've never seen WarGames.
Sneakers! Sneakers is the one for me.
Is Sneakers good? Well, it's social engineering. Right. Alright. Let's play Hacker or Ham. Hacker.
Mhm.
Or ham. So, Jen, I am going to read out the name of an actor. You're gonna tell me if they are a bad actor, or if they have played a hacker on celluloid. Are you ready?
I'm ready. Let's do it. Number 1. Angelina Jolie. So, ham played Acid Burn, was the name in Hackers. Or alternatively, Angelina Jolie, Kate.
Oh.
So, she's an actor that played a hacker.
And would she say good actor? Or a ham?
I'm sure she doesn't care what we think. But I think Angelina Jolie is responsible for lots of people of our generation raising an eyebrow and paying more attention to hackers generally, in that movie. For sure.
I think that these celebrity actors right now, when they hear that we've been playing Hacker or Ham, they're probably playing Podcaster or Poop. They're probably saying, is this a decent podcast or is this a pile of cack?
I can tell you one thing about Angelina Jolie is that I was very good friends with someone who used to be a bodyguard.
Oh?
Especially when she was an ambassador for the UN.
Okay.
Apparently, bit of a nightmare to look after, but there you go. That's all I've got to say about that.
Hack on. Or ham. Alright, round 2 of Hacker or Ham. Well done, I think you did very well there. Hayden Christensen, hacker or ham?
He played Anakin Skywalker.
He did.
I don't know if hacking was a particular feature of Star Wars, but I knew
Yeah, I mean, he's pretty— I would say he's pretty hammy. If you saw him in Attack of the Clones, it was— Dear, oh dear, it wasn't good, was it?
Well, you know, I'm afraid I didn't. So there you go.
Alright, number 3, Steven Seagal. Hacker or ham?
Ham. Pure ham. Pure ham. And Seagal though, interesting fact, a lot of people think he did play a hacker.
Right.
Do you want me to tell you why? And you're going to love this. This is so you.
Oh, go ahead, yes.
Because in the movie Under Siege 2, which I will leave people to give an opinion on. But however, people assume he was a hacker because he used an Apple Newton in that. I don't know whether because of the timing or early '90s or something, that was considered wow, he must be a hacker.
That would be really cool.
He must be a hacker because he's using a personal digital assistant. So there you go.
Yeah, as far as I've been able to find out, he's never actually played a hacker. Definitely a bad actor, I would say. Okay, Nicolas Cage. Well, we've already mentioned him. Hacker or ham? You've got quite strong opinions on Nicolas Cage.
I don't know if he's ever played a hacker, I have
I don't think he has played a hacker.
Who's Kevin Mitnick? So no, Kevin Mitnick, obviously for most people in security would know Kevin Mitnick was the hacker known for social engineering and blended attacks.
Yes.
And also the person who said a quote that I use when I do my talks, which is, "You can't download a patch for human stupidity." And I always say that made him really popular at parties, coming up with stuff like that. Whether you agree with him or not.
you'd get something sci-fi in. to be honest.
Kevin Mitnick, hacker or ham?
And I think Kevin Mitnick has actually acted. I think he was in some TV shows.
Yeah.
Was he in Alias or something like that? He had a good agent, I expect.
He did. Walk-on parts, I think.
Yes, yes. Hugh Jackman, hacker or ham?
An actor, but he was in a film called Swordfish.
Yes.
Where he did play a hacker who had to hack something at gunpoint, I think, if I recall.
While being distracted by Halle Berry.
And the thing is, the thing I always think about that, or I mean, it's years since I've seen it, but how fast he types.
Well, he would.
I learned to type very quickly. And I'm looking at him doing a count. This is just almost no one types that quick. Well, thank you very much, Jenny, for playing Hacker or Ham. Hacker or Ham. I have to be honest, the thing that actually caught my attention, that is virtual reality adult entertainment.
Well, someone's got to do the motion capture for it, Jenny, you know.
I always thought that would be the main use of that, but anyway, we digress. Yes, I mean, obviously, even the thought of even one of those things makes me, as a social engineer, chill. It is, it is chilling, isn't it? Because what you've done in this particular case is you've handed over your entire identity, pretty much, to Iranian state-sponsored hackers. Are we really thinking professional actors would be more sceptical? Suspicious. No one's suspicious enough.
