Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table.
Meanwhile, researchers have found they could poke around an FIA driver portal to pull up the personal details of Formula 1 megastars.
Plus: Graham’s “Pick of the Week” turns CAPTCHA hell into a delightfully deranged browser game that will make you question vegetables, geometry, and your life choices, while Danny takes a trip to ancient Africa.
All this and more is discussed in episode 441 of “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Danny Palmer.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
They would use prearranged physical cues like touching a particular chip or adjusting items on the table or scratching their nose or their buttocks or whatever it was.
That's it.
They had to try. Obviously, it's a problem if you have got an itchy bottom. You could send the wrong messages. Smashing Security.
Smashing Security, episode 441, Inside the Mob's Million Dollar Poker Hack and a Formula 1 Fumble with Graham Cluley and special guest Danny Palmer.
Smashing Security, episode 441, Inside the Mob's Million Dollar Poker Hack and a Formula 1 Fumble with Graham Cluley and special guest Danny Palmer.
Hello, hello, and welcome to Smashing Security, episode 441. My name's Graham Cluley.
And I'm Danny Palmer.
Danny, first time on the show. Welcome.
Thank you for having me. Longtime listener, first time caller.
Now Danny, it is your first time on the show. There may be some people out there who don't know who you are. Why don't you describe what you do?
And what you're doing on Smashing Security. What brings you here?
And what you're doing on Smashing Security. What brings you here?
Cool. Well, I suppose the summary is I'm a cybersecurity journalist and writer, which I've been doing for the past, oh, 15 years or so now.
I was probably best known for my time at ZDNet, where I was senior reporter for about 7 and a half years up until 2023. I've been freelance from the start of this year.
I've appeared in various publications that people are probably aware of, you know, The Register, The Stack, Computer Weekly, that sort of thing.
Do a bit of consulting on the side as well.
And prior to ZDNet, I was at Computing magazine for a number of years where I was talking about and reporting on things what CIOs were thinking about and talking about, which is where we first came into contact, I believe.
I was probably best known for my time at ZDNet, where I was senior reporter for about 7 and a half years up until 2023. I've been freelance from the start of this year.
I've appeared in various publications that people are probably aware of, you know, The Register, The Stack, Computer Weekly, that sort of thing.
Do a bit of consulting on the side as well.
And prior to ZDNet, I was at Computing magazine for a number of years where I was talking about and reporting on things what CIOs were thinking about and talking about, which is where we first came into contact, I believe.
I think it was. I actually remember an interview we did down in some London hotel one time. And you wrote an article about how, what was it?
Don't call it the cloud, call it someone else's computer. Yeah, exactly. I managed to dig up the article.
Oh yeah, I think that may have been the first time that we actually met. And for a really long time, I believed maybe I had been the first person to come up with that phrase.
It was still early back then, I suppose, because back then cloud, this newfangled thing that CIOs and IT leaders were trying to get to grips with while they were still planning for a BYOD strategy that involved BlackBerrys with keyboards on.
But your beat is very much cybersecurity, isn't it?
Yes, yes. I did a bit of security back then. At ZDNet, I really focused on cybersecurity as a beat.
I worked internally at a cybersecurity company for two years doing editorial strategy for them. So yeah, it's the bread and butter of what I do. 95% of it is, yes, cybersecurity.
I've been covering the space for a long time. I think, I like to think about how one of my very first stories for ZDNet back in 2016 was about a ransomware attack.
It hit a hospital, I believe it was, in the north of England. And the ransom demand for that was a colossal total of £500.
I worked internally at a cybersecurity company for two years doing editorial strategy for them. So yeah, it's the bread and butter of what I do. 95% of it is, yes, cybersecurity.
I've been covering the space for a long time. I think, I like to think about how one of my very first stories for ZDNet back in 2016 was about a ransomware attack.
It hit a hospital, I believe it was, in the north of England. And the ransom demand for that was a colossal total of £500.
How times have changed.
Yeah, you're lucky now if they only want, in inverted commas, £500,000. It's evolved.
Everything's evolved and it's just getting faster, it seems, which leads people like me to write about and explain these issues.
And I hope I can help in that way because I don't have any technical background myself.
You know, my background is a journalist and reporter, but everything I've learned over the years has been covering the space. I've always found it so fascinating.
There's always stuff to write about. People wanted to hear about it.
And as has been discussed plenty of times on the podcast, cybersecurity is, for want of a better phrase, real world, real news now.
And if we all know about the Jaguar Land Rover everything. M&S, the Co-op. It's not just this thing that's at arm's length, it's affecting the real world.
Everything's evolved and it's just getting faster, it seems, which leads people like me to write about and explain these issues.
And I hope I can help in that way because I don't have any technical background myself.
You know, my background is a journalist and reporter, but everything I've learned over the years has been covering the space. I've always found it so fascinating.
There's always stuff to write about. People wanted to hear about it.
And as has been discussed plenty of times on the podcast, cybersecurity is, for want of a better phrase, real world, real news now.
And if we all know about the Jaguar Land Rover everything. M&S, the Co-op. It's not just this thing that's at arm's length, it's affecting the real world.
And it's impacting all of us, isn't it?
Yeah, yeah. I remember that weekend when the Co-op thing happened and thinking, huh, shelves are a bit empty, or must be just because it's the bank holiday weekend.
Turns out it was not.
Turns out it was not.
Well, before we kick off, let's thank this week's wonderful sponsors: Action1, Vanta, and SecAlerts. We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we're not going to be talking about how a fake Telegram app has infected over 58,000 Android devices with malware, stealing data and seizing control of accounts.
You'll hear no discussion of how food shipments in Russia have been disrupted nationwide after its food safety agency was hit by a DDoS attack.
And we won't even mention how people searching for videos about game hacks, cheats, and software cracks are being targeted by a sophisticated network of malicious accounts on YouTube distributing malware.
So Danny, what are you going to be talking about this week?
This week on Smashing Security, we're not going to be talking about how a fake Telegram app has infected over 58,000 Android devices with malware, stealing data and seizing control of accounts.
You'll hear no discussion of how food shipments in Russia have been disrupted nationwide after its food safety agency was hit by a DDoS attack.
And we won't even mention how people searching for videos about game hacks, cheats, and software cracks are being targeted by a sophisticated network of malicious accounts on YouTube distributing malware.
So Danny, what are you going to be talking about this week?
I'm going to be talking about how hackers managed to access the passports of Formula 1 drivers.
And I'm going to be talking about high-stakes hackers. All this and much more coming up on this episode of Smashing Security.
