Smashing Security podcast #446: A hacker doxxes himself, and social engineering-as-a-service

Stories from the world of hacking, ransomware, cybersecurity, and rogue AI.

Graham Cluley


A teenage cybercriminal posts a smug screenshot to mock a sextortion scammer… and accidentally hands over the keys to his real-world identity. Meanwhile, we look into the crystal ball for 2026 and consider how stolen data is now the jet fuel of cybercrime – and how next year could be even nastier than 2025.

Plus, Graham rants about recipe sites that won’t shut up, and there’s even more love for Lily Allen’s album “West End Girl”.

All this and more is discussed in episode 446 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Rik Ferguson.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
And he then says to Krebs, look, I really don't think you should write a story about me because it might mess up the law enforcement investigation into me.
RIK FERGUSON
You could interfere with an ongoing investigation. I would hate for that to happen.
GRAHAM CLULEY
He obviously wants to see it properly concluded and come to its right resolution.

Smashing Security, episode 446, a hacker doxes himself, and social engineering as a service, with Graham Cluley and special guest Rik Ferguson.

Hello, hello, and welcome to Smashing Security episode 446. My name's Graham Cluley.
RIK FERGUSON
And I am Rik Ferguson.
GRAHAM CLULEY
Hello, Rik. Welcome back to the show. It's been many, many years since you last joined us.

For anyone who doesn't know— I mean, is there anybody who doesn't know rockstar Rik Ferguson? Describe yourself, Rik, to our audience?
RIK FERGUSON
I'm 6 feet tall. I weigh 182 pounds.
GRAHAM CLULEY
Oh, there you go.
RIK FERGUSON
What's that in kilograms?
GRAHAM CLULEY
I don't know. Actually, about 80. I'm really not sure. I should know. I left the world of Imperial behind many years ago.

Okay. Well, you're a fine figure of a man and you also work in the cybersecurity industry, don't you?
RIK FERGUSON
Oh, there is that.
GRAHAM CLULEY
Oh, there is that. There is some relevance to you coming on the podcast this week.
RIK FERGUSON
Yeah. It's weird. I've been in technology as an industry in IT, let's say, for 31 years. And I think 26 of those have been in cybersecurity, although it wasn't called that back then.
GRAHAM CLULEY
And you still haven't solved the cybersecurity problem. Don't you feel a bit of a failure?
RIK FERGUSON
Oh, no, I have. I just haven't told anyone.
GRAHAM CLULEY
Oh, okay. Okay. While you're continuing to make money out of it, you mean.
RIK FERGUSON
It's those, you know, everlasting matchsticks and everlasting light bulbs, all those other things. I've got all those on a shelf too.
GRAHAM CLULEY
Well, before we kick off, let's thank this week's wonderful sponsors, Vanta, 1Password, and Drata. We'll be hearing more about them later on in the podcast.

This week on Smashing Security, we're not going to be talking about how Europol has seized $25 million of bitcoin and scooped up 12 terabytes of data after shutting down a cryptocurrency laundering hub.

You'll hear no discussion of shady panda, a 7-year-long cybercriminal campaign that saw malicious browser extensions infect 4.3 million Google Chrome and Microsoft Edge users.

And we won't even mention how fake Calendly invites are luring victims to a phishing page that steals Google Workspace and Facebook Business credentials.

So, Rik, what are you going to be talking about this week?
RIK FERGUSON
I'm gonna be talking about how we keep seeing the same stories over and over again. Almost every story you see is basically a breach of some kind or ransomware of some kind.

But maybe we can talk about how I think that stuff's gonna evolve and how maybe we're not in an ever-repeating Groundhog Day of cybersecurity, but that things actually do change and what to look out for and how we can try and get ahead of that.
GRAHAM CLULEY
Sounds good. And I'm gonna be talking about how not to be a cybercriminal. All this and much more coming up on this episode of Smashing Security.

Before we begin, I wanted to tell you about 1Password, who are supporting the podcast today.

It's easy to assume that being small means flying under the radar, but the reality is that small businesses are being targeted more and more by malicious hackers.

Cybercriminals know that lean teams often lack the resources to prevent or respond to a breach. But the good news is even the smallest teams can foil cybercrime.

1Password provides simple security to help small teams manage the number one risk that hackers exploit: weak passwords.

1Password provides centralized management to make sure your company's logins are secure.

It's a simple turnkey solution that can be rolled out in hours, whether you have dedicated IT staff or not.

However complex your security needs may get, 1Password will stay with you every step of the way. Take the first step to better security by securing your team's credentials.

Find out more at 1Password.com/smashing. That's 1Password.com/smashing and start securing every login.
RIK FERGUSON
On with the show.
GRAHAM CLULEY
So, chums, today I want to tell you about how not to be a cybercriminal. Rik, you are not a cybercriminal, I'm assuming.
RIK FERGUSON
Yeah, I definitely am very good at not being one.
GRAHAM CLULEY
Right. It's not that tricky really to not be a cybercriminal, isn't it? You just don't commit cybercrime. That's the essential trick.

And most days I get away with that quite successfully.
RIK FERGUSON
Yeah, I mean, there are times when my wife is on my case a little bit that I should be committing a little more cybercrime, but I've managed to steer clear of it.
GRAHAM CLULEY
Yes, my accountant probably would like me to commit some cybercrime. But there are people out there who've taken on cybercrime as a hobby, as a pastime, maybe even a career as well.

