
The hack that brought back the zombie apocalypse

Episode Transcript

[SPEAKER_03]: In a technique which no hacker has ever used before or since.

[SPEAKER_03]: The hackers were using default passwords.

[SPEAKER_03]: That were listed in user manuals, manuals that were helpfully published.

[SPEAKER_03]: In public.

[SPEAKER_01]: This is Smashing Security, episode 445: The hack that brought back the zombie apocalypse, with Graham Cluley and special guest Dan Raywood.

[SPEAKER_03]: Hello, hello, and welcome to Smashing Security episode 445. My name's Graham Cluley.

[SPEAKER_02]: And I'm Dan Raywood.

[SPEAKER_03]: Dan, welcome back to the show after many, many years.

[SPEAKER_03]: You have joined us once again, good to have you here.

[SPEAKER_02]: Yeah, it's going to be about seven years since I did my last appearance, so, um...

[SPEAKER_03]: Is it really?

[SPEAKER_02]: I look forward to coming back again.

[SPEAKER_02]: Yeah, yeah, 2018 it was, this sort of time, I think. Halloween, October 2018.

[SPEAKER_02]: It's funny how I think of you come Halloween, isn't it?

[SPEAKER_02]: It's just a month on now, and I'm actually probably the Ghost of Christmas Past.

[SPEAKER_02]: I don't know.

[SPEAKER_03]: Okay, well, let's not leave it another seven years, certainly. But for those people who don't know you, how would you describe what you are, why you're here, what you get up to?

[SPEAKER_02]: Well, in a couple of months, January the 8th, it will be 25 years since my first ever professional journalism job.

[SPEAKER_02]: Oh, my goodness.

[SPEAKER_02]: I better not try that part.

[SPEAKER_02]: It wasn't until 2008 that I got to writing about cyber there.

[SPEAKER_02]: So I've been doing cyber now for about 17 years.

[SPEAKER_02]: I've worked for a bunch of magazines, including SC Magazine, Infosecurity, Dark Reading.

[SPEAKER_02]: I've been an analyst, been a marketer.

[SPEAKER_02]: Now I work mainly for a great company called Bora, who do content creation, and also assist some really, really great clients.

[SPEAKER_02]: I'm also a bit of a freelance hired gun on the side. I do some speaking, do some moderating, and appear on a few podcasts, some of which are really nice.

[SPEAKER_03]: Ah, well, fantastic to have you here today.

[SPEAKER_03]: Before we kick off, let's thank this week's wonderful sponsors, Vanta, Action1, and Horizon3.ai.

[SPEAKER_03]: We'll be hearing more about them later on in the podcast.

[SPEAKER_01]: This week on Smashing Security.

[SPEAKER_03]: We won't be talking about how fake adult websites are pushing a hyper-realistic but fake Windows Update pop-up to install malware.

[SPEAKER_03]: You'll hear no discussion of how a Japanese court found Cloudflare liable for ignoring takedown requests and thereby aiding in protecting a manga piracy site.

[SPEAKER_00]: and we won't even mention.

[SPEAKER_03]: How a former romantic partner of ex-Google Chairman Eric Schmidt has accused him of hacking her email and PC to spy on her and steal business secrets.

[SPEAKER_03]: So Dan, what are you going to be talking about this week?

[SPEAKER_02]: I'm going to be looking at how CrowdStrike, the well-known security vendor, hit back against a significant threat.

[SPEAKER_03]: And I'm going to be speaking about how America's airwaves are under attack.

[SPEAKER_03]: All this and much more coming up on this episode of Smashing Security.

[SPEAKER_03]: Okay, before we go any further, let's share a quick word with you about one of our sponsors today, Vanta.

[SPEAKER_03]: You know how everyone's got an AI assistant these days.

[SPEAKER_03]: Well, imagine one that doesn't just write haikus about zero-day vulnerabilities, but actually does your audit work for you.

[SPEAKER_03]: That is Vanta.

[SPEAKER_03]: It connects to all of your tools, gathers evidence, tracks compliance, and quietly helps you prove that, yes, you do take security seriously.

[SPEAKER_03]: Vanta automates all of that.

[SPEAKER_03]: It pulls everything together, keeps an eye on your systems, and basically makes sure you're ready for an audit at any time, which means no last-minute panic for screenshots and policies.

[SPEAKER_03]: It also plugs into the tools you're already using and flags up issues before they become a right old mess.

[SPEAKER_03]: So if that sounds like something that might save you from a few sleepless nights, check out vanta.com/smashing.

[SPEAKER_03]: If you use that link, you'll get a thousand dollars off.

[SPEAKER_03]: So don't forget vanta.com/smashing, and thanks to Vanta for sponsoring this week's episode.

[SPEAKER_03]: On with the show.

[SPEAKER_03]: Now Dan, what were you doing in 2013?

[SPEAKER_03]: Do you remember?

[SPEAKER_02]: Um, well, that's the year I left SC Magazine and joined IT Security Guru, which is still going strong.

[SPEAKER_02]: Um, my friend Andy got married, because I remember being at the wedding.

[SPEAKER_02]: Okay, you don't know him, do you?

[SPEAKER_02]: Yeah, and he had a really great wedding, um, at a scout camp in Mill Hill.

[SPEAKER_02]: Um, otherwise not a lot, I suppose.

[SPEAKER_02]: My big thing was my changing to Guru.

[SPEAKER_03]: Alright, well there's some really memorable things which happened in 2013.

[SPEAKER_03]: It was of course the year Beyonce performed at the Super Bowl.

[SPEAKER_03]: I think there was a slight reunion of Destiny's Child briefly up on the stage.

[SPEAKER_02]: That was the one, the power blew.

[SPEAKER_02]: It was in New Orleans and the power went out.

[SPEAKER_02]: Quick story.

[SPEAKER_02]: My wife and I were going to be staff and watch the Super Bowl.

[SPEAKER_02]: That year she had a work thing.

[SPEAKER_02]: So we taped it, what's it called, taped, very 1980s, and watched it on the Monday afternoon, which was brilliant, because we were able to fast forward through it.

