
Polymarket has built an entire business on predicting the future. So how did it manage to spectacularly fail to predict its own hack? Plus, the Google engineer with a million-dollar secret, and the curious case of the airport hairdryer.
Meanwhile, “FortiBleed” sees 75,000 Fortinet firewalls thrown wide open – and the real damage is going to roll on for years.
All this and more in episode 474 of the “Smashing Security” podcast with cybersecurity expert and keynote speaker Graham Cluley, and special guest Quentyn Taylor.
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
You've got a pretty important job at a big company, haven't you?
I know in this world of everyone leaving and changing jobs every 3 to 5 years, I've been in Canon for 25 years, which is really unusual to be in a similar role.
And now I head up information security. I also now, which is really weird, I head up product security. And I also head up global response as well.
So having product security and cybersecurity under the same hat, I think it's unique in Canon.
But I do think though, that this will be the way that information security teams of the future will be formed. I think we're kind of setting a trend here.
I think this is the way things will work in the future.
And then we've also got the printer side, and the office and the scanner. So all the stuff that goes into the office.
So we both use our own products, which means I have to secure our own product, which means I can then be the best person to suggest to our customers how to secure it because we've also had to do it ourselves.
And the first version of the hardening guide that we wrote for customers, we didn't write for customers, we wrote for ourselves and then gave to customers.
And that's kind of how cybersecurity started because we were doing testing internally because we had to for our own deployments.
And then people say, well, could we give that to a customer? And I went, of course we can.
In the past, it was very much ad hoc and we would pass in titbits through, and now it's actually a proper defined process that we sit down and we say, right, well, we tested this, this is what we think about in our market and this is how we would improve it.
And a great example of that is things like ubiquitous encryption on the device, on the printer device. That used to be an option and now it's just there by default.
Well, that was a change that we and several other people pushed for simultaneously and said, no, just make this change.
We'll be hearing more about them later on in the podcast.
This week on Smashing Security, we won't be talking about how a Danish privacy activist doxxed his own prime minister and ended up getting raided by the police.
You'll hear no discussion of how a UK hospital has reported itself to the Information Commissioner's Office after 40 people were found to have accessed the medical records of a 3-year-old thrown into a crocodile pit.
And we won't even mention how an attacker called Snoopy has been sent to prison after hacking a fantasy sports betting website.
So Quentyn, what are you going to be talking about this week?
This episode is sponsored by Proton Pass.
Proton Pass is built to fix exactly that, letting teams store and share credentials securely with end-to-end encryption baked into every feature.
And it's backed by a nonprofit, no venture capitalists, no pressure to chase a quick exit.
So it will never be pressured to cut security corners or rush towards a liquidity event that could change ownership, pricing, or priorities overnight.
It's trusted by over 100 million people, ISO 27001 certified, SOC 2 audited, and it helps you tick the boxes for NIS 2, DORA and the UK's Cybersecurity and Resilience Bill.
And maybe you've heard of it, because it's been making a lot of headlines recently, called Polymarket.
And last week, it completely failed to predict that it was about to have a very, very bad week indeed. It's always a bit embarrassing, isn't it?
It's a bit like when an astrologer's convention is cancelled due to bad weather.
You can bet on an election or the weather or the economics or military conflict, whether there's going to be a Doctor Who episode on at Christmas.
All of the big questions which people are wrestling with.
And then what they did, because the weather in airports are measured by those little weather stations that you often see, they bet that the temperature would go up by a couple of degrees.
So they took a battery-powered hairdryer, went down there, shoved it in the casing, turned it on, and then mysteriously, the temperature of that airport went up.
And he might have known this because maybe he was involved in them.
Racked up a $9 billion valuation, doing pretty well. But let's talk about last week because Polymarket confirmed last week that hackers had successfully stolen funds from its users.
And they did what any serious corporation does in that situation. They hopped onto Twitter, or X, as it likes to be called.
They released a very serious, very dry, very corporate apology. Standard kind of thing. And I'm a bit disappointed with the people on Twitter, to be honest.
Well, I'm very disappointed with all of the people on Twitter, to be fair.
Overwhelmingly, the replies went along the lines of, for a company that claims to know the future, why didn't you open a betting market on whether your website was going to get pwned or not?
Which seems a fairly fair question to ask.
According to Polymarket, a compromised third-party vendor allowed attackers to inject malicious JavaScript directly onto its website's front end.
So this was a supply chain attack, effectively.
