A disgruntled data analyst decides that the best response to losing his contract is to steal the entire company payroll database and demand $2.5 million in Bitcoin – signing his extortion emails from a company called “Loot.”
Meanwhile, two people drive up to the entrance of the UK’s nuclear submarine base at Faslane and politely ask if they can have a look around. Tourists? Spies? Something in between?
Plus: Female Muslim punk rock group, and a little red book that might save your sanity in a post-truth world.
All this and more in episode 460 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Jenny Radcliffe.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
It was so fascinating because you were looking up and you think, how can they, how can they be earning that much?
And there's two people doing the same job but vastly different salaries, and one of them may be much better than the other in your point of view.
And there's two people doing the same job but vastly different salaries, and one of them may be much better than the other in your point of view.
Can I hazard a guess, Graham? Was the one not being paid as much by any chance a woman? I'm just wondering. Wild stab in the dark.
Smashing Security, Episode 460: Never Knock on the Door of a Nuclear Submarine Base and Ask for a Selfie. With Graham Cluley and special guest Jenny Radcliffe.
Hello, hello, and welcome to Smashing Security, Episode 460. My name's Graham Cluley.
Hello, hello, and welcome to Smashing Security, Episode 460. My name's Graham Cluley.
And I'm Jenny Radcliffe.
Jenny, welcome back to the show. Always a delight to have you. Now, you're normally in your executive podcast penthouse suite, aren't you? But you're at a different location today.
I am. I had to travel at the last minute, Graham, so apologies if there's a little bit of background noise that there wouldn't normally be.
Well, such is the life of a human hacker, I suppose. Always on a mission. That is what you do though, isn't it?
You are about the social engineering, you are about breaking into buildings, less so with sledgehammers and JCBs and more with your brain.
You are about the social engineering, you are about breaking into buildings, less so with sledgehammers and JCBs and more with your brain.
Well, it's been known. Yes, more and more about assessing physical infiltration and ransomware insider threat for clients. So sometimes you have to dash away quite quickly.
And unfortunately today I had to do that just in front of our podcast, but hopefully we can hear each other and all will be well.
And unfortunately today I had to do that just in front of our podcast, but hopefully we can hear each other and all will be well.
Well, thank you very much for taking the time to join us today. Before we kick off, let's thank this week's wonderful sponsors, Meta, ThreatLocker, and Vanta.
We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we won't be talking about how hackers paid to make a malicious link a top Google search result for people hunting for Claude AI plugins.
You'll hear no discussion of how cyber attackers crippled breathalyzer devices in the United States used to test people with drink driving convictions before they can drive their cars.
And we won't even mention how Chinese hackers are posing as a cybersecurity firm to steal millions of dollars of cryptocurrency.
So Jenny, what are you going to be talking about this week?
We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we won't be talking about how hackers paid to make a malicious link a top Google search result for people hunting for Claude AI plugins.
You'll hear no discussion of how cyber attackers crippled breathalyzer devices in the United States used to test people with drink driving convictions before they can drive their cars.
And we won't even mention how Chinese hackers are posing as a cybersecurity firm to steal millions of dollars of cryptocurrency.
So Jenny, what are you going to be talking about this week?
Well, I'm going to be talking about the fact that two people walked up to the UK's nuclear submarine base and tried to get in.
Oh, maybe that's what's keeping you busy today. Have you had a— we'll find out later on.
And I'm going to be talking about a disgruntled contractor who thinks he's found the perfect way to get what he deserves.
All this and much more coming up on this episode of Smashing Security.
Right, before we go any further, ThreatLocker is one of our sponsors this week, and they want to talk about something specific this week, Joe. They want us to talk about DAC.
And I'm going to be talking about a disgruntled contractor who thinks he's found the perfect way to get what he deserves.
All this and much more coming up on this episode of Smashing Security.
Right, before we go any further, ThreatLocker is one of our sponsors this week, and they want to talk about something specific this week, Joe. They want us to talk about DAC.
DAC? Is that duck?
Well, no, Joe, it's not duck. DAC, it stands for Defence Against Configurations.
That is a shame. I ducks. What does this do?
Well, you know how most cyberattacks don't actually start with some sophisticated piece of malware?
They start with a misconfigured setting or a drifted policy or an exposed endpoint that nobody noticed.
They start with a misconfigured setting or a drifted policy or an exposed endpoint that nobody noticed.
And when you've got hundreds of endpoints, keeping on top of all that manually is basically a full-time job in itself.
Well, it is a full-time job and it's an impossible one. So ThreatLocker built DAC to solve exactly that problem.
Every day it runs deep checks across every endpoint in your environment, scanning operating system settings, application settings, as well as your ThreatLocker policies allowlisting and ring-fencing.
Every day it runs deep checks across every endpoint in your environment, scanning operating system settings, application settings, as well as your ThreatLocker policies allowlisting and ring-fencing.
Every endpoint every day.
Yes, every endpoint every day. And everything that's misconfigured comes back to one dashboard, categorized, prioritized with clear steps to fix it.
Before an attacker finds it first.
Exactly. And you can verify alignment across frameworks like CIS, NIST, HIPAA, ISO 27001, so it's useful come audit time too.
That's actually rather elegant. Spot the gap before someone crawls through it.
That is ThreatLocker's whole philosophy, really. Don't wait for a misconfiguration to become a breach.
And you, gentle listener, you can try DAK for free for 30 days at threatlocker.com.
And you, gentle listener, you can try DAK for free for 30 days at threatlocker.com.
That's threatlocker.com. And thanks to ThreatLocker for supporting the show. And remember, if your security's in a flap, DAK's got your back.
Unlike an actual duck, which would just quack and waddle off.
Unlike an actual duck, which would just quack and waddle off.
Hey Joe, you know, the other day someone contacted me on LinkedIn and they said, who's this Joe guy?
Oh yeah.
They said, we haven't properly introduced him. And they were worried you were an AI.
Now I'm thinking, now you've actually quacked like a duck on the podcast, surely no deepfake Joe could possibly do that?