[SPEAKER_02]: The TV coverage went down for about an hour.

[SPEAKER_02]: Quite notable. So, yeah, 2013.

[SPEAKER_03]: 2013 was famous for other things as well.

[SPEAKER_03]: Miley Cyrus twerked at the VMAs, and I don't suppose you have any taping of that, at least not one that you've dared to admit to your wife.

[SPEAKER_02]: I remember, who was the guy she was dancing with?

[SPEAKER_02]: I think it was Blurred Lines.

[SPEAKER_02]: Robin Thicke, it was. I'm so busy.

[SPEAKER_02]: I'm so busy.

[SPEAKER_03]: Thicke, Thicke, yes, Robin Thicke, yes. And everyone was obsessed with Flappy Bird.

[SPEAKER_03]: Wonderful game, Flappy Bird, one of the best.

[SPEAKER_03]: But what you may have missed was the zombie uprising, Dan.

[SPEAKER_03]: Because there was an uprising of zombies on February 11th, 2013, for fans of the Steve Wilkos syndicated TV show in Montana.

[SPEAKER_03]: You may know Steve; he was Steve the security guard on the Jerry Springer Show.

[SPEAKER_03]: He was popular for breaking up the fights between cousins and generally being muscly, bald, big and a bit of a bruiser.

[SPEAKER_03]: It was his show that people were watching.

[SPEAKER_04]: Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living.

[SPEAKER_04]: Follow the messages on screen that will be updated as information becomes available.

[SPEAKER_04]: Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous, I repeat.

[SPEAKER_03]: Civil authorities have reported that the bodies of the dead are rising from their graves and attacking the living.

[SPEAKER_03]: That's right, the zombie apocalypse was announced during daytime TV.

[SPEAKER_03]: This was an emergency alert system which kicked in and warned people not just in Montana but also in Michigan, where viewers got their undead warning during Barney & Friends.

[SPEAKER_03]: Barney's pretty upsetting in itself, I'd say, actually. I mean, yes, yes, yes, you know, camp purple dinosaur on one hand, flesh-eating corpse on the other.

[SPEAKER_03]: I'm not sure which one I prefer, but...

[SPEAKER_02]: Yeah, which way do you run? So, yeah.

[SPEAKER_03]: Now the thing is this, Dan, it wasn't true.

[SPEAKER_03]: I've got to burst your bubble right now.

[SPEAKER_03]: There wasn't actually a zombie uprising.

[SPEAKER_03]: And this may shock you.

[SPEAKER_03]: But hackers had actually gained access to the broadcasting system.

[SPEAKER_03]: And the broadcasters, as it turned out, in a technique which no hacker has ever used before or since, the hackers were using default passwords.

[SPEAKER_03]: That were listed in user manuals, manuals that were helpfully published in public.

[SPEAKER_03]: So anyone could find out what the passwords were and then access these systems and mess with a TV broadcast. It's bonkers, isn't it?

[SPEAKER_03]: That this sort of thing happens.

[SPEAKER_02]: It is.

[SPEAKER_02]: I don't think it'll get to this.

[SPEAKER_02]: There's a couple of things in history.

[SPEAKER_02]: There's the Max Headroom incident. Have you ever seen this?

[SPEAKER_02]: Yes.

[SPEAKER_03]: It was on PBS.

[SPEAKER_03]: It was during an episode of Doctor Who, showing in America.

[SPEAKER_03]: Yes.

[SPEAKER_03]: The Horror of Fang Rock.

[SPEAKER_03]: As I remember.

[SPEAKER_03]: I can't do the episode.

[SPEAKER_03]: It's a Tom Baker one.

[SPEAKER_03]: It's a Tom Baker one, with Leela, in a lighthouse.

[SPEAKER_03]: Yeah, it's a great story, The Horror of Fang Rock.

[SPEAKER_03]: Yes.

[SPEAKER_03]: But yeah, it was interrupted by Max Headroom.

[SPEAKER_03]: And I don't think they ever worked out.

[SPEAKER_03]: Who was responsible for that hack or what the purpose was.

[SPEAKER_02]: Oh, it's great. I think I found it on Reddit or Wikipedia, a whole story about how they did it, but no one ever admitted to it.

[SPEAKER_02]: And no one got caught. How do you catch someone?

[SPEAKER_02]: Yeah, yeah, yeah, yeah.

[SPEAKER_02]: Try to forensically identify someone's hand using a fly swatter, didn't they?

[SPEAKER_03]: Well, in this particular case, also what they were doing with it, but yeah.

[SPEAKER_03]: In this particular case, it was default passwords, which had been published.

[SPEAKER_03]: The authorities had to tell grown adults running TV stations, because this was back in 2013, when it was adults running TV stations, rather than the dystopian toxic hellhole we live in today, they had to tell them to change their password.

[SPEAKER_03]: And that always seems to me a little bit like telling an airline not to forget to close the door before takeoff.

[SPEAKER_03]: It's a fairly elementary stuff you would like to think.

[SPEAKER_03]: So that was the great zombie panic of 2013.

[SPEAKER_03]: You've spoken about the Max Headroom incident.

[SPEAKER_03]: You'd think stations would learn from these kind of things, but you're wrong.

[SPEAKER_03]: Because if you fast forward to 2016, there was an incident involving furries.

[SPEAKER_03]: Um, talk some more and I'll let you know.

[SPEAKER_02]: Okay.

[SPEAKER_03]: Well, let me tell you first of all how it happened.

[SPEAKER_03]: So multiple stations were hijacked through their unsecured Barix STL devices.

[SPEAKER_03]: Those are little internet boxes that send audio from a radio station studio to the transmitter.

[SPEAKER_03]: And the hackers aired an episode of a podcast, a podcast called The Furcast.

[SPEAKER_03]: which is all about, well put it this way.

[SPEAKER_03]: I didn't internet search for Furcast, find out if I could listen or view any of the episodes.