Oh, that's true. That's true. No one's suspicious enough, are they? Graham, you are piling in on actors here. People always say, oh God, you know, do we need to be paranoid? Yes. Now, in this particular case, it wasn't teenage script kiddies having a bit of a poke at out-of-work actors. This was actually a sophisticated social engineering operation. Whenever I hear things like this, it reminds me of you, because I always remember you talking about the way that hacks in the past had sort of better names and skulls and things. That was something that made me laugh when you spoke about that. Yes.
I hate when people say how sophisticated or not something is.
Right. Because if it gets through, it doesn't need to be sophisticated. I mean, what do people say when it's not sophisticated? He sort of played cameos.
Yeah, I think that's a fair
Yes. And it's basically they just had the gift of the gab, didn't they? Where they were able to fool people into making poor decisions or they tricked them into believing that they were employees who'd been locked out of accounts. But then, you will see that when security writers and researchers say, they say, "It wasn't particularly sophisticated." Well, forget that. Well, Charming Kitten, earlier this year, they were targeting Israeli technology experts, journalists, and gamers. Cybersecurity professionals as tension rose between Israel and Iran. For instance, the hackers were reportedly using AI to help generate more convincing phishing messages, and apparently these messages said there is an urgent need for immediate assistance on an AI-based threat detection system to counter a surge in cyberattacks targeting Israel. Ah, but using AI to write the scripts, come on, come on now, more effort.
Everyone's so lazy these days.
Yes, exactly. You know, put some work into it, why don't you? So hackers aren't just going after the usual suspects here. They're going after actors, they're going after journalists, they're going after academics, and they don't need a zero-day exploit or sophisticated malware. Just good old-fashioned social engineering will often unlock the door. It's an interesting one, though, because I've been banging on about emotional triggers for years. But actually, this is quite rare inasmuch as a lot of the time when emotion's used in social engineering attacks, it's a negative one. So it's fear or it's shame or it's anger.
Or your credit card's been debited. Right. Or, you know, we've either got your emails and we've found something dodgy. So in this particular case, the actual bad actors, weren't the ones who couldn't remember the lines or deliver dialogue convincingly. They were the ones who were delivering these phishing emails so convincingly that professional actors who can normally tell when someone's putting on a performance, they were the ones who got taken in.
Yeah.
It said, I don't have enough information to determine if a human life is more valuable than a sentient robot's. Pull the plug. In the absence of clear information, I would default to inaction.
Abort. Abort. It's going to save the robot. It's begun. Machines that learn, they grow and strive. One day my name's Graham Cluley. And I'm Mark Stockley. And we'd like you to tune into our podcast, The AI Fix, your weekly dive headfirst into the bizarre and sometimes mind-boggling world of artificial intelligence. So I wanted to talk a little bit about this Information Commissioner's Office, this report, because they've issued a warning.
Yes.
I saw an article from Joe Tidy on the BBC and this article that says there is a worrying trend of students hacking their own school and college systems for fun or as part of a dare. And it was basically saying that over half, so 57% of cyber attacks and data breaches in an education setting, that was carried out by someone with access to internal systems was with the students.
Right. Now that does mean that 43% is not carried out by students, but it's worrying people who are paid to worry about this. And there was this lady, Heather Toomey, who's the principal cyber specialist at the ICO, says, "What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure." Right.
But almost a third of the breaches involve— I'm not laughing because this is bad, but I'm laughing because obviously this is going to happen— involve students illegally logging on to staff computer systems by guessing passwords or stealing details from their teachers. And in one instance, Graham, a 7-year-old— What?
A 7-year-old?
A 7-year-old was involved in a data breach and subsequently referred to the National Crime Agency's Cyber Choices programme, which I have to admit, to my shame, I had not heard of before. But it did feel very— I don't know whether it's just the world we're living in, but that sounds quite 1984. Anyway, and it's to help them understand the seriousness of their actions.
I think I might know what Cyber Choices is. I think it's actually quite a good initiative. I think it's something—
I'm sure it is.
It's targeted to young people and it's designed to make them understand the repercussions. So they sort of say, we know you're into video games, we know you want to get one over your mates in the games, because that often has been a gateway into eventually hacking and cybercrime.
point. I mean, we've seen these attacks recently, a number of well-known named organizations where it appears some of them being hacked because people have rung up the help desks.
Of course.
People begin with DDoS attacks and things.
Yeah, of course, it's a good thing to have that.
But a 7-year-old?