Now I'm thinking, now you've actually quacked like a duck on the podcast, surely no deepfake Joe could possibly do that?
No.
Now, Jenny, it's tough out there. There's a cost of living crisis going on. Many people are finding they haven't got very much money in their pockets and the prices are going up.
It's tough, isn't it?
It's tough, isn't it?
It really is. Everyone's feeling it, Graham.
Yeah, we're all feeling the pinch. And I've got a lot of sympathy for people who are working out there who feel that they may be being underpaid.
You know, the billionaires are making all their money and not necessarily sharing it around. Pay equality, salary transparency, it's important.
And if you've just been told your contract isn't going to be renewed, I think it's pretty understandable that people would feel hard done by.
You know, people would think, oh, for goodness sake, it's so hard getting a job. I was doing this work and now it's come to an end.
What is a bit less understandable, though, and harder to think is justifiable, is stealing your company's entire payroll database.
You know, the billionaires are making all their money and not necessarily sharing it around. Pay equality, salary transparency, it's important.
And if you've just been told your contract isn't going to be renewed, I think it's pretty understandable that people would feel hard done by.
You know, people would think, oh, for goodness sake, it's so hard getting a job. I was doing this work and now it's come to an end.
What is a bit less understandable, though, and harder to think is justifiable, is stealing your company's entire payroll database.
Sorry, it's not funny, Graham, but my goodness me. Go on.
Yeah, it's not good, is it? And then, not just taking the database, but then threatening to leak everybody's salaries unless this company wires you $2.5 million in bitcoin.
I mean, we've all had bad days in work. There's times when we don't like our bosses and our colleagues, but this guy took it to the extreme, right?
He absolutely did. His name is Cameron Currie, 27 years old, from Charlotte, North Carolina.
And until recently, he was contracted as a data analyst at an international tech firm headquartered in Washington, D.C.
Now, joining the dots, it doesn't take a lot of effort to work out who this is when you come to read the court documents.
We can work out that the company he was working for was a software-as-a-service company called Brightly. Formerly called School Dude.
And until recently, he was contracted as a data analyst at an international tech firm headquartered in Washington, D.C.
Now, joining the dots, it doesn't take a lot of effort to work out who this is when you come to read the court documents.
We can work out that the company he was working for was a software-as-a-service company called Brightly. Formerly called School Dude.
Okay.
Which made— they decided to get a bit more corporate, I suppose.
Yes.
They were acquired by Siemens in 2022. What they do is they provide asset management software to over 12,000 schools and public institutions around the world.
Okay. Right.
So far, so straightforward. He's working as a data analyst. He's contracted there. And his contract was only supposed to last 6 months. And it started in August 2023.
And he was— usual kind of deal. He was given a laptop, access to the company network.
And he was— usual kind of deal. He was given a laptop, access to the company network.
Oh no.
Access to sensitive HR and payroll files.
A mug with the company logo, everybody's login details.
Yeah, he's got it all. And it meant that he could access things like base salaries and bonuses and performance data and personal details. Sensitive information.
I mean, I remember, oh golly, this would have been about 30 years ago when I was in a fairly junior position in the cybersecurity company I was working for.
And I found out the HR department had left on the company network, not behind a password, but in a publicly accessible directory, a spreadsheet with everybody's salary in it.
I mean, I remember, oh golly, this would have been about 30 years ago when I was in a fairly junior position in the cybersecurity company I was working for.
And I found out the HR department had left on the company network, not behind a password, but in a publicly accessible directory, a spreadsheet with everybody's salary in it.
Yeah, we've all found them, Graham. We've all found it. And then you become disgruntled if you're not at the top of that spreadsheet, sort by column G. Oh my goodness.
I mean, it was so fascinating because you were looking at people and you think, how can they be earning that much? And there were these injustices.
I mean, I wasn't just looking for myself, but other people just thinking there's two people doing the same job, but vastly different salaries.
And one of them may be much better than the other in your point of view.
I mean, I wasn't just looking for myself, but other people just thinking there's two people doing the same job, but vastly different salaries.
And one of them may be much better than the other in your point of view.
Can I hazard a guess, Graham? Was the one not being paid as much by any chance a woman? I'm just wondering.
Sometimes.
Wild stab in the dark.
I say sometimes, often, of course, that is the case. So sensitive information that this guy had.
What's perhaps surprising is that he didn't wait until he was told his contract was coming to an end before he started stealing this sensitive information, this data which he had access to.
He started removing files without authorization as early as August 2023, the very month he started the job.
So, it wasn't that he had lost the job or was about to leave his position. He was doing it from the beginning. It's like he went to the company with a plan in the first place.
What's perhaps surprising is that he didn't wait until he was told his contract was coming to an end before he started stealing this sensitive information, this data which he had access to.
He started removing files without authorization as early as August 2023, the very month he started the job.
So, it wasn't that he had lost the job or was about to leave his position. He was doing it from the beginning. It's like he went to the company with a plan in the first place.
You see different breeds of insider threats. Sometimes that's the plan, I guess.
I suppose so. And anyway, on December 5th of that year, the company told his recruitment agency that his last day would be December 15th.
So, 10 days later, by December 10th, he'd worked his very last shift.
And would you know, the very next day, December 11th, he'd created a new Microsoft Outlook account under the name of Lüt.
So, 10 days later, by December 10th, he'd worked his very last shift.
And would you know, the very next day, December 11th, he'd created a new Microsoft Outlook account under the name of Lüt.
Now, can I just say?
Yes.
That is a cool name for your burglar. That's such a great handle.
Lüt. It is cool, isn't it?
It's a bit of a tell though, if someone's looking for you.
Yes, it does give it away a little bit. It's not like—
Swag.
Swag is a great-sounding word as well. Over the following 6 weeks, he was sending emails. He sent more than 60 emails to company employees and execs.
I mean, that's quite a lot of emails. That's practically a Mailchimp newsletter campaign. And he sent these emails, which looked kind of official.
They had the subject line, "Loot data leak, DocuSign agreement attached." And this thing, I'll just read the start of these emails.