And according to the firms which monitor the blockchain, they estimate that hackers made off with about $3 million worth of cryptocurrency as a consequence.
And what was most astonishing to me about that was the $3 million had been stolen from just 11 victims, which works out as about $260,000, $270,000 per person, just casually sitting in a hot wallet somewhere.
So quite a lot of cash was got from not many customers. And Polymarket says they've contained the incident. They said they will refund everyone in full, which is very nice of them.
But this isn't Polymarket's first rodeo. In fact, this is at least their third notable incident involving cybersecurity in under a year.
So last December, they confirmed a security incident on its Discord. Users reported missing funds, suspicious login attempts.
Again, that was blamed on an unidentified third-party login provider. So we're hearing a similar sort of story from the company.
In May, just a month or so ago, an admin wallet used internally by Polymarket for employee reward top-ups — so they basically got a bag of digital cash at Polymarket, which they hand out to employees to say, well done, you've handled that well — that was drained of around about $700,000.
So first of all, they're clearly giving lovely bonuses out over there. But that happened through a, most likely, a private key compromise.
They had a 6-year-old private key which had been left exposed on the internet, allowing hackers to access that bag of cash.
And the official line from Polymarket was, this doesn't matter that much because user funds were safe. This was an internal-only problem. But Quentyn, what do you think about this?
I mean, whenever a company starts screaming, it wasn't us, it was a third-party vendor, I tend to get a little bit cynical.
It's the third-party companies that are getting compromised in between.
I mean, the number of Salesforce breach notifications you receive and you read it and you go, well, that isn't Salesforce.
It's one of the underlying integration partners that's being compromised, because attackers are not stupid. I mean, we saw this when we go back to Operation Cloudhopper.
That was to try and break into the US defence industry companies.
So instead of breaking into the companies themselves, they broke into the managed service partners that they were using.
If you then go back even further and look at when RSA got breached back in the day with the RSA SecurID tokens, when they got breached and all their key material got stolen, it wasn't RSA that the attackers were after, it was the underlying defence companies.
So this has always been the way of the world, which is you could either go after the individual really hard targets, or you could go, what is the glue that binds them all together?
And if I can attack that glue, I put a lot of effort into there, I get everything in one go.
And especially things like OAuth tokens these days, who really properly understands how they all work in all scenarios?
As a security professional, I'd like to say that I understand how every single one of them work.
As a realist, sometimes you sit there and go, sorry, that person with that thing could grant access to what?
And you're sitting there going, sorry, you managed to generate permissions to who by how? Yeah. And that's what worries me. I think this is the way of the world.
This is how stuff happens. Accept the fact that your supply chain isn't even your direct supply chain. It's the suppliers of your supply chain.
And when you start to multiply that together, you start to go, hang on a second, I've got 10,000, 20,000 companies in my supply chain. Yeah.
Maybe I should send them all an Excel questionnaire because that'll improve the world.
So the Wall Street Journal published an investigation into Polymarket and they discovered that it had orchestrated a massive deceptive marketing campaign.
Apparently, they hired an army of TikTok and Instagram creators to post videos pretending they were making an absolute fortune on Polymarket.
And the Wall Street Journal took it upon themselves to analyse this video footage.
They found that in 70% of the videos, the creators, the people posting them up on social media, weren't even using the real Polymarket website.
Apparently Polymarket had created a fake dummy website with simulated funds just for the influencers to film themselves winning a heck of a lot of money, nearly $2 million.
So in a way, Polymarket is doing the same kind of thing which phishing gangs are doing, creating lookalike websites, but they're creating one of their own website for other people to use.
Still seemingly, I have to use my words carefully, with the intention maybe of fooling people into believing something?
There's aggressive marketing techniques, there's simulated results, and then there's what that might be.
But the Wall Street Journal, they checked the actual blockchain ledger and they found in reality 50 genuine real Polymarket accounts had made the same bet.
Every single one of them lost.
So these people who Polymarket was paying, they apparently were told hide the fact that you're getting paid, use the dummy websites, try and trick people into believing you can also make a lot of money on it.
And that's concerning because, well, there's now a lawsuit actually alleging that Polymarket has unfairly exploited and targeted college students.
And of course, that's a demographic which—
So again, there are regulations about how things should be promoted on social media by—
There were a lot of YouTubers who got caught out who weren't saying that they were being paid to do certain things. And of course they were.