[SPEAKER_03]: And I found a bunch of men sat around a table, dressed up as foxes and pandas and all kinds of furry gear.

[SPEAKER_03]: I mean, if that's your thing, fair enough. Or maybe fair enough.

[SPEAKER_02]: Uh, very good, very good, yeah.

[SPEAKER_03]: I'm not going to show you anyway.

[SPEAKER_03]: But anyway, so again, what they did was they put out an explicit podcast, rather than the regular programming.

[SPEAKER_03]: Well, let's move on again. Have things got any better in 2017? Donald Trump has been inaugurated for his first of what I think is likely to be about 17 stints inside the White House.

[SPEAKER_03]: I'm sure he's not going to stop at two or three and you think surely we've learned by now.

[SPEAKER_03]: Nope.

[SPEAKER_03]: Because during Trump's inauguration, stations started blasting out a hip-hop song called FDT by some fellows called YG and Nipsey Hussle.

[SPEAKER_03]: Now, I know you really like your music, Dan.

[SPEAKER_03]: You're really big on music, aren't you?

[SPEAKER_02]: Have you ever heard of YG and Nipsey Hussle and their...

[SPEAKER_03]: Wait, wait, wait, wait, wait.

[SPEAKER_03]: So the president of a radio station in Louisville, WCHQ, they admitted it was their fault. They said, other stations that this happened to have contacted me, we all use the same device, none of us had a password on the device. And they said, my bad!

[SPEAKER_03]: I had done other security measures at the transmission tower and the studio, but I failed to password protect this device.

[SPEAKER_03]: I love that, my bad. Wouldn't it be great if every time there's an organization which suffers a data breach, it just says, my bad, oops. So what's the, what did he say?

[SPEAKER_03]: Yeah, sorry.

[SPEAKER_02]: Rather than we take your security seriously, we say that together, we probably that means time's up and we are.

[SPEAKER_03]: You say "whoops" or "my bad" when you forget to bring potato salad to the barbecue.

[SPEAKER_03]: Not when you let hackers turn your classic hits station into some sort of uncensored political diatribe.

[SPEAKER_03]: So here we are now Dan.

[SPEAKER_03]: It's 2025.

[SPEAKER_03]: We're 12 years after, not quite 28 years after, the zombie incident.

[SPEAKER_03]: and ESPN Houston has just been hijacked during its coverage of a game between the Philadelphia Eagles and the Dallas Cowboys.

[SPEAKER_03]: I think they're American footballers.

[SPEAKER_03]: Yeah.

[SPEAKER_03]: Yeah.

[SPEAKER_03]: And apparently, listeners' ears were assaulted with racist songs, and again, fake emergency alerts.

[SPEAKER_03]: It's almost just like you have these Gold radio stations which play the oldies.

[SPEAKER_03]: The hackers are actually doing the same kind of thing.

[SPEAKER_03]: They're still playing emergency alerts over hacked radio stations just like they were back in 2013.

[SPEAKER_03]: It's been over 10 years.

[SPEAKER_03]: And radio stations and TV stations are still being hacked.

[SPEAKER_03]: Due to their IP addresses being included in the Shodan database. Shodan, for those who don't know, is basically Google for hackable devices; it tells you all the devices which are open to the public and not configured properly to avoid unauthorized access.

[SPEAKER_03]: It's really easy for these unsecured devices to be found and to be exploited by the hackers, isn't it?

[SPEAKER_02]: I think also we do see this situation where default passwords aren't changed.

[SPEAKER_02]: It's probably because, you think about the IoT stuff.

[SPEAKER_02]: We get some new thing and you know, oh, it works.

[SPEAKER_02]: I mean, Christmas is, as we record this, literally a month away.

[SPEAKER_02]: People are getting some sort of interconnected toy, Bluetooth enabled, whatever.

[SPEAKER_02]: And it's like, is your first priority going to be, is it going to be secure?

[SPEAKER_02]: Now, a kid's toy versus some sort of thing you're going to use in the workplace are very different things.

[SPEAKER_02]: But, you...

[SPEAKER_02]: You'd think that if it's going to be used, that's the business of order.

[SPEAKER_03]: You'd like to think so, wouldn't you?

[SPEAKER_03]: But I guess radio stations, they're probably running on a tight budget. Cyber security probably isn't the top thing that they're worried about, unfortunately. There probably isn't very much budget for that.

[SPEAKER_03]: It's a problem.

[SPEAKER_03]: So this happened, and one station received a call from a listener because they heard obscene lyrics instead of the religious...

[SPEAKER_03]: You can imagine how that phone call may have gone, but these aren't really sophisticated hacks.

[SPEAKER_03]: They literally are just checking if you changed the password from like admin admin to something else.

[SPEAKER_03]: So Barix, who are the makers of these studio-to-transmitter devices, they say that they now have better security on their gizmos.

[SPEAKER_03]: They say they now come with unique passwords already set, because broadcasters can't be trusted with the complex task of actually typing in a new password.

[SPEAKER_03]: And there are apparently currently 600 to 650 publicly accessible Barix devices around the world, around 300 of them in the USA.

[SPEAKER_03]: Many of them will be these older devices, which don't have unique passwords.

[SPEAKER_03]: All of them are waiting for a bored teenager to find them.

[SPEAKER_02]: And you will listen to how the striers under fake.

[SPEAKER_02]: So now it's been done by one or two by the single, but you're one with the Donald Trump team on with this past abatula.

[SPEAKER_02]: Right, I guess the question is, is it going to spur others into action, or thinking, are we running this?

[SPEAKER_02]: But you mentioned the budget thing.

[SPEAKER_02]: There was a great piece on John Oliver's show recently about PBS and funding.

[SPEAKER_02]: And it's like, they're basically running on an absolute shoestring.

[SPEAKER_02]: So, yes, is there actually going to be any sort of priority for, essentially, what we call cyber security, versus trying to keep the lights on, essentially?

[SPEAKER_03]: Absolutely, keeping the lights on, keeping the transmitter going, you know, it's just about having power and they're probably struggling to get the advertising and sponsorship to keep their station alive, it's a problem.