Right then, we've got time for a quick word now about one of our sponsors today, Action1. Now, most security breaches still happen because of unpatched vulnerabilities.
And the worst part? Many already have fixes available for them. But patching can be a real pain, right?
If staying up at night worrying about the next cyberattack headline sounds familiar, it's time to try Action1, the patch management platform that just works.
You can start updating Windows, Mac, and third-party apps in under 5 minutes, and Linux support is coming very soon. The best part?
Well, your first 200 endpoints are free forever with no functional limits. This isn't a disguised free trial. There's no credit card required, no hidden limits, no tricks.
All you have to do is visit smashingsecurity.com/action1. Smashingsecurity.com/action1 and get started today.
So if you're looking to automate patching and save weeks or even months doing it, go to smashingsecurity.com/action1 and sign up for patching that just works.
And thanks to Action1 for supporting the show. Now, Danny, Danny, I've got a question for you.
Right then, we've got time for a quick word now about one of our sponsors today, Action1. Now, most security breaches still happen because of unpatched vulnerabilities.
And the worst part? Many already have fixes available for them. But patching can be a real pain, right?
If staying up at night worrying about the next cyberattack headline sounds familiar, it's time to try Action1, the patch management platform that just works.
You can start updating Windows, Mac, and third-party apps in under 5 minutes, and Linux support is coming very soon. The best part?
Well, your first 200 endpoints are free forever with no functional limits. This isn't a disguised free trial. There's no credit card required, no hidden limits, no tricks.
All you have to do is visit smashingsecurity.com/action1. Smashingsecurity.com/action1 and get started today.
So if you're looking to automate patching and save weeks or even months doing it, go to smashingsecurity.com/action1 and sign up for patching that just works.
And thanks to Action1 for supporting the show. Now, Danny, Danny, I've got a question for you.
Yes.
Have you ever wanted to join the mafia?
I don't think I'd do that well in that sort of environment, if I'm honest.
You don't picture yourself as Danny Cold Grip Palmerelli or something like that? You'd be offering to whack people's unpatched networks. You don't picture yourself in that way?
Why ever not?
Why ever not?
Well, when you give me a cool nickname like that, maybe, maybe I can consider it a bit more.
I could see you offering protection contracts on people's USB drives, you know, sidling up to people saying, awful lot of data you've got there, would be a real shame if something were to happen to it.
Every week you'd have to come kneel before me, Don Cluelioni, pay your respect. Well, here's the thing, Danny.
Don't imagine that it is all pretzels and horses' heads on the pillow in organised crime, because sometimes things can get pretty sticky.
As they have done in the United States, where 31 people have just been arrested and charged with running illegal rigged poker games.
Every week you'd have to come kneel before me, Don Cluelioni, pay your respect. Well, here's the thing, Danny.
Don't imagine that it is all pretzels and horses' heads on the pillow in organised crime, because sometimes things can get pretty sticky.
As they have done in the United States, where 31 people have just been arrested and charged with running illegal rigged poker games.
Oh dear.
Yeah. And of course, they're using technology to help them.
Of course.
According to FBI Director Kash Patel, he says we're talking about tens of millions of dollars in fraud and theft and robbery. And this was a multi-year investigation.
Well, I was thinking, well, that sounds interesting. I thought it'd be interesting to hear how they've managed to hack these poker games. I thought, is it online gambling?
What's going on? Turns out it's not online gambling. Turns out this is real-life stuff. IRL, as the kids say.
Well, I was thinking, well, that sounds interesting. I thought it'd be interesting to hear how they've managed to hack these poker games. I thought, is it online gambling?
What's going on? Turns out it's not online gambling. Turns out this is real-life stuff. IRL, as the kids say.
Ah, that's interesting. You'd think it would be virtual, because it's probably easier, probably, to rob a virtual casino than it is to rob an actual casino or a museum, maybe.
Yeah, and you also imagine it's harder to get caught if you're doing it virtually, possibly from the other side of the planet rather than across the other side of a green baize table.
So I looked into this and it sounds like a remarkably sophisticated cheating operation, and it makes old-fashioned methods like card counting seem positively quaint.
But first, let's set the scene. So this operation allegedly ran from about 2019 until quite recently, and it involved a mixture of people.
So the people organizing the poker games, there were people supplying technology which helps them cheat. There were money launderers.
And in addition, they also had well-known sports stars who were helping them.
So I looked into this and it sounds like a remarkably sophisticated cheating operation, and it makes old-fashioned methods like card counting seem positively quaint.
But first, let's set the scene. So this operation allegedly ran from about 2019 until quite recently, and it involved a mixture of people.
So the people organizing the poker games, there were people supplying technology which helps them cheat. There were money launderers.
And in addition, they also had well-known sports stars who were helping them.
Interesting. Were these sports stars willing accomplices, or— You sometimes see people pay to get cameos and things.
Yes.
Sports stars will say something and— Yeah, not really knowing what they're saying.
Yes, you sometimes get that. But according to the FBI, these were people who knew what they were doing. They say they were employed as what they called face cards to lure in victims.
There are former and current NBA figures, so these are the basketball stars in America, who were used to attract, draw people in to play high-stakes private poker games against them.
Amongst the people arrested is Miami Heat NBA player Terry Rozier, also known as Scary Terry.
There are former and current NBA figures, so these are the basketball stars in America, who were used to attract, draw people in to play high-stakes private poker games against them.
Amongst the people arrested is Miami Heat NBA player Terry Rozier, also known as Scary Terry.
That's a good mob name.
And Chauncey Billups, who is the head coach of the Portland Trail Blazers, who was inducted into the Basketball Hall of Fame last year.
And these poker games took place in private houses and high-end card rooms. So there's no traditional casino involved here.
And these poker games took place in private houses and high-end card rooms. So there's no traditional casino involved here.
So they're not going and candying their chips in Las Vegas or somewhere. They're just going to— Well, someone's fancy house, by the sound of it.
Yeah, it's not the Mecca Bingo Hall. It's not the Bellagio.
Same thing.
This is someone's— probably quite a nice house, I imagine. But there's no oversight. It's the perfect environment for scamming the unwary.
So this is a combination of celebrities being present. There's secrecy. There's a perceived exclusive high-roller table.
And this is social engineering, where victims assume the games are legitimate, and maybe are more willing to bet large sums. Are you a gambler at all?
So this is a combination of celebrities being present. There's secrecy. There's a perceived exclusive high-roller table.