Apparently, the bet has been frozen because the platform and its users cannot agree — they are in deadlock over the definition of the word permanent, as in permanent peace.
Rather like the US president, who keeps on claiming that the whole problem has been solved, only to decide actually, no, it isn't maybe quite as solvent.
You'd have to wait till the heat death of the universe before you could pay out, because only then you would know. You gotta think about the price of Bitcoin or Ethereum by then.
Might not help as well, I don't know. But maybe being part of the family helps a little bit in terms of how you can get things done.
But any kind of business that's involved in that kind of stuff and doing that, you have to wonder — if that's the stuff you see, what's the stuff you didn't see?
Because if they said yes to that, what was the stuff that went, oh no, no, that's gone too far.
There is a Google engineer who's just been charged with insider trading, because he allegedly used confidential internal Google search data to spot real-time trends, and he cleared over $1 million worth of profit on Polymarket bets.
So when you can see what the world is effectively Googling before anyone else, your bet may be, well, a bit less of a gamble, mightn't it?
I mean, it's kind of like the whole sort of Frodo, "What have I got in my pocket?" kind of thing, when he was having the conversation with Gollum. At the end of the day, you know.
So that's always gonna be the problem with these kind of betting things.
And I kind of wonder if it works very well in the US because betting's a bit of a — it's not legal in all states — whereas in the UK, I wonder whether it would be so big because people are a bit more cynical, maybe over here.
They found that 0.1% of accounts net 67% of the profits. So it's a very small number of accounts which are making a huge proportion of any money on Polymarket, so be wary of—
So it's kind of — it gives you a base to then move forwards from.
But you know how most companies have to prove they're secure to customers or auditors and regulators, and the whole thing involves chasing down evidence, filling in questionnaires and forms, updating the same spreadsheet cells over and over again.
So no more staring at the ceiling at 2 AM wondering whether you've got the right controls in place or whether one of your suppliers has been breached.
But this Vanta solution uses AI as well, and it's the useful kind — flagging risks, collecting evidence, slotting into the tools your team already uses.
So you move faster, scale without the headaches, and perhaps actually get some sleep.
So it seems to have come from a LinkedIn post from a while ago from a Russian guy who went, oh, hang on a second, I found this website and it appears to have some Fortinet credentials in there.
When they looked into it, they discovered credentials to 75,000 Fortinet firewalls.
Now, if you think about where Fortinet sits in kind of the corporate hierarchies, you've got a lot of the smaller Fortinets that are the backbone of the SME to sort of small to medium-sized enterprise that sits in there.
And these are the kind of companies who might be doing some very interesting things, but probably don't have a dedicated security person.
So the problem I see here is not only did the attackers get these credentials, the attackers didn't use AI, but they used infrastructure that only exists because of AI to crack large amounts of the credentials.
They wrote a password stealer in Go that they could install on the individual firewalls, but then steal any credentials that went through the firewalls that they could actually see and then crack those as well.
They've actually done it really, really well. They've done a really professional thing.
They appear to have done some stuff in Kali Linux so they can then deploy stuff in there that other people could then screen share while they're doing some hacking into things.
As the nationality of the initial access brokers, don't know, probably someone from the East. That's the sort of rumour that I heard on there.
But the point here is that for large corporates, they have security teams, they have teams who can fix these things and can rotate the credentials.
But for the SME market, do they have large security teams? No. Do they have a security person? Probably not.
These credentials are probably going to sit there cracked for a very long time, both the firewall and any of the credentials that were flowing through that firewall that subsequently got cracked as well.
So this is going to be one that's going to run and run and run and run.
And obviously this has been making the headlines and so forth.
So if you look at the CISA KEV list, so CISA's one of the big government security agencies from the US, and they have a list called the KEV list, the Known Exploited Vulnerabilities list.
Now, the important point for your listeners here is, obviously vulnerabilities get graded on a 10-point scale, and you think, oh, if it's a 10, it's really, really serious.
But what the KEV list does is it says which of these vulnerabilities are getting exploited, not which is the one which is theoretically the highest vulnerability, but which ones are actually being used by real-world attackers to break into real-world systems.
And there's a couple of vulnerabilities that dominate that KEV list, with this particular firewall manufacturer being one of the ones that are quite heavily represented in that particular list.
So attackers are using these vulnerabilities to break in because they probably sit open for a very long period of time. They've had a lot of vulnerabilities.