[SPEAKER_03]: By the way, this zombie incident was particularly amusing, because a disc jockey actually played a tape of the zombie EAS alert as he was telling the story to his listeners.

[SPEAKER_03]: He played the tape, which included this digital tone which plays, and that happens before the emergency alert, and apparently playing that tone across the radio...

[SPEAKER_03]: Triggers more alerts downstream. It's like a domino effect.

[SPEAKER_03]: This chaos unfolds. So it's a bit like, it's a bit like saying "Alexa" on a podcast.

[SPEAKER_03]: Because those type of devices are going to hear it, and then we'll trigger actions.

[SPEAKER_03]: So machines can't necessarily tell the difference between a real emergency alert and someone playing a recording of a fake emergency alert, which is pretty understandable, I think.

[SPEAKER_02]: It's like Kevin Mitnick, whistling down the phone line.

[SPEAKER_02]: Yes, there's a bit of a, in this case, you know, all the phone lines belong to him, essentially.

[SPEAKER_03]: You know, so yeah.

[SPEAKER_03]: So in response to this, the Michigan Association of Broadcasters, they've written up some tutorials on how to lock down systems.

[SPEAKER_03]: But...

[SPEAKER_03]: I was speaking to someone the other day and they said to me, frankly, your nephew's Minecraft server.

[SPEAKER_03]: It's probably more secure than some of these stations. They're more likely to have locked it down.

[SPEAKER_03]: And I think that's probably the case with these radio stations.

[SPEAKER_03]: So my advice to broadcasters is: imagine your broadcasting equipment is a bit like your teenager.

[SPEAKER_03]: You wouldn't leave them unsupervised overnight in the house over the weekend with the drinks cabinet unlocked, because before you know it, your house is going to be overrun, full of other teenagers having a house party, general havoc occurring. So treat your professional broadcasting equipment with the same level of concern you'd give to stopping your kid from going on a bender.

[SPEAKER_03]: I think that's advice which we can all probably take on board.

[SPEAKER_03]: Really, really concentrate on securing those devices and making it as hard as possible for your accounts and your devices to be accessed by unauthorized users.

[SPEAKER_02]: I mean, we talk about, you know, crown jewels and critical, yeah, to your business running and operating.

[SPEAKER_02]: I've been doing a few things recently on operational resilience, as it's now being called.

[SPEAKER_02]: And essentially, part of that is understand what you need to keep your business running and secure.

[SPEAKER_02]: But you think after the first one's happening, what 2013 was it with Barney the Dinosaur?

[SPEAKER_02]: Yeah.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: Yeah.

[SPEAKER_02]: I don't really know.

[SPEAKER_02]: Maybe just it's not the priority that we often feel it should be.

[SPEAKER_03]: I've just had a thought. Do you think it could be Barney the Dinosaur who's responsible for this?

[SPEAKER_03]: He tries to give across a sort of harmless image, but I think behind that face, maybe there's an evil criminal mastermind at work.

[SPEAKER_03]: I've not seen nor heard of Barney in years. I mean, is it still on?

[SPEAKER_03]: Hey, if Barney has hit hard times...

[SPEAKER_03]: If he hasn't got any money in his pocket, he could well have turned to hacking.

[SPEAKER_03]: There's something to consider, I'm just asking the questions.

[SPEAKER_03]: Right then, we've got time for a quick word now about one of our sponsors today, Action1.

[SPEAKER_03]: Now, most security breaches still happen because of unpatched vulnerabilities, and the worst part? Many already have fixes available for them. But patching can be a real pain, right?

[SPEAKER_03]: If staying up at night worrying about the next cyber attack headline sounds familiar, it's time to try Action1, the patch management platform that just works.

[SPEAKER_03]: You can start updating Windows, Mac and third-party apps in under 5 minutes, and Linux support is coming very soon.

[SPEAKER_03]: The best part?

[SPEAKER_03]: Well, your first 200 endpoints are free, forever, with no functional limits.

[SPEAKER_03]: This isn't a disguised free trial.

[SPEAKER_03]: There's no credit card required, no hidden limits, no tricks.

[SPEAKER_03]: All you have to do is visit smashingsecurity.com/action1 and get started today.

[SPEAKER_03]: So if you're looking to automate patching and save weeks or even months doing it, go to smashingsecurity.com/action1 and sign up for patching that just works.

[SPEAKER_03]: And thanks to Action1 for supporting the show.

[SPEAKER_03]: Dan, what have you got for us this week?

[SPEAKER_02]: Well, an interesting one around CrowdStrike.

[SPEAKER_02]: Now, we've got to remember CrowdStrike from last year.

[SPEAKER_02]: They had a particularly nasty incident, which saw most of the world put offline for several hours.

[SPEAKER_03]: They pushed out a bad update, didn't they?

[SPEAKER_02]: A bad update, and at the time, I was actually working for SC UK.

[SPEAKER_02]: And it was a fun one.

[SPEAKER_02]: It was a Friday morning.

[SPEAKER_02]: We had no knowledge of what was going on.

[SPEAKER_02]: And I wrote a story based on what I could find on X and Reddit, which aren't the greatest sources.

[SPEAKER_02]: But there wasn't very much information, but...

[SPEAKER_02]: Yeah, CrowdStrike.

[SPEAKER_02]: I mean, they recovered, and they remain an absolutely, you know, huge cybersecurity company, and, you know, they do great research.

[SPEAKER_02]: But they haven't really managed to keep out of the headlines.

[SPEAKER_02]: That was a bit of a bad incident and a bit of a one-off.

[SPEAKER_02]: But in the past few days, a report has come out where it confirmed that it fired what they call a suspicious insider in October for allegedly sharing internal information with a hacking collective.

[SPEAKER_02]: Right.

[SPEAKER_02]: But essentially, what they are saying is that some hacking group was able to access CrowdStrike by stealing data, and basically was able to share pictures of the computer screen, leading to immediate termination for this employee.

[SPEAKER_02]: So, I'll get to insider threats in a bit.