And this is social engineering, where victims assume the games are legitimate, and maybe are more willing to bet large sums. Are you a gambler at all?
No, not really. I've been to Vegas.
Yeah.
I've put $5 in a machine and it gave me back $70. And that was me done. I was like, yep, okay. I've won gambling now. I'm just gonna go enjoy my winnings.
Well done to you. Well done for walking away, and congratulations on walking away with more than you went in with. That's brilliant.
So, in a normal poker game across a table, they will have in the casinos a shuffling machine. That's something which randomly mixes the cards before they're dealt.
Presumably that's to stop any shenanigans or if the dealer is crooked and doing a sort of dodgy shuffle. So it avoids the accusations of cheating.
So, in a normal poker game across a table, they will have in the casinos a shuffling machine. That's something which randomly mixes the cards before they're dealt.
Presumably that's to stop any shenanigans or if the dealer is crooked and doing a sort of dodgy shuffle. So it avoids the accusations of cheating.
No dodgy dealers here, of course.
No, no dodgy deals, no dodgy dealers. But in this case, they were using something called the DeckMate 2 card shuffler.
These are machines that you'll find in proper casinos that are meant to ensure a deck has been perfectly randomly shuffled.
But the DeckMate II, in what can only be described in retrospect as an accident waiting to happen, has a curious component, because part of its gubbins inside is an internal camera.
Yeah. Now this normally verifies the integrity of a deck of cards, that it hasn't been tampered with and that it is being shuffled properly.
But back at the Black Hat security conference a couple of years ago, a security researcher called Joseph Tartaro demonstrated that if you could gain access to that camera, you've essentially got — well, it's like having X-ray vision at the poker table.
These are machines that you'll find in proper casinos that are meant to ensure a deck has been perfectly randomly shuffled.
But the DeckMate II, in what can only be described in retrospect as an accident waiting to happen, has a curious component, because part of its gubbins inside is an internal camera.
Yeah. Now this normally verifies the integrity of a deck of cards, that it hasn't been tampered with and that it is being shuffled properly.
But back at the Black Hat security conference a couple of years ago, a security researcher called Joseph Tartaro demonstrated that if you could gain access to that camera, you've essentially got — well, it's like having X-ray vision at the poker table.
Are we going to find out next that this camera was connected to the internet somehow, or was linked to a local laptop?
I can see already that you are auditioning for your place inside some sort of criminal organisation, Danny. You've got that kind of mindset.
So normally the device doesn't have that, but it does have a USB port. And it turns out that you can alter the firmware through that USB port.
And the new firmware which you put on can access the camera feed and will then send images of every single card as it's being shuffled via Bluetooth to a nearby phone.
So someone standing around the table has got a phone which is connected to the card shuffler. Because that's easier if you think about it.
It's easier to have some sort of dodgy piece of software on your phone than to have it on the card shuffler.
So if you can just get the feed sent to your phone, then your phone can do more. And maybe your phone has got a better connection to 4G data or Wi-Fi or whatever it may be.
So normally the device doesn't have that, but it does have a USB port. And it turns out that you can alter the firmware through that USB port.
And the new firmware which you put on can access the camera feed and will then send images of every single card as it's being shuffled via Bluetooth to a nearby phone.
So someone standing around the table has got a phone which is connected to the card shuffler. Because that's easier if you think about it.
It's easier to have some sort of dodgy piece of software on your phone than to have it on the card shuffler.
So if you can just get the feed sent to your phone, then your phone can do more. And maybe your phone has got a better connection to 4G data or Wi-Fi or whatever it may be.
From what I know about card games, which admittedly isn't that much, I believe in places like Las Vegas, you're not allowed your phone at the table.
While I suppose in environments like this, which are less regulated—
While I suppose in environments like this, which are less regulated—
Yeah.
That's allowed.
This is the thing, you see. It's not as though the person around the table is looking at their phone, right? The phone is being used to transmit the images further.
So it is then transmitting this data, the data doesn't just go to one person around the table. It goes to someone who's offsite.
I'm imagining a guy in a van parked outside, but maybe that's just my cinematic, you know, I've just seen too many heist movies.
So it is then transmitting this data, the data doesn't just go to one person around the table. It goes to someone who's offsite.
I'm imagining a guy in a van parked outside, but maybe that's just my cinematic, you know, I've just seen too many heist movies.
With some sort of nondescript description on the side saying it's like a catering company or—
Yes, or laundry or— Yes, exactly.
Flowers by Irene, that sort of thing.
But in fact, it could just as easily be someone in a different room. Who knows? Because this isn't a private home.
And that person who's safely removed from the actual game, they've probably got their proper computer there, which is receiving the full deck in order.
And they're running it through a custom app, which is calculating the optimal betting strategies for each hand.
And that person who's safely removed from the actual game, they've probably got their proper computer there, which is receiving the full deck in order.
And they're running it through a custom app, which is calculating the optimal betting strategies for each hand.
Ah.
And that remote operator, let's imagine they are in a van. They have become the command centre. And they are transmitting instructions back to someone at the table.
And that person they called the quarterback. They liked a lot of sporting terminology, maybe because they were doing stuff with the NBA here.
And that person they called the quarterback. They liked a lot of sporting terminology, maybe because they were doing stuff with the NBA here.
Yep, that sounds about right. They do like a brand, criminals, don't they?
So, the quarterback, they can't obviously, you know, go, "Couple of aces." They can't, you know, "Fold." They can't do that.
So, they developed a rather elegant signalling system for the people playing round the table.
They would use pre-arranged physical cues, like touching a particular chip, or adjusting items on the table, or scratching their nose, or their buttocks, or whatever it was that they had to communicate.
So, they developed a rather elegant signalling system for the people playing round the table.
They would use pre-arranged physical cues, like touching a particular chip, or adjusting items on the table, or scratching their nose, or their buttocks, or whatever it was that they had to communicate.
It's very sort of old school, that is, isn't it, in terms of how it's operated in the physical space?
Yes, but at this stage, what else can you do?
You know, obviously it's a problem if you have got an itchy bottom or if you have got a cold and you're touching your face all the time.
You know, you could obviously send the wrong messages.
You know, obviously it's a problem if you have got an itchy bottom or if you have got a cold and you're touching your face all the time.
You know, you could obviously send the wrong messages.
Yeah, you don't want the coughing major at your table.
So each gesture they make translates to specific instruction. So, you know, who has got the win in hand or watch out for them or when to raise, when to fold, when to go all in.
They don't need to be too specific. They just need to give a general direction of, ask for another card or give up now because you're gonna lose.