So it's kind of things like this that are going to sit around and have a very, very, very long tail to get fixed.
Because we saw some big ones with Oracle, and one would presume when the Clop ransomware group went after some people who had Oracle exposed to the internet, pretty much if you had vulnerable Oracle exposed to the internet, which wouldn't be hundreds of thousands because not everyone's got that particular Oracle module set, you probably got compromised.
So you probably had to fix it.
Was this — this is 75,000 firewalls that are potentially victims and are going to sit there for quite some time because not all are going to get fixed and not all have been fixed.
And not all are probably going to ever get fixed.
I mean, I wonder if FortiBleed is really a fair name for the vulnerability.
Is it more a case of admin fail because administrators haven't rolled out new credentials, for instance, haven't responded to this?
I mean, even though the original flaw was in the Fortinet devices, which allowed the hackers in, so they could steal information and then obviously crack the passwords.
Blaming the users, blaming the administrators is very, very unpopular. It's now, "Oh no, no, it wasn't that fault that person clicked on a link.
We should have stopped the link from getting through to the user." And kind of that's true, but it's easier, I think, for the naming convention.
But they have had quite a lot of vulnerabilities. And also with things like password reuse, we know admins also reuse passwords in places. This one's gonna have a long tail.
This feels like this is gonna have a tail like the LinkedIn breach from like 2010. So I think this one's gonna go on and on and on and on.
And someone's gonna look through and say, "Okay, 'cause you've got your real email address in there, where else did you use that set of credentials on the internet?
'Cause if it was for a file, well, it was probably an important one, so let's have a hunt around." And especially if you're an SME kind of person, you're not MFAing everywhere.
You're not linking off to something else. This is probably a static password that you've used on lots of different sets of customer infrastructure.
So this isn't 75,000 firewalls have been compromised. This could be hundreds of thousands, millions of devices.
Because if that administrator is used on that Fortinet device, but it's also used on all those other manufacturers' devices, well, they won't get a fancy name.
They won't get a fancy website. They'll just get compromised.
Don't sit there whack-a-moling trying to fix the vulnerabilities because you're going to fail.
You need to look at what are the classes of vulnerability and how you design those out of your system.
'Cause there's certain vendors in the world where they don't seem to be learning from the vulnerabilities that come up. You still start seeing things like SQL injection.
You go, wow, I haven't seen SQL injection in 10, 15 years in a regular product. That's interesting. So you see things like that.
So it's like, hang on a second, you need to get deeper in.
And this is where things like, ironically, things like Mythos — yes, the AI model — might actually help you out, to say, don't just sit there spitting out vulnerabilities that are like whack-a-mole vulnerabilities.
Dig in deeper and tell me what I need to fix at the root cause of all of those ones over the top.
Is there a certain module that is so badly written it is just a hive of vulnerabilities? Tell me where that one is and just look at it. Can I just get rid of it?
So that's what I think vendors need to do.
But I also wonder, and this is kind of digging across to the AI side, I'm not so worried about the AI apocalypse that seems to be coming along.
I think it's going to take a bit longer to get to there.
And I also think that a lot of attackers won't be using AI to write exploits, because why would you bother with an exploit if you can just steal credentials and credentials are reused?
I mean, it works every time. An exploit, and this is the problem I have — sorry, we've gone on top again.
This is the problem I have with exploits: a lot of cybersecurity people's experience with exploits is things like EternalBlue, which was written by the NSA and literally was like chef's kiss.
It was beautiful. It was like a proper commercial piece of software. Whoever in the NSA wrote EternalBlue, hats off to you — you need an award.
They work like this: they need a lot of fiddling, they need a lot of messing around to get them to work. Whereas credentials — credentials work the same every single time.
And especially now you can steal OAuth tokens, you've already logged in for the attacker.
So you've actually now got an OAuth token, which is pre-logged in, pre-access session, boom, straight in, and you go for it.
And let's be clear here, I joked earlier on — who actually knows how all of these things like the OAuth stuff works properly?
Some people do, but the vast majority of people don't, and they grant them and they get stolen, and that's how some of these attacks occur.
But what I'm trying to say here is I think that the temperature with the AI side is just gonna go upside, but the weather's gonna remain broadly the same.
And I think especially with things like when we go back to Fortinet, I think we're now on vendors — we're moving into a post-patching world where the ability to generate an exploit is gonna be so fast and come so cheap that you need to start thinking you're not gonna be able to patch.