It said, "To whom it may concern, I am the founder of a company called Loot. We have recently partnered with your company to implement salary transparency within your organisation.
As you roll out your salary statements, we would like to share your organisation's salaries with everyone in the company because salary transparency is crucial as the cost of living rises.
So we and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations."
I mean, that's quite a lot of emails. That's practically a Mailchimp newsletter campaign. And he sent these emails, which looked kind of official.
They had the subject line, "Loot data leak, DocuSign agreement attached." And this thing, I'll just read the start of these emails.
It said, "To whom it may concern, I am the founder of a company called Loot. We have recently partnered with your company to implement salary transparency within your organisation.
As you roll out your salary statements, we would like to share your organisation's salaries with everyone in the company because salary transparency is crucial as the cost of living rises.
So we and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations."
Yeah.
It's quite an approach, isn't it? It's not saying I'm here to blackmail you. He's saying, we are partnering with your company.
It's on the surface of that, that sounds very kind of professional, but the minute that you give that a moment's thought, you think, hey, that's not a thing. Yeah.
And he sent them contracts via DocuSign. So, these settlement agreements, and he demanded $2.5 million.
And they were even set up so he said, look, your passwords to access DocuSign they're going to be the same as your employee ID number.
So he's reduced the friction as much as possible to let these people sign these things. So, you said, kind of professional, obviously very crooked, but kind of professional.
And then there were follow-up emails saying, urgent, 24 hours to respond.
And they were even set up so he said, look, your passwords to access DocuSign they're going to be the same as your employee ID number.
So he's reduced the friction as much as possible to let these people sign these things. So, you said, kind of professional, obviously very crooked, but kind of professional.
And then there were follow-up emails saying, urgent, 24 hours to respond.
Classic.
Yeah, yeah, exactly. You know, you need to respond now. Don't think about it, just respond.
There was another one where he said he'd be sending salary information to every VP via LinkedIn.
There was another one where he said he'd be sending salary information to every VP via LinkedIn.
Again, classic authority ploy, credibility play. Yeah, yeah.
Right.
Ticking boxes, social engineering here. Yeah, I'll give him some marks.
He threatened to set up interviews for underpaid female employees with the Equal Opportunities Commission to help them file a class action lawsuit, which in some ways you kind of think, good for him.
Well, again, but using, you know, so sort of, it gives someone a cause and a way to support a cause.
Yes.
And that's another social engineer. I just wonder if you'd seen one of my keynotes. That's terrible, isn't it? I hope not. Go on.
And there was another one where he did what we talked about already, talking about disparity.
You know, one worker was told they weren't receiving a bonus while everyone else on their level was. So you can imagine the problems that would cause.
And then on December 18th, 2023, which is a famous date in the history of data breaches, because that was the date when the SEC introduced new laws on cyber incident disclosure.
What they did was they required publicly traded companies to report breaches within 4 days.
So on that day, the very day that law came in, he sent emails saying there was a new SEC law. You either have to report your breach or we will with the SEC.
So he's using that as extra pressure leverage.
You know, one worker was told they weren't receiving a bonus while everyone else on their level was. So you can imagine the problems that would cause.
And then on December 18th, 2023, which is a famous date in the history of data breaches, because that was the date when the SEC introduced new laws on cyber incident disclosure.
What they did was they required publicly traded companies to report breaches within 4 days.
So on that day, the very day that law came in, he sent emails saying there was a new SEC law. You either have to report your breach or we will with the SEC.
So he's using that as extra pressure leverage.
And it's all in block caps and lots of exclamation marks.
Yes, oh my God.
So he's getting a bit impatient now.
You've got to use block capitals, haven't you? Obviously. Quite entrepreneurial, I think.
That's what sometimes impresses me about the cybercriminals is, you know, if only they used their entrepreneurial skills, their imagination sometimes in a good legitimate cause, maybe the economy would be in a better place.
That's what sometimes impresses me about the cybercriminals is, you know, if only they used their entrepreneurial skills, their imagination sometimes in a good legitimate cause, maybe the economy would be in a better place.
Maybe.
So, in January, it's become more like a hostage situation where he's holding the data and he says, final warning, all in capitals, demanding bitcoin by 5 PM the same day.
He's threatening to send pay gap emails every 2 hours until the company has complied and paid up. And he says, extremely firm, extremely firm. You've been— what?
Yes, he misspelled extremely twice. So crimes against spelling as well. But yeah, he's saying I can save your company stock if you just pay up $2.5 million.
Otherwise, this amount of money I'm demanding is going to increase every month by $100,000. So, a bit of a pickle the company found itself in. Do you think they should have paid up?
He's threatening to send pay gap emails every 2 hours until the company has complied and paid up. And he says, extremely firm, extremely firm. You've been— what?
Yes, he misspelled extremely twice. So crimes against spelling as well. But yeah, he's saying I can save your company stock if you just pay up $2.5 million.
Otherwise, this amount of money I'm demanding is going to increase every month by $100,000. So, a bit of a pickle the company found itself in. Do you think they should have paid up?
No, because, you know—
Yes, I agree with you.
Because it's quite amateurish, this.
And it doesn't seem to be at first, but the minute you give it a bit of scrutiny, particularly with that $2.5 million in order to save company, each subsequent month and carrying a further $100,000.
As soon as you see that, you know that this is likely an insider and likely one person because a more organized group doesn't go for six figures, basically.
And it doesn't seem to be at first, but the minute you give it a bit of scrutiny, particularly with that $2.5 million in order to save company, each subsequent month and carrying a further $100,000.
As soon as you see that, you know that this is likely an insider and likely one person because a more organized group doesn't go for six figures, basically.
Yeah. So the company, it seems, approached the FBI quite rightly, you know, bring in the authorities when something like this happens. They did end up paying $7,500 in bitcoin.
And I assume that was done to try and help the authorities trace where the money might be going to maybe help secure a conviction as well.
And I assume that was done to try and help the authorities trace where the money might be going to maybe help secure a conviction as well.