They don't need to be too specific. They just need to give a general direction of, ask for another card or give up now because you're gonna lose.
It's really interesting, isn't it? You'd say it's quite innovative.
Obviously being used for naughty purposes, but they put in the work to figure out how to get this whole scheme going.
Obviously being used for naughty purposes, but they put in the work to figure out how to get this whole scheme going.
And if you're gonna make millions, which apparently this gang did, it's obviously worth the investment and the number of people and the technology which they're using.
According to the indictment, they won large sums of money from unsuspecting players — these people who came to these games were losing, in some cases, hundreds of thousands of dollars.
According to the indictment, they won large sums of money from unsuspecting players — these people who came to these games were losing, in some cases, hundreds of thousands of dollars.
Ow.
And it wasn't just the tech which we've spoken about, the shuffling machine. Apparently there was a chip tray which was fitted with hidden cameras as well to read cards.
As cards are sort of dealt round the table, they had a special— get this— they had apparently an X-ray table that could see face-down cards.
As cards are sort of dealt round the table, they had a special— get this— they had apparently an X-ray table that could see face-down cards.
It's all very James Bond, isn't it?
You can imagine Q coming up with this. They had contact lenses or glasses that apparently could detect marked cards.
Now, that must be part of a Bond film.
That has to be, doesn't it? There must be a movie where that happens. Apparently, they were also up to other shenanigans.
So they apparently allegedly robbed someone at gunpoint to steal their card shuffler.
I don't know why they stole one, but apparently they stole one which had already been rigged in this particular way. Maybe they're having problems with the supply chain.
I don't know. I suppose you can't go on eBay and buy one which has already been tampered with.
So they apparently allegedly robbed someone at gunpoint to steal their card shuffler.
I don't know why they stole one, but apparently they stole one which had already been rigged in this particular way. Maybe they're having problems with the supply chain.
I don't know. I suppose you can't go on eBay and buy one which has already been tampered with.
Maybe their darkweb marketplace had recently suffered a takedown. So, yeah, supply chain issues there, not just for the general public, also for cybercriminals.
So they had these basketball stars who were drawing people in who had money.
There was this quarterback who was receiving the card information and distributing it through prearranged signals. And they also— all these chaps around the table.
They have colourful names. There's a guy called Juice there. There's another guy who was called Black Tony, another guy called Flapper Poker.
And there was a number of infamous crime families involved. The Bonannos, the Gambinos, the Genoveses. These are all branches of the mafia.
They were taking their cut from these games, which were running from Manhattan to the Hamptons to Miami. It's a pretty big deal, Danny.
There was this quarterback who was receiving the card information and distributing it through prearranged signals. And they also— all these chaps around the table.
They have colourful names. There's a guy called Juice there. There's another guy who was called Black Tony, another guy called Flapper Poker.
And there was a number of infamous crime families involved. The Bonannos, the Gambinos, the Genoveses. These are all branches of the mafia.
They were taking their cut from these games, which were running from Manhattan to the Hamptons to Miami. It's a pretty big deal, Danny.
Yeah. I can't help but chuckle at those names. They do sound stereotypically made-up Italian gangster names. It does. But I suppose, no, real life influences the movies.
So Gambinos, I mean, that's so close to just being Gambolinos, which would— it'd be all be a bit on the nose, wouldn't it?
So Gambinos, I mean, that's so close to just being Gambolinos, which would— it'd be all be a bit on the nose, wouldn't it?
And of course, sometimes the people thought, well, how come I keep on losing these games? You know, normally I do better than this.
And some of these people refused to pay their debts.
But of course, if you refuse to pay your debt to these kind of people, they are going to deploy their traditional collection methods, right?
Which quite often may be down a back alley with a bit of lead drainpipe. So, you know, chances are you're going to pay up.
And some of these people refused to pay their debts.
But of course, if you refuse to pay your debt to these kind of people, they are going to deploy their traditional collection methods, right?
Which quite often may be down a back alley with a bit of lead drainpipe. So, you know, chances are you're going to pay up.
Either that or lose use of your knees, I suppose.
Yes. Now, it turns out the guys at Wired magazine a while back, after the research was announced at Black Hat, they actually tested out this DECM8-2 vulnerability themselves.
They demonstrated the hack in a real game. They successfully fleeced two unsuspecting players. So there's a new source of income for any journalists who—
They demonstrated the hack in a real game. They successfully fleeced two unsuspecting players. So there's a new source of income for any journalists who—
It is a tough industry out there.
It is. It is. So I hope this has given you some ideas, Danny.
But unfortunately for you, the Deckmate 2, the manufacturers have since issued patches and disabled the USB port, maybe with a bit of chewing gum, I don't know.
But apparently those fixes, though, only apply to new units in licensed establishments.
So if you're going for a private poker game and they've got a deck shuffling machine, maybe you'd be a little bit careful.
Or also if you hear the X-ray machine whir up as it hits you with radiation and takes your X-ray in order to find out what's on the cards. So watch out.
But unfortunately for you, the Deckmate 2, the manufacturers have since issued patches and disabled the USB port, maybe with a bit of chewing gum, I don't know.
But apparently those fixes, though, only apply to new units in licensed establishments.
So if you're going for a private poker game and they've got a deck shuffling machine, maybe you'd be a little bit careful.
Or also if you hear the X-ray machine whir up as it hits you with radiation and takes your X-ray in order to find out what's on the cards. So watch out.
I mean, security patching is difficult for many people. Options this where they, well, they just don't want to apply them.
There's no sort of we can or we can't, just you're relying on the goodness of their criminal hearts to patch this thing out so they can stop doing their own scam.
I suspect they might not be willing to do.
There's no sort of we can or we can't, just you're relying on the goodness of their criminal hearts to patch this thing out so they can stop doing their own scam.
I suspect they might not be willing to do.
Let me tell you about SecAlerts, who are sponsoring today's show.
Look, if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem.
They monitor over 100 sources and automatically match vulnerabilities to your specific software versions. But here's the clever bit.
You can build custom queries that filter out all the noise. Want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?
Done. No more wading through irrelevant alerts. You can push those alerts directly to the people who need them via email, Slack, Teams, whatever works for you.
And set the frequency yourself. One of their clients said it best. They said, "SecAlerts has been an absolute game changer.
We've strengthened our security posture and improved response times significantly." They've got plans for businesses of all sizes, and right now you can try SecAlerts for free for 30 days.