And I guess they are the people who I am addressing today, 'cause I'm going to tell those people what not to do if they want to be a competent cybercriminal.
RIK FERGUSON
Isn't that aiding and abetting?
GRAHAM CLULEY
Well, I suppose, possibly. Oh dear.
RIK FERGUSON
They'll never make it stick. They'll never make it stick.
GRAHAM CLULEY
Because to be a cybercriminal, there are certain things you probably do have to do. You have to commit cybercrimes. That's pretty much written into the job description.
RIK FERGUSON
Usually relating to money, to finance.
GRAHAM CLULEY
Doesn't always have to. I mean, sometimes it's a defacement. Sometimes, you know, it's just mindless vandalism or something. But yeah, but these days it often will involve some cash.

And also, and this is important, you need to get away with it because otherwise your cybercrime career just comes to an end, doesn't it?
RIK FERGUSON
And I think you need to not only get away with it, you have to keep getting away with it. And you have to make sure that looking back, you haven't done anything you might regret.
GRAHAM CLULEY
Mm, it's tricky, isn't it? And preferably you don't want anyone to work out who was behind that particular cybercrime, not just being stopped in the act.

You don't want to be identified. That's my assumption.
RIK FERGUSON
That's a major reason why I think I'm not a cybercriminal because the vast majority of my online handles tend to be Rik Ferguson.
GRAHAM CLULEY
Yeah, that would be a bit of a giveaway. You would need a different one.

Also, the thing is with you, Rik, is because of course you are famed for your mane of hair and your rockstar good looks, I think you're gonna leave some physical evidence behind.
RIK FERGUSON
There'll be some DNA. Once you're in your 50s, it all does start to fall out a little bit. So there's a permanent trail, much like my dog. Not like that.
GRAHAM CLULEY
Hair. What we're gonna talk about today is a gloriously stupid operational security fail by a cybercriminal. And I think we all love those, don't we?

We love it when the cybercriminals, when the malicious hackers really goof up and leave evidence lying around, which makes it so easy to identify who they actually are.

And this is why I want to introduce to you someone called Rey.

Rey, not with an A, but Rey with an E, a bit like that character from Star Wars: The Force Awakens waggling her lightsaber around, Rey is a core member of that infamous hacking group that likes to call itself Scattered Spider Lapsus$ Hunters.
RIK FERGUSON
The unholy triumvirate.
GRAHAM CLULEY
They are, aren't they? It's a sort of greatest hits mashup of several notorious hacking collectives.

If you do think of it in musical terms, it's a bit like if Emerson, Lake & Palmer teamed up with Crosby, Stills, Nash & Young and Barclay James Harvest, and you end up with this cacophony of 1970s supergroups.
RIK FERGUSON
No one knows who they are, Graham. No one knows who they are.
GRAHAM CLULEY
Oh, no, yeah, okay. If you're of a certain age, you may know who those folks are.

But rather than a band of crooners, Scattered Spider Lapsus$ Hunters is, well, all they've got is not gold records on their walls. They've got compromised Salesforce logins.

That's what they've been stealing lately. They've been causing all kinds of mischief and one of the admins of Scattered Spider Lapsus$ Hunters is this Rey person.

They're an admin on their Telegram and Discord channels where they are chit-chatting away and gobbing off at each other and slagging each other off and also plotting their cybercrimes as well.

And this hacking crew, as I said, they are notorious. Over the past year or so, they've been claiming responsibility for all sorts of corporate breaches.

And we even heard on last week's episode with Dan Raywood they allegedly tried to recruit insiders at a major cybersecurity firm, trying to get data out of them.
RIK FERGUSON
I wonder which firm that could have been. There was a story in the news recently, I believe.
GRAHAM CLULEY
There was. CrowdStrike.
RIK FERGUSON
Yes.
GRAHAM CLULEY
So, but they haven't confirmed it. You know, there's suspicions. There are suspicions which have been reported.

Now, Rey was reportedly involved with a ransomware outfit called Hellcat, and they also helped run a BreachForums-style leak marketplace online.

So you've probably heard of BreachForums.

It's a notorious site where data is shared and tools are shared which allow hackers to break into systems, or they sell their data which they've exfiltrated from the companies which they've hacked.

And it turns out that, well, BreachForums, there's more incarnations of it than Doctor Who. There's more versions of it than people who've played James Bond.
RIK FERGUSON
It's kind of famed for takedowns.
GRAHAM CLULEY
It is.
RIK FERGUSON
As well as for being a breach forum. Law enforcement has acted against breach forums so many times, and it always, in one form or another, rises from the ashes.
GRAHAM CLULEY
It's whack-a-mole. Europol or FBI, you know, they whop them on the head and their servers come down and then bloop, up it comes again.

And there doesn't seem to be anything which cybercrime enforcement can do to permanently defeat it.

Not to say that they're doing a bad job, and it's great that they dismantle these operations, but it does keep coming back.

And Rey was one of these people who was running one of these sites.

Now, unfortunately for Rey, they recently suffered a bit of a setback, not thanks to cutting-edge digital forensics or a multi-nation police operation, but rather because of their own screw-up.