But you know, this pulls into what happens to me, is that I am often asked to either speak to groups of youngsters, kids and teenagers, and sometimes a little bit older, about making the right choices in terms of their cyber skills and this type of thing as well. But the first thing I wanted to talk to you about was, I feel this is part of the problem comes from the curriculum and the way that cyber computing and stuff is taught in schools, because I think it can be quite boring. I don't know whether it's taught in an exciting way.
Right.
And I think if we don't teach kids on a curriculum about all the facets of this, they're going to be educated by someone else and they're going to find out on themselves.
Yeah.
I just don't think it starts early enough. I don't think they teach kids how exciting careers in cyber can be.
Right.
And I think from the very beginning, it needs to be taught that this is the bad stuff. This is what can happen out there. You know, if you've got a kid or a teenager who's really good at it, who's enthused and passionate about it, I think the curriculum needs to focus on that. And really teach them as much as we possibly can. They're going to learn it anyway.
Yes. But also maybe help them in terms of cyber ethics, because they may be immature in terms of their understanding of acceptable behaviours. For instance, hopefully most people know you shouldn't go around reading other people's diaries, right? And just because it's easy maybe to hack into someone's email because they chose a predictable password, doesn't mean it's all right to go in there and read everything which is in there.
No.
And, or you see people who sort of hack each other's social media accounts and post messages, you know, as a laugh, you know, in that person's name to embarrass them in front of their friends. And again, it sounds like a practical joke, but it's actually quite a hurtful thing to do. And it feels like those sort of things are the beginning elements of what could become something which turns more malicious in the future.
Yeah.
If you think that's all right, then you begin to use that as a basis for maybe deciding other behaviours are acceptable.
It should be from day one. Kids should be taught about the skills required, the ethics required, but also that it can be exciting and you can be on the right side. Yes. And also, I feel sorry for teachers.
Yeah.
I mean, I was asked to look at something for a school and the IT guy was great.
Yeah.
But I mean, trying to do the job that if it'd been a company with that many people and that many potential access points, he probably would have had a team of 8 to 10 minimum. But there's one guy and he's trying to keep an eye on all of this. But what made me smile was the idea that people were surprised.
Yeah.
You know, they were surprised when most of us who've got children have had at least one instant in their life where the child has managed to sort out a technical issue for you. Or maybe I'm just speaking for myself or someone I know.
Back in our day, we were programming the video recorder. Now the kids are probably fixing the firewall at home.
Exactly. And what it brings me to as well is the idea that alongside all of this, there should be being taught about awareness. And that gets forgotten as well. So, kids are naturally brilliant social engineers, right? They know which emotional strings to pull. They know what stories to tell. They know how to use urgency. So, we have to get a grip on the curriculum and we have to start teaching our children and our teenagers, "Look, you've got this, kids. These are the pitfalls. These are the dangers. These are the ethics. This is how you protect yourselves." And look, it can be exciting to be on the right side. And that, that to me, that's the wake-up call. Wise words. Okay, chums, hands up if you've ever clicked a dodgy link and then immediately thought, oh no, I've just handed my entire life over to a bloke in a tracksuit somewhere. Don't worry, you're not alone. Pick of the Week. Pick of the Week is the part of the show where everyone chooses something they like. Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish. It doesn't have to be security related necessarily. Well, no. No.
A simple answer.
Because I'm afraid—
Yes?
I don't watch that much television, which is a problem in the current stage of my various projects, but I don't actually watch all that much TV. So, but I love a detective drama, so do tell. Yeah, I don't watch that much either, but I get to see it sometimes over her shoulder. And Endeavour is a prequel to Inspector Morse. Lovely. Da da da!
Jenny, what's your pick of the week?
Okay, so let's go to the opposite end of the scale.
Okay.
It's a mystery as well.
Yes.
So I'll read the headline.
Right. And this is from the Liverpool Echo. Crowds armed with torches hunt the Catman every night. Okay. Yep.
Who is dressed head to toe in a black catsuit. And this starts at sort of mid-June or mid-July.
All right. And people start seeing this guy dressed as a cat crawling through sand dunes, hiding behind bus stops, and in one instance approaching a parked car. And obviously now you would, you'd think there would be something more sinister or dodgy about this, but it appears to be not the case. Can I just clarify, when you say a cat suit, do you mean he's dressed up like a cat? Has he got whiskers and a tail, or?