Use the code SMASHING and you'll get 50% off a yearly subscription. Check them out at SecAlerts.co. That's secalerts.co. And thanks to SecAlerts for supporting the show.
Danny, what's your story for us this week?
Look, if you're drowning in vulnerability alerts and spending way too much time figuring out which ones actually matter to you and your software, SecAlerts solves that problem.
They monitor over 100 sources and automatically match vulnerabilities to your specific software versions. But here's the clever bit.
You can build custom queries that filter out all the noise. Want to see only critical Microsoft vulnerabilities with a CVSS of 8 to 10 that have been actively exploited this week?
Done. No more wading through irrelevant alerts. You can push those alerts directly to the people who need them via email, Slack, Teams, whatever works for you.
And set the frequency yourself. One of their clients said it best. They said, "SecAlerts has been an absolute game changer.
We've strengthened our security posture and improved response times significantly." They've got plans for businesses of all sizes, and right now you can try SecAlerts for free for 30 days.
Use the code SMASHING and you'll get 50% off a yearly subscription. Check them out at SecAlerts.co. That's secalerts.co. And thanks to SecAlerts for supporting the show.
Danny, what's your story for us this week?
Well, I found this really interesting. It's also kind of sports themed.
Okay.
So basically, some cybersecurity researchers, Iain Carroll, Gal Nagle, and Sam Curry, they thought it'd be fun to try and essentially hack and test some of the websites around Formula 1.
As I'm sure many people know, cybersecurity and Formula 1 are very linked these days.
Half the teams have a cybersecurity company's name on their car, which is, you know, it's all over the place.
When you see sort of, you know, these big name drivers, they've got the names of companies on their jackets, on the side of the car.
It's always interesting when I was playing Formula 1 games. It's I was going to relax after a day at work, then I'd be stuck behind a car with a security company's name on the back.
It's "oh, I was trying to relax in my evening away from cybersecurity, but apparently not." Anyway, they had a look at the FIA, which is essentially the global body that runs international motorsport.
They looked at the Super Licence and Driver Categorisation Portal, and long story short, they managed to access Max Verstappen's passport, driver's license, and personal information within about 10 minutes.
As I'm sure many people know, cybersecurity and Formula 1 are very linked these days.
Half the teams have a cybersecurity company's name on their car, which is, you know, it's all over the place.
When you see sort of, you know, these big name drivers, they've got the names of companies on their jackets, on the side of the car.
It's always interesting when I was playing Formula 1 games. It's I was going to relax after a day at work, then I'd be stuck behind a car with a security company's name on the back.
It's "oh, I was trying to relax in my evening away from cybersecurity, but apparently not." Anyway, they had a look at the FIA, which is essentially the global body that runs international motorsport.
They looked at the Super Licence and Driver Categorisation Portal, and long story short, they managed to access Max Verstappen's passport, driver's license, and personal information within about 10 minutes.
Oh, crikey.
They didn't do anything bad with it. They just, they were able to look at it. And crucially, this vulnerability has been closed. It was all responsibly disclosed.
But essentially, there's a public-facing system because while you do have the superstar motorsport drivers in Formula 1 and the other high-level sports, you can do motor racing as a more amateur pursuit.
But essentially, there's a public-facing system because while you do have the superstar motorsport drivers in Formula 1 and the other high-level sports, you can do motor racing as a more amateur pursuit.
Yes.
You still have to get your license, your paperwork to allow you to do so.
You have to be loaded as well, don't you? You have to be rich.
I think it helps, yeah. I think it does help. I mean, I don't think you need one of these to go sort of banger racing.
But yeah, if you want to sort of do your sports car Porsche racing and that sort of thing, yeah, you do need to be quite rich.
And again, I believe some cybersecurity executives I won't name actually do take part in actual sports car races, which is, uh, I've heard that.
But yeah, if you want to sort of do your sports car Porsche racing and that sort of thing, yeah, you do need to be quite rich.
And again, I believe some cybersecurity executives I won't name actually do take part in actual sports car races, which is, uh, I've heard that.
Yes.
A good hobby, I guess, if you can afford it. But in this case, the portal is public-facing.
Now, any website you sign up to, you can enter your name and password to sign up, which anyone can do, 'cause anyone could really be involved in this.
Now, any website you sign up to, you can enter your name and password to sign up, which anyone can do, 'cause anyone could really be involved in this.
Right.
So essentially they logged into this system, they got in there, and they started poking around the backend of things, and they found a JavaScript exploit in the login portal, which allowed them to see a bit more information than they perhaps should have been able to see.
But it also gave them the access to tools which could escalate administrator privileges.
So, oh boy, yes, you could get it for people who were responsible for handing out the licenses, you get responsibilities for other people involved in motorsport, and you could get responsibilities that the administrator of the website was able to hand out, which is, as we know, the most important one when it comes to a website.
So they managed to get access to this administrator portal, which gave them an entirely new dashboard to look at.
They could categorize drivers, they could manage employees, update server-side things like email templates and more. What they managed to do was they loaded a driver's profile.
It doesn't say who this driver was, but they managed to— it could have been any sort of sports car driver around the world, but they managed to find the user's password hash, their email address, their phone number, passport, and resume, and other personal information, which is, you know, not ideal.
But it also gave them the access to tools which could escalate administrator privileges.
So, oh boy, yes, you could get it for people who were responsible for handing out the licenses, you get responsibilities for other people involved in motorsport, and you could get responsibilities that the administrator of the website was able to hand out, which is, as we know, the most important one when it comes to a website.
So they managed to get access to this administrator portal, which gave them an entirely new dashboard to look at.
They could categorize drivers, they could manage employees, update server-side things like email templates and more. What they managed to do was they loaded a driver's profile.
It doesn't say who this driver was, but they managed to— it could have been any sort of sports car driver around the world, but they managed to find the user's password hash, their email address, their phone number, passport, and resume, and other personal information, which is, you know, not ideal.
Far from it, yeah.
Also, no, you don't want that out there, but also, they managed to load internal communications about the driver categorization, including comments about the driver's performances.
So, you know, if these were proper baddies, in addition to getting access to data, they could have, you know, people looking at the comments going, oh, this guy's been rubbish, he needs to be demoted, which would be quite demoralizing for people.
But no, they essentially got to a point where they managed to access the details of Max Verstappen. So that's the Formula 1—
So, you know, if these were proper baddies, in addition to getting access to data, they could have, you know, people looking at the comments going, oh, this guy's been rubbish, he needs to be demoted, which would be quite demoralizing for people.