I completely agree. Yeah, definitely.
Now, unfortunately for Cameron, his operational security was not that watertight.
So some things we teach companies about how to be more secure and individuals how to be more secure, he wasn't putting into practice himself.
So some things we teach companies about how to be more secure and individuals how to be more secure, he wasn't putting into practice himself.
No.
So, he had a Coinbase account to do his cryptocurrency transactions.
And of course, if you create an account on somewhere like Coinbase, they're going to ask you, well, who the hell are you? You know, provide some ID papers.
And he used his own personal details to verify. Bless him, you know.
And of course, if you create an account on somewhere like Coinbase, they're going to ask you, well, who the hell are you? You know, provide some ID papers.
And he used his own personal details to verify. Bless him, you know.
Think it through, Cameron, come on.
So, he used his own details and debit cards which he linked to his account. They belonged to his mother and sister.
Who I'm sure were delighted.
They would have been. They would have been, absolutely. So the FBI, they turn up at his apartment in late January 2024. Apparently they were searching the place.
And while, actually, while the FBI was searching the place, he sent a few more threatening emails to the company saying he would publish all the data if he was arrested.
And while, actually, while the FBI was searching the place, he sent a few more threatening emails to the company saying he would publish all the data if he was arrested.
Come on, he's a legend at this point. He's a menace to society.
Come on now. So, yes, he was arrested. And last week, and this is what I'm talking about now, last week he was convicted. And the thing is, he's not a sophisticated hacker, is he?
He's not a nation-state hacking group member. He's not a member of a ransomware cartel. He is a contractor who had legitimate access to sensitive data, which he chose to abuse.
He abused that trust and tried to extort money from his workplace. And this is such a common problem. There's so much focus on outsiders rather than insiders.
He's not a nation-state hacking group member. He's not a member of a ransomware cartel. He is a contractor who had legitimate access to sensitive data, which he chose to abuse.
He abused that trust and tried to extort money from his workplace. And this is such a common problem. There's so much focus on outsiders rather than insiders.
Yeah. Yeah. I mean, this is an area that in what we do is just huge and growing all the time because particularly, Graham, as technology, you know, quote unquote replaces jobs.
Yes.
The remaining humans have access to more and more data.
And if you've got a bit of imagination, and if your own morality isn't that great, we do see things like this happen, and more creatively with less access than Cameron here had as well.
So yeah, it's just that we don't hear a lot about these things really. This one is good because we've got a lot of detail.
And if you've got a bit of imagination, and if your own morality isn't that great, we do see things like this happen, and more creatively with less access than Cameron here had as well.
So yeah, it's just that we don't hear a lot about these things really. This one is good because we've got a lot of detail.
We do have a lot of detail.
I think a lot of times these things can either be hushed up or the company itself doesn't quite discover how it was all happening, but quite often it will be the person that they, for legitimate reasons, gave a password to or granted too much access to an employee who then was able to cause the problem.
So, however good your perimeter defenses are, however patched your systems are, however many layers of multifactor authentication you've deployed, if the person sitting at the keyboard has decided to steal from you, it's difficult to stop them.
It's not straightforward.
I think a lot of times these things can either be hushed up or the company itself doesn't quite discover how it was all happening, but quite often it will be the person that they, for legitimate reasons, gave a password to or granted too much access to an employee who then was able to cause the problem.
So, however good your perimeter defenses are, however patched your systems are, however many layers of multifactor authentication you've deployed, if the person sitting at the keyboard has decided to steal from you, it's difficult to stop them.
It's not straightforward.
I mean, one of the things that I've advised in the past is, you know, we really do need to get to know our people.
And that means you need to get to know when people are behaving peculiarly.
And that means you need to get to know when people are behaving peculiarly.
Right.
So, in the same way that technology detects, you know, breaks from patterns.
And the same way that we've got all the kit to show when someone is doing something unusual, technically, online, we should really be observant of our employees and notice when someone is breaking a pattern or behaving strangely.
So, from a human sort of point of view, at line manager level, a team level, we really do need to know our people, and that does mean following up things like references and really talking to people that they've worked for before as well.
Otherwise, it is going to be difficult to detect these things, but it is sometimes possible. I think we miss that bit out.
And the same way that we've got all the kit to show when someone is doing something unusual, technically, online, we should really be observant of our employees and notice when someone is breaking a pattern or behaving strangely.
So, from a human sort of point of view, at line manager level, a team level, we really do need to know our people, and that does mean following up things like references and really talking to people that they've worked for before as well.
Otherwise, it is going to be difficult to detect these things, but it is sometimes possible. I think we miss that bit out.
Right, before we crack on any further, Joe and I want to take a moment to tell you about one of today's sponsors, Vanta.
We've got a question for you. What's the thing that keeps you staring at the ceiling at 2 AM when it comes to your company's security?
Is it wondering whether you've actually got the right controls in place? Whether one of your suppliers has been quietly compromised? Or is it the truly soul-destroying one?
Why on earth are we still running our entire security program out of a spreadsheet?
Why on earth are we still running our entire security program out of a spreadsheet?
If any of that hit a little too close to home, that's where Vanta comes in.
Vanta takes all that tedious manual security grind— chasing down evidence, wrestling with questionnaires, updating the same cells for the thousandth time— and automates the whole thing.
Vanta takes all that tedious manual security grind— chasing down evidence, wrestling with questionnaires, updating the same cells for the thousandth time— and automates the whole thing.
Their trust management platform keeps a continuous eye on your systems. It pulls everything into one central place and keeps your security program audit-ready around the clock.
Yes, it uses AI, but the genuinely useful kind— flagging risks, streamlining evidence collection, and slotting into the tools your team already relies on.
The upshot of this is you move faster, scale without the usual headaches, and maybe, just, just maybe, actually get a decent night's sleep.
Yes, it uses AI, but the genuinely useful kind— flagging risks, streamlining evidence collection, and slotting into the tools your team already relies on.
The upshot of this is you move faster, scale without the usual headaches, and maybe, just, just maybe, actually get a decent night's sleep.