[SPEAKER_02]: But yeah, what essentially CrowdStrike are saying is that someone shared information with an outsider.

[SPEAKER_02]: And that outsider then, by various means, was able to then try and access CrowdStrike.

[SPEAKER_02]: And screenshots posted on a public Telegram channel appear to show insider-level access to CrowdStrike systems, including an employee's Okta dashboard.

[SPEAKER_02]: And Okta, for those who don't know, is single sign-on.

[SPEAKER_02]: Yes, you can use that to get into all sorts of applications.

[SPEAKER_02]: I've used it myself in a previous job.

[SPEAKER_02]: It's really, really handy.

[SPEAKER_02]: The screenshots were shared by Scattered LAPSUS$ Hunters, as they're known now.

[SPEAKER_02]: Not if we're being a really silly, long-awaitment, but the levels, so, how is it was that to write?

[SPEAKER_02]: Oh, either like three words, you know, I've written on Joe Tidy, but then it, well, but they come at the price of HTTP.

[SPEAKER_02]: That's three letters.

[SPEAKER_02]: Why don't you get LAPSUS$ Hunters as soon as they're anyway?

[SPEAKER_02]: But they combine ShinyHunters, Scattered Spider and LAPSUS$ with a dollar sign.

[SPEAKER_02]: So those three groups all kind of came together a little while ago.

[SPEAKER_02]: And so they claimed to access CrowdStrike by exploiting data from Gainsight.

[SPEAKER_02]: And I think that's a CRM platform used with Salesforce, and then presumably it's then used by CrowdStrike as well.

[SPEAKER_02]: And they would exploit that data.

[SPEAKER_02]: So, and apparently getting, now, we don't know how much of this is true, but what I think we're looking at here is a bit like with our friend Joe Tidy, who the other month had the situation where some hackers said to him, we'll give you loads of money, give us access to your network. Do you remember that one?

[SPEAKER_03]: Yes, I do.

[SPEAKER_03]: I know that the hackers obviously hadn't twigged that he was actually their cybercrime correspondent, so maybe he wasn't the best person to approach.

[SPEAKER_02]: Well, also, you're thinking, well, you know, a lot of the BBC might get off him with pretty TV license or anything like that.

[SPEAKER_02]: They can give him a lot of money, but it's an interesting one again, because this situation shows that if you go for the sort of the weak link, and we don't think of humans as the weak link, because that just creates arguments, doesn't it, really?

[SPEAKER_02]: But if you go for someone internal, and say, hey, give me information, give me access.

[SPEAKER_02]: And yeah, for whatever reason, whether they're blackmailing them, or with the money like in Joe's situation.

[SPEAKER_02]: But CrowdStrike said the insider simply shared pictures of the computer screen with an external source.

[SPEAKER_02]: That led to immediate termination.

[SPEAKER_02]: Now, you probably argue that's probably the right action to take.

[SPEAKER_02]: I'm presuming that the DLP was switched on to max for that particular employee's output away from their computer.

[SPEAKER_02]: In other words, did they take the screenshots with their mobile, a secure USB?

[SPEAKER_02]: Put it in their Google Drive, whatever.

[SPEAKER_03]: Um, I hope they haven't just fired this guy, I hope they've also reported him to the authorities because if they're claiming he somehow assisted a group of malicious hackers or shared sensitive information, that is something the police need to investigate, isn't it?

[SPEAKER_02]: Absolutely, because we're talking about potential, well, I mean, what's it for?

[SPEAKER_02]: I think insider threats are particularly worrisome.

[SPEAKER_02]: You've got the situation where the insider, I guess, is leaking information.

[SPEAKER_02]: If you worked for a bank and said, here's all the PIN numbers.

[SPEAKER_02]: Yeah, for a million people.

[SPEAKER_02]: That's a crime, or it's the data theft, essentially.

[SPEAKER_03]: To be honest though, Dan, in fairness, when it comes to PIN numbers, I could probably give you everybody's PIN number.

[SPEAKER_03]: I mean, I could give you a list.

[SPEAKER_03]: It starts at 0000 and goes up to 9999.

[SPEAKER_03]: So, you know, it's different, of course, if you have names associated with the PIN numbers.

[SPEAKER_03]: But the numbers themselves, that shouldn't be something which is an arrestable offence, I think.

[SPEAKER_02]: Well, yeah, true, but I don't have to read that knowledge yet.

[SPEAKER_02]: I have to do another one, what's on my head, but...

[SPEAKER_02]: But yeah, in the situations where someone steals something internally, let's say, you know, if you run off with a laptop, for example, they can brick that. If you run off with the coffee machine, you're like, get that, get that, get your jumper. But here it's pictures of the computer screen.

[SPEAKER_02]: This was what they got immediately terminated for.

[SPEAKER_02]: Now, CrowdStrike has rejected the claim that data was actually stolen, which the hackers claim they did.

[SPEAKER_02]: But CrowdStrike reject that claim, saying that systems were never compromised and customers were always protected.

[SPEAKER_02]: Now, as we were saying earlier on, "we take security seriously". CrowdStrike, I really hope they do, and I'm sure they do as well.

[SPEAKER_02]: But, um, they have handed the case to law enforcement for further investigation.

[SPEAKER_02]: So, that's where we're at at the moment.

[SPEAKER_02]: It's...

[SPEAKER_02]: Maybe it's just screenshots of an Okta platform, and as a result, someone got fired and handed over to the police for it.

[SPEAKER_02]: So that's what we know.

[SPEAKER_02]: But I wouldn't say it's particularly uncommon, but I think it's probably unreported.

[SPEAKER_02]: It's interesting how this one got out, to Zack and Lorenzo over at TechCrunch.

[SPEAKER_02]: Because Gainsight, again, the CRM system that we presume CrowdStrike was using, and which the hackers alleged was the source of the breach, did not comment either.

[SPEAKER_02]: They're not going to go and go, yeah, we were the weak link.

[SPEAKER_02]: But what we do know is that Scattered LAPSUS$ Hunters, or whatever we call them.