But no, they essentially got to a point where they managed to access the details of Max Verstappen. So that's the Formula 1—
Yes.
—World Drivers' Champion, 4-time World Championship winner, famous Dutch motor racing driver. Yes.
I mean, I don't know anything about Formula 1, but I've heard of him. He's a big deal.
Yeah, he's quite good at driving a car. Right, okay.
They managed to find his passport, his regular driving license, his super license, his password hash, and PII, and his CV as well, which I kind of wonder what that looks like.
Does he have sort of LinkedIn approvals? No, drives car well.
They managed to find his passport, his regular driving license, his super license, his password hash, and PII, and his CV as well, which I kind of wonder what that looks like.
Does he have sort of LinkedIn approvals? No, drives car well.
As you said, there will be personal information, his contact details.
These are things which fraudsters and identity thieves could exploit, or they could contact him pretending to be the website.
If they can change the email template, for instance, which is sent out, there would be the potential for sending out malicious links. And grabbing even more sensitive data.
These are things which fraudsters and identity thieves could exploit, or they could contact him pretending to be the website.
If they can change the email template, for instance, which is sent out, there would be the potential for sending out malicious links. And grabbing even more sensitive data.
Yeah, as we've seen plenty of times in the past, you know, cybercriminals love a celebrity hack. Yeah.
Information, photos, email addresses, that sort of thing, you know, things for blackmail purposes.
But fortunately, in this case, these are some ethical white hat security researchers. Yes.
They managed to see all this data alongside what they described as sensitive information about internal FIA operations.
They didn't say what that was, and they say they did not actually access any of the passports or sensitive information, and anything they were able to see, they've deleted the ability to get hold of it again.
The good news is they weren't baddies. They took this information to the FIA, who essentially took this vulnerability report and fixed the vulnerability.
And so they got an official response, right? And the blog post was released, you know, in the last week, and the public disclosure of all this to ensure that this is all fixed.
Information, photos, email addresses, that sort of thing, you know, things for blackmail purposes.
But fortunately, in this case, these are some ethical white hat security researchers. Yes.
They managed to see all this data alongside what they described as sensitive information about internal FIA operations.
They didn't say what that was, and they say they did not actually access any of the passports or sensitive information, and anything they were able to see, they've deleted the ability to get hold of it again.
The good news is they weren't baddies. They took this information to the FIA, who essentially took this vulnerability report and fixed the vulnerability.
And so they got an official response, right? And the blog post was released, you know, in the last week, and the public disclosure of all this to ensure that this is all fixed.
Did the FIA pay them a bounty? Did they say, thank you very much, here's some cash, we appreciate that?
That's unclear. I suppose for the researchers, even if they haven't got a cash prize through this, I suppose it's quite a big sort of name to point out.
Yeah, it's not as though Formula 1 is short of a few quid, is it? You're right there.
Yeah, it's not as though Formula 1 is short of a few quid, is it? You're right there.
You would have expected them to have been able to afford better security, and you have to wonder what other resources they may have online which may be susceptible to flaws, or indeed other sports as well, which may have similar operations where the sports stars create accounts and upload sensitive information as they travel around the world, which may be vulnerable to similar problems.
I mean, at the very least, they could give them some free tickets to go and watch a race or something.
I mean, at the very least, they could give them some free tickets to go and watch a race or something.
They might get a hat with a Formula 1 team branding on.
Danny, hat's not good enough, Danny.
But I do have a statement here from them.
So the FIA spokesperson said, the FIA became aware of a cyber incident— good phrase, good phrasing— involving FIA driver capitalization website over the summer.
Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations.
No other FIA digital platforms impacted in this instance. And then we have the final line of the statement here.
The FIA has invested extensively in cybersecurity and resilience measures across its digital estate.
It has put world-class data security measures in place to protect all its stakeholders and implements a policy of secure by design in all new digital initiatives.
So the FIA spokesperson said, the FIA became aware of a cyber incident— good phrase, good phrasing— involving FIA driver capitalization website over the summer.
Immediate steps were taken to secure drivers' data, and the FIA reported this issue to the applicable data protection authorities in accordance with the FIA's obligations.
No other FIA digital platforms impacted in this instance. And then we have the final line of the statement here.
The FIA has invested extensively in cybersecurity and resilience measures across its digital estate.
It has put world-class data security measures in place to protect all its stakeholders and implements a policy of secure by design in all new digital initiatives.
Because if they want to know the names of some cybersecurity firms, all they got to do is look at half of the cars on the track.
Yeah, it's a veritable who's who of sort of, you know, well-known cybersecurity firms.
Quick word about one of our sponsors today, Vanta. Now I know what you're thinking, oh good, another bit of software promising to make my security easier.
But honestly, Vanta's actually pretty handy. Here's the deal.
If you are spending half your week chasing down evidence for audits or updating endless spreadsheets or trying to prove that yes, you do take security seriously, Vanta automates all of that.
It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time.
No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload 6 months ago.
It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess.
So if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they'll know that you heard about them on this show.
And if you use that link, you'll get $1,000 off, which is nice as well, isn't it? So thanks to Vanta for sponsoring this week's episode. And let's crack on with the show.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
But honestly, Vanta's actually pretty handy. Here's the deal.
If you are spending half your week chasing down evidence for audits or updating endless spreadsheets or trying to prove that yes, you do take security seriously, Vanta automates all of that.
It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time.
No panic, no last-minute scavenger hunts for screenshots or policies you forgot to upload 6 months ago.
It also plugs into the tools you're already using and uses a bit of AI magic to flag up issues before they become a proper mess.
So if that sounds like something that might save you from a few sleepless nights, check them out at vanta.com/smashing. That way they'll know that you heard about them on this show.
And if you use that link, you'll get $1,000 off, which is nice as well, isn't it? So thanks to Vanta for sponsoring this week's episode. And let's crack on with the show.
And welcome back. And you join us at our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Well, my Pick of the Week this week, it's a little bit security-related.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security-related necessarily. Well, my Pick of the Week this week, it's a little bit security-related.
Just a little bit?
Just a little bit. And I think that's allowed because I'm kind of fascinated by CAPTCHAs. Do you like CAPTCHAs?
It's a strong word. Yeah, it's interesting how they've been getting more complex over the years as well, going from, yeah, enter this text into choose what is a bike or two.
There's ones now you have to turn a 3D model of an animal around to make sure it is facing the right way, which apparently a computer is no good at doing.
There's ones now you have to turn a 3D model of an animal around to make sure it is facing the right way, which apparently a computer is no good at doing.