Sounds lush. Find out more and get started at vanta.com/smashing.
That's vanta.com/smashing. And a big thank you to Vanta for supporting the show. Jenny, what's your story for us this week?
So Graham, my story this week concerns— On Thursday the 19th of March, at 5:00 PM at night, 17:00.
Right.
Two people apparently drove up to the entrance of His Majesty's Naval Base Clyde, which everyone calls Faslane, and asked if they could have a look around.
Now, this is significant for a couple of reasons, because it's, this base includes the UK's four Vanguard-class ballistic missile submarines.
No, they're the ones that carry Trident missiles, which—
Now, this is significant for a couple of reasons, because it's, this base includes the UK's four Vanguard-class ballistic missile submarines.
No, they're the ones that carry Trident missiles, which—
This is the nuclear submarines, isn't it? Yes.
It's the UK's nuclear submarine defence. The actual missiles are stored down the road, I believe, which is probably fortunate, a co-port. But obviously that's not great, doing that.
But the timing of this is significant because as we know, there is a conflict in the Middle East at the moment.
And the two people who've driven to the entrance have been identified. One is apparently an Iranian man and the lady he was with is a Romanian woman.
And so that's really why this is kind of, the timing seems significant and it's kind of got more attention with some of our less scrupulous press immediately saying these are Iranian spies without any real knowledge of that.
'Cause one would think that if you wanted to break into a nuclear base, you probably wouldn't just drive up with the car and ask the guards on the door if you could have a quick look around.
You know, we think it might be a museum, a point of interest, in fact, on the Clyde. And could we go and do it? No, you know.
But the timing of this is significant because as we know, there is a conflict in the Middle East at the moment.
And the two people who've driven to the entrance have been identified. One is apparently an Iranian man and the lady he was with is a Romanian woman.
And so that's really why this is kind of, the timing seems significant and it's kind of got more attention with some of our less scrupulous press immediately saying these are Iranian spies without any real knowledge of that.
'Cause one would think that if you wanted to break into a nuclear base, you probably wouldn't just drive up with the car and ask the guards on the door if you could have a quick look around.
You know, we think it might be a museum, a point of interest, in fact, on the Clyde. And could we go and do it? No, you know.
You might though. I mean, I'm thinking particularly in this sort of Instagram generation, you might say, look, I just want to get some selfies done. Could you let me through, please?
Because I just want this for my social media.
Because I just want this for my social media.
No, is it a museum? 'Can I get a shot?' Yeah. With the camera.
It's a submarine. How cool is a submarine?
How cool is that?
You know, can I get a bit closer?
Now, the truth is, Graham, we don't really know what's going on here. Right. We don't, you know, they were immediately arrested by the looks of things.
And are being charged on Monday, 23rd. So, they're going to court on that day.
So, we don't really know, and there's no more comment other than, they seem to drive off, this is their nationality and age, and there are charges.
So there's an investigation they're not going to comment on.
But it really piqued my interest as someone who does in fact specialise in physical infiltrations, because I've been asked—
And are being charged on Monday, 23rd. So, they're going to court on that day.
So, we don't really know, and there's no more comment other than, they seem to drive off, this is their nationality and age, and there are charges.
So there's an investigation they're not going to comment on.
But it really piqued my interest as someone who does in fact specialise in physical infiltrations, because I've been asked—
Yes, you do have something of a history, don't you, Jenny, of getting into places you shouldn't be necessarily able to get into.
Mm-hmm. And I do, and, you know, talk about it, help prevent it happening.
Yes. Yes.
But one of the questions that I get asked all the time is, does physical infiltration matter anymore?
Right.
In this digital world, can't everything be stolen remotely? And why would it matter? And, you know, it does matter.
So one of the things to understand is this is taken so seriously, even if it fails, even if it turns out to be, you know, couple of tourists who thought it was, I don't know, a naval museum or something.
Because the most sensitive systems are often not online. You have to physically access the systems in order to steal things, in order to do things.
And so, when I'm asked, oh, does physical infiltration matter as much anymore? It does, depending on how sensitive the data is. It does matter.
If you've got very sensitive data, it probably isn't all online anyway. You have to physically access them, or going back to our friend Cameron, or use insiders.
And if someone is already inside, there are so many possibilities in terms of security breaches. You know, you can steal things, you can sabotage things.
If you think of what happened with Palestine Action Group in Brizenorton just a few months ago, they sabotage planes. It can be very serious.
Those planes could then have, you know, the theory being those planes could have malfunctioned, they could have hit our service people, et cetera.
So one of the things to understand is this is taken so seriously, even if it fails, even if it turns out to be, you know, couple of tourists who thought it was, I don't know, a naval museum or something.
Because the most sensitive systems are often not online. You have to physically access the systems in order to steal things, in order to do things.
And so, when I'm asked, oh, does physical infiltration matter as much anymore? It does, depending on how sensitive the data is. It does matter.
If you've got very sensitive data, it probably isn't all online anyway. You have to physically access them, or going back to our friend Cameron, or use insiders.
And if someone is already inside, there are so many possibilities in terms of security breaches. You know, you can steal things, you can sabotage things.
If you think of what happened with Palestine Action Group in Brizenorton just a few months ago, they sabotage planes. It can be very serious.
Those planes could then have, you know, the theory being those planes could have malfunctioned, they could have hit our service people, et cetera.
Yes, they'd been terrible if they'd been covered in some red paint, wouldn't they?
Yes, but it could have malfunctioned in some other way, Graham.
Okay, alright, okay.
And I wanted to check with you, 'cause you will know this, but if I remember rightly, wasn't Stuxnet infected USBs?
Yes, Stuxnet did, absolutely. But I believe they use 5¼-inch floppy disks on these nuclear submarines. I think they're so old, they actually have these really old floppies.
They probably don't have a USB port.
They probably don't have a USB port.
Well, I have friends who would tell me that exactly, probably at a later date.
But in terms of intelligence gathering, everything else, physical intrusion is very serious because, if someone ever manages it, the consequences can be far more serious than even a cyberattack and more immediate.