Does that mean to say you stop patching? No, it doesn't. But it means you need to say my percentage failure rate, my speed of being able to patch is gonna come down.
I know CISA has now just said we've gone from 20 days patching to 3 days patching — well, 20 days to 3 days, okay, that's better, but actually it needs to be like 3 minutes, it needs to be 30 seconds, it needs to be patch it before actually the vulnerability came out because the attacker was already using it.
So how on earth are we gonna move in this new world where it's gonna become a post-patching world? Well, it goes back to the basics — it comes back to security layering.
If you don't want to get hacked, don't put it on the internet.
We probably should give them some practical advice on what they should be doing about FortiBleed right now. Is it changing their passwords? Is it about enabling MFA?
Is it about checking whether they're included in that 75,000? What should they be doing?
You should be having MFA and phishing-resistant MFA — so passkeys or tokens everywhere. If you're not using passkeys or hardware tokens, then what is your MFA?
SMS is probably push code — you've gotta move on to passkeys or tokens if possible.
Bounce those credentials, but not just bounce your admin credentials on those firewalls — you're gonna have to bounce the credentials potentially of all the people whose data was going through those firewalls.
And that's a big, big, big task.
Picture the scene — it's Monday morning, you've got your coffee, you're wearing your second best hoodie, you're feeling pretty good about your Microsoft 365 setup because you checked Purview, you tightened conditional access, and frankly, you deserve a biscuit.
So how did they get hacked? Turns out some quiet little permission that crept wider over 3 years.
A policy exception that nobody had reviewed, the kind of thing that's invisible until it isn't.
It's the drift, the exceptions, the little permissions you stopped looking at because, well, you assumed they were fine. And the spoiler is that they're often not.
And if you'd like a hand setting it up, their team will happily walk you through it.
So all you've got to do is visit smashingsecurity.com/coreview to download your free copy of the tool, and even you will be able to answer the question, how secure is your Microsoft 365 tenant?
And thanks to CoreView for supporting the show.
Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.
It doesn't have to be security related necessarily. Well, my Pick of the Week this week is not security related. My Pick of the Week this week is music related.
I think it's no secret to fans of Smashing Security that I am a bit of a fan of the Fab Four. The mop top from Merseyside, Paul McCartney, has just turned 84 years old.
And he's still cranking out albums at the age of 84.
It's an introspective look back on his childhood, the resilience of his parents bringing him up during the Second World War, his early adventures with John Lennon and George Harrison years before Beatlemania took off, and he still has melodies pouring out of him, which pass my test, which is, can I whistle it?
If I can't whistle it, it's not a proper song. And I'm quite impressed.
I've listened to it a few times, and the last time I listened to it, I thought, you know what, this chap has some musical talent.
And some people were saying, well, he can't sing as well as he used to. I mean, to which I say, he's 84 years old.
Of course he doesn't sound like how he's sounded when he was 24 years old. I don't sound like I sounded when I started this podcast, for goodness' sake. So give him a break.
The truth is, he's still got some great tunes in him, and I'm impressed that anyone of his vintage is able to pull off something like this.
And so my pick of the week is The Boys of Dungeon Lane by a chap called Paul McCartney.
He probably doesn't need your money, but you can all stream it online, and that way Spotify makes all the money rather than the artist.
Actually, I shouldn't be encouraging that at all. Anyway, it's out now. It's lovely stuff. And that is my pick of the week.
And so I tend to sort of hammer Spotify and various other things as I'm running. I always am listening to podcasts like this one while I'm running. Good man.
And also listening to music while I'm running. So yeah, I'm really looking forward to having a listen to that.
And let's be honest, some people do some of their best work when they're sort of like rather like the end of their life. Yes.
I'm sure everyone remembers Hurt by, oh, what was his name? Oh, Johnny Cash. Johnny Cash's cover of Hurt.
That one brings a tear to my eye when I watch the video every single time, because it was the last thing he recorded.
And it is classical, but hear me out. It's classical but arranged in a modern way.
So he's using classical instruments, but you can hear rock and pop kind of themes in the way he's put it together.
But I mean, it must be very, very boring for the musicians, because they're having to do one chord over and over and over again. But it's really good. And I've been running to it.
I've been listening to it on planes. I'm gonna go and see him. He's apparently coming to Wembley. I've got tickets to go and see him.
I remember when I saw Lenny Kravitz for the first time, my wife was a fan. I didn't know I was a fan.