So let me take you back in time. Back in May 2024, Rey received one of those sextortion emails. Have you received a sextortion email, Rik?
RIK FERGUSON
I have, I had, I did pay.
GRAHAM CLULEY
You did?
RIK FERGUSON
I was very worried, but yeah, I mean, they're 10 a penny, aren't they?
GRAHAM CLULEY
Yeah.
RIK FERGUSON
We've all seen them. We had access to your webcam and we got footage of you watching porn, pay the ransom.
GRAHAM CLULEY
Yes.
RIK FERGUSON
I mean, I'm laughing, but there is a serious side to that whole sextortion thing as well. These ones are fake, but as a threat, I mean, it is responsible for ruining people's lives.
GRAHAM CLULEY
Oh, absolutely.

There are horrific tales of how people have actually been recorded on webcams or sometimes been blackmailed to do things on camera and the threats which have then resulted.

That's all ghastly.

But what we're talking about here today is an email which comes in, which claims, "Aha, I've been watching you for a while and you know that I've been watching you because I've emailed you from your own email address and here is one of your passwords," they say, as though that were convincing information.

The truth is your passwords, or at least one of your passwords, is probably out there already.

All they have to do is go to an existing data breach, find your email address, find the password associated with it, and send you an email.

And it's easy to forge the from header so it looks like it's from your own email address.

And people panic about this and they think that they've been hacked and they think, you know, oh, I've gotta send bitcoin and all the rest of it.
RIK FERGUSON
Especially with the password, right? Yeah, that's the key, isn't it? That's the key to credibility. Oh my word, that really is my password.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
This must be real.
GRAHAM CLULEY
Yeah. And so, you know, please, if you receive something on that, don't reply to it, just delete it because it's almost certainly a scam.

So this guy, Rey, who's obviously a bit of a hacker, he received one of these things and he thought it was really funny.

And so what he did was he took a screenshot of it and he posted it up on a Telegram chat with some of his mates.

Now, he's no dummy, so what he did was he partially redacted his email address. So he got rid of the username part, from the screenshot. So it just said, you know, @proton.me.

So that was his ProtonMail email address. Very sensible. Not shown his email address so people wouldn't easily be able to identify who he was.

But what he didn't do was he didn't redact the password.
RIK FERGUSON
Because of course, no one knows that password.
GRAHAM CLULEY
Right.
RIK FERGUSON
It was in the mail.
GRAHAM CLULEY
So what we have here is a key administrator in a sprawling cybercriminal enterprise posting his actual password, or one of his actual passwords, to Telegram.

But that password came to the attention of renowned cybersecurity sleuth Brian Krebs. You don't mess with Brian Krebs.
RIK FERGUSON
People do, but they live to regret it.
GRAHAM CLULEY
Most of us, we have nightmares about, I don't know, Dracula. And vampires and Frankenstein. The cybercriminals, they have nightmares about Brian Krebs. Very true.

That's who they're worried about. And this password, it wasn't a dumb password like 'let me in' or '12345678' or something like that.
RIK FERGUSON
No, because the guy's a pro. The guy's a pro.
GRAHAM CLULEY
He's a pro. Instead, it was the following 15 characters: MRVNGDG99Z03E29.
RIK FERGUSON
Very good.
GRAHAM CLULEY
Kind of a good password, really. And there's a mixture of uppercase and lowercase in there as well. Not a bad password.
RIK FERGUSON
He's missing his special characters though. I'm disappointed.
GRAHAM CLULEY
Yeah, he hasn't got an exclamation mark on the end, which is normally what people do.
RIK FERGUSON
That's how you secure a password. You have to put that on the end.
GRAHAM CLULEY
But it was a password that was unique enough so that when it was searched for by Krebs in databases of credentials previously stolen by cybercriminals, it linked straight back to a specific ProtonMail account.

It linked to one called . So now we've got a strong indication as to what the email address should have been before it was redacted, and we have a password.

And it turned out that that username and password combination had been exposed at least twice in early 2024 when somebody's computer got hit by an info-stealing Trojan horse.
RIK FERGUSON
Oh, the irony.
GRAHAM CLULEY
The irony. Yes, almost as though this hacker guy might be hanging out with dodgy people downloading things left, right, and center off the net. Who knows what he was doing?

So, we now have that information.

And a security firm discovered that that email address belonged to a member of breach forums who went by the username of O5TDEV, which was part of the username.

Okay, so now we've got that.

And a search for that nickname, O5TDEV, found at least two website defacements archived, which showed that someone called O5TDEV had previously defaced websites saying pro-Palestinian messages during the website defacement, which helpfully said hacked by 05-TDEV.

Okay, so we're beginning to put all the pieces together.
RIK FERGUSON
It's honestly incredible research and journalism from Brian. When I read these kinds of things, I know you're not even at the end yet.

It's always so gripping when he says, here's all the steps I went through. I found this, then I found this, then I put this together. I made this logical leap, which led me to this.

It's incredible.
GRAHAM CLULEY
Yes. So further investigation found that Rey's Telegram account was particularly active in a cybercrime-focused channel called Jacuzzi.
RIK FERGUSON
I didn't know what to make of that when I got to that point in the story. I was worried to read on.
GRAHAM CLULEY
Well, it all seems fairly innocent enough, but in that particular place, he's sharing some personal details.

So he's sharing maybe that his father was an airline pilot, that he has some family connections to Ireland. He even has a connection to the surname Ginty as well.