So my interest is piqued.
I am looking forward to finding out whether or not this is two people who thought it was some sort of museum, or whether it was in fact two tourists who unfortunately managed to pick exactly the wrong place and exactly the wrong time to attempt to take a selfie by a nuclear submarine?
But in terms of intelligence gathering, everything else, physical intrusion is very serious because, if someone ever manages it, the consequences can be far more serious than even a cyberattack and more immediate.
So my interest is piqued.
I am looking forward to finding out whether or not this is two people who thought it was some sort of museum, or whether it was in fact two tourists who unfortunately managed to pick exactly the wrong place and exactly the wrong time to attempt to take a selfie by a nuclear submarine?
Birdwatching. That's the excuse I would always give. That's why I've got the long lens camera and the binoculars and—
You just wanted to see the steeple of Salisbury Cathedral. What's wrong with you?
Oh my goodness.
Yeah.
Yeah.
It is interesting, isn't it? But I think it is, again, a timely reminder that not all threats approach your organization via the same route.
And we can focus far too much on defending certain perimeters and maybe not the physical perimeters. Right. Let's take a moment to talk about one of today's sponsors, Meta.
So picture this. You need to set up a network for a new office. Suddenly you're juggling ISPs, floor plans, hardware configuration. Oh, what a headache. It's basically a second job.
And we can focus far too much on defending certain perimeters and maybe not the physical perimeters. Right. Let's take a moment to talk about one of today's sponsors, Meta.
So picture this. You need to set up a network for a new office. Suddenly you're juggling ISPs, floor plans, hardware configuration. Oh, what a headache. It's basically a second job.
Ah, yes. The classic experience of paying a contractor to arrive on the wrong day at the wrong address to install the wrong thing.
Right. Well, Meta's entire pitch is this. What if that just wasn't your problem?
Huh. Tell me more.
They are a network as a service company. They are genuinely end to end. You hand them a physical address and a floor plan and they handle everything.
They sort out the ISP, they design the network, they show up on site, they rack their own hardware. Not reselling someone else's kit, and they get the whole thing running.
They sort out the ISP, they design the network, they show up on site, they rack their own hardware. Not reselling someone else's kit, and they get the whole thing running.
So I don't have to spend 45-odd minutes on hold with a company whose hold music is a 15-second loop of pan flute that I've committed to heart.
No, you don't. And once you're up and running, you get a single dashboard covering monitoring, management, security, VLANs, firewall, DNS security, SD-WAN, all of it.
Full visibility and control. None of the tedious legwork.
Full visibility and control. None of the tedious legwork.
Oh, that sounds actually useful. But what's the catch?
No catch, Joe. Just a subscription model with no nasty surprises. They've even got a hardware buyback program if you've already invested in kit from another vendor.
Very sensible. Where do we send people?
Go to meter.com/smashing. Go on, do it right now. Take a look.
That's meter.com/smashing. Thanks to Meta for supporting the show.
And welcome back, and you join us for our favorite part of the show, the part of the show that we like to call Pick of the Week.
Pick of the Week.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily. Now, Jenny, I've known you for a long time. What I don't really know about you though is what kind of music are you into?
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security-related necessarily. Now, Jenny, I've known you for a long time. What I don't really know about you though is what kind of music are you into?
Ah, okay. I must say, and this probably comes as no surprise, I'm kind of a bit of a metal fan. So maybe the AC/DC, you know, that type of thing.
But I also like some sort of medieval choral stuff from Germany.
But I also like some sort of medieval choral stuff from Germany.
Oh, la-di-da! Okay.
I know.
The odd little madrigal played on your lute?
Mm-hmm. I see.
Wonderful. Okay, well, that sounds a lot of fun. That's not particularly my bag. My bag tends to be Joni Mitchell, The Beatles, maybe a bit of jazz, some crooning, something that.
Girl groups from the '60s.
Girl groups from the '60s.
Oh.
What I'm not such a fan of is punk music. So I remember when that came out as a young lad, I just thought, what's that terrible racket happening on Top of the Pops?
What's up with all this spitting and shouting and lack of melody? And I just, I had a bit of a problem with it. I'm a gentle soul. I think we all know that.
But maybe I've had something of a revelation because, as listeners may remember, some weeks ago now, I was extolling the virtues of a Channel 4 TV show called We Are Lady Parts.
Are you familiar with We Are Lady Parts?
What's up with all this spitting and shouting and lack of melody? And I just, I had a bit of a problem with it. I'm a gentle soul. I think we all know that.
But maybe I've had something of a revelation because, as listeners may remember, some weeks ago now, I was extolling the virtues of a Channel 4 TV show called We Are Lady Parts.
Are you familiar with We Are Lady Parts?
I am familiar with We Are Lady Parts.
Right. Did you We Are Lady Parts?
Absolutely. Great show.
Excellent. Fantastic. I think more people need to see We Are Lady Parts. It's a comedy about an all-female Muslim punk band. And I really enjoyed it a lot.
And after watching the series, I've been listening to their music because the people who appeared in the TV show did, it seems, form an actual band, learnt how to play instruments, and their music is on Spotify.
And after watching the series, I've been listening to their music because the people who appeared in the TV show did, it seems, form an actual band, learnt how to play instruments, and their music is on Spotify.
Awesome.
So I've been— I don't know if this is the right way to put it or not, but I've been kind of into Lady Parts ever since.
And most mornings— Most mornings in the shower, I've been enjoying the We Are Lady Parts band. So I want to give them another plug because I've been listening to them on Spotify.
So even if you haven't seen the TV show, you can enjoy this band because I think they're great.
And they've got songs "Voldemort Under My Headscarf," "Bashir with the Good Beard," "Ain't No One Gonna Honor Kill My Sister But Me." And it's all delivered in this punky, thrashy style.
And I have to say, it's a great way to start my morning and energise myself up for the battles ahead. And I've greatly enjoyed it.
And so my recommendation is go and listen to We Are Lady Parts. Go and check out their songs on Spotify. Other streaming services are available, of course.