It appears to be just someone wearing a skin-tight suit and some sort of cat mask.
Right. People have sort of looked at photographs and seen him in the background, and someone's taken a shot of him, and you can look them up online, obviously. I can't really make out that it looks like a cat, but apparently, he meows as well. Yes. Whereas now there's people taking photographs, they're being interviewed, there's a Facebook group. And it sort of made me laugh, even though clearly, you know, nothing bad has happened so far. Oh, so he wasn't his team. Now, a thought strikes me, Jenny, with all this attention this is getting on social media, is there a danger, I hate to say this, of copycats? Except when we're not, Graham. This is the thing, except when we're not. Oh, you can't go around dressing up as a clown. Someone dressed up as the clown and walked in front of people's Ring doorbells for a while and did it in places like Newcastle and Liverpool and Glasgow. The thing that I suppose I'd finish on on this would be, when I talk about social engineering and hacking generally, I talk about motive a lot, right? Or in this case, a sexual kink. Yes, carry on, yes.
Well, I've avoided saying that, Graham, and now you've gone there, haven't you? I think it's a gimp suit. There's some meeting, he hasn't got the address for the party, he's going down the road. Your filthy mind went straight to the gutter. It doesn't seem to be that.
You're calling me the pervert, but this was your pick of the week. Can I just point that out?
So it was, with no indication whatsoever that it has anything to do with anything else. Brilliant stuff. Well, that just about wraps up the show for this week. If you find me on LinkedIn or look for The People Hacker across socials, you'll find articles and interviews and things like that. And then need to watch this space for next year because next year is going to be very busy.
And of course, Smashing Security is on social media as well. You can find Smashing Security on Bluesky and you can also follow me on LinkedIn. And don't forget, to ensure you never miss another episode, follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, and the entire back catalog of 435 or so episodes, check out smashingsecurity.com. Until next time, cheerio, bye-bye.
Bye.
You've been listening to Smashing Security with me, Graham Cluley, and that was rather fun, wasn't it? Thank you so much to Jenny Radcliffe. And also I'm grateful to this episode's sponsors, Adaptive Security and Vanta. And of course, to all the chums who've signed up for Smashing Security Plus over on Patreon. They include Sebi, Heisenberg, Jack Anver Perth, Davon Pam, Xylar, Matthew Hunt, Mark Norman, Snack Madge, Daniel Kromeck, Nigel Scott, Sammy Dozer, Thom Langford, John W, Dr Herbalist, Mark Luxton, Reuben, Richard Maltner, and Steve B. Well, if you're rather jealous of those fine chaps and chapesses, you may well want to get your name read out at the end of one of the Smashing Security episodes, and you can have that pleasure from time to time. It's just one of the joys of Smashing Security Plus. You sign up for as little as $5 a month and you can get your name read out every now and then, as well as get early access to Smashing Security episodes and the occasional bonus content. If you're interested, just go to smashingsecurity.com/plus for more details. Now, I realize not everybody can do that. Not everybody can afford it and you've probably got much better things to spend your money on. So there are other ways in which you can support the podcast. You can like, you can subscribe, you can give 5-star reviews. Apparently that really tickles the algorithms and boy oh boy, people do love having their algorithms tickled, don't they? Maybe you can jot down a few lines and post on social media enticing other people to give Smashing Security a listen. Whatever you do to spread the word, I really, really appreciate it. It is enormously helpful and it really makes all the effort worthwhile. So hope you enjoyed this week's episode and that you'll tune in next week for some more. And until then, cheerio. Bye-bye.
Host:
Graham Cluley
Guest:
Jenny Radcliffe
Episode links:
- Shai-Hulud Worm Compromises npm Ecosystem in Supply Chain Attack – Unit 42.
- Jaguar Land Rover extends production shutdown after cyber-attack – The Guardian.
- AI-Driven Deepfake Military ID Fraud Campaign by Kimsuky APT – Genians.
- Israel says suspected Iranian hackers targeted actors in phishing attack – Iran International.
- Iranian Educated Manticore Targets Leading Tech Academics – Check Point.
- Children hacking their own schools for ‘fun’, watchdog warns – BBC News.
- Endeavour – ITVx.
- Crowds armed with torches hunt the “cat man” every night – Liverpool Echo.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Adaptive Security – request a custom demo featuring a real CEO deepfake simulation today from adaptivesecurity.com.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Become a Patreon supporter for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.