And they claimed in 2024 to be 15 years old. So a little bit more digging is going on by Krebs and co.

And what was uncovered were hundreds of credentials that had been stolen from a computer belonging to that ProtonMail email address.

And it was a shared Windows PC located in Amman, Jordan, and multiple people were using the same computer and all of them had the same surname, which is Qader. K-H-A-D-E-R.

And the data showed that Rey's full name was likely to be Saif al-Din Qader. So what does Brian Krebs do? He drops him an email.
RIK FERGUSON
He sends a friendly email. Not to him though, right?
GRAHAM CLULEY
At first he emails him and he doesn't get a reply. But Krebs doesn't give up.

And so what he decides to do is look a little bit further, because the PC also had autofill information in its browser, which suggested there was also someone else using the PC: a 46-year-old man called Zaid Qader, who said his mother's maiden name was Ginty, and who worked at Royal Canadian Airlines.

And because Saif hadn't replied, Krebs tried contacting his dad instead.
RIK FERGUSON
I'm gonna tell your dad on you. It takes me back.
GRAHAM CLULEY
Yeah, we've all been there. Not quite as scary as when your mum gets told something, in my experience. Yeah, very true. So within 2 hours, the father hadn't replied, but the son had.

He responded via Signal saying, "I saw your email.

I don't think my dad will respond to you because he thinks it's some kind of scam that you've sent him." At least you know that he's been educated by his kids.
RIK FERGUSON
They're looking after him.
GRAHAM CLULEY
Yeah, he's done some emergency work there. Say, oh, Dad, Dad, don't worry about that, Dad. That sounds like a scam. Let me deal with that.
RIK FERGUSON
He'll be like, you know those emails you get that say they've caught you on webcam? It's like that.
GRAHAM CLULEY
And so this guy who we'll call Rey, but whose real name was Saif, got in touch with Krebs. He said, look, my dad doesn't believe the email, but I am prepared to talk to you.

I've decided to talk to you directly. And he said, look, I've been thinking of moving away from cybersecurity for a while.
RIK FERGUSON
I wonder why.
GRAHAM CLULEY
He's desperately saying, I'm already cooperating with law enforcement, he says. They've been in touch with me for some months now.

And he then says to Krebs, look, I really don't think you should write a story about me because it might mess up the law enforcement investigation into me.
RIK FERGUSON
You could interfere with an ongoing investigation. I would hate for that to happen.
GRAHAM CLULEY
He obviously wants to see it properly concluded and come to its right resolution.

So, next time you get told that these hackers are geniuses, remember that the guys who are fighting the cybercriminals can be really, really smart too, and can uncover the true clues.

Because in this case, this guy was unmasked not through elite counter-hacking, not through surveillance, but he was unmasked because he posted his own password online while mocking a fellow scammer.

And I think there's no richer justice than that, is there?
RIK FERGUSON
Have you never been tempted though? I sometimes come up with such a pleasing password scheme that I wanna share what the scheme is online. I know you can't, you just can't.

And it's like, but I'm really proud of it.
GRAHAM CLULEY
Try not to do that. You can tell me privately, Rik, if you want. I'd be very interested.
RIK FERGUSON
There was a time a while back when I could have had access to Jonathan Ross's inbox. On Twitter.
GRAHAM CLULEY
That's right. I remember this.
RIK FERGUSON
He tweeted his email address, his private email address. Which was obviously meant to be a DM. So I thought I'd do some digging.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
It was a me.com address. It was an Apple email address. So I went and I hit the reset password button. I forgot my password. And then it said, do you want to go through?

This was a while ago. So those mechanisms were not in place.
GRAHAM CLULEY
It was like 15 years ago or something, I think, wasn't it?
RIK FERGUSON
Yeah. Do you want to go through the security reset questions? And I said, yes. And the question popped up, what's the name of your dog?

So I went to Wikipedia, name of the dog is in the Wikipedia article, put the name of the dog in, and I was greeted with, please enter your new password, at which point I closed my browser and messaged Jonathan Ross directly.
GRAHAM CLULEY
Yes.
RIK FERGUSON
But it shows you even the slightest lapse of attention, focus, judgment, whatever, can have some really serious consequences, cybercriminal or otherwise, right?

You need to be careful of that stuff.
GRAHAM CLULEY
It really can. And of course, make sure you're choosing, I mean, this, in this case, it looks like he had chosen a unique password for this particular purpose.

It wasn't something that dumb. But we have seen situations, someone else in the public eye, some years ago now, Mark Zuckerberg.
RIK FERGUSON
Yeah.
GRAHAM CLULEY
His passwords were revealed because of a breach at LinkedIn. And Mark Zuckerberg was using the same password on LinkedIn as he was using on, I think it was Pinterest and Twitter.

And the really bad thing about that was what the password was, because it was just 4 letters. It was D-A-A. D-A was Mark Zuckerberg's password.
RIK FERGUSON
I mean, that's almost unhackable. Because it's actually, it's only two letters actually, isn't it?
GRAHAM CLULEY
Yes.
RIK FERGUSON
It's almost unhackable.
GRAHAM CLULEY
Almost entirely unhackable.
RIK FERGUSON
But it's like the story of the heist at the Louvre recently with the passwords to their security cameras.
GRAHAM CLULEY
Oh, what was that?
RIK FERGUSON
Louvre. No. I should be entirely clear that it's not definite that that was still the password at the time of the heist.