And that is my pick of the week.
And most mornings— Most mornings in the shower, I've been enjoying the We Are Lady Parts band. So I want to give them another plug because I've been listening to them on Spotify.
So even if you haven't seen the TV show, you can enjoy this band because I think they're great.
And they've got songs "Voldemort Under My Headscarf," "Bashir with the Good Beard," "Ain't No One Gonna Honor Kill My Sister But Me." And it's all delivered in this punky, thrashy style.
And I have to say, it's a great way to start my morning and energise myself up for the battles ahead. And I've greatly enjoyed it.
And so my recommendation is go and listen to We Are Lady Parts. Go and check out their songs on Spotify. Other streaming services are available, of course.
And that is my pick of the week.
Awesome.
Jen, what is your pick of the week?
Well, my pick of the week is a book, an actual physical book, ladies and gentlemen, that I'm recommending that we all read.
Wow. Very impressive.
But don't worry or panic. It's quite a small book, right? It's a pocket book.
All right. Yes.
It's only 144 pages and they are— it's big font and it's a small book and it's called—
You're going to be telling me next there are drawings in it to try and make it easier for me.
Well, because there are people who just will raise their eyebrows at the thought of even picking up a book these days, I guess.
Okay.
It's called "On Disinformation," and it's by Lee McIntyre, who's a prof in the States.
Ah.
It's a brilliant book because it puts the case forward very sort of easy to read.
So it's one to give to teenagers and people who really don't want to read too much and just want something easy.
So it's one to give to teenagers and people who really don't want to read too much and just want something easy.
Right.
It's a USA perspective written before the 2024 election. And what he talks about is basically a little bit of history about disinformation.
So not misinformation, not mistakes, disinformation that is deliberately being put out there to get you to believe a lie for whatever reason, political, social, whatever.
But in this world at the moment, it can feel sometimes like we're drowning in this and there's nothing we can do about people who believe this disinformation, why it's there.
And he gives a little history of all of the methodology of leading people to believe lies for a cause. Links it all back to things like 1920s Soviet campaigns and things like that.
Brings it right up to date to the point just before the election in 2024. And it's looking at a crystal ball. It's amazing.
But what he does is he talks about the need for algorithmic transparency in social media.
And he shows how the tactics haven't really changed, argues that it's urgent and necessary to try and fight this disinformation and think more critically.
But here's the thing that I thought was wonderful.
He gives you 10 ways to do it as a single person, 10 ways that you can actually understand how disinformation is disseminated, how it works, and what you can do as a person to try and combat it in your own community, in your circle of friends and family.
And I just thought it's so short, it's really easy to read, it's well written, and it gives you some background, some examples of what social media platforms can do to combat disinformation and why they should be doing it.
And then how you can sort of sit in the pub and kind of argue against someone who believes something that is not true and that they're being led astray, whether that's political or something else.
And so in that short pocketbook of 144 pages, you really get a sort of a masterclass, but an easy one, in how to combat some of the things that are sort of going wrong in the media, the world, and online.
And I thought it was very easy to read, very nice approach, given that it actually gives you some action points at the end. So, On Disinformation by Lee McIntyre.
It's a little red book, which is not why I like it, but it's a little red book and it's available everywhere. And I really recommend it.
It'll take you no more than an hour or two to read. And it's a great thing.
And I would recommend, can I just say, actually buying the physical book and holding a book in your hand and putting a little red book in your pocket because there is something kind of grounding and real and unusual about that these days.
I found that quite nice as well. So there you go. That's my pick of the week.
So not misinformation, not mistakes, disinformation that is deliberately being put out there to get you to believe a lie for whatever reason, political, social, whatever.
But in this world at the moment, it can feel sometimes like we're drowning in this and there's nothing we can do about people who believe this disinformation, why it's there.
And he gives a little history of all of the methodology of leading people to believe lies for a cause. Links it all back to things like 1920s Soviet campaigns and things like that.
Brings it right up to date to the point just before the election in 2024. And it's looking at a crystal ball. It's amazing.
But what he does is he talks about the need for algorithmic transparency in social media.
And he shows how the tactics haven't really changed, argues that it's urgent and necessary to try and fight this disinformation and think more critically.
But here's the thing that I thought was wonderful.
He gives you 10 ways to do it as a single person, 10 ways that you can actually understand how disinformation is disseminated, how it works, and what you can do as a person to try and combat it in your own community, in your circle of friends and family.
And I just thought it's so short, it's really easy to read, it's well written, and it gives you some background, some examples of what social media platforms can do to combat disinformation and why they should be doing it.
And then how you can sort of sit in the pub and kind of argue against someone who believes something that is not true and that they're being led astray, whether that's political or something else.
And so in that short pocketbook of 144 pages, you really get a sort of a masterclass, but an easy one, in how to combat some of the things that are sort of going wrong in the media, the world, and online.
And I thought it was very easy to read, very nice approach, given that it actually gives you some action points at the end. So, On Disinformation by Lee McIntyre.
It's a little red book, which is not why I like it, but it's a little red book and it's available everywhere. And I really recommend it.
It'll take you no more than an hour or two to read. And it's a great thing.
And I would recommend, can I just say, actually buying the physical book and holding a book in your hand and putting a little red book in your pocket because there is something kind of grounding and real and unusual about that these days.
I found that quite nice as well. So there you go. That's my pick of the week.
That's fantastic. I mean, this is actually a practical how-to book. It's not just saying, oh, there's a bloody awful problem out there.
It's actually saying, and this is what you can do to help protect yourself against it.
It's actually saying, and this is what you can do to help protect yourself against it.
Yeah.
And maybe help others as well.
Yeah. Teach you to argue the point for the truth in the pub. Which I think is something that we all need occasionally, right?
Okay. You have sold me, Jen. I will put a link in the show notes and other listeners can check it out as well. Sounds a useful resource. That just about wraps up the show.
Thank you so much for joining us this week. I'm sure lots of our listeners would love to find out what you're up to, Jenny, and follow you online.
What's the best way for people to do that?