[SPEAKER_02]: This collective is known for using social engineering techniques to trick employees into giving access to systems.

[SPEAKER_02]: Now, that's different from bribing, like we saw with Joe, and surely others.

[SPEAKER_02]: They're actually trying to get people to give up things, whether it's through, here's an email, here's clips of the Eagles vs Cowboys game.

[SPEAKER_02]: Or here's, did you read this about the zombie network, take your rod, probably read that all the backs have your...

[SPEAKER_03]: Okay, so you can talk about an outright malicious actor inside your organization, so you've got a rogue employee who may have access to sensitive information, can take screenshots, can send them to a hacking gang who they may be working with.

[SPEAKER_03]: And then of course, we're always hearing at the moment about these support lines being rung up by the hackers, and they socially engineer information out of them.

[SPEAKER_03]: They claim to be employees, for instance, saying that they've been locked out of their accounts.

[SPEAKER_03]: Where maybe someone who works in a call centre for a particular organization has been nobbled by a hacking gang.

[SPEAKER_03]: And the hackers say, look, and they don't say this during the course of the phone call, obviously, but outside of that, they say, we'll be ringing you on Monday morning.

[SPEAKER_03]: And we're going to do a bit of social engineering on you, and they say, yep, okay, I will fall for the social engineering.

[SPEAKER_03]: And I will agree to unlock this account for you, or I'll make sure that the social engineering works.

[SPEAKER_03]: So you could have this kind of hybrid effect.

[SPEAKER_03]: And then the employee, if it was determined who it was who was "tricked", I put tricked in quotes, by the hackers, they could maybe have plausible deniability and say, oh, well, I was just socially engineered.

[SPEAKER_02]: Yeah, there is that middle ground of like, you know, I've worked for a company with a big call centre once upon a time.

[SPEAKER_02]: And you know, these are people with these very intense periods of working up.

[SPEAKER_00]: Yes.

[SPEAKER_02]: You've got the situation with people.

[SPEAKER_02]: Are they just kind of being caught up?

[SPEAKER_02]: Because you, you catch them out and they're not paying attention.

[SPEAKER_02]: You catch, send it at 10 to 5 on a Friday.

[SPEAKER_02]: Who's going to really be caring at that stage?

[SPEAKER_02]: Send it on some of their interests.

[SPEAKER_02]: And if you really profile the person, what they're in stocked up to who, for example,

[SPEAKER_02]: You know, after the Delphiereg was a make-on, I probably wouldn't really have fun, but it's actually a very, very simple way of doing things, but it takes time up and if you fail at it, then all that effort goes to waste for the hackers, but apparently here, who knows, because CrowdStrike and Gainsight have both not commented and denied, whatever.

[SPEAKER_02]: They are actually the ones coming out saying, you know, almost like we're not supplying, but someone was supplying.

[SPEAKER_03]: Hmm.

[SPEAKER_03]: I think the insider threat is largely under-reported, isn't it?

[SPEAKER_03]: I think a lot of the cybersecurity companies love to talk about external hackers and maybe their solutions are better at handling that kind of threat rather than the insider threat just as much.

[SPEAKER_03]: The insiders who, of course, you've given your passwords to, you've allowed to access the databases and the sensitive information because they needed to do their job.

[SPEAKER_03]: But of course, there's always the potential that they will leak it, or even if they can't make a copy of it onto a USB drive, they can take a photograph of a screen, or just simply memorize a piece of information, which they take home with them, and then later exploit in one fashion or another, but it's a really significant problem.

[SPEAKER_02]: And also organisations experience an average of 13 and a half instances every year.

[SPEAKER_02]: That seems quite loads to me.

[SPEAKER_03]: It does, yes.

[SPEAKER_02]: That's just over one a month.

[SPEAKER_02]: These very convinced and such as Ticuno Link.

[SPEAKER_02]: Actually, is that an insider threat is added to an accidental error?

[SPEAKER_02]: Yeah.

[SPEAKER_02]: To malicious intent such as we saw here, or Parvy saw here, getting out and actually kind of putting information out that the people are working for.

[SPEAKER_02]: So, if it covers that broad spectrum, I think that number is probably significantly higher than 13.5.

[SPEAKER_02]: But again, how many of these are actually reported?

[SPEAKER_02]: Do you go to your regulator, do you say, oh yeah, we had someone do this and, you know, they clicked on the link and we've got malware somewhere.

[SPEAKER_02]: Okay, and did you clean up?

[SPEAKER_02]: Yeah, we called in whichever consultancy or firm to come and sort it out.

[SPEAKER_02]: Great.

[SPEAKER_02]: Do you need to report that?

[SPEAKER_02]: I don't think you do.

[SPEAKER_02]: It's not like a data breach.

[SPEAKER_02]: We have to go to the ICO and say, this is what we lost, because if you didn't lose anything, it's a really tricky one to kind of determine.

[SPEAKER_03]: Yep, it really is.

[SPEAKER_03]: Right, we've got a chance now to thank one of the supporters of this week's podcast, Horizon3 AI.

[SPEAKER_03]: You can't defend what you don't see, and that's why Horizon3 AI created NodeZero to continuously test your network the same way real attackers would, and built it to help you prove your defenses work.

[SPEAKER_03]: Traditional pen tests happen once a year.

[SPEAKER_03]: They're manual, they're expensive, and they're outdated, the moment they're done.

[SPEAKER_03]: NodeZero changes that by continuously testing your environment.

[SPEAKER_03]: With over 170,000 pentests completed, NodeZero doesn't just find vulnerabilities, it proves how they can be exploited safely.

[SPEAKER_03]: From Active Directory trip wires to AI-driven attack paths, you'll see your network the way an adversary does, and before they do.

[SPEAKER_03]: Join thousands of organizations who've moved from reactive to continuous security, because the best defense is understanding offense.

[SPEAKER_03]: Visit horizon3.ai to get your autonomous pen test demo today.

[SPEAKER_03]: That's horizon3.ai, and thanks to horizon3.ai for supporting the show.