But it was reported as a vulnerability in an assessment previously. Whether it had been remediated or not is an open question.
GRAHAM CLULEY
Right.
RIK FERGUSON
Oh yeah, boy. So this episode of the show is sponsored by Drata, and I'm going to tell you why you should check them out.

Look, if you are in security or compliance, you know the drill. You're constantly wearing 10 different hats: risk management, compliance, budgets. It's quite the handful.

Here's the thing, though. Drata actually helps with all of that.

Basically, they've made a platform that handles all the tedious compliance stuff that normally eats up your entire week.

What Drata does is automate the evidence collection, the compliance tracking, the security questionnaires. It just handles it.

They've got real-time monitoring, so you're always audit ready, which is nice because no one enjoys scrambling before an audit.

And they've even got AI assistants for questionnaires now, which honestly, thank the Lord.

The point is, instead of spending all your time proving that you are secure and compliant, you can actually focus on being more secure and compliant. Crazy, I know.

Anyway, if that sounds useful to you, check them out at drata.com/smashing.

That's D-R-A-T-A.com/smashing, and if you use that link, they will know that you heard about them on the show. And thanks to Drata for supporting Smashing Security.

Okay, Rik, what's your topic for us this week?
RIK FERGUSON
Well, you know, I was looking around thinking, what will I talk to Graham about? And as I looked at all of the stories that are breaking, it seemed like déjà vu.

Wherever I was looking, either there had been a gigantic breach or somebody else has suffered a ransomware attack or a combination of the two. Usually they kind of go hand in hand.
GRAHAM CLULEY
Yep.
RIK FERGUSON
And it really kind of drives home the fact that the data that comes out of all of those leaks, you know, the underground economy for data and also the public data dumping economy is really kind of the jet fuel to the rest of cybercrime.

Without all the stolen identities and data dumps out there, the ransomware side of things would be less successful than it is today as well. Those two are inextricably linked.

In fact, I did some research beginning of this year. Here's a really big number for you.
GRAHAM CLULEY
Oh, good.
RIK FERGUSON
2,447,878,758. Do you know what that is?
GRAHAM CLULEY
It's not your phone number, is it?
RIK FERGUSON
It's almost.
GRAHAM CLULEY
Bank account details?
RIK FERGUSON
It's the number of identities that were compromised, as far as I could ascertain, over the course of 2024 alone.
GRAHAM CLULEY
Wow.
RIK FERGUSON
Nearly 2.5 billion.
GRAHAM CLULEY
Huh.
RIK FERGUSON
And you've got to remember that number is heavily slanted towards the US because they have much more searchable public databases that detail how many people were affected, what kind of information was missing.

We don't really have that in Europe or elsewhere in the world. So I think the actual number would be several times bigger than that if we really had the data to hand.

But almost 2.5 billion, that's conservative value, about $10 billion worth of information on underground forums.

So it shows how prevalent and how widespread and how useful that information is, right?
GRAHAM CLULEY
Yeah.
RIK FERGUSON
And what's really ramming that point home for me is that also 2023, '24 definitely saw the return of the info stealer.

We haven't spoken about info stealers for a very long time, I think. They were very much a consumer-facing info stealer type thing, right?

Looking for your autofill data, getting stuff out of your web browser, stealing cryptocurrency wallet stuff, stealing email account, social passwords, that kind of stuff.

Well, they're now a part of the malware as a service economy.

They're all out there, you know, using hosted infrastructure where you can just sign up and use it as a service and then go out and do your info stealing and then monetize the proceeds from that, all the stolen data, which leads to the successful ransomware attacks.

So, you know, when we think about this ongoing— the French Football Federation was breached very recently. 22 million members. We had the Korean equivalent to Amazon.
GRAHAM CLULEY
Yes.
RIK FERGUSON
Admitted to a breach very recently, Coupang. 33.7 million people impacted by that one breach, which is more than half of the population of South Korea in its entirety.

We had the return of the Shai-Hulud worm stealing about 25,000 developer secrets, tokens, and so on. The breach at Asahi, which obviously was ransomware.

As well as having been driven by identity, it ended up in the exposure of a further 2 million people's personal details, as well as the ransomware.
GRAHAM CLULEY
It's ruined many Japanese people's lives because they're not able to drink their favorite beer.
RIK FERGUSON
It is a good beer too. It's a lovely beer.
GRAHAM CLULEY
It is.
RIK FERGUSON
One day you'll experience the joys, one day.

And then, and you know, we saw Scattered Spider being responsible, for example, for breaches of business intelligence providers last year. I mean, SiSense were breached.

Snowflake were breached. And then this year, Gainsight, Salesloft, all part of the Salesforce developer infrastructure.

And I think Gainsight said only a handful of their customers were affected. They must have really strange hands because I've only got 5 fingers on each of mine.

So slightly more than a handful. It's about 200.

But if you think about the Snowflake one last year, which had really serious effects on companies like Santander, Ticketmaster, hundreds of millions of people's details stolen in those attacks.

That only affected about 160 organizations. So they had smaller hands even. So, and that had massive outsized effects. And that was again, down to that same unholy trinity.

And it looks like they're now preparing to go after Zendesk customers as a result, probably of some of the information that was stolen.