And when I heard him at Pinkpop in God knows when it was, like 2010, it was like, "That's the advert from that. That's the advert from that.
That's the music from that." And I kind of sat there enthralled going, "I have been a fan of this man for a very long time."
I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
We don't have a Strava account, but we certainly do have a Reddit account and a Bluesky account and a Mastodon account. You can find me, Graham Cluley, on LinkedIn as well.
And don't forget to ensure you never miss another episode.
Follow Smashing Security in your favourite podcast apps such as Pocket Casts, Apple Podcasts, Spotify, and for episode show notes, sponsorship info, guest lists, and the entire back catalog of roundabout 474 episodes, check out smashingsecurity.com.
Until next time, cheerio, bye-bye.
And also to this episode's sponsors, ProtonPass, CoreView, and Vanta. And also we've got to thank our patrons, haven't we? Those people who've signed up for Smashing Security Plus.
Let's pick a few of them out of the hat right now. We've got Jason B, who is maintaining their mystery by just using an initial for their surname.
The terribly wise sounding Govinda Charya. The crispy monosyllabled Roy Tate. Nigel Scott, who sounds like he might manage a garden centre.
Michael Crumb, who quite literally takes the biscuit. The iconic and economical Jay, doing their bit for the world's byte shortage. Just the one letter there.
Steve B, who doesn't like to use a spacebar. And half man, half fish, Jonathan Haddock. Thank cod for him.
These are just a few people who have signed up for Smashing Security Plus, which means that they get their episodes ad-free and earlier than the great unwashed public.
And they can also have the benefit of having their names pulled out at random to be mercilessly mocked at the end of the show, just like this.
If you'd like to join Smashing Security Plus, just head over to smashingsecurity.com/plus for all of the details. But you don't have to become a patron.
You can also support the show in plenty of other ways. One of the ways in which I'd really appreciate it is I love to see good reviews popping up on Apple Podcasts and elsewhere.
So why don't you leave a little comment? It really does warm the cockles of my heart.
Leave us a nice review, subscribe to the show, give us 5 stars, but best of all, tell your friends about Smashing Security. Spreading the word really does help.
Until next time, cheerio, bye-bye.
Host: Graham Cluley
Guest: Quentyn Taylor
Episode links:
- Danish Police Raided Self-Described Privacy Activist. PM Lives at a Secret Address – State of Surveillance.
- Hospital probe after 40 staff access crocodile boy’s medical records – Cybernews.
- Third Defendant Sentenced To Prison For Hacking Fantasy Sports And Betting Website – US Dept of Justice.
- Someone allegedly used a hairdryer to rig Polymarket weather bets – Engadget.
- Tweet by Polymarket Traders – XCancel.
- Polymarket says hackers stole users’ funds – TechCrunch.
- Operation Cloud Hopper: China-based Hackers Target Managed Service Providers – SecurityWeek.
- The Full Story of the Stunning RSA Hack Can Finally Be Told – WIRED.
- Polymarket points to third-party login tool after users report account breaches – Coindesk.
- Polymarket Admin Wallet Exploited on Polygon, Says ZachXBT – CryptoPotato.
- Polymarket reportedly paid creators to post deceptive videos about fake bets – TechCrunch.
- ‘Unbelievable how accurate’: How paid influencers hype Polymarket’s odds – POLITICO.
- Polymarket’s $345 million Iran peace bet is stuck because nobody can agree on what “permanent” means – TNW.
- Alert: NCSC issues advice following global targeting of Fortinet firewalls and VPN gateways – National Cyber Security Centre.
- Analysis of Reported Credential Compromise of FortiGate Devices – Fortinet Blog.
- FortiBleed – Free FortiGate Exposure Checker – SOCRadar.
- The Boys of Dungeon Lane – Paul McCartney.
- A closer listen to Paul McCartney’s new album ‘The Boys of Dungeon Lane’ – YouTube.
- The Summer Portraits – Ludovico Einaudi.
- Smashing Security merchandise (t-shirts, mugs, stickers and stuff)
Sponsored by:
- Proton Pass – The password manager for businesses that can’t compromise on security or slow their team down. Start a free trial.
- Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
- CoreView – How secure is your Microsoft 365 tenant? Find out with CoreView’s free Microsoft 365 Tenant Security Scanner.
Support the show:
You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.
Join Smashing Security PLUS for ad-free episodes and our early-release feed!
Follow us:
Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.
Thanks:
Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.