Well, I have found a new game online. It is free, Danny. You may want to play it yourself. It is called I'm Not a Robot.
It is by the ingenious Neil Agarwal, who's written a number of other fantastic online games in the past.
It is by the ingenious Neil Agarwal, who's written a number of other fantastic online games in the past.
I see this, yeah.
So it gives you a CAPTCHA, and it starts off with a very simple CAPTCHA of, you know, tick a box to say you're not a robot.
And then every time it shows you a new CAPTCHA and things get worse and worse and more complicated. It is an escalating nightmare of quirky puzzles.
What begins as ticking a checkbox quickly spirals into deciphering warped text or parallel parking a car with arrow keys or drawing perfect circles or building a Minecraft pickaxe or— Oh dear.
You even have to order algebraic equations or assemble IKEA furniture in one of them.
And then every time it shows you a new CAPTCHA and things get worse and worse and more complicated. It is an escalating nightmare of quirky puzzles.
What begins as ticking a checkbox quickly spirals into deciphering warped text or parallel parking a car with arrow keys or drawing perfect circles or building a Minecraft pickaxe or— Oh dear.
You even have to order algebraic equations or assemble IKEA furniture in one of them.
Well, I've already stuck here. It says select all the squares with a vegetable. Some of these I'm generally not sure about. Is a corn on the cob vegetable?
Oh, I don't think it is, you know.
Oh, I don't think it is, you know.
No, that's not a vegetable. No, I wouldn't have said so.
Oh, it is. It must be. I clicked on it. It wouldn't let me through. Then I clicked on it and it went through. So corn on the cob, a vegetable.
So it's educational as well. At one point I was being asked to break up with my AI girlfriend. So I was chatting to a chatbot. I had to try and get rid of her.
How did that go?
Well, you'd be surprised, Danny. I actually have a great deal of experience of breakups. But normally I'm not the one delivering the programme. Normally I'm the one receiving it.
Now there are even some people who have livestreamed their attempts to play this game and see how far they managed to get.
If you this game, you can actually maybe compete with your friends and colleagues to see how far they get as well. Anyway, it's a lot of fun. How far have you got so far, Danny?
Now there are even some people who have livestreamed their attempts to play this game and see how far they managed to get.
If you this game, you can actually maybe compete with your friends and colleagues to see how far they get as well. Anyway, it's a lot of fun. How far have you got so far, Danny?
I'm on level 5. I'm currently having to rotate an intersection around to make it—
Oh yeah, it's Spaghetti Junction, that one, isn't it?
Yeah, it is. Yeah, it's not Spaghetti Junction. No, it isn't. But it's— That sort of thing, yeah, and I've managed to complete— wait, no, I haven't managed to complete that.
I could be here a while.
I could be here a while.
There was one where it says, avenge Garry Kasparov, try and beat Deep Blue at chess. And so you're playing a chess game, and you've got to beat it.
It's well, this is pretty good chess play.
It's well, this is pretty good chess play.
I'm on to level 6 now, and I've got to win tic-tac-toe.
Or noughts and crosses, as us Brits call it.
So I could be here— oh, I just lost. I lost. Oh dear.
Anyway, lots of fun. It's called I'm Not a Robot. I will put a link in the show notes, and that is my pick of the week. Danny, what's your pick of the week?
Well, I am going to go for a book I've been reading. Despite all my work around cybersecurity and modern tech, I do like reading a bit of history.
I guess you get to a certain age and you basically fall into one of two camps. You either like Wars of the Roses or World War II. I think that's how it works.
But I've decided to try and expand my horizons, I suppose quite literally if you turn it in terms of distance. I'm reading a book. It's by former BBC journalist Zainab Badawi.
It's called An African History of Africa: From the Dawn of Humanity to Independence. And it's making me realise just how little about African history I knew about.
It starts off with the dawn of humanity, so humans evolving from apes in Central Africa, starting from there. Then it jumps forward quite a lot to ancient Egypt.
It's a thing where, and as the author points out, it's not really associated as African history by the wider world.
It's sort of its own, the pharaohs, Tutankhamun, all that sort of thing. It's kind of in its own little pocket.
And then I've gone on to read about various other kingdoms, the Kingdom of Kush. I'm only halfway through it, but it's really, really interesting. I feel I'm learning a lot.
It's one of those books where I'm almost staying up very much past my bedtime, so I just want to keep reading, which is a very good thing.
So yeah, I heartily recommend it, especially if you want a perspective on history which is outside of just the regular stuff we always hear about.
I do believe we covered ancient Egypt back when I was in school a long time ago. I think it went ancient Egypt, 1066, Henry VIII, World War II. That's history.
I guess you get to a certain age and you basically fall into one of two camps. You either like Wars of the Roses or World War II. I think that's how it works.
But I've decided to try and expand my horizons, I suppose quite literally if you turn it in terms of distance. I'm reading a book. It's by former BBC journalist Zainab Badawi.
It's called An African History of Africa: From the Dawn of Humanity to Independence. And it's making me realise just how little about African history I knew about.
It starts off with the dawn of humanity, so humans evolving from apes in Central Africa, starting from there. Then it jumps forward quite a lot to ancient Egypt.
It's a thing where, and as the author points out, it's not really associated as African history by the wider world.
It's sort of its own, the pharaohs, Tutankhamun, all that sort of thing. It's kind of in its own little pocket.
And then I've gone on to read about various other kingdoms, the Kingdom of Kush. I'm only halfway through it, but it's really, really interesting. I feel I'm learning a lot.
It's one of those books where I'm almost staying up very much past my bedtime, so I just want to keep reading, which is a very good thing.
So yeah, I heartily recommend it, especially if you want a perspective on history which is outside of just the regular stuff we always hear about.
I do believe we covered ancient Egypt back when I was in school a long time ago. I think it went ancient Egypt, 1066, Henry VIII, World War II. That's history.
And they stopped there, didn't they?
And I think the way many of us were taught, at least in Europe and America, I imagine it was very much a European and American perspective on the world.
So Africa, for instance, we would be thinking of it in terms of, well, what did the Europeans do there?
Mind you, they may not tell us everything that the Europeans got up to in certain parts of Africa as well.
But clearly civilisations were there and extraordinary things were happening in history. And many of us are frankly ignorant of it.
And I think the way many of us were taught, at least in Europe and America, I imagine it was very much a European and American perspective on the world.
So Africa, for instance, we would be thinking of it in terms of, well, what did the Europeans do there?