And the attack on JLR, and any of the other big ransomware attacks that you want to talk about, are all kind of driven by this economy in stolen data.

So that's the reason we see it in the news happening over and over again is because it's basically the jet fuel to all of these other online criminal operations.

So I have been sitting around because it's that time of year thinking about what might happen next based on all of the stuff that we've seen over the past few years.
GRAHAM CLULEY
Because this is what happens, isn't it? The journalists start calling all the cybersecurity vendors saying, oh yes, we're going to need your predictions.
RIK FERGUSON
You always end up having big conversations with PR agencies and how can we make them interesting? How can we make them different from everybody else?

I know, let's just release them earlier.
GRAHAM CLULEY
Yes. So the predictions start coming out in September as to what's going to happen in 2026 because everyone wants to get their report out before the other guys.
RIK FERGUSON
Exactly.
GRAHAM CLULEY
I remember back in the days when I worked for a vendor and we had to produce one of these and the PR people weren't happy at all when I said, well, my prediction is we're going to see more of the same.

It's going to be pretty much.
RIK FERGUSON
And that's the one thing you're not allowed to say, isn't it? It's like, well, there'll… It is. Yeah, actually it is.
GRAHAM CLULEY
I predict there'll be lots of predictions. That's my prediction.
RIK FERGUSON
Yeah.

I think one of the things that we're going to see is that SaaS OAuth consent, SaaS tokens, Microsoft 365, Salesforce, Slack, all those different offerings are going to begin to rival traditional phishing.

Phishing has always dominated as the precursor to every attack. It's been up in the 90-odd percents for a very long time.

But I noticed some stats recently that said phishing was now the precursor to 40% of consumer-facing attacks.

I haven't looked into the research to back it up, but if that's true, that's an incredible drop from 90-something percent.

And I think what we will be seeing now, and there are strong signals of it, is stealing of tokens rather than credentials, OAuth abuse, that kind of thing, particularly as passwordless authentication is gaining ground quite rapidly now.

And then these will be token hopping campaigns by getting access into a SaaS provider, then moving down into the customers of that SaaS provider and stealing information that way without needing necessarily to get passwords just to get tokens.
GRAHAM CLULEY
Mm-hmm.
RIK FERGUSON
The other thing that I think we'll see, which is very directly related to the Scattered Spider side of things, 'cause those three groups coming together wasn't accidental.

They each had particular things that they were good at. And the thing that Scattered Spider are good at is social engineering.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
It's making those phone calls up front, doing SIM swapping attacks, that kind of stuff.
GRAHAM CLULEY
They were the ones calling the call centers pretending to be employees locked out of accounts, for instance.
RIK FERGUSON
Exactly. And it was, you know, real people on real phones making real social engineering calls.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
It takes balls to do that kind of thing.
GRAHAM CLULEY
Yeah, yeah.
RIK FERGUSON
To be convincing. It's a proper skill set.

And it's indicative with, you know, with this, the story about Ray is that they are, if any of what he said was true, feeling the heat of law enforcement.

We know there have been arrests of people within and associated with that group.

So I think we'll begin to see a rise of something that I called social engineering as a service, because everything's as a service now, right?

So if you are involved in a group like Scattered Spider and you are a bit worried about attracting the attention of law enforcement, you will want to do what ransomware threat actors did a very long time ago and remove yourself from the immediate committing of the crime.

You don't do the breach, you don't steal the data.

They were very foolish to get themselves into the extortion game and run the extortion, but they wanted to keep as much of the money as possible.

I think if the people creating the ransomware had moved themselves away from the finance of the crime as well, law enforcement would not be focused on them at all.

And I think that's what groups like Scattered Spider will consider: how can we monetize our very unique skill set?

Well, we can offer it as a service to other people committing crimes. So I think with the aid of AI voice cloning, they'll be able to create things like scripted call flows.

They'll be able to generate those fake links to authorize apps as a whole package, but along with that particularly unique skill of social engineering on the phone.

So that means you'll have even very inexperienced threat actors who don't stand a chance with threat acting, being able to outsource that capability, get the data and the access that they want, and then carry out the rest of their campaign.

But it will remove the social engineers from the scene of the crime to a large extent.
GRAHAM CLULEY
This is potentially a huge problem. I'm thinking there's a lot of talk right now about many people maybe losing their jobs due to AI and other things.

You know, companies looking to save money using artificial intelligence to do a lot of the tasks which previously they've employed people for.

There will be people who are looking for ways to pay their mortgage or pay their rent at the end of the month.

And the easier it is to get into cybercrime, the more tempting it is going to be for more people to participate in it. And potentially we could see more attacks happening.

I mean, there will be people who are seeing the volume of reports which we're seeing right now in the newspapers and on the TV of companies being hacked and of the huge amounts of money some of these cybercriminals are making.
RIK FERGUSON
And there's still that perception that you're going to get away with it. We still unfortunately see far too few actual arrests and prosecutions made.

When we do see those arrests, you know, they make the news because they're rare.

We see a lot of seizure and shutting down of infrastructure, and great, we need to do it, but that always reappears. Breach Forums, right? That always comes back.

So I think there is definitely a strong perception that you stand to make a lot of money. So people might look at it and go, well, you know what? I don't have to do it for long.

I just have to do it enough. One payoff.