[SPEAKER_03]: And welcome back and you join us at our favourite part of the show, the part of the show that we like to call Pick of the Week.

[SPEAKER_03]: Pick of the Week.

[SPEAKER_03]: Pick of the Week is the part of the show where everyone chooses something they like. It could be a funny story, a book that they read, a TV show, a movie, a record, a podcast or a website or an app.

[SPEAKER_03]: Whatever they wish, it doesn't have to be security-related necessarily.

[SPEAKER_03]: Better not be.

[SPEAKER_03]: Oh.

[SPEAKER_03]: Well, my pick of the week this week is not security related.

[SPEAKER_03]: My pick of the week is a movie which I saw, and it is a modern movie.

[SPEAKER_03]: Yes, I haven't gone back to 1958 to choose some classic old movie that I've just discovered.

[SPEAKER_03]: This is one that's barely new out.

[SPEAKER_03]: It is Guillermo del Toro's version of Frankenstein.

[SPEAKER_03]: Have you seen it Dan?

[SPEAKER_02]: No, I heard a bit, but I know, frankly, I obviously know del Toro, but I don't know this one.

[SPEAKER_03]: Right, well, it's rather good, I think, it's obviously an adaptation of Mary Shelley's classic book, so it's drenched in atmosphere and stunning visuals and, in fact, it's more sort of heartbreaking than horrific, and I think it's all the better for that.

[SPEAKER_03]: So we all know the story.

[SPEAKER_03]: We've got Dr Frankenstein, who wants to see if he can defeat death, whether he can bring people back to life.

[SPEAKER_03]: By taking the parts of human beings who are deceased and putting some electricity through them.

[SPEAKER_03]: And it's really rather good.

[SPEAKER_03]: I really enjoyed it much more than I was expecting.

[SPEAKER_03]: It's got some terrific performances from Oscar Isaac.

[SPEAKER_03]: He was Poe in the Star Wars Force Awakens trilogy.

[SPEAKER_03]: He plays Victor Frankenstein.

[SPEAKER_03]: And Jacob Elordi is the creature itself.

[SPEAKER_03]: And it was briefly in the cinemas, and it's now available for anyone who subscribes to Netflix.

[SPEAKER_03]: And I thought it was visually stunning.

[SPEAKER_03]: No, it's, and really good fun.

[SPEAKER_02]: I saw the one that they did in the 70s or late 60s with, um, the guy from Zeffirelli.

[SPEAKER_02]: Something, the guy who played Romeo in Zeffirelli's Romeo and Juliet, was playing Victor Frankenstein.

[SPEAKER_02]: I saw that one.

[SPEAKER_03]: Oh yes!

[SPEAKER_02]: And I remember one from, got to be the mid-90s, where Robert De Niro played the monster.

[SPEAKER_02]: Don't know how he ended up in there.

[SPEAKER_02]: He must have had a really quiet year.

[SPEAKER_03]: Oh, he was in the Kenneth Branagh version, I think.

[SPEAKER_03]: Well, that's why he did it.

[SPEAKER_03]: Yeah.

[SPEAKER_03]: Was the 70s one the one with David McCallum?

[SPEAKER_03]: Oh, I remember that early 70s, there was a TV movie version.

[SPEAKER_03]: Probably that one, yeah.

[SPEAKER_02]: It was like a two-parter, I think.

[SPEAKER_02]: There's a one Christmas, mid-90s season.

[SPEAKER_03]: This ages us, doesn't it?

[SPEAKER_02]: Yeah, yes, remember 70s and I actually can't name when it in a film could barely remember.

[SPEAKER_02]: Yeah, I remember that one.

[SPEAKER_02]: I mean, it's a really interesting story actually.

[SPEAKER_02]: A lot of copyrights, I saw him in the Star Wars films and I took a lot of other things as well.

[SPEAKER_02]: Yeah, yeah, sounds cool.

[SPEAKER_03]: It was great.

[SPEAKER_03]: Anyway, that is my pick of the week.

[SPEAKER_03]: Frankenstein.

[SPEAKER_03]: Go and check it out.

[SPEAKER_03]: Dan, what's your pick of the week?

[SPEAKER_02]: Well, as we go back to 2010s, I'm going to do exactly the same thing once more.

[SPEAKER_02]: With a podcast series I've just listened to recently called Vine: Six Seconds That Changed the World.

[SPEAKER_02]: Okay.

[SPEAKER_02]: Now, do you have a Vine?

[SPEAKER_03]: It was the Twitter, it's when Twitter thought, you know, we've had enough of 140 characters.

[SPEAKER_03]: Let's see if we can do things with very short videos.

[SPEAKER_02]: Yeah, I'll give it a quick low down on the podcast series.

[SPEAKER_02]: I think it's about eight episodes.

[SPEAKER_02]: I was through.

[SPEAKER_02]: It was really, really interesting.

[SPEAKER_02]: It was a little kind of app that could really, the whole thing was making six-second videos.

[SPEAKER_02]: But if you think, in six seconds what can you achieve, and actually people got quite famous through this, but they got acquired by Twitter very, very soon after launch.

[SPEAKER_02]: And I think there was a feeling in the podcast.

[SPEAKER_02]: They almost sold up a little too early because Twitter didn't really know what they were getting and how to embed these little vines into tweets.

[SPEAKER_02]: They'd know that sort of functionality, right?

[SPEAKER_02]: There was also when they tried to move it from six seconds, which was kind of its USP really, to 140 seconds.

[SPEAKER_02]: Oh, no.

[SPEAKER_02]: A lot of our favourite Beatles...

[SPEAKER_02]: Some of the songs are barely 140 seconds, and some of the reality stuff is two minutes.

[SPEAKER_02]: Make about whole Beatles song in a vine, and just a little bit rowing, it's a mellow bit stuff.

[SPEAKER_02]: But it got critically panned for that move.

[SPEAKER_02]: Spoilers, sorry people, but yeah, one of the reasons it really failed is because it didn't have any monetization plan behind it, because essentially how do you make money out of a six-second video?