Thank you so much for joining us this week. I'm sure lots of our listeners would love to find out what you're up to, Jenny, and follow you online.
What's the best way for people to do that?
Best way to do it at the moment is just to look for me on LinkedIn. And I'll update things shortly. I've got big news coming up soon.
So at the moment, things seem a bit quiet, but that's because things are noisy elsewhere. But follow me online and I'll update everyone shortly as to what I'm up to.
So at the moment, things seem a bit quiet, but that's because things are noisy elsewhere. But follow me online and I'll update everyone shortly as to what I'm up to.
And of course, Smashing Security is on social media as well. You can find me, Graham Cluley, on LinkedIn or follow Smashing Security on BlueSky or Mastodon, all kinds of places.
And don't forget to ensure that you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of 460-odd episodes.
Check out smashingsecurity.com. Until next time, cheerio, bye-bye.
And don't forget to ensure that you never miss another episode.
Follow Smashing Security in your favorite podcast apps such as Apple Podcasts, Spotify, and Pocket Casts for episode show notes, sponsorship info, guest lists, and the entire back catalog of 460-odd episodes.
Check out smashingsecurity.com. Until next time, cheerio, bye-bye.
Bye-bye.
You've been listening to Smashing Security with me, Graham Cluley.
And thanks so much to Jenny Radcliffe for joining us this week and to this episode's sponsors, ThreatLocker, Vanta, and Meta.
And of course, to the following chums who are amongst those lovely souls who've signed up for Smashing Security Plus. So please put your hands together for, let's see who we got.
Khadijatan Kazimierzak. Whose name we've absolutely pronounced correctly and definitely succeeded with that.
Bravo Whiskey, who appears to be a big fan of the NATO phonetic alphabet, maybe because their real name is somehow harder to say than Khadijatan Kazimierzak.
Dmitry, he's back again, still just Dmitry, no last name, still very mysterious. Saital, who doesn't believe in capital letters. Tall letters.
Matt H, who's our favorite Matt, apart from Matt Cotton. Lisa, just Lisa. Did you see Lisa? Yes, I saw Lisa. Iconic timeless 1970s song there for some of you.
Sian Puttick, who has our sympathy for spending a lifetime probably spelling her first name to people on the phone.
Sean, who probably sometimes has people misspell his name as Sian. Marwan Khatheah, and finally Gary Heather, which it just sounds lovely really.
Probably runs a garden center in the Cotswolds, something like that. Anyway, we love you all.
As members of Smashing Security Plus, they not only get episodes of the podcast earlier than the great unwashed public and also ad-free episodes as well, but they also get the chance to have their names pulled out the hat and their names mocked.
By me. So, well, it's a win all round, isn't it? If you'd like to learn more, just head over to smashingsecurity.com/plus for all of the details.
And you can do something lovely as well, even if you can't support us by Smashing Security Plus. What you can do is you can tell your friends about Smashing Security.
Go on, go and tell them. Tell someone today. Say, hey, I listen to this podcast. It's really marvelous. This chap called Graham rambling on about cybersecurity.
He's been doing it for about 10 years, don't you know? So why not go and do that? Every little bit helps, and it makes the effort all worthwhile.
Well, until we chat again next time, toodle-oo, bye-bye.
And thanks so much to Jenny Radcliffe for joining us this week and to this episode's sponsors, ThreatLocker, Vanta, and Meta.
And of course, to the following chums who are amongst those lovely souls who've signed up for Smashing Security Plus. So please put your hands together for, let's see who we got.
Khadijatan Kazimierzak. Whose name we've absolutely pronounced correctly and definitely succeeded with that.
Bravo Whiskey, who appears to be a big fan of the NATO phonetic alphabet, maybe because their real name is somehow harder to say than Khadijatan Kazimierzak.
Dmitry, he's back again, still just Dmitry, no last name, still very mysterious. Saital, who doesn't believe in capital letters. Tall letters.
Matt H, who's our favorite Matt, apart from Matt Cotton. Lisa, just Lisa. Did you see Lisa? Yes, I saw Lisa. Iconic timeless 1970s song there for some of you.
Sian Puttick, who has our sympathy for spending a lifetime probably spelling her first name to people on the phone.
Sean, who probably sometimes has people misspell his name as Sian. Marwan Khatheah, and finally Gary Heather, which it just sounds lovely really.
Probably runs a garden center in the Cotswolds, something like that. Anyway, we love you all.
As members of Smashing Security Plus, they not only get episodes of the podcast earlier than the great unwashed public and also ad-free episodes as well, but they also get the chance to have their names pulled out the hat and their names mocked.
By me. So, well, it's a win all round, isn't it? If you'd like to learn more, just head over to smashingsecurity.com/plus for all of the details.
And you can do something lovely as well, even if you can't support us by Smashing Security Plus. What you can do is you can tell your friends about Smashing Security.
Go on, go and tell them. Tell someone today. Say, hey, I listen to this podcast. It's really marvelous. This chap called Graham rambling on about cybersecurity.
He's been doing it for about 10 years, don't you know? So why not go and do that? Every little bit helps, and it makes the effort all worthwhile.
Well, until we chat again next time, toodle-oo, bye-bye.
Host:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Guest:
Jenny Radcliffe:
/ jenny-radcliffe-the-people-hacker
Episode links:
- A Top Google Search Result for Claude Plugins Was Planted by Hackers – 404 Media.
- Iowa-based Intoxalock cyberattack disrupts calibration service for interlock users – DysruptionHub.
- China hacker group leaks $7M crypto theft operation targeting wallet supply chains – Crypto News.
- Federal Jury Convicts Charlotte Man For Cyber Extortion Scheme That Targeted International Technology Company – DOJ.
- Iranian and Romanian charged after allegedly trying to enter UK nuclear naval base – Sky News.
- LadyParts – Spotify.
- On Disinformation: How to Fight for Truth and Protect Democracy – Lee McIntyre.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- ThreatLocker – Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- Meter – Network infrastructure for the enterprise. Get a free personalised demo.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.