If I can get the right company, the right ransomware, it's rare, I think, to see people walk away from it once, especially if you end up successful.
GRAHAM CLULEY
So come on, Rik, give us your prediction. If you were to come back in a year's time on Smashing Security, are we gonna be looking back on 2026 saying it was better or worse than 2025?
RIK FERGUSON
I honestly feel that from a cybersecurity perspective, it's going to get worse.

The one that scares me the most of the things that I was thinking about is when I was thinking about JLR.

They had to shut down their production line, not because their operational technology was directly affected by the attack, but I think the impression I get is that they were painfully aware that it could be.

Obviously, I guess they have quite a flat network infrastructure and it's not air-gapped or whatever.

So I think they were painfully aware that that was a potential, so they did a preventative shutdown.

But the catastrophic effects of it are bad enough for JLR, but they got a government bailout, so I guess it didn't hurt that much.

But who it really hurt was the upstream providers, the people that sell things to JLR, the people that make components or seat covers or whatever, right?

Those people were going out of business.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
And I think threat actors will have looked at that and gone, oh, that's a novel approach. So I made up this thing that I called reverse ransomware.

And I think we might begin to see this next year where if you're a threat actor, you do your research work about your intended victim that you want to extort, because they do good research, they do reconnaissance.

You look at your big company you want to extort and you say, all right, who are their key suppliers? Four or five key suppliers. They'll be much smaller organizations.

You go, you break into those suppliers, you encrypt their data, but you don't extort them because they're smaller and they don't have the money.

You go back to the JLRs of the world and you say, by the way, the reason your four key suppliers are out of business is us.

Here's a very polite email asking you to pay a service restoration fee. Once you've paid us the service restoration fee, we will bring your suppliers back online.
GRAHAM CLULEY
Smashing Security, the podcast where cybercriminals get all their tips.
RIK FERGUSON
That's the thing with predictions, isn't it? You've got to say what's coming next, and if it happens, it's not my fault, Mom.
GRAHAM CLULEY
Okay, before we go any further, I need to share a quick word with you about one of our sponsors today, Vanta. You know how everyone's got an AI assistant these days?

Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you. That is Vanta.

It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that yes, you do take security seriously. Vanta automates all of that.

It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.

It also plugs into the tools you're already using and flags up issues before they become a right old mess.

So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing. And if you use that link, you'll get $1,000 off.

So don't forget, vanta.com/smashing. And thanks to Vanta for sponsoring this week's episode.

And welcome back, and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.
RIK FERGUSON
Pick of the Week. Pick of the Week. Pick of the Week.
GRAHAM CLULEY
Pick of the Week.
RIK FERGUSON
You can have that.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Well, my pick of the week this week is not security-related.

My pick of the week this week is an online service, and a very important online service, because what do we like to do?

Well, one of the things that we like to do is we like to have a lovely meal, right? But sometimes you get bored of the same old thing. Oh Graham, you're making another baked potato.

Oh Graham, you're making another cheese and cucumber sandwich. Can't you come up with something else?

Well, yes, maybe I can, because what I could do is I could go onto the internet and I could find a recipe. But there is a flaw in that plan.

And the flaw in that plan is when you go to a recipe website, what do you see? You see a whole load of guff.

A whole load of guff about the recipe writer's personal journey, about how they went on this wonderful trip to Italy or wherever it is, or they were traveling around.

I don't care about all that. What I want to know, give me the ingredients. Tell me what the bloody ingredients are and what I have to do with them. I don't want your pop-up ads.

I don't want to join your newsletter. I don't want any of that. Well, this pick of the week solves that problem because this pick of the week is called Just the Recipe.

And you can go to justtherecipe.com.

And if you go there and you paste in a URL of a webpage containing a recipe, it spits back at you just the recipe, the ingredients and the recipe.
RIK FERGUSON
Oh, that's excellent.
GRAHAM CLULEY
Exactly. It's genius. And it also displays in a simple, user-friendly way. And there's a free version of Just the Recipe as the core functionality.

Or you can pay a little bit of cash if you want to, you know, to thank them for improving the quality of your life.

And then you get some more features so you can sync it up with your phone and there's an app if you want to.

And then it will tell you when you're down the supermarket so you don't have to print it out. It's available for web, it's available for iOS, it's available for Android.

What are you waiting for? Make your life better and go to justtherecipe.com, which is my pick of the week.
RIK FERGUSON
Here's a business idea for you, 'cause it's based on something that my daughter started to do.
GRAHAM CLULEY
Okay.
RIK FERGUSON
Which is totally related to this. She finished school, so she's on her own now looking after herself.
GRAHAM CLULEY
Yep.
RIK FERGUSON
And she hasn't really particularly done that much cooking before.