Mind you, they may not tell us everything that the Europeans got up to in certain parts of Africa as well.
But clearly civilisations were there and extraordinary things were happening in history. And many of us are frankly ignorant of it.
Yeah, it's certainly interesting that you mentioned there are these advanced civilisations in Africa at a time when in the British Isles we were still rolling around in dirt essentially.
Not much has changed, Danny. Not much has changed.
So that's my pick of the week.
Fantastic. Well, that just about wraps up the show for this week. Danny, thank you so much for joining us.
I'm sure lots of our listeners would love to find out what you're up to and follow you online.
I'm sure lots of our listeners would love to find out what you're up to and follow you online.
Thanks very much for having me again. It's been a real pleasure. I suppose the best way to find me these days, well, there is my website, which is www.dannypalmer.co.uk. Makes sense.
You can search me on BlueSky, on LinkedIn. But yeah, those are the key ways to find me.
You can search me on BlueSky, on LinkedIn. But yeah, those are the key ways to find me.
And people can hit you up via LinkedIn if they want some help with their cybersecurity writing and things like that?
Yes, definitely. I do the editorial articles as well.
I've also been doing some sort of, I guess you call it behind the scenes stuff, consultation, that sort of thing, training for people in terms of what to do and not do when you've been hit by a cybersecurity incident.
I've also been doing some sort of, I guess you call it behind the scenes stuff, consultation, that sort of thing, training for people in terms of what to do and not do when you've been hit by a cybersecurity incident.
And of course, Smashing Security is on social media as well. You can find us on BlueSky. You can find me on LinkedIn. And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of over 440 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Bye.
You've been listening to Smashing Security with me, Graham Cluley.
Well, thanks very much to Danny Palmer for joining us this week, and also big thanks to this episode's sponsors, Action One, Vanta, and SecAlerts, and to all the chums who've signed up for Smashing Security Plus over on Patreon.
They include Panos, Isaac Kim, 636B, Marvin71, Ryan Howells, Andrew Webster, Babar, James Leonard, Ferrell, Rory, Mark Crossley, Jarz Edwards, Veildog, Jack, Rach K, Phil, Colin Gourlay, Kevin Windsor, Chima Orem, Tash L, Gordon, and King Cyril.
Now, wouldn't you like to have your name read out at the end of the show every now and then? If so, you should sign up for Smashing Security Plus.
For as little as $5 a month, you can become a member of our happy little tribe, and you'll gain early access to the episodes with none of the pesky adverts. Ooh!
Just go to smashingsecurity.com/plus for more details. Now, I know not everyone can afford something like that. That's quite understandable.
So don't feel any pressure to become a member of Smashing Security Plus. What you can do though, it's absolutely free, is you can tell your friends about Smashing Security.
You can go up to them and say, "Oi, do you listen to any cybersecurity podcasts?" "No." "Well, maybe you should listen to Smashing Security.
It's the cybersecurity podcast for people who don't like cybersecurity podcasts." Or maybe you could wear one of our lovely t-shirts from our merch store.
Just go to smashingsecurity.com/store. You'll wear it, you'll feel gorgeous. Oh, against your skin, it will feel so lovely. And of course, you're helping to spread the word.
Whatever you're doing, thank you very, very much for listening, tuning in each week. It really means so much to me. Well, I'm going to sign off now, but I'll see you in a week.
Cheerio. Bye-bye.
Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.
For episode show notes, sponsorship info, guest lists, and the entire back catalog of over 440 episodes, check out smashingsecurity.com. Until next time, cheerio. Bye-bye. Bye.
You've been listening to Smashing Security with me, Graham Cluley.
Well, thanks very much to Danny Palmer for joining us this week, and also big thanks to this episode's sponsors, Action One, Vanta, and SecAlerts, and to all the chums who've signed up for Smashing Security Plus over on Patreon.
They include Panos, Isaac Kim, 636B, Marvin71, Ryan Howells, Andrew Webster, Babar, James Leonard, Ferrell, Rory, Mark Crossley, Jarz Edwards, Veildog, Jack, Rach K, Phil, Colin Gourlay, Kevin Windsor, Chima Orem, Tash L, Gordon, and King Cyril.
Now, wouldn't you like to have your name read out at the end of the show every now and then? If so, you should sign up for Smashing Security Plus.
For as little as $5 a month, you can become a member of our happy little tribe, and you'll gain early access to the episodes with none of the pesky adverts. Ooh!
Just go to smashingsecurity.com/plus for more details. Now, I know not everyone can afford something like that. That's quite understandable.
So don't feel any pressure to become a member of Smashing Security Plus. What you can do though, it's absolutely free, is you can tell your friends about Smashing Security.
You can go up to them and say, "Oi, do you listen to any cybersecurity podcasts?" "No." "Well, maybe you should listen to Smashing Security.
It's the cybersecurity podcast for people who don't like cybersecurity podcasts." Or maybe you could wear one of our lovely t-shirts from our merch store.
Just go to smashingsecurity.com/store. You'll wear it, you'll feel gorgeous. Oh, against your skin, it will feel so lovely. And of course, you're helping to spread the word.
Whatever you're doing, thank you very, very much for listening, tuning in each week. It really means so much to me. Well, I'm going to sign off now, but I'll see you in a week.
Cheerio. Bye-bye.
Host:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Guest:
Danny Palmer:
/ dannypalmerwriter
Episode links:
- Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them – Dr Web.
- Cyberattack on Russia’s food safety agency reportedly disrupts product shipments – The Record.
- Dissecting YouTube’s malware distribution network – Check Point.
- 31 Defendants, Including Members and Associates of Organized Crime Families and National Basketball Association Coach Chauncey Billups, Charged in Schemes to Rig Illegal Poker Games – US Department of Justice.
- How Hacked Card Shufflers Allegedly Enabled a Mob-Fueled Poker Scam That Rocked the NBA – Wired.
- Every Formula 1 driver on the grid just had their passport and license details leaked – but it could have been so much worse – TechRadar.
- I’m not a robot – Neal.fun.
- Can I Beat The CAPTCHA Game? – YouTube.
- An African History of Africa by Zeinab Badawi – Penguin.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
- Support us on Patreon!
Sponsored by:
- Action1 – Keep your systems safe (and your sanity intact) with the patch management platform that just works. The best part? Your first 200 endpoints are free, forever, with no functional limits.
- SecAlerts – SecAlerts makes your job easier by matching vulnerabilities to your software, using information as soon as it’s released. Use code SMASHING for 50% off a year subscription.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