[SPEAKER_02]: Can you do it for Google or a Nickelodeon, for example?

[SPEAKER_02]: How do you do a six second video that is promotional for a company?

[SPEAKER_02]: So it didn't really have that monetization plan.

[SPEAKER_03]: Yes, I suppose if you had an advert, then the advert could well end up being five times longer than the video you're trying to watch, that would be irritating wouldn't it?

[SPEAKER_02]: Yeah, every TV advert, it's about 30 seconds or something.

[SPEAKER_02]: Yeah, and the ones I see on YouTube feel like they're not lonely because I'm waiting to make a click to start, but it's some...

[SPEAKER_02]: Yeah, so six seconds didn't give you a lot of time to sell something really.

[SPEAKER_02]: And now the real problem in monetization is that basically the creators held all the power.

[SPEAKER_02]: They're the ones who were getting the commissions from Google and whoever else to sort of make videos for them.

[SPEAKER_02]: Yes.

[SPEAKER_02]: But that money went to the creators.

[SPEAKER_02]: Something can create a quite famous and vise or nothing of this.

[SPEAKER_02]: One of the most famous Vine users was Logan Paul, who went on to create the drink Prime, and went on to YouTube.

[SPEAKER_02]: There's also a lot of others that get featured and it's all very much like, yeah, we did pretty well out of this, but vine didn't.

[SPEAKER_02]: Once people realise they couldn't make any more out of them, they moved on to the house.

[SPEAKER_02]: Right.

[SPEAKER_02]: So the takeaway is that Vine walked so TikTok could run.

[SPEAKER_02]: Essentially what we saw is people move to probably YouTube first, then Instagram, now TikTok.

[SPEAKER_02]: They make the money there, but they're the ones who hold all the power and the platform, in that case, was just the conduit for where to be seen.

[SPEAKER_03]: Are you on TikTok, Dan?

[SPEAKER_03]: Is that where you hang out?

[SPEAKER_02]: You don't do TikTok dances?

[SPEAKER_02]: I know, I'm a late adopter of most tech as a co-san.

[SPEAKER_02]: I'll last one of what's up in my info security scene.

[SPEAKER_02]: I've never done TikTok yet.

[SPEAKER_02]: I joined Instagram late as well.

[SPEAKER_02]: Very wise.

[SPEAKER_02]: I'd use a look looking at TikTok and it was a bit more open on the tube.

[SPEAKER_02]: It's quite fun during lockdown, but that's how the NHS dials in all that sort of thing.

[SPEAKER_03]: Well, it sounds like a great pick of the week.

[SPEAKER_03]: Thank you, Dan.

[SPEAKER_03]: Vine.

[SPEAKER_03]: Six seconds that changed the world.

[SPEAKER_03]: And that just about wraps up the show for this week.

[SPEAKER_03]: Thank you so much, Dan, for joining us.

[SPEAKER_03]: I really appreciate it.

[SPEAKER_03]: I'm sure lots of listeners would love to find out what you're up to and follow you online.

[SPEAKER_03]: What's the best way for them to do that?

[SPEAKER_02]: Yeah, so it's my name, Dan Raywood, R-A-Y-W-O-O-D. I'm mostly on LinkedIn, more of the time. On X, Bluesky, Mastodon, Parry, I don't look very often, but yeah, LinkedIn's probably my best one to find me.

[SPEAKER_03]: Okay, and of course Smashing Security is on social media as well.

[SPEAKER_03]: You can find me, Graham Cluley, on LinkedIn, or follow Smashing Security on Bluesky.

[SPEAKER_03]: And don't forget, to ensure you never miss another episode, follow Smashing Security in your favourite podcast app, such as Apple Podcasts, Spotify, and Pocket Casts.

[SPEAKER_03]: For show notes, want to be in progress lists and the entire back catalog of 445 episodes,

[SPEAKER_03]: check out smashingsecurity.com.

[SPEAKER_03]: Until next time, cheerio, bye, bye, bye, bye, thanks for listening.

[SPEAKER_03]: You've been listening to Smashing Security with me, Graham Cluley, and I'm really grateful.

[SPEAKER_03]: This week, to Dan Raywood for joining us, and also this episode's sponsors Vanta, Action1 and Horizon3 AI, and of course, all of the huge chums who've signed up for Smashing Security Plus.

[SPEAKER_03]: Over on Patreon, they include Philip Dade, Sammy Dozer, Nate M, Andrew Davison, Bobby Hendrix, Richard Annand, MJ Lee, Florian Schwalm, Steven Castle, Heisenberg, Matthew Hunt, funky duck.

[SPEAKER_03]: Well, wouldn't you like to hear your name read out at the end of the show from time to time?

[SPEAKER_03]: All you've got to do is consider joining Smashing Security Plus.

[SPEAKER_03]: For as little as $5 a month, you will become part of our happy little troop and you'll get early access to episodes without the annoying ads and you'll get that warm glow of feeling that you're helping me out.

[SPEAKER_03]: Which I always appreciate, thank you very much.

[SPEAKER_03]: Just head over to smashingsecurity.com slash plus for more details.

[SPEAKER_03]: Now of course, I realise Patreon isn't for everybody and that's perfectly fine.

[SPEAKER_03]: There's absolutely no pressure to become a member of Smashing Security Plus.

[SPEAKER_03]: The truth is you can support the show in plenty of other ways, which don't have to cost you anything really.

[SPEAKER_03]: You can just like, subscribe, leave a nice review, up on Apple Podcasts, I'm gonna like that, you can tell your friends about the show, just spread the word.

[SPEAKER_03]: Maybe tattoo across your forehead, I love Smashing Security.

[SPEAKER_03]: Slick back your hair so everyone can see it, actually don't do that, that sounds like a really terrible idea.

[SPEAKER_03]: So I don't endorse it, if you do do that, it's not my fault.

[SPEAKER_03]: But every little bit, apart from the tattoos, does help, and so until next time, cheerio, bye-bye!