The big flaw with recipes is that you kind of have to know what you want, or you kind of have to know what you can do with what you have. There's a big flaw there, right?
GRAHAM CLULEY
Yep.
RIK FERGUSON
So what she was doing was just going to ChatGPT and saying, this is what I have in my cupboard. What can I make? So stick a front end on that.
GRAHAM CLULEY
Brilliant.
RIK FERGUSON
And you can call it justtheingredients.com. You type in your ingredients, you get a recipe that matches them.
GRAHAM CLULEY
Fantastic. What a brilliant idea.
RIK FERGUSON
You can have that.
GRAHAM CLULEY
Can I? Yeah. Brilliant.
RIK FERGUSON
Right.
GRAHAM CLULEY
I'm quitting the podcast. Don't need to do this podcast schlock anymore. Just gonna run justtheingredients.com. Thanks, Rik. Rik, what is your pick of the week?
RIK FERGUSON
I'm a little late, but I'm still obsessing over it.
GRAHAM CLULEY
Yes.
RIK FERGUSON
Only a little late.
GRAHAM CLULEY
Yes.
RIK FERGUSON
And it's Lily Allen's album, West End Girl. It's just phenomenal.
GRAHAM CLULEY
Isn't it?
RIK FERGUSON
So, I was dropping my daughter off at school.
GRAHAM CLULEY
Yep.
RIK FERGUSON
And I was driving home, and I got a pop-up on my phone. Lily Allen's just released a new album. And I was like, what? I had no idea that was coming.

Didn't realize no one else had any idea that was coming at all. So I started to play it and I kind of haven't stopped. It is absolutely phenomenal.

The songwriting, the lyrics, the backstory, the fact that it's a person just processing something that happened to them.

I think the whole thing was written over the course of about 10 days, written and recorded over the course of about 10 days. And it is absolutely the pinnacle of her career.
GRAHAM CLULEY
It is a brilliant LP and it is a brilliant pick of the week. In fact, it's such a brilliant pick of the week that it was my pick of the week 3 weeks ago.
RIK FERGUSON
Oh, arses.
GRAHAM CLULEY
I mean, it's inevitably going to happen. It's episode 446. People do sometimes come up with something which we've had before.

So I do agree with you though, and it's worth reiterating, it's a bloody good album.
RIK FERGUSON
It's a blinder. It's an absolute blinder.

After it had been released, she announced some tour dates that were— all the venues were halls, corn exchanges, sold out obviously in seconds.
GRAHAM CLULEY
Yeah.
RIK FERGUSON
And then she's announced a whole slew of dates in arenas because everybody wants the tickets.

And I think this will be finally the album that actually breaks her in the US because she never cracked that market before.
GRAHAM CLULEY
Yes.
RIK FERGUSON
And ironically, it's about the nightmare she had while she was there, but yes, I think it will break her in that market. Yes, absolutely phenomenal. I had no idea you were a fan.
GRAHAM CLULEY
Yes, yes. And it was well-timed as well with the new Stranger Things season coming out, which has a connection.
RIK FERGUSON
I sat there watching that and you can't watch the actor without thinking about the record now. It's, ah, yeah, it's a difficult watch all of a sudden.
GRAHAM CLULEY
A great pick of the week. And thank you very much for joining us this week. I'm sure lots of our listeners would love to find out what you're up to and follow you online.

What's the best way for them to do that?
RIK FERGUSON
Well, I quit Twitter a while back.
GRAHAM CLULEY
Good man.
RIK FERGUSON
All that's left there is a picture of a burning pirate ship on my profile.

I deleted every post I ever made, but I managed to export them all and import all of those old posts to Bluesky, if you ever want to look back through them.

So the entirety of my Twitter existence is now on Bluesky, or of course LinkedIn, which weirdly has become probably more of a Twitter replacement for me than Bluesky has.
GRAHAM CLULEY
You're not the only person to say that.

And of course you can follow Smashing Security on social media as well, you can find me, Graham Cluley, up on Bluesky or LinkedIn, and you can follow Smashing Security on Bluesky as well.

And don't forget to ensure that you never miss another episode.

Follow Smashing Security in your favorite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts. For episode show notes, sponsorship info, guest lists, the entire back catalog of 445 or so episodes, and indeed the Pick of the Week archive if you want to check what's happened before, go to smashingsecurity.com.

Until next time, cheerio, bye-bye.
RIK FERGUSON
I'm Rik Ferguson and I need to follow Smashing Security.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley, and I'm grateful to Rik Ferguson for joining us this week, and I'm also grateful to this episode's sponsors, Vanta, 1Password, and Drata.

And of course, to all those lovely folks who've signed up for the Smashing Security Plus over on Patreon.

They include Sean Puttick, Stephen Castle, Jack Underfurth, Mark Norman, Christo V, Darren Kenny, Ashley Woodhall, Dave and Pam, Jay Lewis, Jessica Orth, Sean, Nigel Scott, Stein, David Smythe, and Daniel Kromeck.

Well, wouldn't you love to hear your name read out at the end of the show from time to time? If so, consider joining Smashing Security Plus.

For the cost of a fancy coffee once a month, you will become part of our merry band and get early access to the episodes without the annoying ads.

All you got to do is head over to smashingsecurity.com/plus for all of the details.

Now, I know that doesn't appeal to everybody and not everyone can afford it, and that's absolutely fine. I wouldn't want you to participate if you can't actually justify it.

There's absolutely no pressure from me. But what you can do is you can support the show in ways which don't cost any cash.

You can like, you can subscribe, you can leave a 5-star review wherever you listen, tell your friends about the show, just spread the word because every little bit helps and it makes all of the effort worthwhile.

So thanks for tuning in once again, and I hope you will join me again next week for the next episode of Smashing Security.

Host: Graham Cluley

Guest: Rik Ferguson

Sponsored by:

  • 1Password – Take the first step to better security by securing your team’s credentials.
  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
